Were three of Yahoo’s computer servers breached by hackers who exploited the Shellshock security flaw or not? Yahoo first confirmed the breach, but has since retracted the statement.
Pegged as a bigger issue than the infamous Heartbleed bug that affected two-thirds of the Internet, Shellshock, also known as the Bash (Bourne-Again Shell) bug threatens to wreak havoc on Unix and Linux systems on which software from these and many other technology companies is based.
The Shellshock flaw lets bad guys inject malicious code to run inside a Bash shell, which is a common interface for directing commands to computers. Cybercriminals could use the bug to gain access to sensitive user information or take over computers remotely.
First of Many Exploits?
Regardless of the cause, Somaini said, Yahoo’s course of action remained the same: to isolate the servers at risk and protect their users’ data. He said the affected API servers are used to provide live game streaming data to Yahoo’s Sports front end and do not store user data.
“At this time we have found no evidence that the attackers compromised any other machines or that any user data was affected,” Somaini said. “This flaw was specific to a small number of machines and has been fixed, and we have added this pattern to our CI/CD code scanners to catch future issues.”
Shellshock was first publicly disclosed on September 24 and most researchers have been expecting a breach. Cloud security vendor Incapsula reports that close to 1 billion attacks have occurred since the vulnerability was announced.
Good News, Bad News
In fact, many organizations have been impacted by Shellshock, they just don’t know it heard yet, according to Ken Westin, a security analyst for cyberthreat detection firm Tripwire. But he told us there is yet good news.
“The good news is that unlike Heartbleed, Shellshock exploits generally leave evidence behind so if organizations have the right security tools in place they can detect these attacks,” he said.
Of course, there’s also bad news. Westin said detecting Shellshock requires a strong security foundation that provides the visibility necessary to quickly identify both vulnerable systems and exploit attempts.
Westin’s advice for responding to Shellshock is this: Identify unauthorized changes on any system and then use that data to quickly identify the scope of a potential compromise.
“Larger organizations such as Yahoo tend to have these protections in place,” Westin said. “Most smaller firms haven’t made enough of these investments so they should expect to be victimized by Shellshock exploits that will be difficult to detect.”
NewsFactor Network
