Bash bug creates wave of shell security concerns on social media

News roundup: The revelation that the Bash bug could be the worst worm outbreak in more than a decade started a frenzy on social media. Plus: a 'Kyle and Stan' malvertising update; GM ups auto cybersecurity; two data breaches; and more.

As details of the Bash bug emerge -- and more information about its scope comes to light -- the security industry is aflutter with conversation, clogging social media feeds with questions, comments, concerns and even a little wry humor.

The vulnerability in the Unix-based Bourne-again shell, or Bash, which first hit the headlines on Wednesday, was discovered by UK-based expert Stéphane Chazelas. Research has confirmed that the vulnerability, which goes by the name Shellshock and is detailed in CVE-2014-6271, is more than 20 years old, affects every shell version up to 4.3, and has the potential to be bigger and more widespread than the epic Heartbleed flaw discovered earlier this year.

In the midst of testing systems for vulnerabilities and waiting for proper patches to be released, security admins and industry observers are taking to Twitter with #bash, #shellshock and even #bashbug, #bashbleed and #bashpocalypse to express their concern, anger and sarcasm.

Bash is a pretty hot topic on the feeds, and IBM's infographic proves it:

At least one Web hosting customer knew about the bug before her hosting provider did:

Fortunately, Go Daddy got its facts straight later:

Twitter feeds have offered information, news and sage advice:

As well as reports debunking first attempts at patches:

As soon as reports of the first attack in the wild hit, Twitter comments and concern quickly ramped up:

And despite the seriousness of the issue, many still made time to joke:

Yet, joking aside, many used social media to offer valuable help and insight to their fellow security admins:

Will the Bash bug turn out to be the next Heartbleed? Errata Security CEO Robert Graham, who first wrote in his blog that Bash is "as big a deal as Heartbleed," may have to retract his previous statement:

In other news

  • The "Kyle and Stan" malvertising network that was first reported on Sept. 8 by Cisco Systems Inc. is now nine times bigger than original reports suggested. In an updated blog post, Cisco researcher Armin Pelkmann wrote that the network responsible for malicious ads on popular websites including and has been identified in nearly 6,500 domains, up from the previously reported 703 domains. The blog also notes that the malvertising network, which could reach potentially millions of users, has infrastructure that dates back to January 2012, meaning attacks may have been ongoing for the past two and a half years.
  • A report released by The Enterprise Strategy Group titled Network Security Trends in the Era of Cloud and Mobile Computing has reaffirmed the skills-gap problem in the enterprise. Results from the survey revealed that 47% of organizations believe the number of employees dedicated to working on security is inadequate. Additionally, 44% of companies believe their networking/security staff does not have adequate knowledge in both networking and security technologies, and 37% of organizations responded their security staff didn't have the ability to keep up with the growing threat landscape. Separately, a new Norwich University infographic released this week highlights statistics that show just how dire the need for more information security professionals has become, including the need for an additional 330,000 new information security pros worldwide.
  • In response to the growing number of threats facing Internet of Things devices, General Motors Co. announced Wednesday that it has hired its first person to oversee cybersecurity for its automobiles. Jeffrey Massimilla, who was formerly an engineering group manager for the company, moved into his new role on Sept. 2. The creation of the role affirms the growing threats facing automobiles as Internet connectivity becomes an increasingly common feature in new vehicles.
  • Illinois-based sandwich shop Jimmy John's revealed Wednesday that the credit and debit card data of the customers at 216 of its locations may be at risk. According to the company's statement, its systems were compromised when an intruder stole login credentials from its point-of-sale vendor and used the logins to remotely access its PoS systems between June 16, 2014 and Sept. 5, 2014. The company was made aware of the issue on July 30 and has "taken steps to prevent this type of event from occurring in the future." Jimmy John's wasn't the only breach reported this week. Viator, Inc. -- a tours and activities provider acquired by TripAdvisor LLC this summer -- notified 880,000 of its customers that their payment card data may have been compromised. An additional 560,000 customers were informed that their Viator account information -- including their email address, password and site nickname -- may be at risk. An investigation into the cause of the Viator breach is under way.
