Remember Shellshock? How could anyone forget! This thing has totally dominated the news – not just the tech news either – and like Heartbleed before it (inevitably the yardstick we compare it to), the hype has been, well, somewhat overinflated. I get it – it is a big thing – but the press has a way of sensationalising things in a pretty unique way.
Case in point: I wrote Everything you need to know about the Shellshock Bash bug just one week ago. It has since been viewed over 425k times which is rather a record for a blog post on troyhunt.com. But what I found most telling was how sensationally this bug was reported. My favourite news story was from a press outlet that reported how Shellshock would allow attackers to pwn you through your light globes. Yep. Now I did mention the “Internet of Things” in my post and I did refer to the recent LIFX incident where their light globes were coughing up wifi creds but somehow that translated into Shellshock being in the simplest electrical circuit known to man.
With all the fuss going on and all the FUD flying, Pluralsight asked me to create a course on Shellshock which I had to decline primarily on the basis of existing commitments. Clearly my willpower is weak so only 6 days after that I’m very pleased to present to you: Understanding the Shellshock Bash Bug:
I can’t take all the credit – this is my first co-authored course and I was honoured to have Jim Manico step up and get involved. If you don’t already know Jim, he’s a luminary in the security industry; OWASP global board member, international trainer, recently a VP at one of my favourite security companies – WhiteHat – and just a great bloke all round. When I called Jim about this course he was over in San Francisco at the JavaOne conference where, among other things, he was busy doing signings for his new book, Iron-Clad Java: Building Secure Web Applications. Despite this, Jim made the time to get up to speed with Shellshock and the Pluralsight authoring process, record in his hotel room and churn out a significant portion of the course in record time. Jim has an infectious enthusiasm which always makes him easy to listen to and adds excitement to everything he talks about.
Here’s the other great thing about this course: it’s free. No Pluralsight subscription needed, no credit cards, no accounts, just watch, listen and learn. I’m really happy they’ve taken this approach as it ensures maximum accessibility to a resource that it really is in the best interest of the broader community to have access to.
Oh, and just in case you were wondering “what damage has Shellshock actually done?”, here are some great resources that talk about what’s being observed in the wild:
- InfoSec Community Forums: A Collection of Exploits seen in the wild
- CloudFlare: How hackers are using it to exploit systems
- troyhunt.com: The anatomy of a Shellshock attack in the wild
- FireEye: Shellshock in the Wild
Enjoy the course folks, it’s a free offering to the community so do share it generously.