Shellshocked, and expecting worse to come

Vulnerabilities like Shellshock and Heartbleed are disruptive at the best of times, and they seem to be happening with greater frequency.

I was Shellshocked last week.

Ever since the announcement of the Shellshock vulnerability (also known as the Bash vulnerability) in late September, I have been very busy. As you're probably aware, the Shellshock vulnerability is prevalent in systems that are based on the Linux operating system.

Unfortunately for those of us that have to deal with the vulnerability, the Linux operating system is used in lots of devices that we don't normally think of as computers, so they don't fall into a normal patching routine. I suppose it's so widely used because it's free, making it attractive as a platform for vendors to use when they set out to create a new product, from toasters to cars. But for many of those products, the Linux operating system is way more complex than what they really need. On my network, I found it in network devices, load balancers and even a couple of my favorite security products. And one of those was my firewall!

I also found the Shellshock vulnerability in my building's door access-control system (and that's the same building access-control system I recently wrote about that was hooked up to an old PC running its management software). It's connected to the network, but it's not part of the normal computing infrastructure, so it is just as vulnerable to Shellshock as anything else. For this and other specialized devices, I've had to reach out to the vendors to obtain firmware updates. I've been successful at getting updates from most of my company's vendors, so my team has been busy applying updates. Trouble is, some of the devices I had to update were not well supported by the vendor, because they're not the kinds of things you would normally think of applying updates to. That door controller, for instance, is a simple device that translates inputs from our badge readers to the access-control system, and back to the door locks. That's not something we normally mess around with.

I hate to think what malicious attackers could do if they exploited Shellshock, or any other vulnerability, on these door controllers. For example, could they lock people into their offices? Or could they monitor the movements of our staff? Maybe even unlock the doors so they could sneak into the building at night and steal from my company?

Not a good time

There's never a good time to drop everything and deal with a new security vulnerability, of course. Still, this is a particularly bad time for something like this to come up. I'm right in the middle of several major projects, while trying to find time to plan for next year's budget, and dealing every day with a threat landscape that seems to force my firewall to block more attacks than ever (as I recently wrote about).

But what really worries me is that the pace at which major, pervasive vulnerabilities like Shellshock and Heartbleed are discovered seems to be increasing, along with the severity of those vulnerabilities. Am I going to have to expect to drop everything, every couple of months, to fix some new major vulnerability? If so, I'm going to need more staff, resources and budget.

We live in interesting times. I'm starting to understand how that can be a curse.

This week's journal is written by a real security manager, "J.F. Rice," whose name and employer have been disguised for obvious reasons. Contact him at
