Web security: don’t be shellshocked

For years, it’s been assumed that Windows-based PCs were at risk of security threats, and that Linux and Mac systems were safe, because not enough people used them to make aiming viruses at them worth the scammers’ time. But the new dangers are not viruses – they’re weaknesses in web systems that all computers use. It’s this that gives them such a potentially huge impact.

The three recent security flaws to hit the news are just little corners of systems left unsecured when they were developed. The web has changed so much, in terms of both how it’s coded and how we use it, that weak spots develop as new capability develops around them.

Heartbleed was the first of the new weak spots to be discovered. It attacks the SSL algorithms that make financial data secure on the internet. Basically, it meant that websites with the hyper-secure ‘https’ prefix – the ones we use for pushing our money around the place – had a small window open in the basement. Heartbleed compromised, potentially, the users of over half a million websites, including online banks and shopping outlets. The fixes began the instant the flaw was discovered, but they are still ongoing.

The best advice we can offer is to check with all the websites you send sensitive information through – all those with ‘https’ at the beginning – and see that they’ve patched their server. Then change your passwords. To find out more, read these articles in CNET, Business Insider and Vox.

Shellshock is a flaw in the Bash shell, which is essentially the Linux or Unix equivalent of the Windows command prompt. This is a pretty basic element of the operating system; Bash has been around for over 25 years and is extremely widely used in the Linux community. The good news is this one doesn’t impact on Windows computers, but the bad news is that many of the devices that provide security defences for networks, such as firewalls, are vulnerable – along with websites. Many of these have already been patched, but businesses should check with their providers.

There are informative articles on CNET, Business Insider, and Vox.

BadUSB is the most recent flaw to emerge in the news, and it gets us where it hurts – in our phones. It’s centred on code that underlies the ubiquitous USB protocol, which malware can search for and attach itself to, only to wreak havoc when the device is plugged into another computer – your laptop, say, or a colleague’s PC. Signs are that this is an open door that can be exploited easily, and would give attackers the ability to access data on a system that’s connected to a USB. At the moment nobody really knows how to fix it, and as we all know, USB devices are everywhere. Our best advice at this stage is to limit your USB use wherever possible, especially of devices with a memory component. And remember that most devices have memory these days.

To learn more, see Business Insider and Wired.

We work hard to provide all our clients with the best possible web security. If you’re not sure yours is up to the mark, get in touch.