Why Shellshock Battle Is Only Beginning Fighting Hackers Leveraging the Flaws Could Go on for Years
Why Shellshock Battle Is Only Beginning
Michael Smith

Nearly two weeks after news of Shellshock broke, attacks that attempt to exploit Bash vulnerabilities are already grabbing headlines. But Akamai's Michael Smith warns that the battle against Shellshock-targeting hackers may continue for years.

Millions of devices, including routers and modems, could contain Shellshock vulnerabilities. And Smith warns it's going to take a long time to find those devices and keep them patched.

As a result, organizations must be diligent, persistent and committed to the long-term goal of mitigating the risks associated with Shellshock, Smith says during this second part of a two-part interview with Information Security Media Group. Expect to be patching and upgrading devices for many years, as new weaknesses continue to be identified or exploited, he says.

"You've got all of these devices, and the problem is that there isn't really a good, centralized device management system for all of these," Smith says. "So, I think we'll be finding these vulnerabilities for years to come."

Shellshock encompasses security vulnerabilities found in the Bourne-again shell system software, better known as Bash - a common command-line interface used in many Unix-based systems, including Linux and Apple's Mac OS. Bash is found in everything from Web servers and e-mail servers to numerous types of standalone devices, including routers and Web cams.

Researchers are identifying new Shellshock attacks in the wild on a daily basis, Smith warns. During this interview, he discusses some of those attacks, as well as:

  • Why common gateway interface scripts, used to remotely access most devices that connect to the Internet, are a concern;
  • The specific Shellshock-related security flaws Akamai has addressed; and
  • What other security firms are doing to test and release patches, as new vulnerabilities are discovered.

Going forward, the most important step that organizations can take is to continue downloading and testing patches for all new Bash-related vulnerabilities, as they get released, Smith says. And in part one of this interview, Smith reviewed some of the specific challenges organizations will face when it comes to patching the various Shellshock vulnerabilities.

At Akamai, Smith is responsible for leading a team of Web security incident responders and researchers that study the tactics, techniques and procedures of Web attackers and apply that knowledge to protect businesses during numerous events, such as site defacements, data breaches and distributed-denial-of-service attacks. Previously, Smith served as Akamai's security evangelist and as the ambassador for the information security team.

Around the Network