The Mirage of Internet Security: A Response to the Bash Bug

(Image Source: https://flic.kr/p/mjhubJ)

Recently in our class on the Law of Evidence, the discussion turned to the security of email accounts, specifically Gmail. Our teacher asked a general question, about how easy it would be for a person to hack a Gmail account, on a scale of 0 (extremely difficult) to 5(extremely easy). There was a smattering of response, ranging between 0 to 1.5.

But I would argue that the answer, always, is 5. Even if you disagree with that, at the very least, I would argue that is the presumption we should always work with. The Internet is awash with bugs and errors, and any security that is set up on it can be broken – the only question is how determined the hacker in question is to get your information, and how determined you are to protect it. And that is even before you get started on the devices connecting the average user to the Internet.

The first example that came to mind for such an argument was, till recently, the Heartbleed bug. The Heartbleed scare took the entire Internet by storm, prompting a security check from anyone who heard of it. But once that was done, perhaps the denizens of the Internet felt a bit secure online.

But that should not be. When connected to the Internet, “computers, and computing, are broken”, and nothing is ever truly secure. And that was confirmed again and again just in the past few weeks. The latest in a long history of breaches of online security started with Apple, a company known for its security, facing a massive breach of iCloud, resulting in the leaks of personal pictures of quite a few celebrities (again, not a first, though the scale of the attack is unprecedented). This was followed by a leak of nearly 5 million of Gmail associated usernames and passwords (though these were for the most part outdated and part of older leaks).

And the latest in the woes of Internet Security, at the time of writing, is the Bash Bug, aka Shellshock. The Bash Bug was directly compared with the Heartbleed bug, with security consultants stating that it was much, much worse than the original SSL bug. There are concerns that the Bash bug could affect internet security for years to come, since the version of Linux it affects interacts with a broad range of software, and quite subtly. It also affects Apple’s OS X. ICSI researcher Nicholas Weaver told VergeWe’ll never be able to catalogue all the software out there that is vulnerable to the bash bug. It’s subtle, ugly, and will be with us for years.

As the reports keep coming in, the situation seems to be getting consistently more worrisome. Bash, unlike Heartbleed, allows for remote code execution, and is being actively exploited. According to Cloudfare’s John Graham-Cumming, the bug has been used for attempts at grabbing passwords, spreading malware, so on – he noted one specific event in which the bug was used to open/close a server’s CD/DVD drive. The effectiveness of the patch released by GNU is also currently doubtful, though a new and updated patch has been released since then.

And the Bash bug is, in all probability, not the last or the worst of the bugs to ever affect the Internet. We use multiple software on our computers and mobiles on a regular basis, and to be honest, we don’t quite take as much care as we should. Every security update that is ‘postponed’ is a vulnerability that has been lying around for a while, that might already have been exploited. And the biggest problem is, the person responsible for protecting your security will probably care about it less than you do. Apple, for instance, knew about the vulnerability that led to the leak months before it was exploited. Similarly, Snapchat knew about the vulnerability that led to it being hacked for months. The Heartbleed bug was probably caused by human error and lack of care, and NSA was aware of it for a minimum of two years before it became public.

The list of examples is endless, but I’ll take two more to support my argument. The first is the Internet Census ‘hack’, and the second is Windows XP. An anonymous hacker had recently written a script for the Internet Census that took over embedded Linux devices, ‘owned’(Internet slang for ‘hacked’) them, used them to scan the rest of the internet, creating a survey about the shape of the Internet, and at the same time deposited 10 Terabytes of data back to the hacker, thereafter deactivating the hack. Let’s take another example. Recently, Microsoft decided it will not be supporting its iconic Windows XP OS anymore. But a vast majority of the computers around the world, ranging from ATM Machines to hospital computers to Apple stress testing systems, run Windows XP. Companies and individuals actually panicked, rushing to migrate to other platforms. Finally, after a huge response, Microsoft decided to continue support for XP’s anti-malware systems until July 2015, with various governments signing separate deals with Microsoft for continued support to seek more time to migrate from XP. (To be fair to the issue, third parties will probably come in and fill most of the major gaps in security once security support to XP is finally cut off).

On the Internet, it is not question of if you will be ‘p0wned’(intentional misspelling of ‘owned’). It’s a question of when. That is why there are 0days. But that does not mean you stop using the Internet. As I said in the beginning, what matters is how determined the hacker in question is to get your information, and how determined you are to protect it. So to stay secure on the Internet, take steps to secure yourself. Update your OS and your antiviruses. Check your email accounts on the Have I been pwned, and set up a mail alert. Use PGP encryption on your emails. The list, again, is endless. But for the mirage of a Secure Internet to be real, you are going to have to build it yourself.

Further Readings:

Everything is Broken, Quinn Norton, Medium.

Kali NetHunter turns Android device into hacker Swiss Army knife, Sean Gallagher, ARS Technica.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s