I’m more in #ShellShock about the speed of the attackers !

If you haven’t caught up with it yet, there is a vulnerability out there which is quite a serious one.

What’s gone wrong now ?

If you have Linux, Unix or Mac OS X then you need to keep your eyes out for updates … and then learn how to test them for vulnerabilities !

So this is the issue … Bash. It ships with all of the operating systems above, and that is where the problem lies :

I’ve given you a couple of links so you can get some breadth on the issue …

  1. Troy Hunt (LINK)
  2. Threatpost (LINK)
  3. CVE-2014-6271 (LINK)
  4. Akamai (LINK)

Well, am I affected ?

So yeah – that’s a biggie hey ?

Plenty of vendors have jumped on the scanner side of things to see if you are vulnerable :

  1. Errata Security (LINK)
  2. WebSecurify (LINK)
  3. Nessus (LINK)

Please note – you should use any tools you find on the internet with caution … only choose those you know or have been recommended by a competent security professional.

OK, you’ve probably run that and found you are vulnerable. Yep, bad times ahead, I’m afraid. For those with multiple systems, it’s going to be a long night in the office.

Woah, so how do I fix it ?

Well, it looks as simple as running the update manager :

  1. Update Manager (LINK)
  2. Ubuntu (LINK)
  3. Command line : apt-get update; apt-get upgrade; (Thanks to Matthew Pettitt for that ! LINK)

But … you said !

Disclaimer – this may fix this bug but could break everything that you were running, there may be a reboot and you never see your system again … backups please ladies and gents …. backups and test restores please.

OK, I’m still alive – now what ?

Test again … yes that’s right, check it’s been applied properly. (see section above !)

Phew, no problems here then !

Well not quite …

There is this bypass to look at :

bypass #shellshock patch: X='() { (a)=>\' bash -c "echo date" creates ./echo with contents of `date` output
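A scripted way to do the “test again” step and to check the bypass quoted above, as an added example rather than anything from the original post. It assumes `bash` and `mktemp` are on PATH, uses the widely published environment-variable probe for CVE-2014-6271, and runs the bypass pattern inside a scratch directory so its side effect (a file named `echo`) is contained and removed. A machine that prints anything other than `patched` for both checks still needs work.

```shell
#!/bin/sh
# Added self-check (not from the original post). Assumes bash and mktemp are on PATH.
# Each check prints exactly one word: vulnerable, patched, no-bash, or error.

# Check 1: CVE-2014-6271. A vulnerable bash keeps parsing past the end of a
# function definition imported from the environment and executes what follows it.
check_cve_2014_6271() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    # bash -c 'true' does nothing itself; only a vulnerable bash prints the marker.
    out=$(env X='() { :;}; echo VULNERABLE' bash -c 'true' 2>/dev/null) || true
    case "$out" in
        *VULNERABLE*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

# Check 2: the incomplete-fix bypass quoted above. The parser bug turns the
# "echo date" command into a redirection, so a file named "echo" appears in the
# working directory holding the output of `date`. Use a scratch directory so
# nothing of value is overwritten, then remove it.
check_patch_bypass() {
    command -v bash >/dev/null 2>&1 || { echo "no-bash"; return 0; }
    scratch=$(mktemp -d) || { echo "error"; return 0; }
    ( cd "$scratch" && env X='() { (a)=>\' bash -c "echo date" >/dev/null 2>&1 ) || true
    if [ -e "$scratch/echo" ]; then echo "vulnerable"; else echo "patched"; fi
    rm -rf "$scratch"
}

# One line per host, suitable for collecting from a fleet into a ticket.
shellshock_status() {
    echo "host=$(hostname 2>/dev/null) original=$(check_cve_2014_6271) bypass=$(check_patch_bypass)"
}

shellshock_status
```

Run it once before patching and once after; the “original” field covers the first advisory and the “bypass” field covers the incomplete-fix case, so an “after” line that still shows anything but `patched` for either means the package you installed is not the fixed one.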

Oh and also – keep an eye out for the bots that have been trying to gain access for the last 24 hours !

  • What ?!! there’s already an active bot for this ?!! (LINK)
  • Yeah – there’s also this reverse shell too (LINK)
  • Oh and this daemon that reboots machines (LINK)

And is that it ?

Well, essentially yes for now, but keep a lookout on Twitter as there are sure to be some big problems ahead as a result of this. If you aren’t sure then go get some help … it’ll be on the news shortly, so by then your boss will be OK to talk to you about it and will understand it. If you need a quick analogy … tell him we’re screwed and you’re going to resign. It’s easier than trying to fight the management team to try to get it fixed !!

The take away :

As technology becomes more pervasive and integrated into our lives, and as some systems come to the fore, so the patching of those technologies has to be thought about. In this situation there are going to be some systems which simply cannot be patched. There will be some embedded systems, legacy Unix boxes etc. which simply will not be able to be updated. The criminals were able to create an exploitative bot within hours while we were still warming up the PR departments to draft a catchy logo and first blog. The attackers yet again beat us. Add into the mix the TVs, routers, medical equipment, SCADA systems and other devices yet to be discovered, and we’re in for a bumpy ride – make sure you do your bit to keep the internet safe.

Underground, overground, travelling free !

So the Tube – the London Underground is going NFC for payment transactions then … [LINK] … can you see the weakness here ?

We’ve had Oyster cards for some time now in London as a means to pay at the turnstiles to travel on the London networks – bus, Underground etc. I assume some contractual issues came into play and the scheme was moved to a new contactless system. I noted that the tech at the turnstiles appeared not to change, which indicated that the readers stayed the same but perhaps the software behind the system did change.

So we have an NFC reader and a piece of software to read those NFC chips, to authenticate that the code being presented is indeed for a valid card.

I also noted a conversation with First Group commercial director in Manchester during 2013 when they were talking about trialling contactless payment systems.

This is definitely pointing to a payment-on-the-device environment coming up for the UK. I kind of support it, as it is rare that I go out without my device .. but I often forget to take my travel card !

I have a Samsung i9100P specifically for its NFC chip – I see NFC in several devices and with the announcement of the iPhone 6 – I see it also features NFC. The good news is that it can allow micro-payments not only from your bank but also against your phone provider which means you can use a variety of accounts. Massive benefits to the consumer – I can see its adoption.

I also see the criminals rubbing their hands in glee. How many bus drivers will be checking that the app you pay for the journey with is the genuine one ?

In the London Underground with good connectivity, they could probably spot the fake NFC payment coming in and block you going through the turnstiles but on a vehicle such as a bus or unmanned station – I can see fake apps springing up to allow you to reset your “payment card” to get free journeys.

I found this link some time ago [LINK] and yes indeed San Francisco has had this problem with a weakness in the NFC cards allowing them to be tinkered with.

But this is now 2 years later – with a rooted Android phone I can see NFC becoming an interesting new vector for attack … I wonder if anyone is :

  1. looking at it (vendor, supplier and corporate)
  2. thinking about it at a coding level at the vendor
  3. working out the legals of what is involved – is it illegal ? What are the laws around this ?

An interesting subject that I think could grow especially with iPay from Apple also.

*UPDATE

And as if by magic comes news that Subway restaurants are going NFC also (LINK). Interestingly, iPay won’t be accepted yet … I guess they’re waiting for trusted security to be proven.

What do you think ?

The movie list

This list is for my kids.

Let’s face it, I hate most of the stuff you watch – Barbie and the Dreamhouse was the low point. So this is a list of films I want you to watch.

Not in any particular order (although I’ll guide you on the proper order for Star Wars!) – just make sure they’re age appropriate. When you’ve watched them all, then I’ll allow Barbie again !!! (maybe not also !!)

  • THX1138
  • Blazing Saddles
  • Rollerball
  • Driver
  • Convoy
  • Time Bandits
  • Escape from New York
  • Mad Max (all of them so we can then debate which was the best)
  • Blade Runner
  • Dark Crystal
  • War Games (I want to watch this again too, book it in!!)
  • Top Gun
  • Labyrinth (ask for my Ludo impression)
  • Flight of the Navigator
  • Short Circuit (don’t watch number 2 – it sucked)
  • Ferris Bueller
  • Lost Boys
  • Dirty Dancing
  • La Bamba
  • BeetleJuice
  • Akira
  • Bill + Ted (all of them in one sitting)
  • Pretty Woman (with your mum)
  • Flatliners (they all die .. get over it)
  • Drop Dead Fred
  • Jurassic Park (Start at 9am and watch them all in one day)
  • Mrs Doubtfire
  • Wayne’s World (Schwing! …. inappropriate but very funny !)
  • Dumb and Dumber
  • Mask
  • Shawshank Redemption
  • Forrest Gump
  • Ace Ventura (One of my heroes is Ace … you may get my humour … CHICAGO !!)
  • Pulp Fiction (great soundtrack)
  • Leon
  • Judge Dredd (all versions then debate which is the best and why)
  • The Net (I’ll show you all the technical nonsense in it .. Sandra Bullock didn’t invent the internet)
  • Crimson Tide
  • Hackers (all of them – but you need to read a couple of books first)
  • Tank Girl
  • Braveheart
  • Romeo and Juliet (with your mum)
  • Trainspotting (cracking soundtrack)
  • Mission Impossible (wait till you see 3 … you’ll die laughing)
  • The Rock
  • DragonHeart
  • Eraser
  • Swingers
  • Contact
  • Face Off
  • Gattaca
  • Grosse Point Blank
  • Full Monty
  • Titanic
  • Good Will Hunting
  • Austin Powers (and please get dressed up)
  • Men in Black (all of them in one sitting)
  • Rocky Horror Picture Show
  • Little Shop of Horrors

  • Weird Science
  • CannonBall Run
  • Devils Advocate
  • Fifth Element
  • Godzilla (the older one)
  • Truman Show
  • Enemy of the state
  • Armageddon
  • Lock Stock
  • Snatch
  • Meet Joe Black
  • Shakespeare in Love (watch with your mum!)
  • Avengers
  • Matrix (promise you’ll only watch the first one!)
  • American Pie
  • 6th Sense
  • Notting Hill
  • Office Space
  • Payback
  • Three Kings
  • Emperor’s New Groove
  • Chicken Run
  • Road Trip
  • Gladiator (See MovieMistakes.com first)
  • Gone in 60 Seconds
  • Pitch Black
  • O Brother Where Art Thou
  • Boiler Room
  • Hollow Man
  • Perfect Storm
  • Monsters Inc
  • Dune
  • Convoy
  • Smokey and the Bandit
  • Fast and Furious (all of them)
  • Lord of the Rings
  • Oceans 11
  • AI (please read Isaac Asimov I Robot first)
  • Moulin Rouge
  • Swordfish
  • A Knight’s Tale
  • Catch Me If You Can
  • Bourne Identity
  • Men In Black (all of them)
  • Transporter (all of them)
  • Minority Report
  • Austin Powers (all of them)
  • Finding Nemo
  • Italian Job (the original)
  • School of Rock
  • League of Extraordinary Gentlemen
  • Love Actually
  • 50 First Dates
  • Day After Tomorrow
  • National Treasure (after watching – speak to Grandy)
  • Anchorman
  • Van Helsing
  • Yes Man
  • HitchHikers Guide (Original, read the books then watch the latest one)
  • xXx
  • Cars
  • Flushed Away
  • 300
  • V for Vendetta
  • Talladega Nights
  • Ice Age
  • Night at the Museum
  • Employee of the Month
  • Little Miss Sunshine
  • I am Legend (and then write the ending properly)
  • Meet the Robinsons
  • Madagascar (all of them)
  • Below

That’ll do for now … I’ll add to it as I remember more.

If you have any suggestions please recommend them here :