The Hack Heard Around the World
Industry experts are currently quite concerned about the computer vulnerabilities dubbed Spectre and Meltdown. These vulnerabilities leverage a flaw in Intel processing chips which allows access to and retrieval of any data stored in computer device memory. To make matters worse, Intel processing chips are found in a wide variety of computational devices from computers to smartphones. Given the scope of these vulnerabilities, most computing devices are vulnerable, and we should take basic security measures. As of January 19, 2018 we have not seen any successful attacks.
Ways to Stay Secure
While the discovery of these vulnerabilities is relatively new, the best safeguards -- applying basic device security -- against them are not new. Did you know, for example, that a common attack vector for stealing data is to go through web advertisements (also known as malvertising)? Meltdown can run through JavaScript (one of the primary programming languages of the Internet), so avoiding "malvertisements" is critical to keep your data and devices secure. It is for this reason that running a trusted ad blocker like uBlock Origin provides essential protection.
In case ad blocking fails and malicious ads pop up or hackers attempt to infiltrate your device another way, make sure your operating system and applications (programs) are up-to-date. The good news is that current security patches fix a lot of the malicious code already out there. In fact, due to the scope of the threat that Spectre created, Intel, Microsoft, and Apple have already pulled their resources together to deliver security patches to protect against it. Patches have also been released for the Linux operating system. It is a bit trickier to protect applications (because there are so many of them and so many different manufacturers) but just as important, because Meltdown also attacks applications. Since most applications are currently undergoing “hardening” (making more secure), updating your applications frequently is the best way to take advantage of these protective efforts.
Note that the patches which resolve the Intel chip vulnerabilities have been tested, but they tend to slow down processors anywhere from 5-30%. Additionally, the patches that have been released are incompatible with some antivirus programs, so be sure to test prior to applying the patch.
A solid first and last line of defense is to be cautious about the data you save on your computer and phone. Hackers make a profit from Spectre and Meltdown if the data on your computer or phone is worth stealing. The more sensitive the data on your personal device, therefore, the more valuable it is to hackers. Before storing data on your device, consider the following questions:
- Why would I save this information on my device?
- How am I saving it? Is it encrypted?
- Is this something that I can remember or store elsewhere, e.g., as a hard copy or in offline storage?
It's always a best practice to minimize or eliminate the amount of sensitive data you have on your devices -- whenever possible. Remember: No one can steal your sensitive data if you don't store it on your devices.
If You Are Still Concerned…
Information Security (Infosec) is here for you. Email us at [email protected] if you want additional guidance about the best ways to protect yourself against these (or any other) vulnerabilities. Our job is to protect your data, and we love what we do.
Additional Resources
General information:
- https://www.lawfareblog.com/spectre-advertising-meltdown-what-you-need-know
- https://www.safecomputing.umich.edu/security-alerts/apply-updates-computer-chip-vulnerabilities%E2%80%94meltdown-spectre
- https://blogs.gwu.edu/gwinfosec/2018/01/05/meltdown-and-spectre-security-vulnerabilities-what-you-can-do-now/
- https://www.redhat.com/en/blog/what-are-meltdown-and-spectre-heres-what-you-need-know
Vulnerability Details:
- https://spectreattack.com/
- https://googleprojectzero.blogspot.com/2018/01/reading-privileged-memory-with-side.htm
- https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00088&languageid=en-fr
- https://www.amd.com/en/corporate/product-security
- https://developer.arm.com/support/arm-security-updates
Microsoft Patch Guidance:
- https://support.microsoft.com/en-us/help/4072699/windows-security-updates-and-antivirus-software
- https://www.microsoft.com/security/blog/2018/01/09/understanding-the-performance-impact-of-spectre-and-meltdown-mitigations-on-windows-systems/
Antivirus Compatibility:
AMD Athlon users reporting crashes after applying Microsoft patch: