PaySimple systems are NOT AFFECTED by Shellshock. You can rest assured that your PaySimple data is safe and secure.
You’ve probably heard about the Shellshock vulnerability that is compromising UNIX, Linux, and Mac OS X systems worldwide.
If you haven’t heard about the threat, or have simply heard the name but not the details, here are the key points:
Shellshock Vulnerability Overview
Shellshock is a vulnerability in the Bash shell (short for Bourne-Again Shell), which is free command processing software utilized by most UNIX, Linux, and OS X systems to enable commands (either transmitted by a user over SSH or Telnet or entered via a script, as is common with CGI scripts on Apache webservers) to be received and executed. The Shellshock vulnerability permits rogue commands to be sent and executed, without authorization, that will enable an attacker to gain unauthorized access to the system and compromise its integrity, access the data stored on it, and/or do just about anything else the attacker can dream up.
The vulnerability was discovered on September 12, 2014 and was found to exist in system implementations dating back to at least 1992 (that’s 22 years!). Upon discovery, patches were immediately (and very quietly) made available for some systems, and many were patched before Shellshock was widely publicized on September 24, 2014. Not surprisingly, the first exploits were documented the next day.
Read Troy Hunt’s blog post, Everything you need to know about the Shellshock Bash bug, for an in-depth explanation of everything Shellshock. For a high-level view, check out Trend Micro’s Shellshock infographic.
Systems Affected by Shellshock
Shellshock only affects systems running the Bash shell. Typically that means those running UNIX, Linux, and Mac OS X (which is based on UNIX). The UNIX and Linux systems are largely servers, though there are some Linux desktops. Mac OS X is of course a popular operating system for Apple personal computers.
Additionally, many internet-connected devices such as routers, cameras, your “smart” refrigerator, or any other device with an IP address and a Wi-Fi connection, are potentially (but not necessarily) running Bash.
But, and this is a big BUT, they are really only vulnerable to Shellshock if they are directly connected to the Internet in a way that will permit commands to be executed without an authorized user’s intervention. That means if your Apple laptop is behind a firewall, and you haven’t fiddled with any of the advanced UNIX configuration services (which unless you’re an advanced user you haven’t—and if you did you probably already know how to patch and don’t need this post to tell you), you’re likely just fine. The same goes for devices running behind firewalls on your home or office network.
The most at-risk systems are web and other servers running UNIX or Linux that are directly connected to the internet. Unfortunately, according to Hunt’s post, that’s more than half of all web servers—so the concern over Shellshock is understandable.
PaySimple Systems ARE NOT Affected by Shellshock
PaySimple production and sandbox systems use Microsoft servers running IIS and do not use Bash. To be extra safe, we have scanned all of our office, corporate, production and sandbox systems to be sure that no unpatched instances of Bash exist in our environment. They do not!
So, you can rest assured that your personal information and your customers’ personal information is not compromised by Shellshock, and that it remains safe and secure in PaySimple’s PCI Compliant systems.
What You Should Do
Your first line of defense should be to install the latest security patches and updates for all of your devices—that means not only your Apple laptop but also your router, your web TV, and any other device that pushes an update to you.
For you Mac OS X users, you can find links here for patches. Select the one for your version of the OS. Installing those patches will eliminate the Shellshock vulnerability. If you haven’t done it yet, do it now!
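If you administer a UNIX, Linux or Mac machine and want to confirm that the patch actually took, the standard self-check is to hand Bash an environment variable that looks like a function definition with extra text after it and see whether that extra text gets run. The script below is an added example written for this post; it is not PaySimple code or part of any vendor patch. It assumes only a POSIX sh, the env utility and whatever bash is on PATH, runs entirely on the local machine, and changes nothing.

```shell
#!/bin/sh
# Added example: local Shellshock self-check for the Bash binary on PATH.
# Prints exactly one word: "not-installed", "patched" or "vulnerable".
# This only reads the behaviour of your own Bash; it does not touch any
# other host and is safe to run on a patched system.

shellshock_status() {
  bash_bin=$(command -v bash 2>/dev/null) || { echo "not-installed"; return 0; }

  # Export a variable whose value looks like a function definition followed
  # by a trailing command. An unpatched Bash imports the function AND runs
  # the trailing "echo vulnerable"; a patched Bash treats the value as plain
  # text, so the child only prints "test".
  out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo test' 2>/dev/null)

  case "$out" in
    *vulnerable*) echo "vulnerable" ;;
    *)            echo "patched" ;;
  esac
  return 0
}

# Report the Bash version alongside the result so the output can be pasted
# into a ticket when asking a provider or admin to update.
shellshock_report() {
  status=$(shellshock_status)
  if [ "$status" = "not-installed" ]; then
    echo "bash: not installed; status=$status"
  else
    echo "bash: $("$(command -v bash)" --version | head -n 1); status=$status"
  fi
}

shellshock_report
```

Run it as `sh shellshock-check.sh` (or pipe through `ssh host sh` for a remote server you administer). Anything other than `patched` or `not-installed` means the vendor update has not been applied to the Bash that is actually on your PATH, which is worth re-checking after an upgrade because some systems ship more than one copy.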
You also need to be extra vigilant about not falling victim to scams aimed at exploiting the Shellshock vulnerability. These could be as simple as fake emails asking you to provide personal information in order to register your possibly vulnerable device. Or they could be attempts to get you to run a piece of software, perhaps disguised as a Shellshock patch, that will actually exploit the vulnerability and compromise your computer. (Remember, Shellshock is not likely to execute commands on your personal computer itself, but if you run an exploit program locally you’re toast.) For tips on spotting scams and malicious emails, refer to my previous post How To Identify Online Scams, Urban Legends, and Misinformation.
Once you have your own systems in order, you will want to make sure that all of your service providers, and all of the other online services you use, are patched for Shellshock. It is possible that the service you use to host your small business website was affected, so that is a good place to start.
You can probably easily get in touch with your main service providers. But how about all those other sites where you are just one in several million users? For those, a good place to start is by checking out their website on the Shellshock tester or the ‘ShellShock’ Bash Vulnerability Test Tool. If you find a vulnerability, contact the service provider and let them know they need to install the latest patches.
If you have questions about the security of your PaySimple account, or about security best practices in general, please don’t hesitate to contact our Customer Care team. They are happy to help.