Meltdown and Spectre - James Bond villains surely?
Wednesday 17th January 2018
Recent news articles have abounded with one of the most widely spread and publicised family of computer security vulnerabilities, and have titled them Meltdown and Spectre....
....catchy names in my opinion, but what's going on?
First, let's just cut through the media hype and explain a little here.
These are, quite rightly, serious declarations of problems that exist in a phenomenal number of computers, and that overall the world is to be concerned.
Nothing is really new here though, and this is a problem that has been around for well over a decade, yet it has just surfaced as a result of some security researchers finding some shortcomings in the way that modern computer processors work with Windows, Apple iOS and Linux variants. Actually, it is a little more widespread than just those, as this also affects any computer operating system that takes advantage of a little-known speed efficiency called "speculative execution"
Speculative execution was introduced quite some time ago to help computers work faster, and so much technology has taken advantage of this initiative to gain more computer power. Speculative execution really is just a neat way of ensuring that a computer isn't sat waiting for results before it makes all of its next decisions. This is a way of a computer "guessing" what's likely to happen next and starting to process that guess - sometimes it's right and sometimes it's wrong. For all of the instances the guess was right, computer time has been saved, or all of the times it was wrong, nothing is wasted as those parts of the computer working playing that hunch would've been otherwise sat idle and metaphorically twiddling-their-thumbs.
Now we know that the World's been about to end for the last 15 years or so, what needs to be done?
Some security researchers have just stumbled upon a way to take advantage of this speculative execution to slowly leaks bits of data from the computer's guessed processing, because during this guessed processing time the computer wasn't able to apply its normal due-diligence checks on the security around that processing. Doh!
These leaked bits of data are normally and typically benign, but every now and then some of this leaked data during guessed processing might contain a password, a security key or something else particularly sensitive that are the Crown Jewels that many hack attacks rely upon.
Now, these Crown Jewels might become suddenly more accessible due to this discovery!!
OK, true, but there is a lot of superfluous data that a hacker's attack might need to sift through to get these sensitive data, and they can only really get this information if they are able to place a hack on a computer that can then read the contents of the processors speculative execution storage space.
No mean feat, but yes very achievable. However, to do this effectively does require some expertise, and that such expertise does come at a cost. Nation States no doubt have the funds to exploit this, and serious organised crime similarly so we should expect to see some hack attacks coming out soon about this. Then once one has achieved it, there will be a flood of others.
"My Anti-Virus is up to date!!"
OK, I'm pleased for you, but right at the moment that's not going to help you as there is not sufficient evidence around that would allow the Anti-Virus manufacturers to develop the antidotes.
Right at the moment, the operating system manufacturers are working with the chip manufacturers to try to combat this (it is proving tricky!) and they will be issuing operating system updates as soon as they can, so there is a race against the clock between hackers being able to exploit this and the operating system manufacturers having a defence mechanism. Chip manufacturers take a really long time to change what they do, and they are not going to be issuing updated chips to all computer owners
The best defences that we got are the usual defences for most malware:
- keep patching your operating system from the trusted sources AS SOON AS patches become available
- keep your anti-virus up to date (just do it anyway, irrespective)
- keep your ad-blockers up to date
- employ due diligence on all email traffic when it comes to links and attachments, don't open anything unless you know you can trust it
- ensure that your systems are backed up (just good practice)
- have a response process that allows you to detect compromised accounts and to change passwords
- keep your Security Specialists to hand and on a close leash
- make sure that your computers are all behind a firewall that has been configured to only allow the business traffic that you need, and nothing else.
I'm not panicking and I'm not worried....
.....I am exercising all of the above though!