When SANS has three lead articles on one topic, you know it is a BIG deal.
Read one of the articles below and write a paragraph summarizing it. The third
item is of particular interest as we are discussing program development controls
and their impact on secure/trusted software this week.
TOP OF THE NEWS
Bash Shellshock Flaw (September 25, 2014)
A serious flaw in a software component called Bash is said to be more serious
than the Heartbleed vulnerability that was disclosed earlier this year. The
flaw, which is being called Shellshock, can be exploited to remotely take
control of vulnerable systems. It affects an estimated 500 million UNIX and
LINUX machines. Bash, or the GNU Bourne Again Shell, is a command prompt on many
Unix systems. The US Computer Emergency Response Team (US-CERT) has issued a
warning and is urging admins to patch the flaw. Others have expressed concern
that the patches that have been made available are incomplete.
-http://www.bbc.com/news/technology-29361794
-http://www.csmonitor.com/Innovation/Latest-News-Wires/2014/0925/Cybersecurity-Wh
-Remote-Code-Execution-Vulnerability
[Editor Comment (Northcutt): The advice they are giving us at SANS is be careful
about any unusual attachments. That's always a smart idea.]
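Since the item above says the flaw is already being used against servers, the practical question for an administrator is how to spot attempts in existing logs while patches are rolled out. The following script is an added example, not part of the SANS newsletter or of any vendor's tooling: it scans web server access log lines for the Bash function-definition prefix ("() {" followed by a closing brace and a further command) that Shellshock attempts carry in request headers. The log format, the field names, the regular expressions and the sample log lines are all my own constructions and assumptions, and the signature is a heuristic that may need tuning for a given environment.

```python
import re

# Heuristic signature for the Bash environment-function pattern exploited by
# Shellshock: "() {", a function body, a closing brace, then a ";" that starts
# trailing text. The regex is an assumption of this example, not an official rule.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")

# Parser for an Apache/nginx "combined" style access log line (assumed format):
# ip ident user [time] "request" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Header-derived fields an attacker controls and a CGI handler may export to
# Bash as environment variables.
CHECKED_FIELDS = ("ref", "ua", "req")

# Constructed sample log lines (documentation-range IPs, not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.3 - - [25/Sep/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [25/Sep/2014:10:01:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { :;}; echo probe" "curl/7.37.0"
"""


def parse_line(line):
    """Return a dict of fields for a combined-format log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def matching_fields(entry):
    """List the attacker-controlled fields in a parsed entry that carry the signature."""
    return [f for f in CHECKED_FIELDS if SHELLSHOCK_RE.search(entry[f])]


def scan_log(text):
    """Scan raw log text; return (source_ip, request_line, fields_hit) for each suspicious line."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # unparseable line; a real tool would count these separately
        fields = matching_fields(entry)
        if fields:
            hits.append((entry["ip"], entry["req"], fields))
    return hits


if __name__ == "__main__":
    for ip, req, fields in scan_log(SAMPLE_LOG):
        print(f"{ip} {req!r} signature in {', '.join(fields)}")
```

The scan looks only at fields a CGI gateway typically exports into the environment of a child process; a hit is a reason to confirm the host's Bash is patched and to check what the CGI script did with the request, not proof of compromise on its own.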
Shellshock Flaw is Being Actively Exploited (September 25, 2014)
There are reports that attackers have already begun exploiting this flaw to
infect vulnerable servers around the world.
-http://www.eweek.com/security/linux-malware-uses-shellshock-flaw-to-infiltrate-w
Shellshock May Further Marginalize Open Source Software (September 25,
article in the New York Times tells the story of how Bash and its flaw came to
be. The most impactful paragraph in her story may be the final one, where she
wrote, 'The mantra of open source was perhaps best articulated by Eric S.
Raymond, one of the elders of the open-source movement, who wrote in 1997 that
"given enough eyeballs, all bugs are shallow." But, in this case, Steven M.
Bellovin, a computer science professor at Columbia University, said, those
eyeballs are more consumed with new features than quality. "Quality takes work,
design, review and testing and those are not nearly as much fun as coding," Mr.
Bellovin said. "If the open-source community does not develop those skills, it's
going to fall further behind in the quality race."' -
Source - http://www.sans.org/newsletters/newsbites/newsbites.php?vol=16&issue=77