Personal data stores at risk from new bug

Monday October 13, 2014 at 2:23pm
Personal data such as documents, photos and videos from thousands of individuals and small businesses could be accidentally and unwittingly shared online. People at risk are those who purchase Network Attached Storage (NAS) devices, normally with the intention of sharing media (films, photos etc.) within a household or within a small business environment.

When configured correctly these devices can be accessible to any other device on the home or business network. However, they can easily be configured incorrectly to make them available on the internet.

Customers are putting their trust in the manufacturers to have implemented stringent security controls to protect their data. However, this is not the case with some NAS devices on sale. Good security practices are always to change the default password and to keep the firmware updated.

Shellshock puts devices at risk

To make matters even worse, a serious new bug, "Shellshock", has just been discovered which could have an impact on network devices such as NAS devices or routers.

The vulnerability was found in a software component called Bash, which is part of Linux systems as well as Apple's OS X operating system. Many web servers using the Apache system also include the Bash component.

Experts are suggesting that Shellshock could hit at least 500 million machines worldwide and unfortunately a reliable and complete patch for Bash is not yet ready. A partial fix exists, but it doesn't fully solve the problem yet.

A patch from Apple should be pending.

Advice for companies who want to mitigate the threat

  • Patch systems at the earliest possible opportunity
  • Follow good cyber-security practices to secure internet connected devices:
    • Block unnecessary inbound traffic at the firewall
    • Disable unnecessary services running on devices
    • If running web server software, ensure it runs from low privilege accounts
    • Filtering input to websites, through a Web Application Firewall, can also help to limit impact
    • Ensure logging and auditing functionality is enabled and actively monitored
    • Disabling advanced functionality, such as cgi-bin, can help to mitigate some of the impact of the vulnerability, but this may have an adverse effect on websites.
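
An added example, not part of the original post: one way to act on the logging and monitoring advice above is to scan web server access logs for the `() {` function-definition marker that Shellshock requests carry in header fields. It assumes the Apache combined log format; the sample lines, addresses and placeholder text are constructed.

```python
import re
from urllib.parse import unquote

# Vulnerable Bash treats an environment value beginning "() {" as a function
# definition, and CGI copies request headers into the environment, so the
# marker in a logged field is worth an alert whatever follows it.
MARKER = re.compile(r"\(\s*\)\s*\{")
Q = r'"((?:[^"\\]|\\.)*)"'  # quoted field; Apache logs embedded quotes as \"
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[[^\]]+\] ' + Q + r' (\d{3}) \S+ ' + Q + ' ' + Q
)
FIELDS = ("request", "referer", "user_agent")


def scan_line(line):
    """Return (ip, status, [fields carrying the marker]) or None if clean."""
    m = COMBINED.match(line)
    if m is None:
        # Malformed or truncated line: search it whole rather than skip it.
        return (None, None, ["raw"]) if MARKER.search(unquote(line)) else None
    ip, request, status, referer, agent = m.groups()
    hits = [name for name, value in zip(FIELDS, (request, referer, agent))
            if MARKER.search(unquote(value))]  # unquote catches %28%29%20%7B
    return (ip, status, hits) if hits else None


def scan_log(lines):
    """Return one finding per suspicious line, in log order."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample lines (documentation address ranges, placeholder payloads).
SAMPLE = [
    '192.0.2.10 - - [13/Oct/2014:14:01:07 +0000] "GET /index.html HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [13/Oct/2014:14:02:11 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '200 312 "-" "() { :; }; PLACEHOLDER"',
    '198.51.100.8 - - [13/Oct/2014:14:02:15 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 209 "%28%29%20%7B%20PLACEHOLDER" "curl/7.38.0"',
    'truncated entry () { PLACEHOLDER',
]

if __name__ == "__main__":
    for ip, status, fields in scan_log(SAMPLE):
        print(ip, status, ",".join(fields))
```

A hit with a 200 status on a CGI path deserves priority in triage, since the script ran; the pattern can also match harmless text containing `() {`, so treat findings as leads to review.
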
With two major security vulnerabilities found in as many months, are we simply putting too much of our trust and information in the cloud? This is another reason why storing your data, or at least one backup, ‘offline’ isn’t such a bad idea.

Marcus Allen
Parker Management Consultants


Categories:

Cyber attacks

Parker Management Consultants, 1st floor, Dominion Court, 43, Station Road, Solihull, B91 3RT