The Bash bug, first exposed in September 2014, could be devastating for retailers and manufacturers this holiday season thanks to its wide distribution across Unix-based systems such as Linux and Mac. The Bash bug opened doors for hackers to access confidential information and take over systems with remotely-executed code, tacking on their malicious code to the environment variable in Bash, a command line shell in these systems.
The good news is that software companies started developing and distributing patches fairly quickly. There is bad news, however: some companies didn’t roll out all patches in a timely or comprehensive fashion. Oracle warned its users that more than 30 products were affected, but patches for only two products, Linux and Solaris, were immediately available. And many that did install patches may still be at risk because they failed to install subsequent patches that are required to fully close the vulnerability.
The fact that Unix-based systems are so intrinsic makes the problem particularly acute – delays in patching mean that many systems may have been vulnerable for a period of time long enough for hackers to install an intrusive bit of code. That code could still be sitting there, undetected, while hackers just wait for the right opportunity to pounce.
For hackers that want to maximize their holiday haul of personal information, including credit card numbers, what better time to pounce than the holiday season. On Black Friday and Cyber Monday, shoppers entered credit card information at unprecedented levels to score deals – and, unbeknownst to retailers, that command line interface vulnerability mentioned above may be exposing their customers’ data to hackers. Meanwhile, the retailer’s data security team is already fighting a fire somewhere else – Bash bug for some IT teams was relegated to lower priority.
It’s not certain that Bash bug-related hacks will bite retailers this holiday season, but the possibility is quite real and present. As we’ve seen in the past, large companies are by no means immune to hacking simply because they spend more liberally. Hackers are patient guests, and waiting is actually a good thing for them. And there’s no better time to exploit a weakness than the holiday shopping season. The question is, which retailers will top the hackers’ holiday list this year?
It’s not too late for retailers to act. Certainly, executive teams and boards of directors would support decisive action that avoids front-page scrutiny and potential embarrassment. While it’s always better to have a long term strategy for cybersecurity, sometimes it’s important to fight the fire in front of you – even if it’s only smoldering. Bash bug may be smoldering right now for some and every line of code should be examined.
Yes, analyzing every line of code is onerous. There are other steps that retailers can and should take, including blocking or alerting on unusual activity, especially pertaining to sensitive data. After all, Bash bug exploits vulnerabilities that are hard to see, and many businesses that are compromised will not know about the exfiltration of data until it is too late, when their customers’ information is already being sold and the media is calling.
It’s never too late to protect your most sensitive data – or your customers’ data – but time is running out this holiday season to stop the Grinch from exploiting Bash to steal Christmas.
About the Author
Patrick Upatham is the global director of advanced cybersecurity at Digital Guardian. A former FBI cybercrime information security professional, he has helped organizations identify security gaps in existing and potential processes and infrastructure and developed strategies to address risk management and governance. Patrick is also an expert on incident response and forensic analysis.