Beware the 'Bash Bug,' although not much can be done
NEW YORK - Internet security experts are warning that a new programming flaw known as the "Bash Bug" may pose a serious threat to millions of computers and other devices, such as home Internet routers. Even the systems used to run factory floors and power plants could be affected. Here are some common questions and answers about the latest security scare.
NEW YORK - Internet security experts are warning that a new programming flaw known as the "Bash Bug" may pose a serious threat to millions of computers and other devices, such as home Internet routers. Even the systems used to run factory floors and power plants could be affected. Here are some common questions and answers about the latest security scare.
Question: What is the Bash Bug, and why is it a big deal?
Answer: The bug, also known as "Shellshock," is in a commonly used piece of system software called Bash. Bash has been around since 1989 and is used on a variety of Unix-based systems, including Linux and Mac OS X. Devices that use Unix in some form include many servers, routers, Android phones, Mac computers, medical devices, and even the computers that create bitcoins. Systems running power plants and municipal water systems could also be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet to avoid opening them to such risks. Bash is a command shell - "the thing you use to tell your computer what you want it to do," explains Christopher Budd, global threat communications manager at security firm Trend Micro. Thus, exploiting a security hole in Bash means telling your computer, or other systems, what to do.
Q.: Should you be worried?
A.: For now, the Bash Bug appears to be more of a potential nuisance than a major threat. It's a more vexing problem for Mac owners. The Bash Bug makes it easy for hackers to take control of a Mac running on a public Wi-Fi network, such as one in a coffee shop or airport, said Chris Wysopal, chief technology officer of computer security firm Veracode. At home, a hacker who takes control of an Internet router could consume so much bandwidth for online mischief that the owner would get hit with a huge bill from service providers that impose monthly data caps, said Dave Lewis, Akamai Technologies' global security advocate. Another possible security problem: A hacker who seizes control of a vulnerable Web server might collect online passwords stored in databases, said Joe Siegrist, CEO of LastPass, a service that stores and protects passwords.
Q.: What can you do about it?
A.: Everyday users can't do much right now, except to wait for manufacturers to release fixes for their products. Budd recommends applying the patches for routers, Macs, and other devices as they come out. Even if a fix is developed, getting it could be another matter. Budd expects that to be an issue with Android phones, because their manufacturers and carriers are often slow to push out the system updates that Google provides. Of course, it always helps to run up-to-date security software on your devices.