Fires in Chicago and Shellshock are the topics of interest in the halls of DerbyCon

LOUISVILLE – DerbyCon got off to a great start this morning, as hundreds packed the opening keynote address. The conference, now in its fourth year, runs all weekend long in downtown Louisville, Kentucky.

As is the case with any gathering of hackers and security professionals, the news of the day usually takes center stage as the topic of conversation.

Today there are two things of note, the first being the fire at the Chicago air traffic control center, which has caused several flight problems across the nation. Flights in and out of Chicago (both airports) were canceled, which led to a ripple effect, as flights at other major hubs were either delayed or canceled due to routing problems.

There is talk that some of the attendees who were due to arrive today are delayed, and there’s a real fear that return flights for many will be plagued with delays and other problems on Sunday and Monday, but that’s not certain. Most of the airlines contacted by Salted Hash wouldn’t comment on the matter, so the best bet is to just allow for extra time at the airport, arrive early, and make sure that connecting flights are on time.

The other topic of conversation this morning, as expected, is Shellshock, the GNU Bash vulnerability disclosed publicly earlier this week that has the potential to rival Heartbleed when it comes to scale and the potential for damage. However, despite the hype, not much is known about this bug. The full impact remains a mystery and administrators across the globe are working overtime this weekend to apply patches – even though the Red Hat patch is incomplete.

“It is definitely worse than Heartbleed,” one DerbyCon attendee told Salted Hash.

“The only thing that’s going to make this less of an issue is community response,” he added. The point being that when Heartbleed was announced, the community rallied around the issue. There was a clear scope and there was a way to focus on the issue. Now, it’s too widespread and there are too many unknowns.

It’s interesting to listen to attendees talk about the issue, because there is some misinformation about the topic. One example is the question of command execution versus code execution as it relates to Shellshock.

It’s worth noting that an attacker leveraging this vulnerability can only issue commands with the permissions of the process that’s targeted. However, anything that can run at root / system level is an immediate threat.

This is also why embedded devices are suspect, because most of those do run with system permissions, but the problem is – no one knows how many or what type of embedded devices are impacted by this issue.

Finally, there have been several well-known products impacted by Shellshock, which if not patched, could leave networks the world over exposed. Included in this batch of products are IBM’s QRadar, several Cisco products, and a handful of F5, Fortinet, and Juniper products. Details on those advisories can be seen here.