On a scale of one to 10 the just-disclosed computer 'exploit' is a 10 because Linux is what the cloud lives by
September 25, 2014 — 10:44 PM UTC by Guest Columnist Mike Golaszewski
Brooke’s Note: Trust in the cloud by RIAs has gone from zero to 60 in a few short years. It’s been a godsend for most but it sure does seem like a lot of eggs in one basket. Certainly a lot of cloud providers are scrambling right now. Fortunately, Mike Golaszewski gives RIAs some sense of what direction to scramble in with this timely column.
Now, brace yourself for “Shell Shock,” an even more dangerous threat — a 10 out of 10, according to the Dept. of Commerce’s National Institute of Standards and Technology.
As a financial advisor, you should be worried if you depend on any systems that exist in the cloud or use Unix or any derivative, including Linux.
And you probably do. The cloud and Linux are closely intertwined, since organizations can save tens of thousands or even millions of dollars by running Linux rather than paying Microsoft license fees for its server operating systems. (There are RIA custodians on Linux.) See: Purchasing too much technology has its own dangers for RIAs.
Since most of the Internet relies on Linux to serve web content and process transactions, there is a very real risk that compromised machines could expose non-public information or be hijacked for other nefarious purposes. Linux is also embedded as the default operating system on many modern devices, including home and office routers, telephones, mobile phones—even modern television sets and other home devices are likely running Linux. See: RIAs must prepare for post-disaster recovery or regulators will lower the boom.
Easy to exploit
If there is any “good” news from an RIA’s perspective it is that the problem is so big that many providers may rush to advisors’ defense without them so much as placing a phone call. In fact, the security researchers who discovered the bug embargoed the news for several days in order to give big cloud providers and operating system vendors such as Red Hat, Fedora, and Apple time to develop patches. See: How one RIA is running his practice on a Mac and finding it totally doable.
The reason? Not only has NIST classified this as a severe issue, but it has also pointed out that the weakness is easy to exploit.
Here’s why: Most of us are familiar with the graphical user interfaces that we use to access programs on our Windows and Macintosh machines. Such interfaces, graphical or text-based, are known as “shells” and provide a way for us to interact with our operating systems.
Linux and Unix distributions (including Apple’s OS X operating system) include a text-based shell called “bash,” which is the primary way that systems administrators, power users, and, in certain cases, system software interact with these operating systems. If you’ve ever typed a command while using Linux, Unix, or your Macintosh’s terminal program, you were most likely using bash.
This vulnerability is particularly nasty because bash is so ubiquitous. Many system libraries (toolkits that programmers use to perform low-level systems tasks) call the bash shell to perform common functions like listing, reading or writing files. This means that network-connected machines otherwise invulnerable to web-based attacks can be targets for Shell Shock, as many lower-level programs—including the one that retrieves an Internet protocol (IP) address when you first turn on your computer—might use bash to set certain parameters.
By exploiting how bash incorrectly processes something known as an “environment variable,” an attacker can trick a web server or other device running a *nix derivative into executing almost any command on the affected machine. See: One RIA’s bid to make the technology that makes it possible to use one password.
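As an added example (it is not part of the original column or any vendor's tooling), this POSIX shell script shows the two checks a systems administrator would actually run: scan a web-server access log for the "() {" prefix that marks an attempt to smuggle a bash function definition through an environment variable, and confirm that the locally installed bash no longer executes a command appended to such a value. The log lines are constructed samples and the function names are my own.

```shell
#!/bin/sh
# Constructed sample web-server access log lines (not from any real system).
# Two of them carry the "() {" function-definition prefix: a web server hands
# request headers to CGI scripts as environment variables, and an unpatched
# bash would execute whatever follows the closing brace of such a value.
SAMPLE_LOG='203.0.113.5 - - [25/Sep/2014:10:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Sep/2014:10:12:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "() { :;}; echo probe"
203.0.113.9 - - [25/Sep/2014:10:13:44 +0000] "GET /about.html HTTP/1.1" 200 2048 "-" "curl/7.30"
192.0.2.44 - - [25/Sep/2014:10:14:02 +0000] "GET /cgi-bin/status HTTP/1.1" 500 0 "(){ :;}; echo probe" "-"'

# Print the lines of the log text given as $1 whose request, referer or
# user-agent field contains a bash function-definition prefix, with or
# without the space before the brace. Fixed-string matching keeps the
# check portable across grep implementations.
find_env_function_probes() {
  printf '%s\n' "$1" | grep -F -e '() {' -e '(){'
}

# Number of suspicious lines in the log text given as $1 (0 when clean).
count_env_function_probes() {
  find_env_function_probes "$1" | grep -c .
}

# Report whether the locally installed bash still imports a command that
# trails a function definition in an environment variable. A patched bash
# stops parsing at the closing brace, so "IMPORTED" is never printed.
# Prints one of: patched, vulnerable, unknown (no bash on this host).
bash_env_import_status() {
  command -v bash >/dev/null 2>&1 || { echo unknown; return 0; }
  out=$(env PROBE='() { :;}; echo IMPORTED' bash -c 'echo ok' 2>/dev/null)
  case "$out" in
    *IMPORTED*) echo vulnerable ;;
    *) echo patched ;;
  esac
}

echo "Suspicious log lines: $(count_env_function_probes "$SAMPLE_LOG")"
find_env_function_probes "$SAMPLE_LOG"
echo "Local bash: $(bash_env_import_status)"
```

Point the scan at a real access log by replacing the constructed SAMPLE_LOG text; a non-zero count is a prompt to check the CGI scripts and the patch level of bash on that host, not proof of a compromise.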
Bash (stands for “Bourne-Again Shell”) was created in 1988 by a programmer named Brian Fox and released to the world by the Free Software Foundation in 1989. It quickly became the primary method for accessing Unix and was eventually ported into Linux when programmer Linus Torvalds created the operating system in 1991. Since then, bash has woven its way deep into the fabric of both operating systems.
The security vulnerability was discovered a few days ago by security researcher Stephane Chazelas and was released to seclist.org under embargo, allowing vendors who maintain the various distributions of Linux and Unix to patch their systems. It was publicly disclosed Wednesday night, and was assigned the National Institute of Standards and Technology’s highest severity rating on its National Vulnerability Database. See: Schwab’s website went down twice after two 'denial of service’ attacks — so what was up?.
Again, advisors who only use Windows in their IT stack are generally at low risk, since this bug only affects Unix operating systems and their derivatives.
That said, many RIAs have outsourced various operational activities to cloud providers, and some of these providers (including many RIA custodians) are likely using Linux as part of their regular infrastructure. And while most smaller advisors rarely stray from Microsoft, those firms with a more complex information technology infrastructure, or that are aggressive in their use of technology, have likely deployed Linux due to the tremendous cost savings it affords.
Here’s the bottom line: If you are using Linux or Unix anywhere within your own technology stack (and this includes using Apple’s Macintosh machines), your systems administrators should immediately begin working with your distribution vendors on patching these systems.
You should also take an inventory of your cloud-based solutions and seek assurances from your providers that they are aware of, and have addressed, this issue (keeping in mind that even solutions built strictly on Microsoft’s .NET platform could be at risk, since some vendors offload web storage and just-in-time processing to other cloud-based providers like Amazon’s S3 and Elastic Compute Cloud).
Finally, for those of you using Apple devices, make sure you apply any security updates that are issued in the upcoming days.
Most responsible providers, including custodians and others with large operational budgets, will already be working to address this issue.
That said, keep in mind that since most of the Internet is exposed to this bug, your information could potentially leak in unexpected ways—especially if you follow poor security practices like e-mailing unencrypted information or reusing the same password from one site to the next. See: With your RIA practice as naked as Kirstin and Kate in the cloud, know two words: Google Authenticator.
Shell Shock is just the latest reminder that the infrastructure we base a lot of our business and services on is decades old, can be quite brittle, and is constantly subject to attack by very creative and clever people. As an advisor, you should make sure to take measured responses to these incidents when they arise, and make sure that your IT staff and technology vendors are continually working to keep your information systems completely up to date.
Mike Golaszewski is a FinTech veteran, most recently serving as the head of product and technology for Advent Software Inc.'s Black Diamond business. Previous to Advent, Golaszewski was responsible for leading the development of the RIA industry’s largest technology platform, Schwab Advisor Center, and also spent time at Pershing LLC where he helped guide the technology strategy for its NetX360 platform. He now provides technology and business consulting services to the financial services industry (and the technology companies that cater to the same) through his boutique firm, element•12 LLC.