Second serious bug in three months puts internet in shellshock

Further to the Heartbleed bug, which we discussed in June, on 24 September 2014 another family of bugs (dubbed “Shellshock” or “Bashdoor”) was made known to the public. Nicola Fulford, privacy and data protection partner, discusses the potential significance of this and what it may mean for online security.

What is Shellshock?

The Shellshock vulnerability is a family of serious security bugs that exists in the widely used Unix Bash shell.

The Bash shell is a command-line interpreter that provides a user interface for the Unix operating system (as well as for Unix-like systems). It was released in 1989 as a free software alternative to existing shells and has since become a favourite, having been distributed as the shell for the GNU operating system and default shell on Linux and Mac OS X, as well as having been ported to Microsoft Windows, DOS, Novell NetWare, and Android.

The Shellshock bug allows attackers to exploit the Unix Bash shell’s improper handling of “environment variables” to execute arbitrary commands, i.e. commands of the attacker's choice, on a target's machine or process. This is considered the most powerful effect a bug can have, as it allows an attacker to take complete control of a third party’s machine.

How does Shellshock work?

The Shellshock vulnerability has been widely compared to Heartbleed in its severity, as it can be similarly exploited to compromise potentially millions of servers and systems.

The breadth of possible attack through Shellshock is significant. Aside from exposing servers, laptops, desktops and smartphones, the widespread use of Bash on non-computer devices (such as routers and other devices in the “Internet of Things”) means it is possible for attackers to gain control of a wider type, and number, of vulnerable devices. In addition, the Shellshock bug allows remote code execution on Internet daemons (such as web servers) through multiple attack vectors, including CGI, OpenSSH, DHCP and, in some instances, OpenVPN. In the web server case, the server copies parts of an incoming request into Bash environment variables, so a vulnerable server can be made to carry out commands embedded in a request for a web page without any verification.
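The defensive counterpart of the mechanism just described is to ask your own Bash whether it still imports function definitions from environment variables. The script below is an added example, not code from the original article or from the Bash project. It runs the widely published self-test (a do-nothing function definition followed by a harmless `echo`) against the `bash` found on `PATH` and reports whether that Bash executed the trailing command; the function names and the three result strings (`vulnerable`, `patched`, `no-bash`) are this example's own.

```shell
# Added example (not from the article): ask the local bash whether it still
# imports shell functions from environment variables.
# The environment value below is a do-nothing function definition followed by
# a harmless "echo". A vulnerable bash runs that echo while importing the
# function; a patched bash ignores everything after the function body.

shellshock_selfcheck() {
    # Nothing to test if bash itself is absent (e.g. a dash-only container).
    if ! command -v bash >/dev/null 2>&1; then
        echo "no-bash"
        return 0
    fi
    # Only stdout is captured; a patched bash may also warn on stderr.
    probe=$(env x='() { :;}; echo vulnerable' bash -c 'echo probe' 2>/dev/null)
    case "$probe" in
        *vulnerable*) echo "vulnerable" ;;
        *)            echo "patched" ;;
    esac
}

bash_reports_version() {
    # The version string is what you record alongside the result when
    # tracking patch status across a fleet of hosts.
    if command -v bash >/dev/null 2>&1; then
        bash -c 'echo "$BASH_VERSION"'
    else
        echo "none"
    fi
}

echo "bash version: $(bash_reports_version)"
echo "self-check:   $(shellshock_selfcheck)"
```

Run it on each host after applying the vendor patch: a result of `patched` means this particular import path is closed, but it says nothing about the other variants in the Shellshock family, so the version string should still be compared against your distribution's advisory.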

Within hours of the initial disclosure of the Shellshock bug in September, attackers used the vulnerability to create botnets (collections of internet-connected programs communicating with similar programs to perform tasks) consisting of linked compromised devices. A widely used botnet, “Mayhem”, is installed through a PHP script that attackers upload to vulnerable servers. Once installed on the target server, Mayhem's malicious Executable and Linkable Format (ELF) library file downloads additional plug-ins and stores them in a hidden and encrypted file.

These plug-ins allow attackers to use the newly infected servers to attack and compromise not only that device but also additional devices and sites. Attacks may take many forms, but in most instances consist of:

  • data theft: the unlawful or unauthorised acquisition of (often personal and/or confidential) digital information from compromised devices by an attacker
  • distributed denial-of-service attacks (DDoS): several systems flooding the bandwidth or resources of a targeted system or website
  • vulnerability scanning: assessing computers, systems, networks, and/or applications for further weaknesses that can be exploited (either immediately or after the Shellshock vulnerability is resolved)

Who is at risk from Shellshock attacks?

The Shellshock bug is of most concern to users whose device utilises a Unix-based operating system (such as Linux and Mac OS X), namely:

  • Apple OS X users: as Apple OS X is derived directly from Unix, Apple users running this operating system are particularly exposed to risk as a result of the Shellshock vulnerability
  • Linux users: similarly to Apple, the Unix Bash shell constitutes the default shell on Linux operating systems
  • web servers / system administrators: security firm Netcraft has released statistics suggesting that 51% of all web servers, and 74% of “active” web servers, may be vulnerable. In fact, a failed attack on an Australian web server was reported just one day after the vulnerability was made public. This attack relied on the attacker replacing ping commands with new commands that instructed the server to connect to a third website, download malware, and install it. Had this been successful, it would have allowed the hacker to remotely control the compromised server

Users of other computer operating systems, such as Windows, or mobile devices (including smartphones and tablets) running iOS or Android, need not worry unless their device has been custom-configured to use Unix-based software. However, this is unlikely other than for system administrators and/or other relatively sophisticated users.

In addition, all users, whether of a vulnerable computer or not, should bear in mind that other non-computer hardware (such as routers) may run on Unix-like software. Even though the main device may not be susceptible to attack, the vulnerability in non-computer hardware may in turn expose the user’s network to risk of attack.

How is Shellshock different to other cyber-attacks?

The collection of data or assumption of device control through the Shellshock vulnerability is not a targeted attack by hackers, but instead exploits a flaw built into a key component of widely used operating systems that hackers are able to utilise.

Unlike both Heartbleed and conventional cyber-attacks, however, the Shellshock vulnerability:

  • provides attackers with a wider number of potential targets, both as a result of Bash’s widespread use across a number of different devices (both computer and non-computer) and through the potential to gain control of web servers
  • gives attackers broader capabilities in connection with the target device than would conventionally be possible, as this particular vulnerability allows attackers to install malware and gain control of compromised devices in addition to simply stealing data
  • provides an easy mechanism to misappropriate compromised devices, as there are several variants of the vulnerability within the family of Shellshock bugs, which provide multiple attack vectors
  • has allowed prolonged access to data and devices as a result of the vulnerability having existed since 1994, giving attackers significantly more access to data than would be possible through a conventional targeted attack and even the Heartbleed vulnerability

What can be done to combat it?

The key issue with the Shellshock vulnerability is that it is open to abuse by attackers for as long as the vulnerable version of Bash is in use, with the only resolution being to install a patch for the vulnerable version of Bash. Considering the key users at risk:

  • Apple OS X users: Apple has offered a patch for OS X users, although it has been noted that, unless a vulnerable computer is linked to or being used as a web server, most users’ home firewalls will prevent any Bash hacks. Leaving computers on and connected on a constant basis may increase exposure, as attacks are geared to devices that “listen” for communications from other devices
  • Linux users: patches have similarly been made available for most Linux distributions that are commonly used by home users, such as Ubuntu and Linux Mint, as well as for routers and other non-computer devices. Similarly to Apple, it is expected that most users’ home firewalls would in any event protect their computer devices from Bash hacks
  • web servers: web servers, in particular self-managed ones, are not configured to deploy updates and patches automatically. Web server administrators will in most cases have to patch the vulnerability manually, which may therefore result in the relevant web server remaining susceptible to attack for a prolonged period of time despite patches being readily available
  • system administrators: larger providers of network systems, such as Akamai, have published patches to fix sections of the vulnerability. However, as with Heartbleed, different system administrators will release patches at different times, so users must either wait or attempt to patch the vulnerability manually (wherever possible) 

How do you respond to a data breach caused by the Shellshock vulnerability?

The Shellshock vulnerability has again demonstrated the importance of both individuals and businesses being aware of all known security risks and taking action promptly upon becoming aware of any such risk. The easiest way to avoid potential vulnerability is to keep all systems and software up to date at all times.

However, in certain circumstances, as seen with the Shellshock bug, the underlying vulnerability is not known to the application or architecture’s creators and, therefore, the vulnerability is not dealt with in new releases of software and/or updates. In these instances, businesses and individuals are likely to find themselves exposed to risk of data theft or other attack in the time between the vulnerability being discovered and a suitable patch being issued.

Businesses should ensure that security response plans and procedures, as well as sufficient technical and procedural controls, are in place to deal with any data breach (whether resulting from vulnerabilities in systems or otherwise). All employees and other individuals should be made aware of these plans and of their respective roles under them, in order to ensure a swift response and resolution where a security issue does arise.

In the event of a breach, these plans should be put into action and, wherever possible, the compromised systems should be removed from the network (including all Internet connectivity) and isolated until the installed malware has been removed and a full virus scan is complete. Businesses will then need to assess the likelihood of any personal, confidential or private data having been stolen by attackers before the system could be isolated and, where relevant, notify the affected individuals and (if serious enough) the Information Commissioner’s Office of the breach. Systems should not be reconnected until the Shellshock vulnerability is fully eradicated and the relevant patch applied to the compromised Unix-based system.
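Part of assessing whether data may have been taken is establishing whether the CGI vector described earlier was actually tried against your web server. The script below is an added example, not code from the original article or from any vendor's tooling. A vulnerable Bash only imported a function from an environment variable whose value began with the four characters `() {`, so that prefix appearing inside request headers (User-Agent, Referer and similar) that CGI copies into the environment is the standard signature to search for. The log lines are a constructed sample in Apache combined format using documentation address ranges; the function names are this example's own.

```shell
# Added example (not from the article): find Shellshock exploitation attempts
# in a web server access log by searching for the "() {" prefix that a
# vulnerable bash required before importing a function.

# Constructed sample in Apache combined format; addresses are from
# documentation ranges, not real hosts. Lines 1 and 3 carry the marker in the
# User-Agent and Referer fields; line 4 has braces but not the marker.
SAMPLE_LOG='203.0.113.10 - - [25/Sep/2014:10:12:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; echo probe"
192.0.2.44 - - [25/Sep/2014:10:12:05 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 500 0 "() { :;}; echo probe" "curl/7.30"
192.0.2.44 - - [25/Sep/2014:10:12:15 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11) {}"'

scan_for_shellshock() {
    # Print every log line containing the marker; grep -F matches it literally.
    printf '%s\n' "$1" | grep -F '() {' || true
}

count_shellshock_hits() {
    # Number of matching lines. "|| true" keeps grep's exit status 1 (no
    # match) from aborting a "set -e" script.
    printf '%s\n' "$1" | grep -c -F '() {' || true
}

shellshock_sources() {
    # Client IP and requested path per hit, de-duplicated: the hosts to block
    # and the CGI scripts whose access must be reviewed.
    scan_for_shellshock "$1" | awk '{ print $1, $7 }' | sort -u
}

echo "hits: $(count_shellshock_hits "$SAMPLE_LOG")"
shellshock_sources "$SAMPLE_LOG"
```

Against a real server, pass the file contents instead of the sample, e.g. `shellshock_sources "$(cat /var/log/apache2/access.log)"`. Two caveats: a match shows an attempt, not a success (an HTTP 200 on the CGI script does not prove the command ran, so the system should still be treated as compromised until the self-check and a review of the script's output confirm otherwise), and headers such as Cookie or Host that some servers do not log can carry the same marker, so a clean log is not a clean bill of health.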

Does this latest family of bugs demonstrate a wider threat to online security?

Although targeted cyberattacks against individual organisations have been commonplace for a number of years, these are often viewed as isolated and unique incidents and tend not to cause widespread concern amongst unaffected organisations and individuals. There is no contesting, however, that vulnerabilities in both OpenSSL (Heartbleed) and the Unix Bash shell (Shellshock) demonstrate a more widespread threat to the general Internet community as a whole. The fact that these security issues exist in popular applications and fundamental computer architecture, and the significant duration of exposure attached to these issues, has resulted in the security of the building blocks of computing being scrutinised in greater detail than ever before.

However, it is not just security experts and researchers that are interested in finding vulnerabilities in systems and applications. Potential attackers are similarly searching for gaping holes in security infrastructure that can be exploited to obtain valuable personal and confidential information, or control of devices. This has led to the wider security of the Internet being questioned, and security experts theorising as to which attack vectors may be used next by attackers.

In light of recent high-profile attacks resulting from a number of security issues, security experts have suggested that wider threats to online security may exist in:

  • no “in flight” encryption: as discussed in our article on the increasing use of consumer cloud-based document storage services (such as Google Drive and Dropbox) by businesses, serious concerns exist as a result of cloud services failing to encrypt data during the initial “in flight” stage from a user’s device to the service provider’s servers. Businesses are increasingly using these services for the storage of confidential and personal information, which holds significant value. Security experts note that a flaw in the limited security that is provided by cloud service providers for the initial “in flight” stage may result in widespread attacks on business data across multiple platforms
  • open source application servers: mismanagement of systems may give rise to further security vulnerabilities. Open source application servers, such as those used for enterprise tools like SugarCRM, often contain numerous vulnerabilities as a result of mismanagement by failing to proactively identify and repair security flaws through frequent penetration testing. These vulnerabilities may allow attackers to obtain access to, and control over, management tools (such as customer relationship management tools) that are in widespread use across multiple organisations
  • POS systems: numerous targeted cyberattacks on retail organisations, including Target and TKMaxx in the US, have occurred in recent years. Security experts have suggested that vulnerabilities in vendors’ POS systems, in particular those produced by startups and younger companies, would allow a widespread attack to occur in relation to multiple retail operations at the same time, rather than being limited to just a single organisation as is presently the case
  • mobile devices: although not commonly thought of by users, mobile devices such as smartphones and tablets are equally as susceptible to cyberattacks as desktops and laptops. Presently the Android market is subjected to 95% of all mobile malware. It is possible that vulnerabilities similar to Heartbleed and Shellshock could be found in core components of mobile devices. This might give attackers access to a greater amount of personal and private data, including tracking geolocation and listening to / recording conversations, as well as control over a device, as mobiles tend to hold data of more significant value than that contained on desktops and laptops

The Shellshock vulnerability may pose significantly greater issues than those faced as a result of the recently discovered Heartbleed vulnerability. The ability for attackers to easily gain control of servers and non-computer devices broadens the potential risk profile attached to the Shellshock bug, and in turn increases the potential for not just immediate data theft but (through the use of vulnerability scanning) further security breaches even after the vulnerability has been patched. As with any cyberattack, business users in particular should ensure their processes and procedures are in place should an attack occur, and should take all steps to ensure all Unix-based systems and applications are up to date and patched. Wherever possible, avoiding a security breach as a result of the Shellshock vulnerability is significantly more cost-effective than resolving and recovering from one.

For more information, please contact Nicola Fulford.