Programmers are often their own worst enemies. When writing code, programmers may become responsible for the creation of insistent, malicious and sometimes challenging-to-locate errors known as “bugs.” Bugs are so common that good debugging (and testing) strategies are almost always taught hand-in-hand with programming itself. You may know that bugs can cause software to crash or behave unexpectedly, but what you may not know is that there is a much greater risk that bugs pose: they may permit malicious users to gain access to hidden data or to misuse software to perform actions contrary to the programmer’s intent. In other words, the worst bugs allow hackers to bug (or collect information about) you and even alter that information.

In recent months, three bugs have grabbed the public’s attention and imagination. But what are these bugs really and what do they mean to you?

 

Heartbleed

What is it?

A vulnerability in OpenSSL (a popular open-source encryption software library) that “allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software” [5, emphasis added]. Hackers can gain free and open access to both the gatekeepers (encryption keys) and the treasure (your private information).

What caused it?

Reportedly, valuing performance over security led to a flawed implementation of transport layer security protocols [5]. Want the specifics? It’s a lesson in checking user inputs. The bug was caused by a missing bounds check on a length parameter supplied by the user. Without this check, hackers could have extra data from the vulnerable system’s memory copied into the information sent back to the caller [7].
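The missing check, as an added example (not OpenSSL's code and not part of the original article): a simplified heartbeat record (type byte, two-byte claimed payload length, payload; padding omitted) is echoed once trusting the length field and once after comparing it with the bytes actually received. The function names, the 32-byte memory image and the secret string are constructed for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR 3 /* type (1 byte) + claimed payload length (2 bytes, big-endian) */

/* Vulnerable shape: trusts the length field carried inside the record. */
size_t heartbeat_vulnerable(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    (void)rec_len; /* the bug: the real record size is never consulted */
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    memcpy(out, rec + HDR, claimed); /* may copy past the end of the record */
    return claimed;
}

/* Hardened shape: discard any record whose claim exceeds what arrived. */
size_t heartbeat_fixed(const uint8_t *rec, size_t rec_len, uint8_t *out)
{
    if (rec_len < HDR)
        return 0;
    size_t claimed = ((size_t)rec[1] << 8) | rec[2];
    if (claimed > rec_len - HDR)
        return 0; /* silently drop, send nothing back */
    memcpy(out, rec + HDR, claimed);
    return claimed;
}

/* Constructed memory image: a 5-byte record carrying "hi", followed by
   unrelated data standing in for whatever sits next to it in memory.
   Keep claimed <= 29 so the demo's over-read stays inside mem[]. */
size_t demo(int use_fixed, uint16_t claimed, uint8_t out[64])
{
    uint8_t mem[32] = {0};
    const uint8_t rec[5] = { 0x01, (uint8_t)(claimed >> 8), (uint8_t)claimed, 'h', 'i' };
    memcpy(mem, rec, sizeof rec);
    memcpy(mem + sizeof rec, "SECRET-KEY-MATERIAL", 19);
    return use_fixed ? heartbeat_fixed(mem, sizeof rec, out)
                     : heartbeat_vulnerable(mem, sizeof rec, out);
}

int main(void)
{
    uint8_t out[64] = {0};
    size_t n = demo(0, 20, out); /* claims 20 bytes, carries 2 */
    printf("vulnerable: %zu bytes: %.*s\n", n, (int)n, (const char *)out);
    printf("fixed:      %zu bytes\n", demo(1, 20, out));
    return 0;
}
```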

How are hackers exploiting it?

Comprehensive reports are not yet available, but tests reveal that hackers have had the opportunity to gain access to a huge number of private encryption keys as well as user data such as usernames and passwords [5]. Hackers were (are) able to access extra memory 64 bytes at a time with each call of memcpy() [7].

What is its impact?

Potentially, 500,000 machines are vulnerable [1]. It affects web, email, virtual private networks, instant messaging and more [5].

What is being done about it?

OpenSSL recommends developers switch to the latest version of their toolkit [5].

Meaning behind the name:

The bug was found in the “heartbeat” extension of the transport layer security protocols [5].

What is unique about it?

The Heartbleed bug exposed many secrets. The bug has been around for a long time and has been easy for hackers to exploit, while exploitation itself has been difficult to trace [5]. It has also captured public imagination and had one of the most stylized turns in the media.

 

Shellshock

What is it?

A bug in Bash — the Unix command prompt — that “can be used to remotely take control of almost any system” that has Bash installed [1].

What caused it?

Bash is designed to let users define environment variables whose values specify a function definition. A user is able to insert code after such a function definition and later have that code executed by way of certain scripts [6].

How are hackers exploiting it?

Hackers can use typical “code injection attacks” to execute malicious code on webpages using Common Gateway Interface scripts (in other words, pages that need to be executed prior to being sent as output) [6]. While security firms have not reported extremely widespread attempts to exploit the bug thus far, potential attacks may be far ranging in type and scope. One type of already reported attack: “infecting vulnerable web servers with malware” [1]. Are you at risk? “For an attack to be successful, a targeted system must be accessible via the Internet and also running a second vulnerable set of code besides Bash” [2].
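A defensive check for the pattern described in the two answers above, as an added example that is not from the original article or from Bash itself: it classifies an environment-variable value by whether it starts with the `() {` prefix that marks a function definition and whether anything follows the end of the function body. The brace counting is a simplified heuristic that ignores quoting, and the function names and sample CGI-style variables are constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 0 = ordinary value, 1 = function definition only,
   2 = function definition with something after (or instead of) its end */
int classify_env_value(const char *v)
{
    if (strncmp(v, "() {", 4) != 0) /* prefix Bash treated as a function */
        return 0;
    int depth = 1;
    const char *p = v + 4;
    for (; *p && depth > 0; p++) { /* heuristic: count braces, ignore quoting */
        if (*p == '{') depth++;
        else if (*p == '}') depth--;
    }
    if (depth > 0)
        return 2; /* body never closes: malformed, flag it */
    while (*p && (isspace((unsigned char)*p) || *p == ';'))
        p++;      /* trailing separators alone are not extra code */
    return *p ? 2 : 1;
}

/* Count NAME=value entries whose value is class 2. */
size_t count_flagged(const char *const env[], size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        const char *eq = strchr(env[i], '=');
        if (eq && classify_env_value(eq + 1) == 2)
            hits++;
    }
    return hits;
}

/* Constructed CGI-style environment (request headers become HTTP_* variables). */
static const char *const SAMPLE_ENV[] = {
    "HTTP_USER_AGENT=Mozilla/5.0 (X11; Linux x86_64)",
    "HTTP_ACCEPT=text/html",
    "HTTP_COOKIE=() { :; }",
    "HTTP_REFERER=() { :; }; echo constructed-marker",
};

int main(void)
{
    printf("flagged: %zu of 4\n", count_flagged(SAMPLE_ENV, 4));
    return 0;
}
```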

What is its impact?

There are potentially 500 million machines vulnerable [1].

What is being done about it?

The US Computer Emergency Readiness Team (US-Cert) is promoting a patch, but some warn it may not fix all the issues behind the bug [1].

Meaning behind the name:

Alludes to the trauma after battle; in this case, however, greater battle may still be on the horizon.

What is unique about it?

While broad in the access it provides and far-reaching in terms of those that may be affected by it, it is relatively simple for hackers to exploit [1], which makes it even more dangerous.

 

BadUSB

What is it?

Malware created by digital security researchers as “proof-of-concept” software that demonstrates the vulnerabilities in USB security. A USB stick infected with the researchers’ malicious software can “completely take over a PC, invisibly alter files [it] installed … or even redirect the user’s internet traffic” [4].

What caused it?

Lack of code-signing procedures as well as lack of consistent standards for USB manufacturers [4].

How are hackers exploiting it?

Each USB device has a microcontroller (a small “computer” that facilitates communication between the USB device and the computer). Hackers can hijack or reprogram the microcontroller’s software to do something other than the original intent [8]. The researchers who discovered the problem imagine several possible scenarios. Some they foresaw include “replac[ing] software being installed with a corrupted or backdoored version,” “impersonat[ing] a USB keyboard to suddenly start typing commands,” or logging your keystrokes [4, 8].

What is its impact?

All your USB devices — whether keyboard, mouse, smartphone, or memory stick — may be affected [4].

What is being done about it?

The researchers who created the malware suggest, “The short-term solution to BadUSB isn’t a technical patch so much as a fundamental change in how we use USB gadgets” [4].

Meaning behind the name:

There is nothing redeeming about researcher Karsten Nohl’s “infected” technology.

What is unique about it?

Unlike Shellshock and Heartbleed, the bug is not an implementation mistake but rather a design flaw.

 

References

  1. Shellshock, BBC
  2. Shellshock, HuffPost
  3. How to check if your version of Bash still has the Shellshock bug
  4. Bad USB, Wired
  5. Heartbleed
  6. Shellshock, Blog
  7. Heartbleed, The Register
  8. BadUSB, Extreme Tech

About The Author

Isabelle is a Projects Chair with Princeton Women in Computer Science and interned last summer in the CS department. She is passionate about technology, creative writing, and education.