PSA: Shellshock bash bug

First, if you're a unix sysadmin or anyone running any web services that pass through a unix server, ow. Hope you've got overtime pay.

For anyone who cares to read more about the details of what the bug is and what it can do, etc., I refer you to Troy Hunt's post of yesterday ( troyhunt/2014/09/everything-you-need-to-know-about.html ).

If you're a normal person hearing about this, then there are a few things you can and should do:

1. Check that your home wifi router is not able to be accessed via the Internet (usually for administration purposes). If that is on, and your router runs Linux (and many of them do), it's potentially a problem. Check your instruction leaflet for whether this can be on or not and turn it off if it is. Then check how to download the latest firmware for your router; in a few weeks' time you'll want to do that. If you have any other devices that are accessible via the Internet, you probably want to find out if they're Linux based and turn that feature off too.

2. If you're a Mac OS X user, if your machine only ever joins networks with trusted machines on it, you're probably safe for now. But just in case, or if you ever join public networks, open System Preferences - Sharing. If Printer Sharing is on, you want to turn it off. If you're using an old version of Mac OS, you may have Web Sharing turned on; you also want to turn it off. New versions of Mac OS don't have Web Sharing, unless you're running OS X Server. If you have Remote Login active, just check that you do not Allow Access for All Users. Other than that, wait for Apple to issue an OS Software Update that fixes the problem.

3. If you're a Linux user, you probably want to run your Linux version's package updater right now. And again in a few days' time, as the bash maintainers have not actually released a patch that fully fixes the problem yet.

4. This is a similar situation to the Heartbleed bug in that web servers may potentially be broken into (it's even worse technically). You will need to confirm with website owners that they were either not vulnerable, or were vulnerable and have fixed the bug, then change your password on that service. Again. Yes, I know. Tiresome. Sorry. :-( It's probably best to just prioritise the important sites (net banking, and anything with serious personal consequences), and do those in a few days' time.

5. If you use unique passwords for every site you log in to, that at least limits any potentially stolen passwords to sites that are vulnerable and lessens the urgency on changing every password you have. That's why, if you haven't already, now is the time to find a password keeper application to randomly generate new unique passwords for every single site you log in to and store them for you. If you're an Apple only person, the iCloud Keychain is quite good and free; otherwise I highly recommend 1Password ( https://agilebits/onepassword ). LastPass ( https://lastpass ) showed themselves to be reasonably good at security (and they support Linux). There are other options for secure password keepers; if people who use other good ones wish to mention them in comments, please feel free.

Original Link: thorfinn.dreamwidth.org/57338.html
Posted on: Fri, 26 Sep 2014 05:55:50 +0000
