Shellshock, “bash bug” and your website hosting environment

If your website is built upon Linux or Unix hosting then it could be at risk from the so-called Shellshock or “bash bug”. The hole in bash was noted on Wednesday, 24 September, 2014, and has been named “CVE-2014-6271: remote code execution through bash” by SecList. The threat level for this has been set at 10, its highest threat level.

Now just for clarity, Shellshock / Bash Bug is a hole which has existed for 25 years, affecting Unix and Linux systems including Mac OS X. In fact I even did a quick check to see if it affected my 1990 Commodore Amiga 500 just to prove that point, but that’s an aside. The fact is, it’s pretty widespread; however, the conditions required to effect an attack are fairly specific, so you can avoid immediate panic.

Shellshock is one of the most prolific security flaws discovered in recent times, since it has the potential to affect a vast majority of web servers through Apache. Note that I used the word ‘potential’: the reason is that in order for an attacker to gain access to your system they would need to be able to insert a malicious environment variable into a pre-running program that happened to have been spawned by the bash environment or a sub-command that uses bash. Breaking that down a level, what that means is you would need to inject some code into a bash program, and the most likely candidates would be diagnostic CGI scripts and PHP scripts running in CGI mode that call out to the system().

If you are a website owner hosting with a third party, unless you have a virtual server that you have created yourself it is unlikely you will be able to do much; it will be your web host’s responsibility to get the latest bash patches. Take a look at any PHP scripts that run as CGI, and keep your software and site as up to date as possible. If you don’t have a backup of your site, now would be a good time to get one, and if that site is WordPress then a tool like backwpup is one of the best solutions I know of. The reason is that if you are on a shared hosting platform, all it could take is one account unassociated with you to be compromised, and your site then becomes vulnerable because of sharing the same server environment.

Some actions to take if you are responsible for a web hosting environment
So if you run Apache on your servers and run PHP and CGI scripts, things like cPanel’s /cgi-sys/defaultwebpage.cgi, then take a look at any PHP or CGI scripts that call out to system() and assess how necessary and secure they are; silo them if they aren’t completely necessary. Use a port scanner like masscan to look for telnet, FTP or older versions of Apache. These are the things that should come as highest priority to patch or disable.
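One way to carry out the script review described above, as an added example that is not part of the original post: it lists CGI scripts interpreted by a shell and PHP files that spawn one. The demo web root, its file names, and the PHP functions checked beyond system() are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: inventory scripts under a web root that can pass the
# request environment to a shell. Paths and file names are constructed.

# CGI-style files whose interpreter line is bash or sh
# (sh is frequently a link to bash on Linux hosts).
find_shell_cgi() {
    find "$1" -type f \( -name '*.cgi' -o -name '*.sh' -o -path '*/cgi-bin/*' \) 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" |
           grep -Eq '^#![[:space:]]*(/usr)?/bin/(env[[:space:]]+)?(ba)?sh([[:space:]]|$)'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# PHP files calling functions that start a shell. The page names system();
# the other names are an assumption extending the same check. The leading
# character class skips look-alikes such as curl_exec() and ->exec().
find_php_shell_calls() {
    grep -rlE --include='*.php' \
        '(^|[^[:alnum:]_>])(system|exec|passthru|shell_exec|popen|proc_open)[[:space:]]*\(' \
        "$1" 2>/dev/null | sort
}

# Build a small constructed web root so the audit runs offline.
make_demo_webroot() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/cgi-bin" "$d/site"
    printf '#!/bin/bash\necho "Content-type: text/plain"\necho\nuptime\n' \
        > "$d/cgi-bin/status.cgi"
    printf '#!/usr/bin/perl\nprint "hello";\n' > "$d/cgi-bin/hello.cgi"
    printf '<?php system("uptime"); ?>\n' > "$d/site/diag.php"
    printf '<?php $r = curl_exec($ch); echo "ok"; ?>\n' > "$d/site/fetch.php"
    printf '%s\n' "$d"
}

root=$(make_demo_webroot)
echo "Shell-interpreted CGI scripts:"
find_shell_cgi "$root"
echo "PHP files that spawn a shell:"
find_php_shell_calls "$root"
rm -rf "$root"
```

Point the two functions at a real document root in place of the demo directory; each file they list is a candidate to assess, silo or remove.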

SEO strategy, the right approach for you and its consequences

So you’ve heard of black hat SEO and you’ve heard of white hat SEO, and then there’s the middle ground where you push the boundaries on what is good practice, white hat safe stuff. In case the difference escapes you, here’s a brief overview.

The premise with black hat SEO is to get ranking at all costs, via things like link pyramids, wheels and countless other services you can buy on certain 5 dollar service sites nowadays. They include link spamming blogs, adding to wikis and creating profiles on forums that contain very little info except a link with anchor text and possibly the same copied description on another five hundred sites. Unless it’s spun into indecipherable paragraphs, which may have started with good intentions but make little to no sense now.

The white hat approach to SEO includes things like building relationships with other bloggers via commenting, producing link-worthy content that people want to share and building a following on social media platforms to help you do it. It’s a relationship-based strategic approach that involves finding the right partners in your niche to work with, working hard onsite to make your pages legible, and encouraging interaction and engagement.

The grey hat SEO approach can involve things like purchasing expired domains within your niche with pre-existing links to them and consequently page ranking, redeveloping the content for the site and then pointing the content to your own site. Effectively this means building a highly targeted link pyramid based on a few specific domains you own and control. It’s grey hat because whilst you own the domains and produce the content, the specific purpose of these sites is purely to build ranking and therefore not search engine friendly.

So here we are three paragraphs in and I haven’t even mentioned Google. I hate to say it, but someone has to. When I talk about SEO I generally mean Google or Google properties like YouTube; this is who most SEOs are targeting and so that’s what we must try to appease. So in case it’s escaped you, over the last couple of years the big G has got more and more content orientated, driving its focus away from anchor text and links to greater quality of pages. Everything from page loading speed to bounce rate has a greater place in modern SEO, which has led to the growth of the UX or user experience industry.

So now you have the context, let’s focus on the consequences of each strategy. Black hat can cause a big surge in initial rankings, but if/when you get caught out, the damage can take far longer to remove. Getting sites that you may not have access to, or be able to get hold of, to take down negative links is time-consuming. I should know: I made the mistake of testing out some cheap and cheerful SEO tactics on one of my own sites, an iPad app review blog. The result: big surges in traffic on every post, and the initial surge was worthwhile, but the link network got shut down and the rankings never recovered. I’d wasted my time, money and effort for a short-term gain before the Google Panda update. Now my approach is more pragmatic, working on producing good content and building a bigger audience, the white hat approach. Personally the grey hat approach appeals, but it wouldn’t be something I’d feel comfortable recommending.

A great quote I heard at a lecture only this evening:
“If your business depends on Google ranking, then you haven’t got a business” Ian Hopkins

In the end the strategy you choose will be based on a variety of things, from budget to which SEO guy talks the best game. The most important thing is to recognise the effect of the strategy you choose. Make sure the SEOs explain exactly what they intend to do so you don’t get caught out.

Let me know what you think by commenting below.