Shellshock Vulnerability

Over the past year many new security scares have popped up causing IT departments all over the world to scramble to protect their most vital data. One of the more recent ones, discovered in mid-September called Shellshock actually affected all machines that run the Unix shell Bash. Bash is the software behind the text-based utility called Terminal on Mac OS X systems. It gives the user access to all services that the computer has to offer and is also used on most Linux systems. It can be installed on Windows but doesn’t come standard, and requires a little bit of effort to get it to work on a Windows based system. Within hours of the discovery and announcement of the vulnerability, hackers took advantage and began creating extensive networks of vulnerable computers called Botnets, that when given a command from the controller can do just about anything without the owner/user of the infected computer knowing what was happening.

This vulnerability within Bash allows commands to be run as administrator when the command is inside another command as a variable. It gets complicated but essentially if you have a long command that doesn’t require root access, there is a way to embed another command within that first and the embedded command will run with root access without having to input the root/administrator password. This sort of vulnerability is a major flaw and allows complete access to a system to install or use whatever resources are connected to the vulnerable machine without the need to authenticate as an administrator.

Since the discovery, a method has also been discovered to determine if your machine has the flawed Bash version. Open Terminal (it’s in /Applications/Utilities or use Spotlight to find it) then copy and paste this command and press enter:

env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

If your system contains the vulnerability it will output two lines: one says “vulnerable” and the second line says “this is a test”. If you don’t have the vulnerability then all it will say is “this is a test”.

Make sure your computer is up to date. There are websites out there that will allow you to download a patch to fix the vulnerability. If you want to do it yourself rather than wait for a fix to come through your software updates, make sure you trust the source you’re downloading from. Who knows what else you’re installing into your machine when you try to patch it yourself.

See this article from our Director of IT & Development Morgan Aldridge for some further advice on patching this vulnerability.

I’m a big advocate of knowing how to protect yourself, be it your identity, your data, or your privacy. Shellshock is a backdoor to your computer and your digital life. Whatever you do make sure you are taking the most precautions possible. Use two-factor authentication on all of your internet accounts when its available. Never use the same password twice. Use encryption on your personal computer and your external hard drives. Encrypt your cell phone backups. Don’t share personal information when you don’t have too. If someone with malicious intent is interested in getting into your life, don’t make it easy for them!

Similar Posts

  • A Different Kind of Business

    Small Dog Electronics has launched a promotion in our retail stores to funnel donations to women’s shelters in each of the communities where we operate. With several participating brands we will make a donation for each sale to the local shelter. Why would we do this? Yes, we have an interest in combating domestic violence and want our employees to be safe at work or home but we have a commercial and philosophical reason too. As you may know, the margins on our products is very low, in many cases below 10% and you have a wide variety of places to buy these same products. It is difficult for us to compete with big box stores that use Apple products as “loss leaders” by discounting to below cost or online resellers that do not charge sales tax. While many companies will simply suck it up and discount their products to compete, we have decided upon a different direction.

    While we cannot compete solely on the basis of price, Small Dog Electronics wants to give you many reasons to choose to buy your next Mac or iPad from us. One way we can effectively compete is through community involvement. Instead of discounting the products we will make these donations to leverage our “money machine” to help the communities where we live. While we have our on-going customer-driven charitable contributions program where we match donations, we feel that the giving generated by these special promotions not only raises awareness about important issues but also lets our customers and our company make a real difference. I hope you agree!

    Find out more about this program here.

  • Migration Assistant in 10.9: Disk Image Troubles

    If you have been a long time Mac user, there is a good chance that you have used the tool Migration Assistant at some point or another. If you haven’t, the general premise is that it takes your data (be it from an old Mac, or a backup), and transfers it to your new Mac. Working in repair, I have to back up customer data frequently, and after wiping it off of the machine, restore it once the repair has been completed. The way that I do this primarily is: pull the drive out of the machine and plug into a known good computer and back it up to my server in a file called a disk image or .dmg.

    Up until 10.9, you could create a test account, mount the disk image and restore the data through Migration Assistant, but in 10.9 Migration Assistant now runs as the root user of the computer and as a result logs you out of your newly created account, thus un-mounting any disk images that may have been mounted. There have been a few work arounds that we have used here that make it work, through different terminal scripts and apps made by people online. Well today I found a new tool that makes it all so much quicker, and all it requires is typing a basic command into terminal.

    *sudo hdiutil attach /Path/To/Image.dmg*

    What this does is it mounts the disk image to the root user of the computer, which is not logged out when using the Migration Assistant tool. For the ??path/to/image.dmg?? part, the easiest way to replace that with the correct path is to locate the file then click and drag it right into the Terminal window.

  • I often make jokes about starting a Smash Mouth tribute band called Smoosh Mouth. We will cover all their greatest hits (or rather their two hits) “All Star” and “Walkin’ on the Sun” but also more obscure gems like the a capella ““Days Like These,””:http://www.youtube.com/watch?v=IaYvCKaqPsM which makes me cringe with laughter every single time. But these are jokes, and Smash Mouth is terrible, so when Steve Harwell’s vocals started floating over my wireless speakers, I was concerned.

    Was someone crouching in the bushes, hacking their way onto our Wi-Fi network, and AirPlaying the offending noise? Was it a neighbor stealing our Wi-Fi from the comfort of next door? Both scenarios were unlikely as our network was securely password protected. This had to be an inside job. I did some interrogating of my housemates, but to no avail. Whoever was committing this nefarious crime would not spill the beans. Luckily, I had one more security option available, which is the AirPlay password that can be “setup in Airport Utility.”:http://support.apple.com/kb/PH5141

    One secure password later, I no longer have to worry about the sounds of the band’s 1999 album Astro Lounge playing through the house and for that I am truly grateful. Keep reading for some useful information about iOS 8 updates, pro tips on using the Migration Assistant tool, a look at a recent security flaw in OS X and how to see if you are vulnerable, and a note from Don about Small Dog’s support of Domestic Violence Awareness Month.

    -Mike D
    “miked@smalldog.com”:mailto:miked@smalldog.com

  • 8.0.2

    Vermont’s namesake iOS software version was released shortly after 8.0.1 (which was only available for a matter of hours) was released. 8.0.1 was an update to iOS 8 intended to resolve some third-party keyboard issues, Family Sharing problems, and other small glitches.

    Immediately after Apple introduced 8.0.1 for user devices, it was found that the update caused loss of cellular network connectivity and Touch ID on Apple’s newest devices: the iPhone 6 and iPhone 6 Plus. No iPhone 4s/5/5s was affected in this manner. Apple stated approximately 40,000 users were affected.

    The only resolution for these iPhones was to reinstall iOS 8.0.0 from scratch and then restore from a backup of the device (hopefully they had one).

    iOS 8.0.2, the current operating system, is for the most part stable with many problems having been resolved, including the 8.0.1 issues if users happened to still be on that operating system.

    As always, have a backup of your phone! I recently signed myself up for the $12/year iCloud Drive 20GB plan to make sure there was always enough room for my iPhone to have an automatic backup. A backup of my phone is one thing I’ll never have to worry about now. Alternatively, one can backup their iOS device by using iTunes and connecting the device directly to the user’s computer.

    For more help on choosing a backup method for your iPhone, iPad, or iPod, and instructions on setup, visit “http://support.apple.com/kb/HT5262”:http://support.apple.com/kb/HT5262

    A full list of the iOS 8.0.2 and a list of new iOS 8 features are available at “http://support.apple.com/kb/DL1758”:http://support.apple.com/kb/DL1758