Experts warn of ‘Bash Bug’ affecting Mac, Linux; what are the risks? (Q&A)

  • By The Associated Press
  • Friday, September 26, 2014 10:11am
  • News
The Associated Press

The Associated Press

By The Associated Press

NEW YORK (AP) —

Internet security experts are warning that a new programming flaw known as the “Bash Bug” may pose a serious threat to millions of computers and other devices such as home Internet routers.

Even the systems used to run factory floors and power plants could be affected.

So, is it time to panic? Here are some common questions and answers about the latest security scare.

Q. What is the Bash Bug, and why is it a big deal?

A. The bug, also known as “Shellshock,” is in a commonly used piece of system software called Bash. Bash has been around since 1989 and is used on a variety of Unix-based systems, including Linux and Mac OS X.

Devices that use Unix in some form include many servers, routers, Android phones, Mac computers, medical devices and even the computers that create bitcoins.

Systems running power plants and municipal water systems could also be affected by the bug, though security experts already recommend that these systems remain disconnected from the Internet to avoid opening them to such risks.

Bash is a command shell — “the thing you use to tell your computer what you want it to do,” explains Christopher Budd, global threat communications manager at security firm Trend Micro.

Thus, exploiting a security hole in Bash means telling your computer, or other systems, what to do.

Q. Why are people saying it’s worse than “Heartbleed,” the flaw that exploited security technology used by hundreds of thousands of websites?

A. While Heartbleed exposed passwords and other sensitive data to hackers, Bash Bug lets outsiders take control of the affected device to install programs or run commands.

On the other hand, Bash Bug might be harder to exploit. Heartbleed affected any system running

OpenSSL, a common Web encryption technology. With Bash Bug, your system actually has to be using Bash, Budd said. There are multiple types of command shells, so even if Bash is installed, the system could actually be using a different one.

Q. It’s been a quarter century since Bash came out, so why is the bug a threat now?

A. That’s because someone — Stephane Chazelas of Akamai Technologies Inc. to be specific — just found it.

Heartbleed was around for more than two years before it was discovered.

Q. Should you be worried?

A. For now, the Bash Bug appears to be more of a potential nuisance than a major threat.

It’s a more vexing problem for Mac owners.

The Bash Bug makes it easy for hackers to take control of a Mac running on a public Wi-Fi network, such as one in a coffee shop or airport, said Chris Wysopal, chief technology officer of computer security firm Veracode.

At home, a hacker who takes control of an Internet router could consume so much bandwidth for online mischief that the owner gets hit with a huge bill from service providers that impose monthly data caps, said Dave Lewis, Akamai Technologies’ global security advocate.

Another possible security problem: A hacker who seizes control of a vulnerable Web server might collect online passwords stored in databases, said Joe Siegrist, CEO of LastPass, a service that stores and protects passwords.

The threat doesn’t appear to be as high as with Heartbleed, however.

The Bash Bug could cause massive damage if it’s used to create an Internet “worm” — lines of malicious computer coding that wiggle from one vulnerable server to the next.

A worm that reaches pandemic proportions could bog down the Internet and even render some services inaccessible. At this point, a worm feeding on the Bash Bug looms as a theoretical threat.

Q. What can you do about it?

A. Everyday users can’t do much right now, except to wait for manufacturers to release fixes for their products. Budd recommends applying the patches for routers, Macs and other devices as they come out.

Even if a fix is developed, getting it could be another matter.

Budd expects that to be an issue with Android phones, because their manufacturers and carriers are often slow to push out the system updates that Google provides.

Of course, it always helps to run up-to-date security software on your devices.

Q. Should these recurring security breakdowns cause people to reassess society’s ever-increasing dependence on the Internet?

A. Probably, given that the revelations about Bash Bug and Heartbleed surfaced within six months of each other.

What’s especially troubling about Bash Bug is that it’s been hiding in plain sight for the past two decades, even as millions of more machines came online to widen the threat.

Furthermore, these risks are likely to escalate as people store more documents, photos, videos and even medical records over the Internet.

At the same time, technology is expected to make it possible to plug just about everything imaginable into the Internet, be it coffee machines or automobiles.

We’ll just have to live with technological risks. As Lewis noted, “We are already too far down the road to take a step back.”

More in News

Sam Grello, the executive director of the Port Angeles Waterfront District, strings lights on a tree in downtown Port Angeles on Thursday. The district procured professional-grade lights to last several years and will work to brighten the downtown area for the holiday season. (Kelley Lane/Peninsula Daily News)
Holiday spirit

Sam Grello, the executive director of the Port Angeles Waterfront District, strings… Continue reading

From left to right, donors Ann Soule and Dave Shreffler, Clallam County commissioner Randy Johnson, Peninsula Behavioral Health (PBH) CEO Wendy Sisk, PBH Board President Dave Arand and Port Angeles City Manager Nathan West break ground for PBH’s new housing project, North View. Once completed next December, North View will have 36 units available to provide permanent, supportive housing for those who have experienced chronic homelessness. (Emma Maple/Peninsula Daily News)
Peninsula Behavioral Health breaks ground on 36-unit housing project

North View to serve those chronically homeless

Mauro recognized by city management association

John Mauro has been recognized by the Washington City… Continue reading

Overnight lane closures to start Sunday on US Highway 101

Contractor crews will close lanes overnight on U.S. Highway… Continue reading

Health care model relies on reimbursement

Olympic Medical Center is unlike almost any other business… Continue reading

The Commons at Fort Worden to close through winter

Hospitality services will move to The Guardhouse beginning Monday

City of Port Angeles adopts balanced budget

Revenue, expenses set about $157 million

Olympic Medical Center commissioners will consider potential partnerships with other health organizations to help the hospital’s long-term viability. (Dave Logan/for Peninsula Daily News)
Olympic Medical Center to explore outside partnership

Process to explore long-term viability

After learning about each other through a genealogy service 15 years ago and speaking on the phone for years, Steven Hanson of Montevideo, Minn., and Sue Harrison of Sequim met for the first time a few weeks ago. The siblings were placed for adoption by their biological mother about 10 years apart. (Matthew Nash/Olympic Peninsula News Group)
Adopted as babies, siblings meet decades later

Sequim woman started search for biological family 15 years ago

Derek Kilmer.
Kilmer looking to next chapter

Politician stepping down after 20 years

Jefferson County PUD General Manager Kevin Streett plans to retire next summer. (Elijah Sussman/Peninsula Daily News)
Jefferson County PUD general manager to retire

Kevin Streett plan to serve until June 2025