I have been in Michigan for the last week or so, expecting a rather quiet couple of weeks on the technology front. A perfect opportunity to get away while people are easing back into the new year. CES is taking place in Las Vegas, which consumes much of the news, with speculation about upcoming trends and product releases (fluff, in other words).
But, on January 2nd, news about a pair of critical hardware vulnerabilities broke, ruining the chance for a peaceful time!
At first the vulnerabilities, codenamed Meltdown & Spectre, were reported to be hardware-level security failures in processor chips designed by Intel. Although it sounds like a James Bond film, Daniel Craig is nowhere to be found.
If you want to know more about the technical details of the vulnerabilities, google Meltdown or Spectre and you will be presented with a massive amount of information. Cloudflare have published an easy-to-read article on these vulnerabilities: https://blog.cloudflare.com/meltdown-spectre-non-technical/
To avoid technical jargon I will offer a very simple analogy of how these vulnerabilities work.
Any action you undertake on a computer executes huge amounts of code and instructions for a computer to process. A processor uses complex algorithms to determine the next likely action, like a predictive analysis.
For example, if you go to the store and buy bread and milk, it is likely you will also purchase eggs, so you head to the egg aisle. If on the walk to the eggs you realise you don’t need them, you backtrack and go to the correct aisle. A computer does exactly this, but at lightning speed, to reduce the perceived time an action takes.
At a hardware level, it is possible to inspect this action being undertaken, like a security camera in the supermarket. Even though the security camera might not know the item you are looking for, it can see all of the actions being undertaken along the way.
Let me make that incredibly clear — passwords, cryptographic information, and other sensitive information can all be viewed just by knowing how the system works, not knowing what data is being executed.
Meltdown & Spectre have caused a blind panic in the tech community, with all chip providers and software companies rushing to fix these issues. Unfortunately, this public disclosure has caused a raft of issues and further panic.
Last year four independent research teams discovered these flaws and privately disclosed these to Intel. A working group was established and key software and hardware players have been working on patches and mitigation techniques for these issues.
Intel released a statement immediately after the news broke, but it was quickly overtaken by mass hysteria. AMD, the rival chip maker, joined the party to say their processors were immune from this flaw, only to be told they are immune from one of the bugs, not all of them.
Linus Torvalds and his Linux team joined the fray, rapidly followed by Microsoft, ARM, Amazon, IBM, and NVIDIA. Suffice to say it’s a bit of a big deal and almost all devices are vulnerable at some level.
Yes, Apple fanboys, that means Macs too. Sorry about that!
Within the next week, many of the anti-virus vendors had patched their products, but several had not.
The downside of these fixes is a noticeable performance hit, particularly bad in database applications.
How Not To Solve A Problem
Microsoft, to their credit, rapidly deployed an emergency fix for Windows OS. They also scheduled a mitigation patch through their entire cloud infrastructure.
The fix is a simple OS patch, nothing too scary. Unfortunately for Microsoft, many anti-virus vendors’ software could cause computers to blue screen or fail to boot with the patch, so Microsoft came up with a plan: before the patch can be installed, the installed anti-virus software must set a flag to confirm compatibility.
Great work, everyone pats themselves on the back, job done right? Wrong. Some Anti-Virus software is, how do we say? Total shit. Many platforms are yet to set this flag so the patches aren’t being installed.
Microsoft made matters worse earlier this week when they announced computers aren’t going to receive any future updates until this flag is set. Although this has put the pressure on companies to fix their products, this is making computers less secure, not more.
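To see whether a given Windows machine is affected by this, the flag can be read directly from the registry. The check below is an added example, not part of the original article: the registry key and value name are the ones Microsoft documented for the January 2018 updates (the article does not quote them), and Test-AvCompatFlag is a hypothetical helper name.

```powershell
# Added example: check the antivirus compatibility flag on this machine.
# Key and value name are the ones Microsoft published for the January 2018
# updates; they are not quoted in the article. Test-AvCompatFlag is a
# hypothetical helper name.
$CompatKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$CompatValue = 'cadca5fe-87d3-4b96-b7fb-a231484277cc'

function Test-AvCompatFlag {
    $result = [pscustomobject]@{
        Computer     = $env:COMPUTERNAME
        FlagSet      = $false
        Detail       = ''
        LatestHotfix = $null
    }

    # Most recent installed update, to spot a machine that has stopped patching.
    $result.LatestHotfix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1 -Property HotFixID, InstalledOn

    if (-not (Test-Path -Path $CompatKey)) {
        $result.Detail = 'QualityCompat key is missing; no product has declared compatibility.'
        return $result
    }

    $key = Get-Item -Path $CompatKey
    if ($key.GetValueNames() -notcontains $CompatValue) {
        $result.Detail = 'Key exists, but the compatibility value is absent.'
        return $result
    }

    # The flag only counts when it is a REG_DWORD with data 0.
    $kind = $key.GetValueKind($CompatValue)
    $data = $key.GetValue($CompatValue)
    if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord -and $data -eq 0) {
        $result.FlagSet = $true
        $result.Detail  = 'Compatibility flag is set.'
    } else {
        $result.Detail = "Value present but wrong: kind=$kind data=$data."
    }
    return $result
}

Test-AvCompatFlag | Format-List
```

A machine that reports FlagSet as False alongside an old LatestHotfix date is one where the anti-virus product has not declared compatibility and updates have stalled.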
How Does This Affect Me?
These vulnerabilities affect everyone, regardless of the devices you use.
The clear message is, don’t panic! Although a threat exists, at this time people aren’t exploiting this on a grand scale. Unless you have nuclear launch codes on your laptop you should be ok. Several mitigation steps exist.
How Do I Protect Myself?
- Regardless of your device you should apply all the latest updates available.
- If you are using a Windows computer:
  - I recommend Webroot SecureAnywhere and Bitdefender. All of my clients are secured with Webroot and supporting products.
  - Install all feature updates and security updates.
  - Install all updates from your computer manufacturer (Dell/HP/Lenovo etc.).
  - Update your BIOS / system firmware. Your manufacturer updates should do this on pre-built computers; custom-built computers must be updated manually.
- Don’t click on untrusted links, install unknown applications, and generally act diligently online
If you have a technology partner reach out to them — any company should already have a plan in place and be mitigating these risks. If you don’t have a technology partner or are unsure of what should be done, reach out to me via email, phone, or social media.
Insider Trading — How To Get Caught
In related news, the CEO of Intel, Brian Krzanich, has been discovered to have sold as much Intel stock as he could ($20M) late last year. This in itself isn’t illegal, but his sale plan and order was executed after he was informed of the security vulnerabilities.
Pressure has been building against the beleaguered CEO, with the media and shareholders up in arms about the sale. Yesterday two key US senators urged the government to open an insider trading case and SEC probe.
I’m not one to take the moral high ground or offer life advice, but what a ridiculously stupid thing for an organisational leader to do. When times get tough, pull your equity out? I am sure we haven’t heard the last of this investigation.
To summarise, technology is inherently insecure. All technology is designed by humans, and mistakes or fundamental flaws occur. In good news we have thousands of talented individuals acting as the “Red Team,” poking holes in our understanding and helping make technology more secure.
Don’t panic, and don’t believe the media hype. This isn’t the end of security as we know it, and it sure as heck isn’t going to be marked in our calendars in a hundred years. It has however shown that we need to reevaluate all our decisions, be it design, security, or selling all your shares…
- Critical vulnerabilities in processors have been discovered
- Companies are scrambling to update and secure their products. This has a tangible performance impact
- Not everyone has got the response right, with a few serious bumps along the way
- Don’t panic, but patch. Follow the core steps to being secure online
As always, let me know your thoughts on social media or in the comments below. If you have any questions about these vulnerabilities or how to protect yourself or company, shout out. We are here to help!
Connect with Jacob via:
Phone: +61 4 0525 9005