Bash Bug more dangerous than Heartbleed?
SecurEnvoy, 10/10/2014
How dangerous is the Bash Bug security vulnerability that recently emerged (also known as Shellshock)? Is it perhaps even more dangerous than the well-known Heartbleed bug? Experts and users have been asking this question since the threat became apparent. Shellshock primarily affects GNU/Linux, Mac OS X and other Unix-based operating systems that are reachable from the Internet as servers. This is particularly problematic because many web servers use Bash (the Bourne Again Shell) to run CGI (Common Gateway Interface) scripts.
The answer to the above question is “yes”, according to the American National Institute of Standards and Technology (NIST). NIST gave the Bash Bug a score of 10, the maximum for damage potential on its own rating scale.
As was the case with Heartbleed, the current threat also shows how back-end server faults can be used to obtain access to stored login details. SecurEnvoy servers are not affected by this vulnerability, since we only use Windows-based systems.
The root of the problem is the use of static passwords, which are insecure for several reasons. This starts at the point of entry, where keyloggers can capture them. Cybercriminals can also resort to simple keystroke spying (shoulder surfing). In addition, data can be intercepted during transmission. Heartbleed and Shellshock go one step further and simply harvest the data at its final destination, the server. The only secure solution is to use one-time access codes as part of a two-factor authentication method. With our approach, we replace conventional physical tokens with a device that everyone carries anyway these days: the smartphone. For example, users can receive a dynamically generated code via SMS, which they enter in addition to their username and password in order to authenticate themselves when logging in.
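The server-side half of the one-time code scheme described above, as an added example that is not SecurEnvoy's code and not taken from this post: a small store that issues a random numeric code for a user, keeps only a keyed hash of it, and accepts it once within a time limit. The class name, the six-digit format, the five-minute lifetime and the three-attempt cap are assumptions chosen for illustration; how the code is delivered (SMS or otherwise) is outside this example, so `issue()` simply returns the code for the caller to hand to a delivery channel.

```python
import hashlib
import hmac
import secrets
import time

# Illustrative parameters (assumptions, not values from the post).
CODE_LENGTH = 6            # digits in the one-time code
CODE_TTL_SECONDS = 300     # code is valid for five minutes
MAX_ATTEMPTS = 3           # wrong guesses allowed before the code is discarded


class OneTimeCodeStore:
    """Hypothetical server-side store for short-lived, single-use login codes."""

    def __init__(self, now=time.time):
        self._now = now                      # injectable clock, so expiry can be tested
        self._pending = {}                   # username -> (code_hash, expires_at, attempts)
        self._server_key = secrets.token_bytes(32)  # per-process secret for keyed hashing

    def _hash(self, username, code):
        # Store a keyed hash instead of the plaintext code, so a copy of the
        # pending table alone does not reveal usable codes.
        msg = f"{username}:{code}".encode()
        return hmac.new(self._server_key, msg, hashlib.sha256).digest()

    def issue(self, username):
        """Generate a fresh code for the user, replacing any earlier pending one."""
        code = "".join(str(secrets.randbelow(10)) for _ in range(CODE_LENGTH))
        expires_at = self._now() + CODE_TTL_SECONDS
        self._pending[username] = (self._hash(username, code), expires_at, 0)
        return code  # caller passes this to the delivery channel (e.g. an SMS gateway)

    def verify(self, username, submitted):
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        entry = self._pending.get(username)
        if entry is None:
            return False
        code_hash, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._pending[username]      # expired codes are dropped, not retried
            return False
        if not hmac.compare_digest(code_hash, self._hash(username, submitted)):
            attempts += 1
            if attempts >= MAX_ATTEMPTS:
                del self._pending[username]  # too many guesses: user must request a new code
            else:
                self._pending[username] = (code_hash, expires_at, attempts)
            return False
        del self._pending[username]          # correct code is consumed: single use
        return True


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("alice")
    print("issued code for alice:", code)
    print("first use accepted:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

The properties worth noting are that a code is accepted at most once, that it expires on its own, that guessing is bounded by the attempt cap, and that the comparison uses `hmac.compare_digest` so timing does not leak which digits matched. A second factor built this way is useless to an attacker who has harvested static passwords from a server, which is the point the post makes.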