Security breach fatigue. We all have it. Get a sandwich delivered to your office, or have a set of keys made at a hardware store, and you’ll probably need to get your credit cards replaced. The digital infrastructure in our offices isn’t much different. Eventually, a vulnerability will be found in almost every system. Just when we thought it was safe to go back in the water after ‘heartbleed,’ there’s a new IT security scare called ‘shellshocked.’
In a nutshell, it’s a problem with what is called the bash shell. Internet bad guys can send specially crafted, malicious commands through an interface that relies upon bash commands and injecting nasty code that results in a compromised server. Linux and Mac OSX servers are vulnerable. Windows servers are not. Let that be a lesson that ‘security through obscurity’ is not a good working model.
Anyway, the nitty gritty is that this doesn’t impact you unless you have Mac or Linux servers that are exposed to the internet, meaning that they host things like a web site, or email, or FTP. For Mac servers, we are currently monitoring Apple’s response to this security event. They have not yet provided a patch for OSX. If Apple drags their feet on supplying a fix, it may be necessary to shift gears and apply a custom solution. We are prepared to switch gears for our clients as the situation evolves.
Most flavors of linux have updates available that will need to be applied and we are working with our affected customers to remediate these issues. It must be said though: you need to consider more than just the gear in your network closet. Your website provider may be upgrading their servers according to a rolling schedule or leave this task to you outright. You should take note of your web server’s name and check your hosting partner’s support site. Their twitter feed is usually a good first place to find their response to shellshocked.
Companies with hosted linux virtual machines in places like Amazon’s EC2 system should not assume that the vendor will take care of this for you. Bottom line, if you have a linux server that provides any level of functionality to your customers, you need to execute a high level of due diligence to ensure that your systems are safe. If you need assistance with this process, we are more than happy to assist with a calm, measured and tactical response that will ease your IT fatigue.