Threat Risk AssessmentTransigram

Shellshock hits where it hurts

Effect on Cloud and Personal Desktops

It’s becoming customary to hear about vulnerabilities with commonly used utilities: cash registers, web servers, Internet security protocols, and operating systems. Concerns regarding breaches such as Shellshock and Heartbleed are becoming a staple in executive boardrooms and in senior leadership meetings. Business leaders are asking, how do we predict the next one, and how can we deal with this one?

Medicine says prevention is better than cure

The recent computer security breach dubbed Shellshock has demonstrated that no computing device is fully safe. If you are a Mac user, you can paste the following single line into the terminal app,

env x='() { :;}; echo vulnerable’ bash -c “echo this is a test”

If the code echoes ‘vulnerable’ then your Mac is affected and can be hacked.

The recent Shellshock breach affects a category of personal computers running Apple Mac OSX or Ubuntu Linux, or any other desktop Linux Versions. More importantly, it affects server systems powering Internet web servers and enterprise software application servers such as mail and customer relationship management systems. The breach affects a command interface called Bash. Bash is a tool used for operating system management, configuration, updates, managing access and other operating activities.

The Bash utility has been patched since Redhat acknowledged the flaw on September 24.

The exploit allows an attacker to bypass the console’s controls by making requests to evaluate special characters. If successful, a hacker would be able to take control of a server machine.

For a very long time, security specialists have had confidence in server systems running Unix variant operating systems. Brand names for these operating systems include Redhat© , Debian, Linux, Fedora, Ubuntu, slackware Linux , Apple OSX, and others. News of this vulnerability was definitely shocking, as it contradicts common beliefs regarding the security of Unix based servers.

Well known secure server operating systems are vulnerable to attack.

Some security advocates have downplayed the threat, given that it can only be exploited by internal staff and that the systems can be patched rather quickly. In our opinion, there are a few reasons to take this breach seriously. Shellshock: a) could be a threat to cloud providers offering access to shared resources; b) affects all personal desktops which could be hacked by users with access to shared machines in schools, not-for profit organizations, or community and primary care organizations; c) may have been active for some time; d) may not be easily traced to a single user. In fairness, all these issues can go away by simply patching the Bash version. Nevertheless, the threat to small to medium organizations will remain until all desktops and mini-servers have been patched.

Shellshock could be a concern for shared cloud environments.

Many cloud service providers offer remote desktop access to servers. While each client receives access to a console with secure login using robust credentials, once authenticated a user can break the Bash shell console using the Shellshock exploit. From there an attack can be launched and within minutes the hacker could take over a physical device. Given that these devices run shared databases or enterprise applications, the threat becomes real. The hacker can disrupt services, change access rights to data, or reconfigure data stores using the newly acquired administrator rights.

A similar issue can be exploited in environments with shared computers like libraries, community organizations, clinics, even banks or hospitals. A user with limited access can break into a machine using Shellshock and receive access to any files stored on the machine.

We’ve modified principles of successful prevention from the medical field[2] to fit the current context. Successful prevention depends upon:

  • a knowledge of causation,
  • understanding of data communication paths,
  • identification of risk factors and risk groups,
  • availability of early detection and treatment measures,
  • an organization for applying these measures to appropriate persons or groups, and
  • continuous evaluation of and development of procedures applied

How would these principles help in the current situation? Resource sharing in the case of cloud computing is the biggest root cause to Shellshock. Shared databases, and sharing of computing resources in general, create a single point of failure. Understanding causation will be the principle applied here. If your cloud instance is virtually disjoined from other user spaces, then your data and processes will be safer. Whereas consolidation could reduce costs short term, long-term costs in my view will increase. Dealing with the Shellshock bug calls on security administrators to understand every communication path and while reducing reliance on shared resources. It is worth while noting that since this article was first drafted, we have tested at least two cloud providers and we found that their systems had been patched.


  1. Mitigating the Shellshock vulnerability, Red hat Linux, https://access.redhat.com/articles/1212303 , Accessed September 2014.
  2. Concepts of prevention and control, www.pitt.edu/~super7/32011-33001/32311.ppt, Accessed September 2014.
  3. Heartbleed Bug, http://en.wikipedia.org/wiki/Heartbleed, Accessed September 2014.
  4. http://Transigram.com

Live Blog Updated: Sept 29, 700 EST.

About Waël Hassan:

Waël Hassan, PhD, is the editor in chief and lead writer of Transigram.com. Dr. Hassan is a risk and big data specialist, privacy evangelist, and a writer, designer and implementer of privacy enhancing solutions. Waël has contributed to the risk practice by developing methodologies and frameworks for envisioning, evaluating, and implementing privacy, with an emphasis on design maturity.

%d bloggers like this: