The Citadel Perspective
A fascinating week in the information security world: the discovery of three extremely subtle bugs – vulnerabilities – in the computer chips that drive the world has everyone – properly – concerned. What a tremendous – hopefully painless – learning lesson. So let’s lay it out.
- What’s going on?
- What do we do about it?
- What does it mean?
What’s Going On?
- Nearly every computer on the planet is vulnerable to these newly discovered security vulnerabilities, known collectively as Spectre and Meltdown. The Meltdown vulnerability is so subtle that it took researchers over 20 years to discover it.
- From the website Meltdown and Spectre: Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.
- For technical details, see the last two resources below.
- The industry is not hearing of any active attacks. Precaution is in order. Panic is not.
- While the threat is real, a cybercriminal must have access to the machine being exploited.
- For home and office users, access usually takes the form of physical or Internet access. The two major Internet access points are email and a web browser.
- IT organizations also have to be concerned with risk from cloud services. An IT organization can also provide deeper protection to PCs and similar devices, which home or office users may find challenging to do themselves.
- There are only two relevant differences between today and last week:
  - We know these vulnerabilities exist and must now take care of fixing them
  - The enemy also knows these vulnerabilities exist and will seek to exploit them
What Do We Do About It?
Home & Office Users: As in all things cybersecurity, a proper cyber guardian perspective is in order. This means rigorously patching operating systems, browsers, and other applications.
- As a precaution, Microsoft won’t update unless your antivirus has been updated
- See the list below for some guidance
- If you use Chrome, set it to render pages in ‘strict isolation’ per the link below
- If you know how to patch your BIOS, do so; otherwise seek out qualified support
And always be on guard for a cyber phishing attack. If you’re not sure, don’t!!! As cyber Patriot Ben Franklin said, distrust and caution are the parents of security.
- Make sure IT keeps an eye out for BIOS updates and the like as hardware manufacturers will be updating their BIOS to protect against Meltdown and Spectre exploits
- Assist your users with their home computing devices
- Pay close attention to all cloud-based services, such as Amazon, Google, Microsoft Azure, etc. Please contact us if you’d like more information on protecting your sensitive information accessible via the cloud.
What Does It Mean?
The discovery of Meltdown and Spectre illustrates again that cybersecurity management – managing the security of an organization’s sensitive and critical information assets – is a moving target. There is not a security budget in the world that last week had a line item for Meltdown and Spectre remediation; now there’s not even time to get the budget item approved.
This is the way cybersecurity management works, which is why it so benefits from strong cybersecurity leadership.
Good cybersecurity leadership sees the discovery of vulnerabilities like Meltdown and Spectre as a normal part of the usual flotsam and jetsam that comes our way. While the industry has considerable work to do to get ahead of these vulnerabilities, good cyber guardians – with sound practices and tight discipline – will bat these vulnerabilities aside the way a Stanley Cup goalie bats aside a shot from the blue line. IT organizations following the SecureTheVillage Code of Basic IT Security Management Practices won’t even break a sweat.
Overview; Practical Things
Scary Chip Flaws Raise Spectre of Meltdown: Apple, Google, Microsoft and other tech giants have released updates for a pair of serious security flaws present in most modern computers, smartphones, tablets and mobile devices. Here’s a brief rundown on the threat and what you can do to protect your devices. KrebsOnSecurity, January 5, 2018
How to protect yourself from Meltdown and Spectre CPU flaws: On Wednesday, researchers revealed serious flaws in modern processors that could affect practically every Intel computer released in the last two decades — and the AMD and Arm chips in your laptops, tablets and phones, too. CNet, January 5, 2018
Why Your Web Browser May Be Most Vulnerable to Spectre and What to Do About It: Security researchers this week revealed details of Spectre and Meltdown, massive security vulnerabilities found in microprocessors made by Intel, Advanced Micro Devices and others. Fortune, January 4, 2018
How to protect your PC against the major ‘Meltdown’ CPU security flaw: Details have emerged on two major processor security flaws this week, and the industry is scrambling to issue fixes and secure machines for customers. Dubbed “Meltdown” and “Spectre,” the flaws affect nearly every device made in the past 20 years. The Meltdown flaw primarily affects Intel and ARM processors, and researchers have already released proof-of-concept code that could lead to attacks using Meltdown. The Verge, January 4, 2018
Industry Updates and Responses
Apple confirms iPhone, Mac affected by Meltdown, Spectre flaws, but Apple Watch unaffected: Apple has issued a statement regarding the Meltdown and Spectre vulnerabilities, confirming all Mac systems and iOS devices are affected, but saying there are no known exploits impacting customers at this time. ZDNet, January 5, 2018
Mozilla Firefox 57.0.4 Released with Meltdown and Spectre Patches: Mozilla has just released an updated version of Firefox browser that includes fixes for the Meltdown and Spectre bugs discovered in Intel, AMD, and ARM processors. Softpedia, January 5, 2018
Google is prepping a Chrome update to mitigate newly disclosed CPU exploits: Mark your calendars, folks—on January 23, Google will roll out a Chrome update (version 64) that will contain mitigations against Meltdown and Spectre, the names given to recently disclosed vulnerabilities affecting a whole bunch of processors. PC Gamer, January 4, 2018
In the meantime, see How to enable Strict site isolation mode in Google Chrome: Strict site isolation is a new experimental feature of Google’s Chrome web browser that ensures that processes are limited to pages from one site. GHacks, December 8, 2017
Microsoft Releases Emergency Updates to Fix Meltdown and Spectre CPU Flaws: Late last night, Microsoft issued out-of-band updates that address Meltdown and Spectre, two security flaws said to be affecting almost all CPUs released since 1995. BleepingComputer, January 4, 2018
Intel starts issuing patches for Meltdown, Spectre vulnerabilities: Intel says it has already issued updates for the majority of its processor products released in the last five years. ZDNet, January 4, 2018
Meltdown and Spectre: Bugs in modern computers leak passwords and sensitive data. Meltdown and Spectre exploit critical vulnerabilities in modern processors. These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.
Industry Meltdown, or Just a Spectre?: By now you may have heard of “Spectre” and “Meltdown,” names for a new category of side-channel information disclosure vulnerabilities. These issues enable a malicious memory read across previously-solid security boundaries, are difficult to mitigate, and affect a staggering variety of modern hardware architectures, the extent of which is still not completely clear. That alone is cause for major industry-wide concern, but for most users the best course of action is to maintain a level head and continue to exercise good security hygiene: keep systems patched with the latest security updates, and make use of traditional security controls to prevent attackers from gaining a local foothold. SecurityEvaluators, January 4, 2018
Meltdown and Spectre – Understanding and mitigating the threats – SANS DFIR Webcast [VIDEO]: On Jan 3 2018, two new vulnerabilities (Meltdown and Spectre) were introduced that are in the architecture of processors in nearly every computer and other devices using CPUs. Code to exploit these vulnerabilities in some cases is now publicly available and we can expect that more capable/modular code will be released soon. During this webcast, we’ll walk through how the vulnerabilities work, what is being done to patch them, the performance impacts of patching, and probable exploit scenarios for the vulnerabilities. SANS, January 3, 2018