‘Bash’ Bug Could Be Worse Than Heartbleed

Cyber-security experts are raising the alarm over a new software vulnerability called "Bash" or "Shellshock" that some say could prove more devastating than Heartbleed. On a scale of one to 10, the Department of Homeland Security's National Vulnerability Database calls the severity of the threat a 10.

Prominent security blogger Brian Krebs predicts that the bug will jeopardize millions of digital networks and put countless consumers at risk of identity theft.

“The difference in significance is that with Heartbleed, somebody could grab credentials of a user and do what they wanted, but in this case, if somebody is vulnerable, it potentially allows someone to get full system control of a victim’s system,” David Emm, senior security researcher at Kaspersky Lab, tells CNBC.

The implications are disturbing. Cyber-criminals could theoretically use the Bash bug to take over your web camera, filming you in your home without your knowledge. They could hack your home security system, router or cell phone. While Heartbleed gave fraudsters access to a system, Bash gives them total control.

“Financial institutions, hospitals, the sort of change-averse and risk-averse organizations that put [these tools] in place 10 or 15 years ago are going to find that their most venerable systems are also their most vulnerable,” security consultant Patrick Thomas tells Fast Company magazine. “And embedded systems, like home automation, routers, and webcams are all essentially lightweight shell scripts providing a web interface over CGI; tons of them are going to be vulnerable and, even worse, embedded systems are notorious for being difficult to patch.”

This means that your personal, financial and medical data may be at risk. Unfortunately, analysts say that the open source code in question is so ubiquitous that it's impossible to identify every place a vulnerability exists. Hackers might use Bash to access your records through your primary care physician's network, your school, your office or your bank. It is simply impossible to ensure total protection from the bug.

The best course of action to guard your privacy in this era of escalating data threats is to adopt an aggressive attitude toward security. This means keeping a close watch on all of your personal, financial and medical records and following up on any inconsistencies or aberrancies.

You should also regularly check your creditworthiness. Remember that each American adult is legally entitled to one free credit report a year from each of the three major credit bureaus, Experian, Equifax and TransUnion. However, in this day and age an annual check may not be sufficient. By the time you uncover fraudulent activity connected to your name, it's possible that significant damage may have already been done. We recommend investing in a credit monitoring service. While such services cannot guarantee your protection against identity thieves, they can alert you to certain activity that may be indicative of credit fraud. This gives you the opportunity to move quickly to stop fraudsters from opening other lines of credit or incurring further charges.

The Bash bug may be bad news, but it is a good reminder to take precautionary steps to help protect yourself from becoming a victim of identity theft.