TR Editors' blog

Why the Shellshock Bug Is Worse than Heartbleed

We still don't know how many systems are vulnerable to the Shellshock bug, but it is likely in the millions.

Cesar Cerrudo 30/09/2014

Last Wednesday a serious software vulnerability called Shellshock was reported; the bug could be exploited to compromise millions of servers and other devices worldwide. We still don't know how wide and costly the problem will be, but we already know that Shellshock is more serious than the Heartbleed vulnerability that received wide attention back in April.

Heartbleed affected software used by servers to encrypt and secure communications. The flaw allowed attackers to get sensitive information such as encryption keys or passwords from vulnerable servers that could be used to secretly access the system later, for example to steal personal data.

Shellshock allows an attacker much more power. They can use it to take complete control of a system even without having a username and password. Exploitation of the vulnerability is simple and doesn't require advanced skills.

Because an attacker can use Shellshock to remotely execute any code on a system, it could be used to create a self-replicating "worm." It would use one compromised system to attack other systems, and so on, propagating over the network and compromising hundreds or thousands of systems in little time.

The Shellshock vulnerability was found in a software package called Bash, a command line interpreter, or shell, that provides a powerful, flexible way to run commands on a computer. It is the default for all Linux-based operating systems and Apple's Mac OS X. Bash is also widely used on simple Internet-connected devices, many of which run versions of Linux, meaning that not only servers could be compromised but also some home routers, IP cameras, etc.

Some popular networking devices widely used by corporations have already been identified as vulnerable. Mobile devices are not at risk, unless you have modified your Apple or Android device to gain more control over its software.

Shellshock is dangerous because while Bash is not directly exposed to the Internet, some software that is can make use of Bash internally. For example, the "DHCP" software that negotiates your connection to a Wi-Fi network can pass along commands to Bash. This means that someone with a vulnerable operating system (mostly Linux) could be attacked when connecting to an untrusted Wi-Fi. (It's worth noting that connecting to untrusted Wi-Fi networks is always a risk.)

Within a day of Shellshock being reported, there was evidence that it was being used to stage attacks "in the wild." Information security departments at all companies and organizations should take preventive actions such as applying security fixes and closely monitoring internal networks. The United States Computer Emergency Readiness Team has issued an alert, and along with other security organizations worldwide is recommending that users and system administrators apply security fixes as soon as possible.
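One way to do the monitoring recommended above, as an added example that is not part of the original article: unpatched Bash parses an environment value beginning with `() {` as a function definition, and web servers copy request headers into the environment of CGI scripts, so that prefix in an access log marks a Shellshock probe. The log lines, addresses and function names below are constructed for illustration, with command text elided.

```python
import re

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Unpatched Bash parses an environment value starting with "() {" as a function
# definition. Whitespace is matched loosely so near-miss probes are reported too.
MARKER = re.compile(r'\(\s*\)\s*\{')

# Constructed sample log lines (documentation addresses, command text elided).
SAMPLE_LOG = """\
192.0.2.10 - - [25/Sep/2014:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:03:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 0 "-" "() { :; }; <command elided>"
198.51.100.7 - - [25/Sep/2014:10:03:45 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 0 "() { x; }; <command elided>" "-"
203.0.113.5 - - [25/Sep/2014:10:05:00 +0000] "GET /docs/f() HTTP/1.1" 200 90 "-" "curl/7.30"
"""

def find_shellshock_probes(log_text):
    """Return one finding per log line whose request, referer or agent holds the marker."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a production scanner would count these
        fields = [f for f in ("request", "referer", "agent") if MARKER.search(m.group(f))]
        if fields:
            findings.append({"line": lineno, "host": m.group("host"),
                             "status": int(m.group("status")), "fields": fields})
    return findings

def hosts_to_review(findings):
    """Group findings by source address; a 200 means the probed URL exists and was
    served, so that server's Bash version should be checked first."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["host"], {"probes": 0, "served": 0})
        entry["probes"] += 1
        entry["served"] += int(f["status"] == 200)
    return summary

if __name__ == "__main__":
    for host, stats in hosts_to_review(find_shellshock_probes(SAMPLE_LOG)).items():
        print(host, stats)
```

A hit in the log shows only that a probe was sent; whether it succeeded depends on the Bash version behind the requested script, which is why patch status still has to be confirmed on the server itself.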

However, it's still too early to come up with an exhaustive list of affected devices that need updating. And although researchers and device vendors are publishing details about which devices are vulnerable and which aren't, for some devices in use, no one will be checking because they are no longer supported, or documentation is lacking.

The faster systems are identified and patched, the lower the number of security compromises—and financial losses—that will be caused by Shellshock. It's possible the economic effects of this bug will be severe because one compromised system can affect a lot of people. For instance, a compromised e-commerce site could not only cause lost sales due to downtime needed to patch, but also expose millions of credit card details, inconveniencing consumers.

Cesar Cerrudo is the chief technology officer at the computer security company IOActive Labs.

The Snooze Factor

MIT Technology Review Custom 30/09/2014

Americans spend about three and a half months of their lives hitting snooze buttons, according to research conducted by the health innovation company Withings.

More than three-quarters of the 3,000-plus adults surveyed early in 2014 rely on loud devices—typically bedside alarm clocks or smartphones—to wake them up. Of those, 57 percent are “snoozers” who hit the button at least once to stay in bed a few minutes longer.

But snoozing doesn’t seem to improve well-being. Of those surveyed, 57 percent report regularly feeling tired during the day, while only 33 percent describe their wakeup experience as “good.”

In fact, a majority of survey respondents—nearly 80 percent—agree that an unpleasant awakening can ruin the entire day. Respondents blamed bad wakeup experiences for negatively affecting their ability to concentrate (51 percent); to produce quality work (38 percent); and to enjoy a sense of well-being (35 percent).

It’s hardly surprising, then, that nearly half of survey respondents admitted that they’ve thought about smashing their alarms.

For more on the Withings sleep survey and the company’s new “No More Snooze” campaign, please visit http://www.withings.com/us/withings-aura.html

A Wake-Up Call for Better Sleep

MIT Technology Review Custom 30/09/2014

Sleep problems are not new. In the Middle Ages, the poet Geoffrey Chaucer movingly described the frustration of sleeplessness. William Shakespeare portrayed sleep deprivation so convincingly in his plays that many scholars assume the playwright himself suffered from insomnia. Even A.A. Milne’s Winnie-the-Pooh counted sheep and Heffalumps (imaginary elephants) in his quest to fall asleep.

Today, sleep problems are approaching epidemic proportions. Some 48 percent of Americans say they sometimes can’t sleep, according to the National Sleep Foundation (NSF), a nonprofit organization that promotes sleep education and advocacy. And 22 percent report experiencing insomnia all or most nights, according to NSF surveys.

“When sleep is problematic, people often dread it,” observes W. Christopher Winter, a neurologist and sleep medicine specialist and medical director of the Martha Jefferson Hospital Sleep Medicine Center in Charlottesville, Virginia. People spend hours tossing and turning, hoping and praying for sleep to come, often feeling ever more hopeless as the night wears on.

CAUSES AND COSTS

What causes insomnia? Clete Kushida, medical director of the Stanford Sleep Medicine Center at Stanford University in Palo Alto, California, and president of the World Sleep Foundation, cites a number of factors: everything from disease to depression to disorders such as sleep apnea or restless leg syndrome. Chronic pain, some medications, stress, and lifestyle events such as job losses or divorce can also lead to sleeplessness.

Whatever the cause, insomnia is taking a toll—and not just on individuals. The average U.S. employee costs his or her company $2,280 in productivity loss every year because of sleeplessness, according to research in the medical journal Sleep. For the nation as a whole, that adds up to a whopping productivity loss of $63.2 billion due to worker fatigue.

SNOOZE AND LOSE

Part of the problem, of course, is that many people don’t just have trouble sleeping: they have trouble waking up too. Their day begins with an unpleasant jolt, when a loud alarm clock or radio suddenly disrupts their sleep. They hit the snooze button; a few minutes later, they hit it again. And again. And again—sometimes a dozen or more times.

“People have to be up at 7 a.m., so they start waking up and hitting ‘snooze’” at 5 a.m. or 6 a.m., Winter says. In most cases, people are better off with the extra hour or two of shut-eye and then simply getting out of bed on time, he adds: “Why voluntarily fragment your sleep?” (For most adults, seven to eight hours of uninterrupted sleep appears to be about the right amount, according to the National Institutes of Health.)

While buzzing, beeping, or blaring alarms may force people to get up, those options don’t typically generate a positive wake-up experience, says Michael J. Decker, a sleep specialist and associate professor in the school of nursing at Case Western Reserve University in Cleveland, Ohio. In fact, being startled awake by noisy devices “may make us feel worse on an already grumpy morning,” he says. For more research on the wake-up experience, see “The Snooze Factor.”

LIGHT: THE ALL-IMPORTANT INGREDIENT

If there’s a common thread woven through the experts’ advice on how to sleep well and wake up refreshed, it’s this: understand the power of light—especially in the morning.

A strong dose of light first thing in the morning can offset grogginess, Kushida says. Patients who give themselves about 30 minutes of light exposure shortly after waking are more likely to feel alert all day.

Meanwhile, there’s evidence that waking up gradually in response to light—as if dawn were illuminating the room naturally—is not only more pleasant, but yields benefits all day long. “The presence of light prior to awakening has been shown to increase our body’s level of cortisol, which is a neurohormone that helps to prepare our brain and body for the stressors of the day,” Decker explains. Extra light and cortisol in the morning allow people to adapt better to stress throughout the day, helping them deliver peak performance.

RECOMMENDATIONS FOR BETTER REST

Experts offer the following tips for ensuring a good night’s sleep:

  • Set a schedule—and stick to it. “Keep a regular timetable for going to bed and getting up—even on weekends,” Kushida says. Winter agrees: “The body wants to do everything on a schedule,” he says. “You’ve got to create consistency.” Maintaining regular sleep-wake cycles helps people to stay in harmony with their circadian rhythms, physiological processes that follow roughly 24-hour patterns, largely in response to light and darkness. A consistent bedtime also helps the body derive maximum benefits from melatonin, a natural hormone stimulated by low light, which causes drowsiness.
  • Invest in good bedding. “Many of us will spend hundreds or thousands of dollars on living-room furniture, yet skimp on buying a good mattress and pillows,” Decker notes. He encourages patients to test mattresses in the store, looking for the right level of firmness. Those who know, or suspect, that they have allergies may wish to look for hypoallergenic mattresses and pillows.
  • Create a tranquil environment. “No laundry piles on the floor. No books scattered about,” Decker says. “A cluttered room can sometimes promote a sense of anxiety.” If you’ve got lively pets—a cat that attacks your feet during the night or a dog that wants to play at 2 a.m.—you may need to create a pet-free zone during sleeping hours.
  • Wind down. We all know that regular exercise is important for good health. But if you’re looking to prevent insomnia, experts say it’s best to avoid working out for at least two or three hours before bedtime.
  • Write what’s on your mind. “People with Type A personalities may have a lot of things flooding their minds,” Kushida says. “We advise them to write down everything that’s bothering them before bedtime.” That allows them to set aside those issues—at least temporarily—when it’s time to sleep.
  • If you can’t sleep, get up for a little while. “Go to another room and do something that makes you drowsy,” Kushida advises. The moving-to-another-room part is critical, he emphasizes: “The purpose is to recondition your thinking about the bedroom environment as a place to sleep, not a place of tossing and turning.”
  • Check for medical causes. Researchers have identified at least 90 different sleep disorders, Kushida says. Among the most common are sleep apnea, a breathing problem, and restless leg syndrome, which causes relentless twitching and kicking. Both cause people to wake up repeatedly during the night—and, typically, to feel tired the next day. Addressing the underlying issue may relieve or even eliminate the accompanying sleep problems.
  • Take a hard look at your bed partner. If you can’t sleep, it may be because your significant other isn’t sleeping, either. “A large number of people sleep poorly due to their bed partner’s snoring, restless legs, or nightmares,” Decker says. “Many of those behaviors are symptoms of an underlying, and potentially serious, sleep-related disorder”—and should, of course, be discussed with a physician.
  • Track your sleeping patterns. The flow from one sleep cycle to another is supposed to restore the body and brain for the new day ahead, so if you’re not waking up well rested, you may want to consider tracking your sleep cycles. You can choose from among many devices and mobile apps to monitor your sleep patterns all night and help you determine whether you need to change your sleeping patterns. (For instance, you might go to bed a bit earlier or wake up a few minutes later.)

Finally, you may also consider purchasing a natural sleep-aid device. A number of products can help you fall asleep and wake up more peacefully.

The Withings Aura device combines a sleep sensor, bedside light and sound device, and a smartphone app, to track body movement, breathing and heart rate during the night. It also emits soft light and sound programs to help ease you into and out of sleep cycles. For more information, visit http://www.withings.com/us/withings-aura.html.
