LAST month a guy called Stéphane Chazelas discovered a really fundamental security problem in the software that would let bad people remotely take over computers.
It was all very chaotic, but when the dust settled inconvenient voices started asking: “But what about all the devices running Bash?”
Back in 1977 the Bourne shell was released, named after a guy called Stephen Bourne and, while not revolutionary, it allowed operators of the big, scary UNIX computers to input text-based commands into their machines, and also to write batches of commands.
It was significantly better than anything that had come before so it became very widely used.
In 1988 the Free Software Foundation decided it was so important to have a like-for-like replacement (able to run those batches of commands built up by operators over the previous decade without modification) that they paid a guy called Brian Fox to write a replacement, which he cheekily named “Bourne Again Shell” or Bash to its friends.
Bash has been picked up and stuck in systems all over the world ever since for those times when someone needs to talk to a machine without the weight of graphical user interfaces (which can require significant design time).
It’s used in Linux systems today, in Apple’s OS X, and in a bewildering array of cheaply made embedded systems such as network routers.
That ADSL2 router you bought at Dick Smith for $140 five years ago that’s been quietly running your WiFi and internet so blamelessly you forgot almost certainly has a shell for techies to configure and debug with. Is it using Bash? Which version? How would you go about updating it? Does it allow remote access to its shell? (It probably shouldn’t but…)
This is why a lot of big ISPs these days such as Telstra and iiNet offer to supply the modems which they maintain and can remotely upgrade as needed.
Corporate environments have network attached storage boxes, many of those have Bash installed.
Your set top box and your smart TV could all have Bash installed.
To hunt the problem down, techies have had to turn to the same tools the hackers use, software called port scanners.
A port scan of your network should turn up all the vulnerable machines which are turned on, they can then be updated, or replaced. A painful process all around.
The terrors of home security don’t end there though. Last year the Russians claimed to have intercepted a batch of tea kettles with WiFi-snooping systems built into the base.
As for your bluetooth keyboard the US National Security Agency offers this advice:
“The use of Bluetooth-enabled keyboards and mice introduces an avenue of attack for an adversary to capture keystrokes and spoof a user to gain access to a host machine. It has been shown that a Bluetooth connection can be made from distances of up to one mile.”
We’ve been here before. We all have to take security seriously. Apply every patch and update however painful, as quickly as possible, and use strong passwords as painful as they may be. Finally, when buying anything that will be attached to the internet ask who will be upgrading it and how?
John Griffiths is the online editor of the daily news service citynews.com.au
Who can be trusted?
In a world of spin and confusion, there’s never been a more important time to support independent journalism in Canberra.
If you trust our work online and want to enforce the power of independent voices, I invite you to make a small contribution.
Every dollar of support is invested back into our journalism to help keep citynews.com.au strong and free.
Thank you,
Ian Meikle, editor
Leave a Reply