Shellshock, Heartbleed, and the Gradual Downfall of Open Source

[Image: the number 404 with shatter marks, credit: Wired.com]
Back in April, we reported on Heartbleed, a vulnerability found in OpenSSL, an open source implementation of SSL. SSL is designed to protect the transmission of sensitive and important information over the web.

A new bug, already turned into a working exploit, has recently been discovered. This one is called Shellshock, and it lies in the very base structure of the internet itself. In fact, Wired says this is just the beginning.

In 1987, Brian Fox drove from Boston, Massachusetts, to Santa Barbara, California, with two massive reel tapes in the trunk of his car. On those tapes was Bash, a tool for the UNIX operating system he had written and tagged with a license that let anyone use the code and even redistribute it to others. After arriving in California, Fox continued to work on Bash, and gained other developers on his team to develop it as well. Eventually, Chet Ramey, a developer from Case Western Reserve University in Cleveland, took charge of the project and works on Bash in his spare time.

Bash found its way onto tens of thousands of machines. But somewhere along the way, in about 1992, one engineer typed a bug into the code. Last week, more than twenty years later, security researchers finally noticed this flaw in Fox’s ancient program. They called it Shellshock, and they warned it could allow hackers to wreak havoc on the modern internet. – Wired.com

Ramey isn’t positive, but told Wired he wouldn’t be surprised if he himself coded the bug back around 1992. That makes it possibly the oldest significant-yet-unpatched bug currently known, at least as far as anyone can figure out.

It makes one wonder if Open Source is as good as people claim it is.

Open Source is accessible. It’s often free, or very cheap, and extremely customizable because its source code isn’t hidden behind compiled executables. Anyone with programming knowledge can peer into its depths and change, update, or fix what they see. The idea behind Open Source was to use the “Many Eyes” rule developed by Linus Torvalds. It touted faster software releases and fixes, more secure software, and fewer bugs. In an ideal Open Source world, this would likely be the case.

“[T]here’s a lot of code that doesn’t actually get very many eyes at all,” Torvalds told Wired. “And a lot of open-source projects don’t actually have all that many developers involved, even when they are fairly core.”

This lack of developers defeats the purpose and idea behind Open Source and the “Many Eyes” ideal.

Another situation this brings to light is the lack of security auditing actually being done. A lot of the older code that sits at the core of the internet was written at a time when auditing it didn’t really make sense. Its authors never predicted that it would become such an integral piece of the communications network they were building. And, by the time auditing did make sense, the software had already been in use for 15 years. That doesn’t mean that large companies with the manpower and ability to do such audits shouldn’t have done them; they didn’t because the code was simply accepted as safe.

Even with Shellshock, Brian Fox is still proud of the project he once drove across the country. “It’s been 27 years of that software being out there before a bug was found,” [Ramey] says. “That’s a pretty impressive ratio of usage to bugs found.” – Wired.com

PCWorld Magazine reported that patches have already been released, and have also already been hacked. According to their article, “…neither patch addressed the underlying risky behavior of parsing remotely originating strings.”

Red Hat product security researcher Florian Weimer has developed a more durable patch, and Ramey has accepted it as Bash-4.3 Official Patch 27, made official last Saturday. Google security engineer Michal Zalewski recommends deploying Weimer’s patch manually unless your Linux distribution is already deploying it on its own. An easy way to tell is by typing foo='() { echo not patched; }' bash -c foo on your command line. It will either respond that the command was not found, which means the patch is in place, or it will respond that your system is not patched.

This patch from Weimer also covers several other vulnerabilities recently discovered by Zalewski, two of which have not yet been publicly announced.
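The one-line check above is handy at a prompt, but on a fleet you want it as a script that returns a status a configuration-management or monitoring job can act on. The following is an added example, not code from the article, from Weimer's patch or from the Bash project: it wraps the same check in a POSIX sh function, treats a missing bash as a separate outcome rather than silently reporting "patched", and returns 0 only when the child bash refused to import the function. The function name and its exit codes are this example's own choices.

```shell
#!/bin/sh
# Added example: report whether the local bash still imports shell functions
# from arbitrary environment variables (the behaviour Weimer's patch removes).
#
# Exit codes chosen for this example:
#   0 = patched (child bash did not import "foo")
#   1 = not patched (child bash ran the function defined in the env var)
#   2 = bash is not installed, so nothing could be tested

shellshock_env_import_check() {
    if ! command -v bash >/dev/null 2>&1; then
        echo "bash not installed; nothing to check"
        return 2
    fi

    # Same probe as the article: export a variable whose value looks like a
    # function definition, then ask a child bash to run it by name. A patched
    # bash ignores the variable and reports "command not found" instead.
    out=$(foo='() { echo not patched; }' bash -c foo 2>&1)

    case "$out" in
        *"not patched"*)
            echo "NOT PATCHED: bash imported a function from env var 'foo'"
            return 1
            ;;
        *)
            echo "patched: child bash replied: $out"
            return 0
            ;;
    esac
}

# Also record the bash version string alongside the result, which helps when
# comparing hosts against the patch level your distribution ships.
bash_version_string() {
    command -v bash >/dev/null 2>&1 || { echo "none"; return 0; }
    bash -c 'printf "%s\n" "$BASH_VERSION"'
}

echo "bash version: $(bash_version_string)"
shellshock_env_import_check
```

Run it on each host and feed the exit code to whatever inventory you keep; a 1 marks a host that still needs Weimer's patch, a 2 marks a host where the shell itself is absent and the check does not apply.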

Happy Autumn 2014!

[Image: Autumn 2014 Google Doodle. Today’s Google Doodle celebrates the Autumnal Equinox, credit: google.com]
Today’s Google Doodle celebrates the colors of Fall with an animated image showing a figure walking along a line of trees. As the figure passes, the trees each change colors from shades of grey to shades of red and gold before falling off to reveal the Google name spelled by the trees’ bare branches. A single leaf remains for a second longer before drifting down to rest on the head of the figure.

Metro states, “Equinox, from the Latin for ‘equal night’, occurs when the Earth’s axis tilts neither towards nor away from the Sun, making day and night of roughly equal length – though not exactly.”

According to a list on Wikipedia, the equinoxes in both March and September have important cultural significance in addition to marking seasonal weather changes and the balance of daylight and night. Some examples include Mabon, a pagan festival of thanksgiving for the fruits of the earth and a recognition of the need to share them to secure the blessings of the Goddess and the God during the coming winter months, for the Northern hemisphere, and Ostara, inaugurating the new year on the Zodiacal calendar, as well as the time of rebirth or return for vegetation gods and a time of great fertility, for the Southern hemisphere.

Oops! Was Your GMail Password Leaked?

[Image: GMail envelope logo. 5 Million GMail Passwords Leaked in Russian Bitcoin Forum, credit: Cairo on Flickr]
Today, it was reported that a Russian Bitcoin forum was the location of a massive leak of approximately 5 million GMail usernames and passwords. The list was reportedly posted on Tuesday, according to the Russian site CNews. According to the poster of the list, approximately 60% of the accounts were still accurate.

However, the “leak” appears to be a list of passwords that were phished and scammed from users over a length of time, and many may have already been updated or the accounts themselves are long since inactive and/or suspended.

The leak also includes account information from Yandex, the largest Russian search engine.

According to Google and Yandex via CNews, their systems have not been compromised, hence the theory that the list of accounts was assembled from various phishing attempts over time. If you’re not certain and want to be safe, it is best to change your password. Changing any and all account passwords on a regular basis is always a good idea and security practice.

A site, https://isleaked.com/en.php, is searching the leaked list to find potentially compromised accounts. You can enter your GMail address into the form, and it will search for it. If you do not want to enter your full email address, you can enter portions of the address and it will search for similar patterns. For example, entering du****7**gmail.com will match any email address on the list with those characters.