Thursday, October 09, 2014
Yahoo! announced on October 8 that the company's servers had suffered a security flaw. The company was vague about the particulars of these security flaws in its announcement, but whitehat hacker Jonathan Hall claimed later that day that Yahoo! had fallen prey to hackers exploiting the Shellshock vulnerability, according to Data Center Knowledge. Hall, an employee of security consultants Future South, also claimed that the same strategy was used to compromise servers owned by Lycos and WinZip. The whitehat hacker notified the potentially hacked companies and the FBI prior to posting about the incident on his website (and accusing Yahoo! of being well aware of its vulnerabilities prior to the attack). Yahoo! has since denied Hall's claims, and the developing story reflects the tense relationship between bug hunters and big data centers.
A white hat in action
Hall was prompted to begin tracing suspicious online activity when one of his own servers was probed by a botnet, says Ars Technica. The botnet probed his servers for scripts that could be exploited by the Shellshock vulnerability, and Hall followed the probe back to WinZip.com. There he unearthed a Perl script running on the WinZip servers that functioned as an Internet Relay Chat (IRC) bot. The malicious IRC program was acting as a remote control server, and its code was littered with comments in Romanian. Hall began to monitor the IRC bot on his own, soon discovering bot traffic from lycos.com and yahoo.com. The whitehat contacted the victimized parties and the authorities shortly after the Shellshock exploits became public knowledge.
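The kind of botnet probing Hall describes leaves a recognisable trace in web-server logs: Shellshock attempts place a Bash function definition, beginning with "() {", in an HTTP field (User-Agent, Referer or the request line) that the web server exports into a CGI script's environment. The following Python script is an added example, not part of the original post and not Hall's own tooling; it parses Apache combined-format access-log lines and reports any request carrying that pattern. All log lines, IP addresses and header values in it are constructed for illustration.

```python
import re
from typing import NamedTuple

# Signature that Shellshock exploit attempts embed in an HTTP field: a Bash
# function definition "() {" (optionally with whitespace between the tokens).
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache "combined" log format: ip ident user [timestamp] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not real traffic): one probe in the User-Agent,
# one benign request, one probe in the Referer, and one malformed line.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Oct/2014:10:01:02 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 512 "-" "() { :; }; echo probe"
198.51.100.9 - - [08/Oct/2014:10:01:05 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [08/Oct/2014:10:02:11 +0000] "GET /cgi-bin/test.cgi HTTP/1.0" 404 210 "() { :;}; echo probe" "curl/7.35.0"
this line is not a valid access-log record
"""


class Hit(NamedTuple):
    ip: str
    ts: str
    field: str   # which log field carried the signature
    value: str   # the offending field value, for the analyst to review


def parse_line(line: str):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def find_shellshock_probes(lines):
    """Scan log lines and return a Hit for every field containing the Shellshock pattern."""
    hits = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue  # unparseable line: skip rather than fail the whole scan
        for field in ("request", "referer", "ua"):
            if SHELLSHOCK_RE.search(rec[field]):
                hits.append(Hit(rec["ip"], rec["ts"], field, rec[field]))
    return hits


def scan_sample():
    """Run the detector over the constructed sample log."""
    return find_shellshock_probes(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"{hit.ts} {hit.ip} shellshock pattern in {hit.field}: {hit.value!r}")
```

The pattern match is deliberately loose (any "() {" with optional whitespace) because real probes vary the spacing; on a busy server the resulting hits are a triage list for the analyst, not proof of compromise, since a probe against a host whose Bash is already patched does nothing. Cross-check hits against the CGI paths that were actually present and against outbound connections from the web server around the same timestamps.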
Accusations of negligence
After taking a detailed account of his experiences, Jonathan Hall posted about his surprise Shellshock hunt on his website, says We Live Security. Hall accused Yahoo! of ignoring multiple warnings that detailed the system's vulnerabilities. The popular search engine responded to these accusations by asserting that Yahoo!'s server issues were small and that an unrelated security flaw was responsible for the server shutdowns. Yahoo! may be in hot water if it can be proven that the company was aware of these security vulnerabilities and failed to protect the privacy of its customers.
Large data centers commonly manage servers, routers and switches using out-of-band management Console Servers. These devices provide data center managers and network administrators with secure remote management of any device with a serial console port. Perle has confirmed that its wide range of 1 to 48 port Console Servers are not vulnerable to Shellshock.