Shellshocked?
Posted by Andrew Hodgkinson Sat, 27 Sep 2014 06:39:00 GMT
Within the last couple of days, you might have heard about a really nasty security problem in the bash shell, Shellshock, that’s so important it has already been given a name and an unofficial logo (!).
The server running the ROOL web site was vulnerable to this issue but has been patched, with another patch due for a secondary, much less serious aspect of the bug for which a fix is not yet available.
The bug is in the way bash imports function definitions from environment variables, so it can only be exploited where attacker-controlled input ends up in the environment of a bash process. On a web server the classic route is a CGI script: the server copies request headers such as User-Agent into environment variables before running the script, and if that script is bash, or spawns bash, the attacker’s header is parsed as code. Whether any given web site is exposed therefore has to be assessed case by case. I’ve had a careful look through the software we use at RISC OS Open and, as far as I can tell without a very time-consuming, full-depth analysis, our server software does not pass through requests from the web in such a way that it would have exposed the buggy, exploitable component. So, even during the day before our server got patched, it doesn’t look like we could have been compromised.
There is evidence of attempts to scan our site for the vulnerability in our server logs. These attempts were not successful.
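To make the two points above concrete, here is an added example, not code from the original post or from the ROOL site: a harmless local self-test that shows how the bug reaches bash through an environment variable, and a small detector that picks Shellshock probes out of web server access-log lines. The self-test assumes a `bash` binary on the PATH; the log lines are constructed for the example, with RFC 5737 test addresses, and are not taken from any real server log. Function and constant names are this example’s own.

```python
"""Added example, not code from the original post: how Shellshock reaches
bash, and how probes for it show up in a web server log.

Shellshock (CVE-2014-6271) is a bug in the way bash imports functions from
the environment. A variable whose value begins "() {" is parsed as a function
definition, and vulnerable versions keep executing whatever follows the
closing brace. On a web server the usual exposure path is CGI: the server
copies request headers into environment variables (User-Agent becomes
HTTP_USER_AGENT, and so on) before running a script, so if that script is
bash, or anything that spawns bash, the attacker controls the value.
"""
import os
import re
import subprocess


def local_bash_is_vulnerable(bash="bash"):
    """The classic self-test: a harmless payload in an environment variable.

    Returns "vulnerable", "patched", or "bash-not-found". A patched bash
    ignores the trailing command (and may warn on stderr about the
    function definition attempt); a vulnerable one prints "vulnerable".
    """
    env = {"PATH": os.environ.get("PATH", "/bin:/usr/bin"),
           "x": "() { :; }; echo vulnerable"}
    try:
        proc = subprocess.run([bash, "-c", "echo test"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (OSError, subprocess.TimeoutExpired):
        return "bash-not-found"
    return "vulnerable" if "vulnerable" in proc.stdout else "patched"


# What a probe looks like from the server side. The payload has to travel in
# something the server will export to the environment, so it turns up in the
# request line, Referer or User-Agent of an access-log entry.
SHELLSHOCK_SIG = re.compile(r"\(\)\s*\{")
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')
FIELD_NAMES = ("request", "referer", "user_agent")  # order in combined format


def find_shellshock_probes(log_lines):
    """Return (client_ip, field, value) for each quoted field carrying the signature."""
    hits = []
    for line in log_lines:
        client_ip = line.split(" ", 1)[0]
        for name, value in zip(FIELD_NAMES, QUOTED.findall(line)):
            if SHELLSHOCK_SIG.search(value):
                hits.append((client_ip, name, value))
    return hits


# Constructed sample log lines (combined format, RFC 5737 test addresses),
# not taken from any real server log.
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:11:02:13 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 209 "-" "() { :; }; /bin/ping -c 1 198.51.100.5"',
    '198.51.100.22 - - [25/Sep/2014:11:05:41 +0000] "GET / HTTP/1.1" '
    '200 5120 "-" "Mozilla/5.0 (compatible; example)"',
    '203.0.113.7 - - [25/Sep/2014:11:06:02 +0000] "GET /cgi-bin/status HTTP/1.1" '
    '404 209 "() { ignored; }; echo probed" "curl/7.30.0"',
    '192.0.2.9 - - [25/Sep/2014:11:09:55 +0000] "GET /forum/ HTTP/1.1" '
    '200 8890 "https://example.org/" "Mozilla/5.0 (RISC OS) NetSurf/3.2"',
]

if __name__ == "__main__":
    print("local bash:", local_bash_is_vulnerable())
    for ip, field, value in find_shellshock_probes(SAMPLE_LOG):
        print(f"probe from {ip} in {field}: {value}")
```

The detector deliberately keys on the `() {` prefix rather than on any particular payload: the payloads vary (pings to a listener, `wget` of a dropper, `/bin/bash -i`), but every variant has to start with the function-definition marker for bash to bite. A 404 against `/cgi-bin/` with that signature, as in the sample, is what an unsuccessful scan of a site with no CGI scripts looks like.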
The most valuable thing we might have stored in our database would be your passwords. Attackers love to get hold of them and then try re-using them on other sites. We do not store your password and never have. We store a token derived from it by a one-way hash function. A hash is not encryption: there is no key, and we cannot run it “backwards” to produce your password, even if we wanted to. All we can do is take the password presented to us in the log-in form (which we neither store nor log anywhere), hash it the same way to produce a token, then see if that token matches what we have in our database. As a result, even if our database was compromised and we didn’t know it, any reasonably strong password would not be recoverable in a computationally feasible timescale. What an attacker holding the tokens can still do is guess: hash candidate passwords offline and compare, which only pays off against weak, common or re-used passwords. It’s easier for attackers to just guess with random and/or common passwords, as with the recent iCloud celebrity photograph breach.
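As an added example (not the ROOL site’s own code, whose hashing algorithm the post does not name), the following shows the whole round trip just described: deriving a salted one-way token from a password, checking a log-in against it without ever storing the password, and what a thief of the database can and cannot do with the token. PBKDF2-HMAC-SHA256 from Python’s standard library stands in for whatever the site actually uses; the wordlist and passwords are constructed for the demonstration.

```python
"""Added example, not the ROOL site's own code: storing a one-way password
token, verifying a log-in against it, and what an attacker who steals the
token can still do.

The algorithm the site uses is not stated in the post; this example uses
PBKDF2-HMAC-SHA256 from the standard library as a stand-in (a memory-hard
function such as scrypt or Argon2 is the stronger choice today).
"""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # deliberately slow: each guess costs the attacker this much work


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable token: "pbkdf2_sha256$<iterations>$<salt>$<digest>".

    The salt is random per user so equal passwords give different tokens and
    a precomputed table cannot be reused across accounts.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, token):
    """Recompute the token from the presented password and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = token.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported token format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def guess_offline(token, wordlist):
    """What a thief of the database can do: hash guesses and compare.

    The token cannot be run backwards, so the only route to the password is
    to try candidates. Returns the recovered password, or None if no guess
    in the list matches.
    """
    for guess in wordlist:
        if verify_password(guess, token):
            return guess
    return None


# Constructed demonstration data; the wordlist stands in for the "common
# passwords" an attacker would try first.
COMMON_GUESSES = ["123456", "password", "password123", "qwerty", "letmein", "riscos"]

WEAK_TOKEN = hash_password("password123")
STRONG_TOKEN = hash_password("correct-horse-RISC-OS-5.21!")

if __name__ == "__main__":
    print("stored token:", WEAK_TOKEN)
    print("log-in with right password:", verify_password("password123", WEAK_TOKEN))
    print("log-in with wrong password:", verify_password("Password123", WEAK_TOKEN))
    print("offline guess against weak token:", guess_offline(WEAK_TOKEN, COMMON_GUESSES))
    print("offline guess against strong token:", guess_offline(STRONG_TOKEN, COMMON_GUESSES))
```

Two details carry the security argument. The per-user random salt means the same password hashes to a different token for every account, so a stolen table yields nothing that can be looked up or shared between users; and the iteration count makes each guess as expensive for the attacker as for the site, which is why the weak password falls to a six-word list while the long one does not.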
We’re not exactly the most high profile or valuable site on the web :-) but we do get well over a million hits and average around 75GB of traffic per month, so we’re certainly not the quietest. We try to always remain vigilant when it comes to security.
(All patches now applied).