Blog posts by Alexei Balaganski

Windows 10 will support FIDO standards for strong authentication

At KuppingerCole, we have been following the progress of the FIDO Alliance for quite some time. Since its specifications for scalable and interoperable strong authentication were published last year, FIDO has already seen several successful deployments in collaboration with industry giants such as Samsung, Google and Alibaba. Probably its biggest breakthrough so far, however, was announced just a few days ago by none other than Microsoft: according to the announcement, the upcoming Windows 10 will include support for FIDO standards to enable strong, password-free authentication for a range of consumer and enterprise applications.

We knew, of course, that Microsoft has been working on a new approach to identity protection and access control in its next operating system. Moving away from passwords towards stronger and more secure forms of authentication has been declared one of the top priorities for Windows 10. Solutions like smartcards and OTP tokens have existed for decades, of course, but in today’s heterogeneous and interconnected world, relying on a traditional enterprise PKI or limiting ourselves to a single vendor’s solution is obviously impractical. A new kind of identity is needed, one that works equally well for traditional enterprises and in consumer and web scenarios.

Now, unless you have been avoiding all news from Microsoft in recent years, you have probably already guessed their next move. Embracing an open standard that lets third-party manufacturers build compatible biometric devices, and providing a common framework for hardware and software developers to build additional security into their products instead of erecting another “walled garden”, isn’t just a good business decision; it’s the only sensible strategy.

Microsoft joined the FIDO Alliance as a board member in December 2013 and has been actively contributing to the development of the FIDO specifications since. Apparently, a significant part of its designs will be included in the FIDO 2.0 specification, which will then be incorporated into the Windows 10 release. Unfortunately, it is a bit too early to talk about the specifics of that contribution, since the FIDO 2.0 specifications are not yet public.

However, it is already possible to get a peek at some of the new functionality in action. The current Windows 10 Technical Preview already provides several integration scenarios for Windows sign-in, Azure Active Directory and a handful of major SaaS services, including Microsoft’s own Office 365 and partners such as Salesforce, Citrix and Box. Using Azure Active Directory, it is already possible to achieve end-to-end strong two-factor authentication entirely without passwords. The Windows 10 release will add support for on-premises Active Directory as well as integration with consumer cloud services.

And, of course, since this authentication framework is built on an open standard, third-party developers will be able to integrate it quickly with their products and services, security device manufacturers will be able to bring a wide array of interoperable strong authentication solutions to market, and enterprise users will finally be able to forget the words “vendor lock-in”. If this isn’t a win-win situation, I don’t know what is.

Privacy Issues in Mobile Security

It is estimated by the International Telecommunication Union that the total number of mobile devices in the world has already exceeded the number of people. Mobile devices are becoming increasingly advanced as well. In fact, modern smartphones are as powerful as desktop computers, but “know” much more about their owners: current and past location, contents of their private text messages, photos and other sensitive information, as well as their online banking credentials and other financial data. They are also always connected to the Internet and thus are especially vulnerable to hacking and malware exploits.

Growing adoption of cloud services has brought its own share of privacy concerns: more and more sensitive data is managed by third parties, so users are losing visibility and control over their information. It is social computing, however, that has had the most profound impact on our society. Ultimately, it has led to a significant erosion of the public expectation of privacy and has made it nearly impossible to undo the accidental sharing of private information. Some have gone as far as to claim that privacy is no longer relevant. This could not be further from reality: study after study indicates that users value their privacy and strongly object to their personal data being shared with third parties without consent. Many users, however, still do not have a clear understanding of the extent to which mobile devices can affect their privacy.

As mobile technologies become more sophisticated, general public awareness of the associated risks simply cannot keep up. Every day, mobile users can fall victim to yet another method of tracking, stalking or privacy abuse. Stolen personal information has become a valuable commodity on the black market, and it includes not just financial or medical records but any kind of PII that can serve as a key to your other assets. It is not just criminals who are after this kind of loot: telecommunications providers, search engines and social network operators collect as much information about their users as they can, to use it for targeted advertising or simply to resell it to third parties. And, after Snowden, do we even need to mention government agencies?

For enterprise IT departments, the growing adoption of mobile devices has brought its own share of headaches. One of the biggest current challenges for the IT industry is undoubtedly Bring Your Own Device (BYOD). While the technical challenges are massive, a proper BYOD strategy must address privacy issues as well. Many organizations overlook them, because questions such as liability for private data leaked from or lost on company-managed devices still vary from country to country and are often considered a grey area of current laws and regulations. These regulations are changing, however, and to stay on the safe side companies should always study and address the legal aspects of their mobile device policies carefully: a mistake can cost a fortune. KuppingerCole provides this kind of expertise as well.

However, regulations alone cannot solve the fundamental cause of so many privacy-related problems of current mobile platforms. As mentioned earlier, modern smartphones and tablets have the same computing power as desktop computers. Yet, both consumers and device manufacturers still fail to realize that mobile devices need at least the same level of protection against malware and hackers as traditional computers.

Modern mobile platforms are based on Unix-like operating systems and incorporate various low-level security features such as hardware isolation or code signing. Yet they are still far behind desktop or server systems when it comes to more sophisticated security tools like firewalls or application control. Even worse, no modern mobile platform includes built-in, vendor-neutral security APIs that would allow third-party developers to create such tools. Although several solutions are available on the market now (such as Samsung KNOX), they are all limited to a small number of supported devices and have security issues of their own.

Modern mobile platforms are also much more closed than desktop operating systems, and this is a source of privacy concerns in its own right. Consider a typical situation on iOS: we learn about data leaks or other violations in a standard app, and it takes months for Apple to even acknowledge the problem, let alone release a patch. The open nature of Android’s ecosystem, on the other hand, leads to platform fragmentation, and vendors often simply stop supporting older devices altogether. Despite their differences, the result is the same: because of fundamental deficiencies in their platforms, both vendors fail to provide adequate means of protecting users’ privacy.

Thus, it is clear that long-term solutions to these problems require a major paradigm shift. Privacy cannot be protected by government regulations or “bolt-on” security products; it has to become an integral part of every mobile platform and application. Unfortunately, this stands in stark contrast to the goals of many hardware and software vendors, with only a few so far realizing the business value of “privacy by design”. To break the current trend of hoarding as much personal information as possible, consumers, enterprises and regulators have to join forces and make it clear to everyone that the long-term losses from violating customers’ trust will always outweigh the short-term gains.

For more information and concrete recommendations to enterprises, mobile device manufacturers and application developers please refer to KuppingerCole’s Advisory Note “Dealing with privacy risks in mobile environments”.

This article has originally appeared in the KuppingerCole Analysts' View newsletter.

Amazon WorkMail – a new player on the Enterprise Email and Calendaring market

Amazon Web Services has made headlines again today by announcing Amazon WorkMail, a managed email and calendaring service aimed at corporate customers. This is obviously a direct challenge to its biggest competitors, namely Google and Microsoft, and the differentiators Amazon is focusing on are ease of use and security.

Amazon WorkMail is described as a fully managed replacement for an organization’s legacy email infrastructure. Since the service is compatible with Microsoft Exchange and can integrate with an existing on-premises Active Directory, migration should be quick and seamless, and since AWS takes over most administrative tasks, such as patching and backups, it can dramatically reduce administration effort and cost.

Although WorkMail has its own web interface, AWS is more focused on supporting existing mail and calendaring tools. Any ActiveSync-capable client, including Microsoft Outlook for Windows and OS X as well as the native iOS and Android mail apps, is supported without installing any plug-ins. Migration from an on-premises Exchange server can be completely transparent and requires no changes on end-user devices; a migration wizard is provided as part of the package.

With the new service, AWS is also placing great emphasis on security. Email has long been an integral part of daily business processes, so a lot of sensitive corporate information passes through it and ends up stored on the mail server. By integrating with the AWS Key Management Service, WorkMail automatically encrypts all email data at rest while leaving control over the encryption keys with the customer. It is also possible to restrict storage of this information to a specific geographical region to comply with local privacy regulations.

Last year, AWS announced their Zocalo service for secure storage and sharing of enterprise data, a direct competitor to other cloud storage services like Dropbox or Google Drive. Needless to say, WorkMail is tightly integrated with Zocalo, allowing the secure exchange of documents instead of sending them as unprotected attachments. In fact, AWS offers a bundle of WorkMail with Zocalo for an attractive price.

There is one potential misunderstanding, however, which I feel obliged to mention. Even with all its integrated security features, WorkMail cannot be considered a true end-to-end encryption solution: to serve standard clients over standard protocols, the service itself must be able to decrypt messages, so encryption at rest protects against lost disks and stray backups but not against anyone able to operate or compel the service. This is another example of the trade-off between security and convenience, and Amazon simply had to make it to ensure compatibility with existing email programs and protocols.

Still, with an impressive integrated offering and traditionally aggressive pricing model, Amazon WorkMail is definitely another step in AWS’s steady push towards global market leadership.

FIDO Alliance announces final FIDO 1.0 specifications

Yesterday, culminating over 20 months of hard work, the FIDO Alliance published the final 1.0 versions of its Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) specifications, apparently setting a world record in the process for the fastest development of a standard in the identity management industry.

I wrote a post about the FIDO Alliance in October, when the first public announcement of the specifications was made. Since then, I have had an opportunity to test several FIDO-compatible solutions myself, including the Security Key and YubiKey NEO-n from Yubico, as well as the FIDO Ready fingerprint sensor in my Galaxy S5 phone, which now lets me access my PayPal account securely. I have studied the documentation and reference code for building U2F support into web applications and cannot wait to try it myself, seeing how easy it looks. Probably the only thing stopping me right now is that my favorite browser hasn’t implemented U2F yet.

Well, I hope that this will change soon, because that is what publishing finalized specifications is about: starting today, FIDO Alliance members are free to officially market their FIDO Ready strong authentication solutions, and non-members are encouraged to deploy them with peace of mind, knowing that their implementations will interoperate with current and future products based on these standards. Press coverage of the event seems to be quite extensive, with many non-technical publications picking up the news. I believe that to be another indication of the importance of strong and simple authentication for everyone. Even those who do not understand the technical details are surely picking up the general message of “making the world free of passwords and PINs”.

Those interested in the technical details will probably want to know what changed in the final version since the last published draft; I am sure these changes can be found on the FIDO Alliance’s website or in one of its webinars. More importantly, products released earlier remain compatible with the final specification, and we should expect many new product announcements from FIDO members really soon. We should probably also expect more companies to join the alliance now that the initiative is gaining traction. Mozilla Foundation, that includes you as well!

In the meantime, my congratulations to FIDO Alliance on another important milestone in their journey to the future without passwords.

Quis custodiet ipsos custodes?

Or, if your Latin is a bit rusty, “who will guard the guards themselves?” This was my first thought when I read an article published by Heise Online. Apparently, popular security software from Kaspersky Lab, including at least Kaspersky Internet Security and Kaspersky Anti-Virus, is still susceptible to the now well-known POODLE attack. POODLE lets an attacker positioned between client and server force the connection down to SSL 3.0 and then abuse the protocol’s weak CBC padding check as a padding oracle, recovering secrets such as session cookies one byte at a time.

When this vulnerability was published in October, many security researchers called for the immediate demise of SSL 3.0, a very outdated and in many respects weak protocol; however, quite a lot of older software still does not support TLS, its modern replacement. In the end, many web services as well as all major browser vendors implemented some sort of protection against the attack, either by disabling SSL 3.0 completely or by preventing downgrade attacks with the TLS_FALLBACK_SCSV signaling cipher suite value, which lets a client mark a retried handshake so that a server supporting a higher version can refuse the downgrade. For a couple of months, we felt safe again.

Well, it turns out that getting rid of POODLE isn’t as easy as we thought: it is not enough to harden both ends of the communication channel, you have to think about the legitimate “men-in-the-middle” as well, which may still be unpatched and vulnerable. This is exactly what happened to Kaspersky’s security products: as soon as the option “Scan encrypted connections” is enabled, they intercept an outgoing secure connection, decrypt and analyze its content, and then establish a new secure connection of their own to the destination website. Unfortunately, that new connection still allows SSL 3.0 and is therefore open to the exploit.
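To make the downgrade mechanics concrete, here is an added example in Go (written for this page; it is not code from Heise, Kaspersky or any browser vendor). It builds three constructed ClientHello records, parses them the way a server or a passive monitor would, and applies the two protections mentioned above: refusing SSL 3.0 outright, and honouring TLS_FALLBACK_SCSV as RFC 7507 prescribes. The three hellos are assumptions about what a modern browser, an intercepting proxy’s upstream connection and a fallback retry look like; the cipher suite numbers and the alert codes 70 (protocol_version) and 86 (inappropriate_fallback) are the registered values.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Protocol versions as they appear on the wire.
const (
	SSL30 uint16 = 0x0300
	TLS10 uint16 = 0x0301
	TLS12 uint16 = 0x0303

	// TLS_FALLBACK_SCSV (RFC 7507): a client retrying a handshake at a lower
	// version than it really supports puts this value into its cipher suite list.
	FallbackSCSV uint16 = 0x5600

	// Alert descriptions a server sends when it refuses the handshake.
	AlertProtocolVersion       byte = 70
	AlertInappropriateFallback byte = 86
)

// CBC-mode suites negotiable under SSL 3.0; POODLE abuses their padding check.
var cbcSuites = map[uint16]bool{0x000A: true, 0x002F: true, 0x0035: true, 0xC013: true, 0xC014: true}

// clientHello holds the ClientHello fields this check needs.
type clientHello struct {
	RecordVersion uint16
	ClientVersion uint16
	CipherSuites  []uint16
}

func be16(b []byte, v uint16) []byte { return append(b, byte(v>>8), byte(v)) }

// buildClientHello produces a minimal, well-formed ClientHello record as
// constructed test input (zeroed random, empty session ID, no extensions).
func buildClientHello(recordVersion, clientVersion uint16, suites []uint16) []byte {
	body := be16(nil, clientVersion)
	body = append(body, make([]byte, 32)...) // client random
	body = append(body, 0)                   // session ID length
	body = be16(body, uint16(2*len(suites)))
	for _, s := range suites {
		body = be16(body, s)
	}
	body = append(body, 1, 0) // compression methods: null only
	hs := append([]byte{0x01, byte(len(body) >> 16), byte(len(body) >> 8), byte(len(body))}, body...)
	rec := be16([]byte{0x16}, recordVersion) // content type 22 = handshake
	return append(be16(rec, uint16(len(hs))), hs...)
}

// parseClientHello walks the record and handshake headers and extracts the
// version fields and the cipher suite list.
func parseClientHello(rec []byte) (*clientHello, error) {
	if len(rec) < 9 || rec[0] != 0x16 || rec[5] != 0x01 {
		return nil, errors.New("not a ClientHello handshake record")
	}
	recLen := int(binary.BigEndian.Uint16(rec[3:5]))
	hsLen := int(rec[6])<<16 | int(rec[7])<<8 | int(rec[8])
	if recLen < 4 || 5+recLen > len(rec) || hsLen < 35 || 4+hsLen > recLen {
		return nil, errors.New("truncated ClientHello")
	}
	body := rec[9 : 9+hsLen]
	h := &clientHello{RecordVersion: binary.BigEndian.Uint16(rec[1:3]), ClientVersion: binary.BigEndian.Uint16(body[0:2])}
	p := 2 + 32 + 1 + int(body[34]) // skip client_version, random and session ID
	if p+2 > len(body) {
		return nil, errors.New("truncated session ID")
	}
	csLen := int(binary.BigEndian.Uint16(body[p : p+2]))
	p += 2
	if csLen%2 != 0 || p+csLen > len(body) {
		return nil, errors.New("bad cipher suite list")
	}
	for i := p; i < p+csLen; i += 2 {
		h.CipherSuites = append(h.CipherSuites, binary.BigEndian.Uint16(body[i:i+2]))
	}
	return h, nil
}

// offers reports whether any cipher suite in the hello satisfies pred.
func (h *clientHello) offers(pred func(uint16) bool) bool {
	for _, s := range h.CipherSuites {
		if pred(s) {
			return true
		}
	}
	return false
}

// hasSCSV: the client marked this hello as a downgraded retry.
func (h *clientHello) hasSCSV() bool { return h.offers(func(s uint16) bool { return s == FallbackSCSV }) }

// poodleExposed: SSL 3.0 is the best the client offers, and it offers CBC suites for it.
func (h *clientHello) poodleExposed() bool {
	return h.ClientVersion == SSL30 && h.offers(func(s uint16) bool { return cbcSuites[s] })
}

// serverResponse is the hardened server's decision for the version range it speaks.
// It returns the negotiated version, or a non-zero alert: protocol_version when
// SSL 3.0 is simply switched off, or inappropriate_fallback when the client signals
// a retry below the version the server could have spoken (RFC 7507, section 3).
func serverResponse(h *clientHello, serverMin, serverMax uint16) (uint16, byte) {
	switch {
	case h.ClientVersion < serverMin:
		return 0, AlertProtocolVersion
	case h.hasSCSV() && h.ClientVersion < serverMax:
		return 0, AlertInappropriateFallback
	case h.ClientVersion < serverMax:
		return h.ClientVersion, 0
	}
	return serverMax, 0
}

func main() {
	for _, x := range []struct {
		name string
		rec  []byte
	}{
		{"browser, TLS 1.2", buildClientHello(TLS10, TLS12, []uint16{0xC02F, 0xC013, 0x002F})},
		{"proxy upstream, SSL 3.0", buildClientHello(SSL30, SSL30, []uint16{0x0035, 0x002F, 0x000A})},
		{"fallback retry, SCSV", buildClientHello(SSL30, SSL30, []uint16{0x002F, FallbackSCSV})},
	} {
		h, err := parseClientHello(x.rec)
		if err != nil {
			fmt.Println(x.name, err)
			continue
		}
		v, alert := serverResponse(h, SSL30, TLS12) // a server that still allows SSL 3.0
		fmt.Printf("%-24s client_version=0x%04x poodle_exposed=%-5v negotiated=0x%04x alert=%d\n",
			x.name, h.ClientVersion, h.poodleExposed(), v, alert)
	}
}
```

The middle line of the output is the one to worry about: a server that still speaks SSL 3.0 happily negotiates it for the proxy’s upstream connection, and because that hello carries no SCSV, RFC 7507 offers no help; only switching SSL 3.0 off (in the server, or in the proxy) closes the hole. Pointed at a capture of the proxy’s outbound traffic, the same parser shows which version it really offers.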

Think about it: even if you have the latest browser with SSL 3.0 explicitly disabled, your antivirus software would silently make your security worse without telling you (your browser connects to the local proxy over current TLS, which looks perfectly safe). Just as I wrote about the Heartbleed bug in April: “there is a fundamental difference between being hacked because of ignoring security best practices and being hacked because our security tools are flawed”. The latter not only adds insult to injury, it can severely undermine users’ trust in security software, which in the end is bad for everyone, even the particular vendor’s competitors.

The problem appears to have been originally discovered by a user who posted his findings on Kaspersky’s support forum. I must admit I find the support engineer’s reply very misleading: the SSL vulnerability is by no means irrelevant, and one can imagine multiple scenarios where it could lead to sensitive data leaks.

Well, at least, according to Heise, the company is already working on a patch, to be released sometime in January. Until then, you should think twice before enabling this option: who is going to protect your antivirus, after all?

Regin Malware: Stuxnet’s Spiritual Heir?

As if the IT security community hadn’t had enough bad news recently, this week began with a big one: according to a report from Symantec, a new, highly sophisticated piece of malware has been discovered, which the company dubbed “Regin”. Apparently, its level of complexity and customizability rivals, if not trumps, that of its famous relatives such as Flamer, Duqu and Stuxnet. Obviously, the investigation is still ongoing and Symantec, together with other researchers like Kaspersky Lab and F-Secure, is still analyzing its findings, but even the scarce details available allow us to draw a few far-reaching conclusions.

Let’s begin with a short summary of the currently known facts (although I do recommend reading the full reports from Symantec and Kaspersky Lab; they are really fascinating, if a bit long):

  1. Regin isn’t really new. Researchers have been studying its samples since 2012, and the initial version seems to have been in use since at least 2008; several components carry timestamps from 2003. That makes you appreciate even more how it managed to stay under the radar for so long. Or did it? According to F-Secure, at least one company affected by this malware two years ago explicitly decided to keep quiet about it. What fertile ground for conspiracy theorists!
  2. Regin’s level of complexity trumps practically any other known piece of malware. Five stages of deployment; built-in drivers for encryption, compression, networking and virtual file systems; a variety of stealth techniques; multiple deployment vectors; and, most importantly, a large number of payload modules: everything indicates the level of technical competence and financial investment of a state-sponsored project.
  3. Nearly half of the affected targets have been private individuals and small businesses, and the primary vertical the malware appears to target is the telecommunications industry; according to Kaspersky Lab’s report, code for spying on GSM networks has been found in it. Geographically, the primary targets appear to be Russia and Saudi Arabia, as well as Mexico, Ireland and several other European and Middle Eastern countries.
So, is Regin really the new Stuxnet? Well, no. Surely, its incredible level of sophistication and flexibility indicates that it is most certainly the result of state-sponsored development. However, Regin’s mode of operation is the complete opposite of its predecessor’s. Stuxnet was a highly targeted attack on Iranian nuclear enrichment facilities with the ultimate goal of sabotaging their work. Regin, on the other hand, is an intelligence-gathering tool, and it does not seem to be aimed at a specific company or government organization. On the contrary, it is a universal and highly flexible tool designed for long-term covert operations.

Symantec has carefully avoided naming a nation-state or agency that may be behind this development, but the fact that no infections have been observed in the US or the UK is already giving people ideas. And, looking at the Regin discovery as part of a bigger picture, this makes me feel uneasy.

After Snowden’s revelations, there was a lot of hope that public outcry and pressure on governments would somehow lead to major changes limiting intelligence agencies’ powers for cyber spying. Unfortunately, nothing of the kind has happened yet. In fact, looking at the FUD campaign the FBI and DoJ are currently waging against mobile vendors (“because of your encryption, children will die!”), or at the fact that the same German BND intelligence service that is promoting mandatory encryption is quietly seeking to install backdoors at email providers and spending millions on zero-day exploits, there isn’t much hope for change left. Apparently, they are oblivious to the fact that they are not just undermining trust in the organizations that supposedly exist to protect us from foreign attackers, but are also opening new attack surfaces for those attackers by setting up backdoors and financing the development of new exploits. Do they honestly believe that such a backdoor or exploit won’t be discovered and abused by hackers? This could probably be a topic for a separate blog post…

Isn’t it ironic that among all the talks about Chinese and Russian hackers, the biggest threat to our cybersecurity might come from the West?

Getting a Grip on Operational Technology

Let’s begin with a couple of fundamental definitions:

Information Technology (IT) can be defined as a set of infrastructures, devices and software for processing information. A traditional IT system is in charge of storing, transmitting and transforming data, but it does not interface directly with the physical world.

Operational Technology (OT) is a set of hardware devices, sensors and software that support management and monitoring of physical equipment and processes within an enterprise, such as manufacturing plants or power distribution grids. OT deals with such components as various sensors, meters and valves, as well as industrial control systems (ICS) that supervise and monitor them.

The terms ICS and SCADA, by the way, are nowadays often used interchangeably; strictly speaking this isn’t correct, since Supervisory Control and Data Acquisition (SCADA) is just one type of industrial control system, others being embedded systems, distributed control systems (DCS) and so on. Traditionally, the term SCADA has been used for large-scale, geographically distributed control systems such as a power grid or a gas pipeline.

Historically, IT and OT have evolved quite independently, driven by completely different business demands, requirements and regulations. In a sense, Operational Technology predates the era of computers: the first manufacturing control systems weren’t even electronic! Early ICS were monolithic, physically isolated systems without network connectivity. Later generations were usually based on proprietary communication protocols and device-specific real-time operating systems. Driven above all by the demand for process continuity, they were usually designed without security in mind.

Current ICS, however, have gradually evolved towards large-scale systems based on open standards and protocols, such as IP, as well as using standard PCs running Windows as control workstations. They are becoming increasingly interconnected with office networks and the Internet. Yet, modern industrial networks are often still plagued with the same blatant disregard for security. The underlying reason for that has little to do with technology; on the contrary, it’s a consequence of a deep cultural divide between OT and IT. Operations departments usually consist of industry specialists with engineering background, while IT departments are staffed by people without knowledge of manufacturing processes. OT is usually managed by a business unit, with different requirements, strategies and responsibilities from IT. Instead of collaborating, they are often forced to compete for budgets and fight over issues that the other party simply sees as insignificant.

The times are changing, however. As we approach the new “connected” age, the technological divide between industrial and enterprise networks is disappearing. Smart devices or “things” are everywhere now, and embedded intelligence finds widespread use in industrial networks as well. A modern agile business constantly demands new ways of communicating with partners, customers and other external entities. All this creates exciting new opportunities. And new risks.

Opening OT to the world means that industrial networks are exposed to the same old security problems, such as malware and the lack of strong authentication. However, the challenges for information security professionals go far beyond that, and some of them traditional IT security is not yet capable of addressing. They include technical issues like securing proprietary programmable logic controllers (PLCs), business requirements like ensuring manufacturing process continuity, and completely new challenges like enabling massive-scale identity services for the Internet of Everything.

The convergence of IT and OT is therefore inevitable, even though the challenges organizations will face on the way look daunting. And it is the responsibility of IT specialists to lead and steer this process.

“If not us, then who? If not now, then when?”

This article has originally appeared in the KuppingerCole Analysts' View newsletter.

Big News from the FIDO Alliance

FIDO Alliance (where FIDO stands for Fast IDentity Online) is an industry consortium formed in July 2012 with a goal to address the lack of interoperability among various strong authentication devices. Currently among its members are various strong authentication solution vendors (such as RSA, Nok Nok Labs or Yubico), payment providers (VISA, MasterCard, PayPal, Alibaba), as well as IT industry giants like Microsoft and Google. The mission of the FIDO Alliance has been to reduce reliance on passwords for authentication and to develop specifications for open, scalable and interoperable strong authentication mechanisms.

KuppingerCole has been closely following the FIDO Alliance’s progress for the last couple of years. Initially, Martin Kuppinger was somewhat skeptical about the alliance’s chances of gaining enough support and acceptance among vendors. However, the number of new members joining the alliance, as well as announcements like the first FIDO authentication deployment by PayPal and Samsung earlier this year, confirm its dedication to leading a paradigm shift in the authentication landscape. It is not just about getting rid of passwords, but about giving users the opportunity to rely on their own personal digital identities, potentially bringing an end to the current rule of social logins.

After years of collaboration, the Universal Authentication Framework and Universal 2nd Factor specifications were made public in October 2014. This was closely followed by several announcements from alliance members unveiling products and solutions implementing the new FIDO U2F standard.

The one that definitely made the biggest splash is, of course, Google’s announcement that it is strengthening its existing 2-Step Verification with a hardware-based second factor, the Security Key. Although Google has been a strong proponent of multi-factor authentication for years, its existing infrastructure is based on one-time codes sent to users’ mobile devices. Such codes are not bound to the site the user is actually talking to, so a phishing page can simply ask for the code and relay it to the real site within its validity window; schemes of this kind are known to be prone to various attacks and cannot protect users from phishing.

The Security Key (a physical USB device manufactured by Yubico) enables much stronger verification based on public-key cryptography. The key generates a separate key pair for each service, bound to that service’s origin, and during login the browser (not the web page) tells the key which origin it is really talking to, so the resulting signature covers both the origin and the server’s challenge. A fake Google site therefore cannot obtain a signature that the real Google site will accept: the key, rather than the user, reliably tells a real Google website from a fake one. Surely, this first deployment based on a USB device has its deficiencies as well; for example, it won’t work on current mobile devices, since they all lack a suitable USB port. However, since the solution is based on a standard, it is expected to work with any compatible authentication devices or software solutions from other alliance members.

Currently, U2F support is available only in the Google Chrome browser, but since the standard is backed by such a large number of vendors, including major players like Microsoft and Salesforce, I am sure that other browsers will follow soon. Another big advantage of an established standard is the availability of libraries that make it quick to add U2F support to existing client applications and websites. Yubico, for example, provides a set of libraries for different languages, and Google offers open-source reference code for the U2F specification as well.
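The following is an added example, written for this page in Go using only the standard library; it is not Google’s or Yubico’s reference code. It walks through the U2F authentication step as the specification lays it out: the authenticator signs SHA-256 of the application identifier, a user-presence byte, a counter and SHA-256 of the client data; the browser (not the page) writes the real origin into that client data; and the relying party checks origin, challenge, presence, counter and signature before accepting the login. The appId https://accounts.example.com, the lookalike origin and the single-key “token” are constructed for the demonstration; a real device ties its key to the application parameter through the key handle, which is omitted here.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData is the JSON the browser hands to the token. The browser, not the
// web page, fills in origin; that is what ties the signature to the real site.
type clientData struct {
	Typ       string `json:"typ"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// registration is what the relying party keeps per enrolled key.
type registration struct {
	PubKey  *ecdsa.PublicKey
	Counter uint32
}

// token stands in for a U2F authenticator. Assumption: one P-256 key; a real
// device ties its key to the application parameter via the key handle.
type token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// signedBytes lays out exactly what U2F signs during authentication (69 bytes):
// SHA-256(appId) || user presence || 4-byte big-endian counter || SHA-256(clientData).
func signedBytes(appID string, presence byte, counter uint32, cd []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(cd)
	out := append(app[:], presence, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(out[33:37], counter)
	return append(out, chal[:]...)
}

// authenticate returns U2F signature data: presence || counter || DER-encoded ECDSA.
// appID is whatever the browser derived from the page's actual origin.
func (t *token) authenticate(appID string, cd []byte) ([]byte, error) {
	t.counter++
	digest := sha256.Sum256(signedBytes(appID, 0x01, t.counter, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, t.priv, digest[:])
	if err != nil {
		return nil, err
	}
	out := []byte{0x01, 0, 0, 0, 0}
	binary.BigEndian.PutUint32(out[1:5], t.counter)
	return append(out, sig...), nil
}

// verify is the relying-party side: origin, challenge, presence, counter and
// signature must all check out before the login is accepted.
func verify(reg *registration, appID, origin string, challenge, cd, sigData []byte) error {
	var c clientData
	if err := json.Unmarshal(cd, &c); err != nil {
		return fmt.Errorf("client data: %w", err)
	}
	if c.Typ != "navigator.id.getAssertion" {
		return errors.New("unexpected client data type")
	}
	if c.Origin != origin {
		return fmt.Errorf("origin %q is not %q: phishing or misconfiguration", c.Origin, origin)
	}
	if got, err := base64.RawURLEncoding.DecodeString(c.Challenge); err != nil || !bytes.Equal(got, challenge) {
		return errors.New("challenge does not match the one issued")
	}
	if len(sigData) < 6 || sigData[0]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	ctr := binary.BigEndian.Uint32(sigData[1:5])
	if ctr <= reg.Counter {
		return errors.New("counter did not increase: replay or cloned token")
	}
	digest := sha256.Sum256(signedBytes(appID, sigData[0], ctr, cd))
	if !ecdsa.VerifyASN1(reg.PubKey, digest[:], sigData[5:]) {
		return errors.New("signature invalid")
	}
	reg.Counter = ctr
	return nil
}

// browserClientData mimics the browser assembling client data for the token.
func browserClientData(origin string, challenge []byte) []byte {
	b, _ := json.Marshal(clientData{Typ: "navigator.id.getAssertion", Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	return b
}

func newChallenge() []byte { b := make([]byte, 32); rand.Read(b); return b }

// scenario runs one legitimate login, a relayed phishing attempt (as captured,
// then with the origin rewritten to match) and a replay against one registration.
func scenario() map[string]error {
	const appID = "https://accounts.example.com" // assumed relying party
	const phish = "https://accounts-example.com" // constructed lookalike
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tok, reg := &token{priv: priv}, &registration{PubKey: &priv.PublicKey}
	res := map[string]error{}
	ch1 := newChallenge()
	cd1 := browserClientData(appID, ch1)
	sig1, _ := tok.authenticate(appID, cd1)
	res["legitimate"] = verify(reg, appID, appID, ch1, cd1, sig1)
	// The victim's browser reports the lookalike origin and passes it to the token as appId.
	ch2 := newChallenge()
	cd2 := browserClientData(phish, ch2)
	sig2, _ := tok.authenticate(phish, cd2)
	res["phishing_relayed"] = verify(reg, appID, appID, ch2, cd2, sig2)
	res["phishing_tampered"] = verify(reg, appID, appID, ch2, browserClientData(appID, ch2), sig2)
	res["replay"] = verify(reg, appID, appID, ch1, cd1, sig1)
	return res
}

func main() {
	res := scenario()
	for _, k := range []string{"legitimate", "phishing_relayed", "phishing_tampered", "replay"} {
		fmt.Printf("%-18s %v\n", k, res[k])
	}
}
```

The legitimate login passes; the relayed phishing assertion fails on the origin check before the signature is even looked at; the tampered one (origin rewritten to match) fails on the signature, because the client data hash and the application parameter no longer match what the token signed; and the replayed assertion is stopped by the monotonic counter.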

In a sense, this first large-scale U2F deployment by Google is just the first step on a long journey towards the ultimate goal of getting rid of passwords completely. But a large group sharing the same vision has a much better chance of reaching that goal sooner than anybody planning to walk the whole way alone.

GlobalSign acquires Ubisecure, plans to win the IoE market

GlobalSign, one of the world’s biggest certificate authorities and a leading provider of digital identity services, has announced today that it has acquired Ubisecure, a Finnish privately held software development company specializing in Identity and Access Management solutions.

Last year, KuppingerCole recognized Ubisecure as a product leader in our Leadership Compass on Access Management and Federation. Support for a broad range of authentication methods, including national ID cards and banking cards, as well as integrated identity management capabilities with configurable registration workflows were noted as the product’s strengths. However, it is the solution’s focus on enabling identity services at large scale, targeted at governments and service providers, which KuppingerCole noted as Ubisecure’s primary strength.

Unfortunately, until recently the Helsinki-based company has only been present in EMEA (mainly in the Nordic countries), obviously lacking the resources to maintain a strong partner network. GlobalSign’s large worldwide presence, with 9 international offices and over 5000 reseller partners, provides a unique opportunity to bring Ubisecure’s technology to the global market quickly and with little effort.

GlobalSign, established in 1996, is one of the oldest and biggest, as well as reportedly the fastest growing certificate authorities on the market. After becoming a part of the Japanese group of companies GMO Internet Inc. in 2006, GlobalSign has been steadily expanding its enterprise presence with services like enterprise PKI, cloud-based managed SSL platform, and strategic collaborations with cloud service providers. With the acquisition of Ubisecure, the company is launching its new long-term strategy of becoming a leading provider of end-to-end identity services for smart connected devices, powering the so-called Internet of Everything.

Market analysts currently estimate that up to 50 billion such devices (or simply “things”) will be connecting to the Internet within the next 10 years. This may well be the largest technology market in history, with over $14 trillion at stake. Needless to say, the new trend brings new critical challenges that have to be addressed, such as device security and malware protection. Probably the biggest of all, however, is going to be providing identity services on a massive scale: mediating trust for billions of online transactions between people and “things” every minute and ensuring the safety of e-commerce, communications, and content delivery.

A company that manages to bring a service with such capabilities to the market first will definitely be in a very attractive position, and GlobalSign, with their strong background in identity-related solutions, massive existing customer base and a large partner network, is aspiring to grab that position by making Ubisecure’s innovative technology available globally. Time will tell how well they can compete against technological giants on the market, as well as against other API vendors with strong IAM background (Ping Identity and CA / Layer 7 come to mind). Still, recognizing a rare combination of innovative technology and solid market presence, we believe them to be a player in the market that is definitely worth looking at.

First Heartbleed, now Shellshock?

Half a year has passed since the discovery of the dreaded Heartbleed bug, and the shock of that incident, which many have dubbed the most serious security flaw in years, has finally begun to wear off. Then, last week, the security community was shocked again, when details of a new critical vulnerability in another widely used piece of software were made public after the initial embargo.

Apparently, Bash, arguably the most popular Unix shell, used on hundreds of millions of servers, personal computers, and network devices, contains a critical bug in the way it processes environment variables, which causes shell commands stored in those variables to be executed unintentionally (you can find a lot of articles explaining the details, ranging from pretty simple to deeply technical). Needless to say, this provides ample opportunity for hackers to run malicious commands on affected machines, whether they are connected to the network or not. What’s worse, the bug has remained unnoticed for over twenty years, which means that huge numbers of legacy systems are affected as well (as opposed to Heartbleed, which was caused by a bug in a recent version of OpenSSL).

Given the huge number of affected devices, many security researchers have already called Shellshock “bigger than Heartbleed”. In my opinion, however, comparing these two problems directly isn’t that simple. The biggest problem with the Heartbleed bug was that it affected even those companies that had been consistently following security best practices, simply because the most important security tool itself was flawed. To make matters worse, those who had failed to patch their systems regularly and were still using an old OpenSSL version were not affected at all.

The Shellshock bug, however, is different, since Bash itself, being simply a command-line tool for system administrators, is usually not directly exposed to the Internet, and the vulnerability can only be exploited through other services. In fact, if your IT staff has been following reasonably basic security guidelines, the impact on your network will already be minimal, and with a few additional steps it can be prevented completely.

The main attack vector for this vulnerability is, naturally, CGI scripts. Although CGI is a long outdated technology which, quite frankly, has no place on a modern web server, it’s still found on a lot of public web servers. For example, the popular Apache web server has a CGI module enabled by default, which means that hackers can use the Shellshock bug as a new means to deploy botnet clients on web servers, steal system passwords and so on. There have already been numerous reports about attacks exploiting the Shellshock bug in the wild. Researchers also report that weaknesses in DHCP clients or SSH servers can potentially be exploited as well; however, this requires special conditions to be met and can easily be prevented by administrators.

So, what are our recommendations for dealing with the Shellshock bug?

For consumers:

First of all, you should check whether your computers or network devices are affected by the bug at all. Computers running various Unix flavors are vulnerable, most importantly many Linux distributions and OS X. Obviously, Windows machines are not affected unless they have Cygwin installed. Most embedded network devices, such as modems and routers, although Linux-based, use a different shell, BusyBox, which doesn’t have the bug. As for mobile devices, stock iOS and Android do not contain the Bash shell, but jailbroken iOS devices and custom Android firmwares may have it installed as well.

A simple test for checking whether your shell is vulnerable is this command:

env X="() { :;} ; echo vulnerable" bash -c "echo hello"

If you see “vulnerable” in the output, your shell is affected and you should immediately look for a security update. Note that the command has to invoke bash explicitly: on many Linux distributions /bin/sh is a different shell (such as dash) which doesn’t have the bug, so running the test through /bin/sh would tell you nothing about the bash installed on the same machine. Many vendors have already issued patches for their OS distributions (although Apple is still working on an official patch, there are instructions available for fixing the problem DIY-style).

For network administrators:

Obviously, you should install security updates as well, but stopping there would not be a good idea. Although a series of patches for the currently described Bash vulnerability has already been issued, researchers warn that Bash was never designed with security in mind and that new vulnerabilities may be discovered in it later. A reasonable, if somewhat drastic, option would be to replace Bash on your servers with a different shell, since just about every other shell does not interpret commands stored in environment variables and is therefore inherently immune to this exploit.

Another important measure would be to check all network services that can interact with Bash and harden their configurations appropriately. This includes, for example, the ForceCommand feature in OpenSSH.

Last but not least, you should make sure that your network security tools are updated to recognize the new attack. Security vendors are already working on adding new tests to their software.

For web application developers:

Do not use CGI. Period.

If you are stuck with a legacy application you still have to maintain, you should at least put it behind some kind of “sanitizing proxy” service that filters out requests containing malicious environment variables. Many vendors offer specialized solutions for web application security; however, budget solutions built on open source tools like nginx are possible as well.
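Whether it lives in a sanitizing proxy, an updated IDS signature or a log review, the check both of the recommendations above rely on comes down to spotting the Bash function-definition prefix in request fields that a CGI handler copies into environment variables. As an added example that is not part of the original post, here is a Python scanner over constructed Apache access log lines; the log format, field names and sample client addresses are assumptions:

```python
"""Scan Apache combined-format access logs for Shellshock-style probes.
Hypothetical helper, not part of any vendor product: it flags the Bash
function-definition prefix "() {" in values a CGI handler would copy into
environment variables (request line, Referer, User-Agent)."""
import re
from urllib.parse import unquote

# Function-definition prefix, tolerant of spacing: "() {", "(){", "( ) {".
FUNC_DEF = re.compile(r"\(\s*\)\s*\{")

# Combined log format (assumed): host ident user [time] "req" status bytes "ref" "ua"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def find_probe(fields):
    """Return (field_name, snippet) for the first suspicious field, else None."""
    for name in ("request", "referer", "agent"):
        value = unquote(fields[name])  # also catches %28%29%20%7B-encoded probes
        m = FUNC_DEF.search(value)
        if m:
            return name, value[m.start():m.start() + 40]
    return None

def scan_access_log(lines):
    """Return [(line_no, client_host, field_name, snippet)] for probing requests."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = COMBINED.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format: skip rather than guess
        probe = find_probe(m.groupdict())
        if probe:
            hits.append((n, m.group("host"), probe[0], probe[1]))
    return hits

# Constructed sample lines, not real traffic. Line 2 carries the same harmless
# marker as the console self-test; line 3 hides it in a URL-encoded query string.
SAMPLE_LOG = [
    '203.0.113.5 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [25/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo vulnerable"',
    '198.51.100.9 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20vulnerable HTTP/1.1" 200 512 "-" "curl/7.37"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print("line %d from %s, %s: %r" % hit)
```

A request that a proxy can reject on this test is one that a patched Bash would also ignore, so the hit list mainly tells you who is probing and which legacy paths they aim at.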

So, if the Shellshock bug can be fixed so easily, why are security researchers so worried about it? The main reason is the sheer number of legacy devices that will never be patched and will remain exposed to the exploit for years. Another burning question for IT departments is: how long have hackers (or worse, the NSA) been aware of the bug, and for how long could they have been secretly exploiting it? Remember, the upper limit for this guess is 22 years!

And of course, in an even longer perspective, the problem raises a lot of new questions regarding the latest IT fad: the Internet of Things. Now that we already have smart fridges and smart cars and will soon have smart locks and smart thermostats installed everywhere, how can we make sure that all these devices remain secure in the long term? Vendors predict that in 10 years there will be over 50 billion “things” connected to a global network. Can you imagine patching 50 billion Bash installations? Can you afford not to patch your door lock? Will you be able to install an antivirus on your car? It looks like we need to have a serious talk with IoT vendors. How about next year at our European Identity and Cloud Conference?
