Skip to main content

Shellshock: How to protect yourself [UPDATED]

A worrying new security vulnerability (opens in new tab) has muscled its way onto the Internet, and world-leading security experts are saying it's even worse than this year's Heartbleed fiasco.

Called "Bash" or "Shellshock", the security flaw is inherent to a computer's shell. This is the user interface that accesses operating systems like Command Prompt, and means that many Linux, Unix, and some BSD systems (including Apple's OS X) are vulnerable.

Read more: What every business needs to know about Shellshock (opens in new tab)

Worryingly, the ubiquitous nature of the bug means that a large percentage of software is engaged in constant interaction with the shell. Consequently the bug can infiltrate software in a number of different ways.

So what can you do to protect yourself against this frightening new bug, and how can you avoid Shellshock? Well, the answer is basically the same as it's always been. There's no special tool or patch that'll keep you protected from Shellshock. It's just pure, common-sense cyber security.

1. Keep Windows, OS X and Linux up to date

Unlike a lot of malware out there, the new Shellshock breed is capable only of infecting Apple computers running OS X and any machine running Linux - basically any operating system based on Unix. As such, it's important to keep your operating system up to date to ensure that it has the latest security patches and vulnerabilities aren't left undetected. While it's not clear whether Shellshock affects Windows machines, it's always best to keep everything up to date anyway.

While there aren't any specific updates dealing with Shellshock right now, all the major companies will be scrambling to fix the opening, and updates should be coming soon.

Update: Apple has released a patch fixing the bash vulnerability. Anyone who worries that they or their business might be vulnerable should take steps to update their systems now. The updates haven't yet made their way onto Apple's automated update tool, but the individual links for the updates are here: for Mavericks (opens in new tab), for Lion (opens in new tab), and for Mountain Lion (opens in new tab).

2. Patch Bash and backup your data

To mitigate the risks involved, Toyin Adelakun of Sestus advised: "the urgent advice is to immediately patch or update the bash software. That applies both to servers as well as clients (i.e. individuals' systems) such as Apple MacBooks and Mac Pro desktop computers. Because they affect both client and server computers, and because they could lead to data leakage directly from computers, these risks do indeed potentially surpass those of the Heartbleed bug."

Internet users should also ensure that all sensitive data is backed up, and make sure that no data that could compromise their company or any other organisation is stored on their personal computers.

"People should not only protect their computers, but also ensure that they back up their data regularly," said security expert David Emm of Kaspersky.

3. Perform proper security maintenance has published a list of downloads it recommends to keep yourself protected.

Unfortunately, the massive demand for the service is causing the website to crash, and it's been offline for about 24 hours now. Not very helpful, we know – but hopefully it'll be up and running soon enough.

In the meantime, why not check out ITProPortal's article on 3 security tools you must have before you go online.

4. Use a password manager

Phishing gets a lot easier once the attacker has access to your personal data. Using long, complex passwords, and different passwords for each site you access will maximise your security on this front If you're not feeling up to that, why not get a password manager?

We've written up a rundown of all the best password managers available, so go check that out.

How many times do we have to tell you? Don't open them! If you don't know where an email came from, don't open it. If you weren't expecting an email from a colleague, don't open it. If the message in the text is generic and could have come from anyone, don't open it.

Don't rely on hovering over the link to see the URL, either – hackers are becoming more and more sophisticated at spoofing legitimates URLs in order to infect you with malware. This is the single most common vector of attack, so protect yourself from fake emails, and you'll be laughing.

6. Stay informed!

Make sure you stay abreast of developments. We'll be following the story as it develops, so subscribe to our newsletter using the form below to get all the updates as they come in.

Final advice

The message is always the same - make sure your antivirus software, and firewall, and everything else designed to protect you is up to date.

If you're a business, audit your ENTIRE IT estate regularly so you understand your exposure and can make prudent decisions based on accurate data. Patch wherever and whenever possible to remove threats. Minimise exposure but limiting access to data where patches cannot be applied – and then pressurise dependent software providers to upgrade their applications.

Paul Cooper
Paul Cooper

Paul has worked as an archivist, editor and journalist, and has a PhD in the cultural and literary significance of ruins. His writing has appeared in the New York Times, The BBC, The Atlantic, National Geographic, and Discover Magazine, and he was previously Staff Writer and Journalist at ITProPortal.