Wednesday, October 29, 2014

Remove Fake Antivirus






One of my favorite tools; it usually works well, as well as one could hope. You run this, then scan your PC with AV and boom, virus gone!

Monday, October 27, 2014

working guide remove fff5ee.com

I got the fun time of playing with this for 9 hours today, what a big pain in the neck. Really was not a happy day. Also, when you look up how to remove it, you get to a page telling you to use SPYHUNTER. Let me say this: SPYHUNTER is total junk. You cannot remove anything without paying, and even then you will still not be able to remove the infections. After all that, as if it wasn't bad already, removing it requires you to use Revo Uninstaller, because neither the uninstaller provided nor Windows will remove it. JUNK!


shellshock attacks mail server


Thursday, October 23, 2014

Rant: SEO's Biggest waste of money, time and resources a company could spend

I am going to add an article I found below, but I personally wanted to add my distaste for these companies. If you are going to enlist the services of a SEO you might just go ahead and wipe your ass with that cash. There is nothing that a SEO can do that no semi-tech smart person can do, and if you can search on Google you can definitely find out how to.

SEO is a complete waste of time
http://performinsider.com/2013/05/seo-is-a-complete-waste-of-time
Written by Pace Lattin
May 9, 2013, 10:16 am

There is so much out there about Search Engine Optimization (SEO), including complete publications that just focus on how to optimize, strategize and theorize about SEO. Entire companies make millions on convincing people that their entire plan should be about SEO so much that they need to hire “experts” to optimize their pages to such a degree that they need to spend more money than they could ever make in return. From reading the publications and expert blogs about SEO, you’d think that if you are not thinking about SEO all the time, you are going to completely fail at anything you do online.

Here’s the truth that no one wants to tell you: SEO is a complete waste of time.

Many people are going to read what I wrote and proclaim immediately that I am nothing but a total jackass and they are the real expert in SEO and know exactly what is going on.

On a weekly basis I have some “expert” with a blog sending me an email, telling me what I am doing wrong about SEO, and how my publication is completely fucked up from an SEO standpoint, that I am not getting any traffic whatsoever from search engines and they are happy to tell me how I should be running my business.

Here’s a few facts:

1) PerformInsider.com gets almost 1-2k people a day from search engines, mainly google. I have spent almost no time thinking about SEO. We are not even two years old.
2) We get traffic from keywords about SEO, including SEO Tip type articles, and we are not a SEO centric publication
3) Performance Marketing Insider makes more money than almost any publication in the industry based on our traffic and content. We are so successful that there are several websites that are completely dedicated to making fun of this publication.

Here’s probably what you also don’t know about me:
1) I have owned three publications about online advertising in the last 10 years, two of them existing before the word “blog” was even used, and have always been on the top of many search engines without knowing about SEO.
2) I have owned an advertising network that did $100M in revenue in one year. We were in the top 20 comscore networks for several years. We received a great deal of business from search.
3) I have never taken a single SEO class, read a single book about SEO or even gone to a SEO conference. I just have always made good content, done great promotions and focused on business. Yes, I read SEO articles sometimes.

Still, you are probably going to say, “But you need to still be concerned about SEO somewhat, right?” Yes, of course.

I’m not the biggest fan of Jeremy Schoemaker (and I hear he’s not exactly hanging posters of me on his wall) but he knows what he is talking about:


Do basic things to ensure your site is optimized the best, consider the layout, and probably get some good plugins that have great reviews. Still, the focus should be on making great content that drives visitors and makes you money. If you are focusing on SEO from the start instead of creating a real site with real quality content, then you are going to have a sustainable business or site.

The other thing you need to consider is that SEO rules keep on changing. What will show up in search seems to change every day, and those who are making sites specifically for SEO are finding their business models often thrown out the door. However, every business I have made that is content based has survived and made a lot of money no matter what, because what I am doing is focused on content, not on a quick buck.

Even if the rules weren’t changing, what the experts say will work seems to be completely contradictory.

Yes, there are various design things you need to consider, how you link pages – but there are tons of plugins that will do that for you. Even the experts find themselves often being screwed when it comes to SEO because they are..umm.. over-optimizing for SEO. They are so concerned about SEO and how to optimize that they create a site that is only made for SEO and google bitch-slaps them really hard in return.

If you want to know what you really, really need to know about SEO, we actually have an article written by one of the experts. Uh-huh, he has his own publication about search engine marketing and optimization, but without having to hire an expert, read an entire book or attend a webinar, you are going to learn pretty much all you need to know from this one article called 5 SEO Tips You Should Know to Survive in 2013. Really.

Now, go make money, build content and ignore what most the experts are telling you, especially if they want you to buy something, rent something, attend something. Buh-bye.

Take care, and if you disagree, feel free to comment and tell me why.

And by the way, Penn Jillette is one of my neighbors and has the craziest-ass house I’ve ever seen.


Pace Lattin is one of the top experts in interactive advertising and affiliate marketing. Pace Lattin is known for his dedication to ethics in marketing, and focus on compliance and fraud in the industry, and has written numerous articles for publications from MediaPost, ClickZ, ADOTAS and his own blogs.

Microsoft yanks botched patch KB 2949927, re-issues KB 2952664

Four more botched Microsoft patches: KB 3000061, KB 2984972, KB 2949927, KB 2995388

Wednesday, October 22, 2014

Man in the Middle

Excerpt from: http://iamsteve.in/08/2013/what-are-man-in-the-middle-attacks-arp-spoofing/

If we ever share a WiFi network, chances are I can intercept what you’re doing.

‘Man in the middle’ attacks have been around for about as long as the Internet itself, and so those familiar with network security will already be well aware of the threat posed by ‘ARP spoofing’ or ‘poisoning’. The thing is, most people aren’t familiar with the basics of protecting their communications online, and even those who are don’t always take the precautions that they know in theory they should be.



What is a ‘man in the middle’ attack?

Without going into the technical details of how these attacks actually work, a ‘man in the middle’ attacker essentially sticks their hand up first when your device is looking for an appropriate router to connect to, and pretends to be where you actually want to gain access to.
Essentially, instead of connecting to the network through the route you might expect (like a wireless router) you get redirected via another device first. This means that all of your traffic is flowing through an additional step before getting onto the Internet, and allows anybody in control of that piece of equipment access to it.

This is incredibly easy to do, there are many real world examples of this in the field. One of the more infamous comes in the decidedly fruity shape of the ‘WiFi’ pineapple… a rogue device that convinces network traffic to connect to it rather than the intended, legitimate source. However, even this is bulky in comparison to the possibilities that are now on offer through mobile phone apps… which are harder to find or identify if they are ever detected.
What are the dangers?

It should hopefully be pretty obvious why you wouldn’t want wee Davey sitting in the corner of Starbucks intercepting everything that you’re doing online, but even if you’re not all that concerned about anybody knowing which websites you visit and when, there are other, more potent dangers that the man in the middle poses.

Whilst SSL is widely used for financial transactions (such as over PayPal), in practice, it’s far from perfect. Many websites still do not offer SSL connections by default, requiring you instead to specifically turn them on. Many simply require encryption for the login process, and not anything afterwards (which we’ll get to in the next section). Even those that do default to a secure connection, often still run the insecure service as well. It wasn’t too long ago that Facebook were operating precisely in this fashion.

Since most people take this for granted, it is fairly easy to redirect a computer under the spell of this sort of poisoning attack to the non-SSL version of a website, without it ever occurring to the user to check.

How can I protect myself?
Without a doubt, these attacks are something that everybody should be aware of, but most people aren’t – partly because of the technical nature of the problem. However, there are some simple things you can do to avoid this type of attack.

HTTPS Everywhere
HTTPS Everywhere is a plugin for Google Chrome and Firefox which automatically forces the browsers to go to the secure version of a website where available, and send all of the traffic over SSL. No need to fiddle about with individual settings on different services, or to work out which sites offer SSL and which don’t. HTTPS Everywhere does the work for you.

Further Securing against the man in the middle
Using an encryption service will keep the data you transmit over a network secure, which is the primary concern of man in the middle attacks. However, it won’t necessarily stop the denial of service attack that was explained above. Whilst there aren’t many, there are a few utilities that Android, Windows, and Mac users can make use of to kill off an attempt completely, or at least be notified of it happening. If anybody is aware of any other effective utilities – especially for Windows/the iPhone – please get in touch!

Be vigilant
There is no single way to completely prevent man in the middle attacks from impacting your network connectivity. Most of the advice that is given from people who skim the surface of this topic boils down to “don’t use open wireless networks”. Uhh, right. Nice idea pal, but not a practical reality. As we rely more and more on disparate WiFi networks, we all need to be aware of the dangers of insecure communications, and take steps to reduce the risks. These aren’t limited solely to open networks, but any that are shared – such as in a workplace or University. Just because they are secured with a keyphrase, doesn’t mean they are any more secure than a public hotspot in an Internet cafe. Some types of wireless network are more secure than others, but it’s up to you to ensure the integrity of your own data.

If you only do one thing after reading this blog, then sign up for a VPN service and start using it on shared networks. Make sure you check that you’re connected to websites in SSL when you expect to be, and if something doesn’t seem right, disconnect and login somewhere else. It’s a first step towards keeping your personal information safe.

See more at http://iamsteve.in/08/2013/what-are-man-in-the-middle-attacks-arp-spoofing/
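
One way a tool can notice ARP spoofing on a shared network is to watch the ARP table for a gateway whose hardware address has changed or is shared with another host. The sketch below is an added example, not code from the quoted article; the `arp -an` style output, the addresses and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches "? (192.168.1.1) at 00:11:22:33:44:55 ..." as printed by `arp -an`.
# Entries shown as "<incomplete>" do not match and are skipped.
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\)\s+at\s+"
    r"([0-9A-Fa-f]{1,2}(?::[0-9A-Fa-f]{1,2}){5})\b"
)


def normalise_mac(mac):
    """Lower-case and zero-pad each octet (macOS prints '0:1c:b3:9:...')."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry in the ARP listing."""
    table = {}
    for line in text.splitlines():
        match = ARP_LINE.search(line)
        if match:
            table[match.group(1)] = normalise_mac(match.group(2))
    return table


def audit(table, gateway_ip, pinned_gateway_mac=None):
    """Return a list of (code, detail) findings for the gateway entry.

    pinned_gateway_mac is the address recorded earlier on a trusted
    connection; without it only the 'shared MAC' check can run.
    """
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return [("gateway-missing", "no ARP entry for %s" % gateway_ip)]

    findings = []
    if pinned_gateway_mac and gw_mac != normalise_mac(pinned_gateway_mac):
        findings.append(("gateway-mac-changed",
                         "%s now resolves to %s" % (gateway_ip, gw_mac)))

    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    # A second host answering with the gateway's MAC is the classic sign
    # that one machine is claiming to be the router. Proxy ARP and
    # multi-homed hosts can cause the same pattern, so treat it as a lead.
    sharers = sorted(ip for ip in by_mac[gw_mac] if ip != gateway_ip)
    if sharers:
        findings.append(("gateway-mac-shared",
                         "%s also used by %s" % (gw_mac, ", ".join(sharers))))
    return findings


# Constructed sample listings (not captured from a real network).
CLEAN = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.23) at 66:77:88:99:aa:bb [ether] on wlan0
? (192.168.1.40) at <incomplete> on wlan0
"""
POISONED = """\
? (192.168.1.1) at 66:77:88:99:aa:bb [ether] on wlan0
? (192.168.1.23) at 66:77:88:99:aa:bb [ether] on wlan0
"""

if __name__ == "__main__":
    for name, listing in (("clean", CLEAN), ("poisoned", POISONED)):
        result = audit(parse_arp_table(listing), "192.168.1.1",
                       "00:11:22:33:44:55")
        print(name, result or "no findings")
```
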

Wednesday, October 15, 2014

HIPAA and Windows XP


This topic can seem very icky and cloudy, as it depends on your interpretation of the rules. I would like to go on the record as saying that it is not wise to use any software that cannot and will not be updated for security vulnerabilities. I have read over the HIPAA compliance rules and many blogs and articles from experts, and if you were to ask, "Does the Security Rule mandate minimum operating system requirements for the personal computer systems used by a covered entity?" you may find the answer at http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2014.html to be:

  • No. The Security Rule was written to allow flexibility for covered entities to implement security measures that best fit their organizational needs. The Security Rule does not specify minimum requirements for personal computer operating systems, but it does mandate requirements for information systems that contain electronic protected health information (e-PHI). Therefore, as part of the information system, the security capabilities of the operating system may be used to comply with technical safeguards standards and implementation specifications such as audit controls, unique user identification, integrity, person or entity authentication, or transmission security.  Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis (e.g., does an operating system include known vulnerabilities for which a security patch is unavailable, e.g., because the operating system is no longer supported by its manufacturer).
However, I would like to point out, as many of my counterparts would do also, the following from the above:
  • Additionally, any known security vulnerabilities of an operating system should be considered in the covered entity’s risk analysis
I think we all could agree that since Windows will no longer patch or update any security vulnerabilities on XP, a HIPAA compliance test on any XP computer would fail, and cost the company. In an article from the blog 4Medapproved.com/HITSecurity, Mike Semmel really does a good job of telling us all how important it truly is to get off of these old, outdated systems.

Within the Electronic Code of Federal Regulations, or e-CFR (found at www.ecfr.gov), Title 45, Part 164, Subpart C,
§164.308(5)(a)(1) states: 
  • Security reminders (Addressable). Periodic security updates.

and §164.308(1)(i):
  • Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

and §164.308(1)(A):
  • Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.
So I would say, with this evidence and the ever-decreasing prices of computers, that any company would be farther ahead to pay three to five hundred dollars to replace the computer rather than the fines that could be imposed for the HIPAA violations.


SandWorm: MICROSOFT WINDOWS ZERO-DAY VULNERABILITY (CVE-2014-4114) USED BY RUSSIAN ESPIONAGE GROUP


reference: http://www.isightpartners.com/2014/10/cve-2014-4114/

An update that just cannot be missed this time around is MS14-060. It fixes a zero-day vulnerability that can give an attacker remote access to your computer through the use of a malicious Office document.

The vulnerability, which affects all supported versions of Microsoft Windows and Windows Server 2008 and 2012, was discovered and announced by iSIGHT Partners in collaboration with Microsoft. A patch has been made available for the vulnerability as of Tuesday, October 14.

MS14-060: Vulnerability in Windows OLE Could Allow Remote Code Execution (3000869) — An attacker who convinced a user to open a malicious Office document could gain remote code execution.

Visible Targets 

Visibility into this campaign indicates targeting across the following domains. It is critical to note that visibility is limited and that there is a potential for broader targeting from this group (and potentially other threat actors) using this zero-day. 

  • NATO
  • Ukrainian government organizations
  • Western European government organization 
  • Energy Sector firms (specifically in Poland) 
  • European telecommunications firms 
  • United States academic organization



The group has also reportedly used at least five other older vulnerabilities in their attacks, often chaining exploits as they move through networks.

So far the zero-day vulnerability has been exploited through PowerPoint files or other attachments. There has not been any indication that the initial attack vector is remote, so it relies on social engineering or a similar tactic to get a file with the malicious code to execute.





Wednesday, October 8, 2014

USB’s and what makes them Bad



When we talk about a USB device or call something USB, we are actually talking about the way a computer peripheral (including keyboards, pointing devices, digital cameras, printers, portable media players, disk drives and network adapters) connects to a computer or system to either communicate or supply electrical power. In today’s world we all have something we use daily that uses a USB connection or cable, whether it is our smartphone or a mass storage device, an iPod or maybe even a webcam. This universal standard makes it easy for us to connect all sorts of devices to our computers, as all computers today come with USB ports as standard.

So how can something so good become bad?

Simply because of opportunity, and hackers. Hackers are described as anyone who seeks to exploit weaknesses in a computer system or network (http://en.wikipedia.org/wiki/Hacker_(computer_security)). Hackers look for any opportunity, whether they find it or it presents itself, to take control of and compromise a system or network. They found such an opportunity in USB device firmware. A USB device firmware hack called BadUSB was presented at the Black Hat USA 2014 conference, demonstrating how a USB flash drive microcontroller can be reprogrammed to spoof various other device types in order to take control of a computer, exfiltrate data, or spy on the user (http://www.wired.com/2014/07/usb-security/).

So what is BadUSB?

An article from hacknigpost.com described it: “In short, every USB drive has a microcontroller in it, which is a small chip that acts as an interface between the device (keyboard or flash drive) and the host (PC). This small chip often has firmware that can be reprogrammed to do notorious things, such as logging your keystrokes and infecting your personal computer with malware, or something much worse. BadUSB is really very dangerous because of one factor, which is “It is Undetectable”, even if scanned by an antivirus program.” According to Wired Magazine, this BadUSB vulnerability is practically unpatchable because it exploits the very way that USB devices are designed. Once infected, each USB drive will infect anything it’s connected to.

So what is the impact of BadUSB?

Once the device is compromised, the USB devices can reportedly:
  • Log keystrokes
  • Alter folders & files
  • Infect other devices & systems
  • Spoof a network card to change the computer’s DNS setting
  • Install malware & control the keyboard

So how do you stay protected?

The best protection against the BadUSB vulnerability and other similar exploits is good security practices. Always keep your software updated, never open any files which you don’t recognize, and don’t plug any devices into your computer unless you know where they’ve been.

top 10 most prolific hacking countries

Here is a list of the top 10 most prolific hacking countries:
1. China
The Chinese may not always be guilty, but they have a 41% share of hacker attacks. Just one year before, the Republic of China was responsible for only 13% of cyber attacks according to Akamai, and its share in the third quarter was 33%.

2. U.S.
Every tenth hacker attack worldwide originated in the United States.

3. Turkey
Bronze medal for Turkey, accounting for 4.7% of global cybercrime.

4. Russia
Russia is considered to defuse the situation from 6.8% to 4.3% October-December 2012.

5. Taiwan
Taiwanese are responsible for 3.7% of computer crimes at the end of 2012.

6. Brazil
Brazil registered a decline of hacking attacks – from 4.4% at the end of 2011 to 3.8% in the third quarter of 2012 and 3.3% – in the fourth.

7. Romania
The seventh is Romania with a share of 2.8%.

8. India
India is responsible for 2.4% of hacking attacks worldwide.

9. Italy
Italy’s share is falling to 1.6%.

10. Hungary
Hungary is responsible for 1.4% of cyber attacks in late 2012.
- See more at: http://www.latesthackingnews.com/2014/05/04/the-top-10-hacking-countries-2014/#sthash.IuRVLkPp.dpuf

Tuesday, October 7, 2014

windows 10 tracks users keylogger

http://www.latesthackingnews.com/

Password Best Practices


Tips for securely managing your Access Account password

Create a strong password

Use strong passwords to protect your computing resources. Follow these rules to create strong passwords:
  • Use two numbers in the first eight characters.
  • Pick long passwords, at least 8 characters in length if the system allows it.
  • Don't use a common dictionary word, a name, a string of numbers, or your User ID.
  • One of the easiest to remember and hardest to crack password methods is the pseudo-random password. The actual password is generated from an easy to remember phrase that is important to the user. This phrase can be the words from a book that you particularly like, words from a song that you always remember with ease, a statement that some powerful figure made that you will never forget. The key to a successful password is to create a phrase that is easy for you to remember, but no one else will ever think about attributing it to you.
      • personal phrase: "Four score and seven years ago our fathers brought…"
        password: 4scanse...
        method: Chose first two letters from each word until a total of eight characters resulted.
      • personal phrase: "It was a dark and stormy night..."
        password: iWadasn7
        method: Chose first letter from each word, followed by the age of nephew.
      • personal phrase: My Brother's Birthday Is april(4) Twenty Two Nineteen Sixty three(3)
        password: mbbi4tt19s3
        method: Chose the first letter from most words, and substituted numbers for letters.
  • Certain special characters may be used. However, note that some applications may not accept special characters. If this problem is encountered, changing your password to a combination of letters and numbers should solve the problem. Examples of permitted special characters are shown below:
    $     .     ,     !     %     ^     *
    Note that some special characters should not be used; see disallowed special characters. Also, if you use dial-up service to connect, you cannot have any special characters in your password.

Avoid a weak password

When creating passwords, avoid the following:
  • Easy to guess passwords such as a blank or "password"
  • Your name, spouse’s name, or partner’s name
  • Your pet’s name or your child’s name
  • Names of close friends or coworkers
  • Names of your favorite fantasy characters
  • Your boss’s name
  • Anybody’s name
  • The name of the operating system you’re using
  • String of numbers or letters, like 1234, abcd
  • The hostname of your computer
  • Your phone number or your license plate number
  • Any part of your social security number or Penn State ID
  • Anybody’s birth date
  • Other information easily obtained about you (e.g., address, town, alma mater)
  • Words such as wizard, guru, password, gandalf, and so on
  • A username in any form (as is, capitalized, doubled, etc.)
  • A word in the English dictionary or in a foreign dictionary
  • Place names or any proper nouns
  • Passwords of all the same letter
  • Simple patterns of letters on the keyboard, like asdfg
  • Any of the above spelled backwards
  • Any of the above followed or preceded by a single digit
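
Several of the rules above can be checked mechanically when a password is chosen. The following checker is an added example, not part of the original guidance; the tiny word list stands in for a real dictionary and name list, and the function and constant names are assumptions made for illustration.

```python
# Constructed stand-in for a real dictionary / name list.
WORDLIST = {"password", "wizard", "guru", "gandalf", "dragon", "windows"}

# Alphabet, digits and the three letter rows of a QWERTY keyboard.
SEQUENCES = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm"]

TOO_SHORT = "shorter than 8 characters"
FEW_DIGITS = "fewer than two numbers in the first eight characters"
GUESSABLE = "dictionary word, name or User ID (as is, reversed, or with one digit added)"
RUN = "simple run of letters, numbers or keyboard keys"
SAME_CHAR = "all the same character"


def _variants(password):
    """Forms the rules treat as equivalent: case-folded, with a single
    leading or trailing digit removed, and each of those spelled backwards."""
    base = password.lower()
    forms = {base}
    if len(base) > 1 and base[0].isdigit():
        forms.add(base[1:])
    if len(base) > 1 and base[-1].isdigit():
        forms.add(base[:-1])
    forms |= {form[::-1] for form in forms}
    return forms


def _is_run(text):
    """True for strings such as 1234, abcd or asdfg (four or more keys)."""
    return len(text) >= 4 and any(text in row for row in SEQUENCES)


def check_password(password, user_id):
    """Return the list of rules the password breaks (empty list = passes)."""
    problems = []
    if len(password) < 8:
        problems.append(TOO_SHORT)
    if sum(ch.isdigit() for ch in password[:8]) < 2:
        problems.append(FEW_DIGITS)

    banned = set(WORDLIST)
    uid = user_id.lower()
    if uid:
        banned |= {uid, uid * 2}  # the User ID as is, capitalized or doubled

    forms = _variants(password)
    if any(form in banned for form in forms):
        problems.append(GUESSABLE)
    if any(_is_run(form) for form in forms):
        problems.append(RUN)
    if password and len(set(password.lower())) == 1:
        problems.append(SAME_CHAR)
    return problems


if __name__ == "__main__":
    # "abc5000" is a constructed User ID.
    for candidate in ("mbbi4tt19s3", "drowssap", "gandalf7", "12345678"):
        print(candidate, check_password(candidate, "abc5000") or "ok")
```
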

Protect your password from misuse

  • Do not let anyone else know or use your password; this is a violation of University policy.
  • For optimum security, don't write your password down. If you must write it down, keep it somewhere private such as in a locked drawer or in your wallet. Don’t post it on your computer or anywhere around your desk. Don’t include the name of the system or the associated User ID with the password.
  • Be aware of when a password is sent securely across the Internet. URLs (Web addresses) that begin with “https://” rather than “http://” are secure for use of your password. The "s" in "https" means that the Web site is encrypted and cannot easily be read by other people. If the URL does not begin with "https" then you should not use your Penn State Access Account password.
  • If you suspect that someone else may know your current password, change your password immediately.
  • Change your password periodically, even if it hasn't been compromised.
  • Don't type your password while anyone is watching.

Enable Security Questions

Setting personal security questions greatly enhances the protection of an Access Account.  The security measure enables a forgotten or expired password to be reset remotely by the user and without assistance from the ITS Accounts Office.
The answer creation process to security questions should follow similar procedures to that of generating a password:
  • Information not easily obtainable
  • Notable answer, yet hard for others to guess
  • Do not print answers to the questions
  • Store answers in a secure location if necessary to have printed
  • Change questions periodically to ensure protection




Friday, October 3, 2014

Shell Shock


How long would it take to crack my password


http://www.itworld.com/security/280486/how-long-would-it-take-crack-my-password?page=0,1
How long would it take to crack my password: (Includes letters and numbers, no upper- or lower-case and no symbols)

6 characters: 2.25 billion possible combinations
  • Cracking online using web app hitting a target site with one thousand guesses per second: 3.7 weeks.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 0.0224 seconds
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0000224 seconds
10 characters: 3.76 quadrillion possible combinations
  • Cracking online using web app hitting a target site with one thousand guesses per second: 3.7 weeks.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 10.45 hours
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 37.61 seconds.
Add a symbol, make the crack several orders of magnitude more difficult:
6 characters: 7.6 trillion possible combinations
  • Cracking online using web app hitting a target site with one thousand guesses per second: 2.4 centuries.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 1.26 minutes
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 0.0756 seconds
10 characters: Possible combinations: 171.3 sextillion (171,269,557,687,901,638,419; 1.71 x 10^20)
  • Cracking online using web app hitting a target site with one thousand guesses per second: 54.46 million centuries.
  • Cracking offline using high-powered servers or desktops (one hundred billion guesses/second): 54.46 years
  • Cracking offline, using massively parallel multiprocessing clusters or grid (one hundred trillion guesses per second): 2.83 weeks.

Thursday, October 2, 2014

OpenVAS

Some tools I have used, pretty cool.
The world's most advanced Open Source vulnerability scanner and manager
OpenVAS is a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
Greenbone Networks delivers a vulnerability analysis solution for enterprise IT which includes reporting and security change management.

Wednesday, October 1, 2014

Posters

http://mindfulsecurity.com/2009/09/19/free-threats-security-awareness-posters/


What are Patches

The word patch is defined as “a piece of cloth or other material used to mend or strengthen a torn or weak point.” So it makes sense that a software patch would be a piece of code added to software to strengthen its weak points. These weak points are usually where viruses, malware and other attacks are focused, and the patches remedy whatever made the computer system vulnerable.

Software updates whether big or small are important. Much like with changing the oil in your car, brushing your teeth daily or going to a doctor for annual checkups, updates are necessary. Computers and the software they use require regular updates to ensure they continue to run safely and efficiently.

Viruses are ever-evolving and your operating system, antivirus and other applications should continuously evolve as well. It’s quite easy to ignore system updates for a while and fall behind the times, becoming vulnerable to new threats.

Updates serve a number of different functions as listed below:
  • Fix security holes
  • Optimize the utilization of resources on the operating system
  • Add newer and more secure features
  • Remove old and unprotected features
  • Update drivers to increase software efficiency


Cool Desktop?



What is #shellshock?


Shellshock (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, CVE-2014-6278) is a vulnerability in GNU's bash shell that gives attackers access to run remote commands on a vulnerable system. If your system has not updated bash since Tue Sep 30 2014: 1:32PM EST you're most definitely vulnerable and have been since first boot. This security vulnerability affects versions 1.14 (released in 1994) to the most recent version 4.3 according to NVD.




The following can be found at:

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet daemons, such as web servers, use Bash to process certain commands, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.
The bugs cause Bash to unintentionally execute commands when they are stored in specially crafted environment variables. Within days of the initial vulnerability, a series of further related vulnerabilities in Bash were found, leading to the need for further patches.
By 25 September 2014, botnets based on computers compromised with the bug were being used by attackers for distributed denial-of-service attacks and vulnerability scanning. Millions of attacks and probes related to the bug were recorded by security companies in the days following the disclosure.[7][8] The bug could potentially be used to compromise millions of servers and other systems, and it has been compared to the Heartbleed bug in its severity.
Stéphane Chazelas discovered the original bug on 12 September 2014 and suggested the name "bashdoor". The bug was assigned the CVE identifier CVE-2014-6271. Analysis of the sourcecode history of Bash shows that the vulnerabilities had existed since approximately 1992.
Apple Inc. commented that most Mac users were likely not affected, unless they were advanced users. Although notified of the vulnerability before it was made public, the company did not release a corresponding OS X update until 29 September, but it did not fix all known vulnerabilities.
Background
The Shellshock vulnerabilities affect Bash, a program that various Unix-based systems use to execute command lines and command scripts. It is often installed as the system's default command line interface. Bash is free software developed collaboratively and overseen since 1992 on a volunteer basis by Chet Ramey, a professional software architect. Analysis of the sourcecode history of Bash shows that the vulnerabilities had existed undiscovered since approximately version 1.13 in 1992. The maintainers of the Bash sourcecode have difficulty pinpointing the time of introduction due to the lack of comprehensive changelogs.

In Unix-based operating systems, and other operating systems that Bash supports, each running program has its own list of name/value pairs called environment variables. When one program starts another program, it provides an initial list of environment variables for the new program. Separately from these, Bash also maintains an internal list of functions, which are named scripts that can be executed from within Bash. Since Bash is both a command interpreter and a command, it is possible to execute Bash from within Bash. When this happens, the original instance can export environment variables and function definitions into the new instance. Function definitions are exported by encoding them within the environment variable list as variables whose values begin with parentheses ("()") followed by a function definition. The new instance of Bash, upon starting, scans its environment variable list for values in this format and converts them back into internal functions. It performs this conversion by creating a fragment of code from the value and executing it, thereby creating the function 'on-the-fly', but affected versions do not verify that the fragment is a valid function definition. Therefore, given the opportunity to execute Bash with a chosen value in its environment variable list, an attacker can execute arbitrary commands or exploit other bugs that may exist in Bash's command interpreter.
Impact
Within an hour of the announcement of the Bash vulnerability, there were reports of machines being compromised by the bug. By 25 September 2014, botnets based on computers compromised with this exploit were being used by attackers for distributed denial-of-service attacks and vulnerability scanning. Kaspersky Labs reported that machines compromised in an attack, dubbed "Thanks-Rob", were conducting DDoSes against three targets, which they did not identify. On 26 September 2014, a botnet based on computers compromised with this exploit was reported. Dubbed "wopbot", the botnet was being used for a distributed denial-of-service (DDoS) attack against Akamai Technologies and to scan the United States Department of Defense.

On 26 September, the security firm Incapsula noted 17,400 attacks on more than 1,800 web domains, originating from 400 unique IP addresses, in the previous 24 hours; 55% of the attacks were coming from China and the United States. By 30 September, Cloudflare said it was tracking approximately 1.5 million attacks and probes per day related to the bug.
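
A defender can look for the function-definition prefix described under Background in two places: the environment handed to a child process and the header fields recorded in web server logs. The following is an added example, not code from the quoted article or from the Bash project; the log lines are constructed, with the trailing command replaced by a placeholder, and all function names are illustrative.

```python
import re

# An exported Bash function travels as an environment value that begins
# with "()" followed by the function body. Whitespace between the tokens
# may vary, so match it loosely.
FUNC_PREFIX = re.compile(r"^\s*\(\)\s*\{")

# Double-quoted fields of a combined-format access log line
# (request line, referer, user agent).
QUOTED_FIELD = re.compile(r'"((?:[^"\\]|\\.)*)"')


def looks_like_exported_function(value):
    """True if an environment value has the exported-function shape."""
    return FUNC_PREFIX.match(value) is not None


def scrub_environment(env):
    """Split env into (clean, dropped_names) before starting a child shell.

    This is a stop-gap for systems that cannot be patched yet: it also
    drops legitimately exported functions, and updating Bash remains the
    actual fix.
    """
    clean, dropped = {}, []
    for name, value in env.items():
        if looks_like_exported_function(value):
            dropped.append(name)
        else:
            clean[name] = value
    return clean, sorted(dropped)


def scan_access_log(lines):
    """Return (line_number, client, field) for each suspicious header field.

    CGI web servers copy request headers such as User-Agent and Referer
    into environment variables, which is why they are worth checking.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        client = line.split(" ", 1)[0]
        for field in QUOTED_FIELD.findall(line):
            if looks_like_exported_function(field):
                hits.append((lineno, client, field))
    return hits


# Constructed sample log lines; addresses are documentation ranges and the
# command part of each probe is replaced by a placeholder.
SAMPLE_LOG = [
    '198.51.100.7 - - [26/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [26/Sep/2014:10:01:05 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 87 "-" "() { :; }; TRAILING-COMMAND-REDACTED"',
    '203.0.113.9 - - [26/Sep/2014:10:01:06 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 87 "()  { ignored; }; TRAILING-COMMAND-REDACTED" "curl/7.30"',
    '192.0.2.44 - - [26/Sep/2014:10:02:11 +0000] "GET /search?q=f() HTTP/1.1" '
    '200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for lineno, client, field in scan_access_log(SAMPLE_LOG):
        print("line %d from %s: %r" % (lineno, client, field))
    clean, dropped = scrub_environment({
        "PATH": "/usr/bin:/bin",
        "HTTP_USER_AGENT": "() { :; }; TRAILING-COMMAND-REDACTED",
    })
    print("dropped before exec:", dropped)
```
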