Identity Blog

The Digital Security Meltdown

By now you’ve all heard about the latest cybersecurity threats, “Spectre” and “Meltdown”. If you haven’t I don’t blame you. Most people see this as yet another event in an ongoing cascade of cybersecurity threats that seem to come with increasing regularity. So why is this event so important and why should you care? These new threats are extremely far reaching and not only impact your personal computing, but also the future of computer chip production and, therefore, all of computing itself.

What Has Happened?

In the summer of 2017, cybersecurity teams from around the world discovered a design flaw in the computer chips that power our computers, mobile devices and all your internet services. The design flaw was a result of a design that enabled computer chips to run faster.

The trade-off was for speed over security. These flaws exist because, historically, computer chips have been engineered to function as fast as possible, not as safe as possible. For generations of computers, we have demanded the fastest possible chips to help run the fastest possible computers. As a result, 100% safety sometimes took a backseat to speed.

Basically to make the chips faster, they were programmed to predict what the computer was going to do next and fetch the data required for the next process. This saves valuable time by having the data ready for the system to consume. However, in doing so it exposes the protected data store. Someone watching this process will learn about the protected store and in doing so can determine how to access that data.

According to the New York Time, this design flaw can be exploited by hackers to steal the entire memory contents of computers, including mobile devices, personal computers and servers running in so-called cloud computer networks.

Who Is Affected?

Everyone – the design flaw has been seen in Intel, AMD and ARM licensed chips. These chips have been sold with consumer computers, servers and mobile devices since 1995, so the impact is, potentially, both personal and global in scope.

How Safe Are You?

Both flaws require hackers to have malware set up to take advantage of the exploit. However, now that this is all public it will just be a matter of time before this happens. Apple has stated that “while these flaws are extremely difficult to exploit, even by an app running locally on a Mac or iOS device, they can be potentially exploited in JavaScript running in a web browser.”

How Do The Exploits Work?

There are two exploits, “Meltdown” and “Spectre”.

Meltdown – despite being specific to Intel, is considered the more aggressive of the two threats. It works by “melting down” the security that’s supposed to exist between every software application on your computer and the OS which runs that computer. The Meltdown exploit breaks the mechanism which keeps any application on your computer from having access to other data which are supposed to exist in protected system memory, such as:

  • Passwords
  • Security keys
  • Credit card info
  • Text of any kind
  • Any and all supposedly protected information is now considered at risk.

Spectre  –  an exploit which runs on chips made by Intel, AMD and ARD — works a bit differently. Whereas Meltdown works between an application and the operating system, Spectre instead works between multiple applications.

Every application running on your computer has some amount of protected memory stored as it runs. If, for example, you’re running both LastPass and Microsoft Office, each of those applications has its own protected chunk of memory being held securely. Spectre breaks this barrier between applications, making it possible to grab application data being held in protected memory. If one of those applications manages, say, all of your usernames and passwords, then you can understand how threatening this security exploit can be.

What can I do?

Security Patches

This is a “Good News”, “Bad News” situation.

First the good news. Since the exploits were discovered last summer, researchers have been working for months behind the scenes to develop patches before announcing the exploits to the public this week. That means two reasonably good things: it’s highly unlikely that anyone knew about these flaws until this week and software patches to address the Meltdown exploit are now available:

Apple: released fixes for Meltdown in iOS 11.2, macOS 10.13.2, and tvOS 11.2. watchOS didn’t require and fixing, they claim.

Microsoft: released Meltdown patches for their Surface hardware lineup including, the Surface Pro, Book, Studio, and Laptop devices. They’ve posted additional information about patching Windows OS for end-users and servers.

The bad news? The software patches to fix the Meltdown flaw might slow your computer down, possibly by as much as 30% by some estimates. While some speculate that performance may be high, others may defer implementing the patch and not take the performance hit. But remember how we got here in the first place – we opted for speed over security.

In the meantime, Apple claim that that they are seeing “no measurable reduction” on the Meltdown patch and only about a 2.5% reduction with the Spectre fixes they hope to implement on the macOS and iOS updates to Safari.

Two or Multi-Factor Authentication

Over the last couple of years we have seen every increasing numbers of data breaches, Experian being the latest and most well known. These breaches are occurring because malicious hackers want your personally identifiable information. Why? Because that is step one in being able to guess or crack your password.

Using only usernames and passwords to access your online life is not enough. Given that Meltdown and Spectre can easily expose these details, I would rest easier knowing that another authentication existed to keep my digital life secure. Two and Multi-Factor authentication works by requiring a third validation:

  1. Something you are – your identity or your device
  2. Something you know – your password
  3. Something you have – usually a “One-Time-Password” (OTP) in the form of a code

For example, if my Google account credentials were stolen: it would be near impossible for hackers to log into my account. Because they would be logging in from a different device, Google will see that and require Two-Factor authentication. This comes in the form of a six-digit challenge code that Google sends via SMS to my mobile phone. I can easily look up this code on my mobile phone; a malicious hacker cannot. They’d need physical access to my phone within 30 seconds, something that’s not likely to happen.

Please implement two-factor authentication immediately on all of your most precious accounts including, but not limited to: email accounts, social media accounts, internet hosting accounts, password managers, banking websites, and shared cloud storage solutions like AWS, Dropbox, Box and others.

Click here to download a datasheet on LoginRadius’ “Passwordless Login” solution

Related Posts