If you are ShellShock-ed now, prepare for worse...

If you were still convinced of this illusion of the Internet as a peaceful place, then the recent large-scale, 'hair on fire' vulnerability ShellShock (and HeartBleed), and the events that followed it, can leave you, well, a bit shell-shocked.
 
I do not want to go into the technical details of the ShellShock vulnerability. If you want to learn more, Google is your friend. For this article it is sufficient to understand that the vulnerability has been present in the code of Bash for over 20 years. It is the result of functionality that was put into Bash at a time when most systems were not yet connected to the Internet and the Internet itself was still considered a friendly place to live.
 
It is safe to assume that Bash is not the only program to suffer from this. There are many more parts of the GNU toolset, but also of commercial closed source systems, that have a very long history and are currently no longer well understood. In fact this is such a well-known phenomenon in IT that it has found its way into Terry Pratchett's fantasy novels. In one novel Pratchett describes Hex, the computer in the high energy magic building of the Unseen University. Among other unconventional things, ants run through Hex's tubes and it contains a nest of mice. While the nest is clearly not a part of the computer design, Hex stopped functioning when the nest was removed and thus, the nest became an integral part of Hex.
 
Like the nest of mice, the ability to export functions to a child process is, by today's standards, not a good idea, nor something that you would want to support. However, removing or disabling such functionality might break something, and thus it remains part of the system. In fact the unpatched version of Bash still offers the possibility to import a function for backwards compatibility with a very old version of Bash, a version which by all means should not be present on any system anymore.
 
Obviously, by now you have or should have patched all systems under your control, but what about the systems not under our control? The examples are plentiful: there are still scores of PCs out there running, mostly pirated, copies of Windows XP and even 98 and 95, simply because people cannot afford an upgrade or are not willing to upgrade. There are tons of forgotten or poorly maintained servers running outdated operating systems that still have those vulnerabilities. Embedded devices are a particular problem. Often these devices have been put together on a tight budget without an efficient means to update them on the scale now required, or with a means to update, but without a manufacturer willing, able or alive to provide a patch. This problem will only grow as the Internet of Things becomes a reality.
 
Modern survival on the Internet is like surviving a zombie apocalypse. If you set foot outside of a safe defensible place you will be attacked. Not by the undead who want your brains, but by massive botnets who are after your resources to aid in spamming campaigns, DDoS attacks or to mine bitcoins. If you have a connection to the Internet you may also be attacked by more clever adversaries like cyber criminals, (corporate or nation state) spies or intelligence agencies depending on what may be gained by attacking you.
 
Survival in an environment like this asks for investments in all four layers of the Security Survival Pyramid.
 
Defensible Infrastructure. Investment in this layer leads to the biggest security gains. We need to invest to make sure we have an infrastructure that can be defended. Such an infrastructure has as little exposure as possible to the enemy. Systems that are not connected are harder to attack than highly connected systems. Defensible systems are built with failure and remediation in mind, e.g. because they can be patched on the fly.
 
Craftsmanship deals with the skillful abilities of the defenders. If it is easy to patch a system, it will be patched sooner and more often. A good system administrator is often a great line of defense. But it is also the skillful ability of the team to apply defensive measures, such as egress filtering on all firewalls and consistently updating all relevant defences, like IPS and AV.
 
Situational Awareness remains important. It means that you can do a quick assessment to determine which parts of your estate are well defended and which parts need attention or may need to be turned off altogether. The sooner you are aware of a problem, the sooner it can be addressed. The better you can observe the evolution of the attacks, the better you know how quickly you need to act.
 
Mitigating Controls. Often defensible infrastructure, craftsmanship and operational intelligence save your hide, but external factors like a previously unknown vulnerability or a new attack cause the defense to fail. For instance, the invention of the crossbow signified the end of chainmail armor. In these cases mitigating controls like shields or a harness are needed even if they are expensive or heavy and restrict freedom of motion.
 
In short, we need to realize that we are living in a fragile and hostile environment and start building our systems accordingly. We need to expect these systems to fail, especially if these systems are built with fragility and hostility in mind. In the meantime we have to invest in the skillful abilities of our system administrators and engineers.
 
Let's be careful out there.
 
