5 Things You Need to Know About the BashBug



1. Don’t Panic.

As our favorite galactic traveler’s companion reminds us (ref. Hitch Hikers Guide to the Galaxy), It’s important to keep problems in perspective. The Heartbleed Bug incited widespread panic for what turned out to be limited reasons. This new security bug is reported to be even bigger than Heartbleed, but it, too, has a relatively limited reach. It only affects Unix-based systems that use Bash. The best way to address it is to keep updated on the patches which are sent out. Some routers are also affected, and so updates will be pushed out to handle those as well.

2. What is the BashBug?

Bash is one of the central programs to the modern Unix operating system. It’s used to issue commands to the kernel of the OS. It is a little like the Windows command line. Mac’s desktop operating systems are built on Unix, and that’s why people are concerned. The BashBug is an exploitable nuance of the Bash shell that someone could use to observe and possibly modify an unknowing computer’s information. Basically, it’s like leaving your car window down.

3. I have an iPhone, should I be worried?

No. The iOS is a different operating system from the Desktop OS of MAC, known as OS X.

4. What if someone w/ a Mac emails me? Will my company be at risk? Can I “catch” the Bug this way?

No. The vulnerability is specific to Unix-based OSes. It can’t be transferred between operating systems. Windows has a fundamentally different underlying program, and it does not include Bash, which is the host for this bug.

5. What’s this thing about routers? 

Some routers run on a variation of Linux. Manufacturers will also be pushing out updates to resolve this. Please contact your system administrator (which might be us) to resolve it if you have concerns. We can be reached at 888-244-1748.


What does the Heartbleed Bug mean for me?



As I started thinking about my own personal safety in protecting myself against the Heartbleed bug, I started to  wonder how it truly affected me.  I’d updated the passwords that I needed to, to make sure that I could not potentially make things easier for my accounts to be compromised. But then I realized that if I was wondering about my Heartbleed damages, chances are the customers I help out every day, as an Everon tech, were wondering about it, too.  

From a technical standpoint, I knew that the way Heartbleed affected me had to do with websites that use Open SSL/TLS for encryption to make their sites secure. What does that mean to my non-tech customers? Well, simply put, this bug can affect you either directly or indirectly on your computer, but only to a small extent. The more immediate effect has been to the sites on which you have secure usernames and passwords to log in — everything from Social Media Sites to E-Commerce to streaming Entertainment sites. If you have installed software from any of these sites, and have it on your system, this is how your computer can be affected. But if you simply log in to a site and use your browser you are not at risk with your computer system.

Also you should note that, chances are, you first logged onto these sites before the patches were updated. And those changes weren’t done until almost immediately after the story was reported. There is a good chance that you’ve been compromised and, unfortunately, there is no trace if you were. This is why the sites that have updated their systems to fix this are requesting you to update your passwords. There may be sites still updating, so if you have already changed your password before the patch was completed, you will have to do it again. Banking sites seemed to have been secure, as they do not use Open SSL for their security encryption, therefore they are not likely  to be compromised. But if you use the same password for banking as you do for email or Facebook, you could be in trouble. This is why they are recommending the changes.

This might help to understand how you access sites using SSL:

Flow Chart SSL

(click to enlarge)

This Mashable link will help you find out which passwords need to be updated immediately, as these companies have already installed the patch update to their networks:  http://mashable.com/2014/04/09/heartbleed-bug-websites-affected/. There was another report that said Android phones may be compromised as well, if you are running Android OS Jellybean 4.1 or older. Google is currently working with Android partners to get the patch distributed to resolve this issue. You can view that article here (also on Mashable): http://mashable.com/2014/04/11/devices-running-android-4-1-1-vulnerable-to-heartbleed/.

Heartbleed Virus Update



From Steve Curran, Director of Infrastructure,  at Everon’s parent company, PlumChoice:

This week we’ve all heard, read and seen quite a bit of news regarding the new Heartbleed virus.  This is a serious situation for impacted companies as well as consumers using many online services such as banking, retail and social media.

This virus primarily affects Linux based systems and the potential impact to our internal systems is limited.   We’ve investigated our systems which might be affected and have found none to be vulnerable to the virus.  Good news indeed.

Regarding all of us as consumers, many of us should take action to prevent potential exposure of passwords on a variety of websites.  CNET has compiled an excellent listing of the top 100 sites across the web, indicating where we as consumers may want to take action.  This article - which is being updated as statuses change - can be located at http://www.cnet.com/how-to/which-sites-have-patched-the-heartbleed-bug/ and recommends we change our passwords on sites such as Google, Facebook, Yahoo!, Dropbox and a number of others.

After reviewing this article and your own unique situation, if you have doubt as to the Heartbleed vulnerability of any website you access, the conservative approach would be to simply change your password and monitor for suspicious prior activity.

A further note of caution though…  As you’ll see from the article, this patching activity continues in real time – changing your password will only help if that website has been patched, which may not yet be complete.

We continue to monitor the situation closely and I’ll communicate further as the situation dictates.

 - Steve Curran | Director of Infrastructure, Information Security Officer | PlumChoice®, Inc.