Lindsey Donato, CISA, PMP
Recently, tech researchers disclosed major security flaws in Intel and other processors; this set of flaws could reportedly let hackers steal sensitive information from nearly every modern computing device containing CPU (central processing unit) chips from Intel Corp, Advanced Micro Devices Inc. (AMD), and ARM Holdings. Suffice it to say this is alarming news.
This could impact desktops, laptops, mobile phones and Cloud networks everywhere, as these flaws could allow hackers to steal sensitive data without users knowing. Researchers at Google’s Project Zero, academic institutions and private companies published their findings very recently (Wednesday, January 3, 2018). Here is what you need to know about the discoveries of “Meltdown” and “Spectre,” the security flaws found.
Spectre is considered to be the more widespread of the two. “As it is not easy to fix, it will haunt us for quite some time,” one researcher has said.
What is it? This exploit breaks down the isolation between different applications. Spectre can potentially allow hackers to trick otherwise error-free applications into giving up secret information like passwords. It’s been noted that Spectre is harder for hackers to take advantage of, but is also harder to fix and poses a bigger, longer-term problem.
What does it affect? Spectre affects most modern products and processors made by Intel, AMD and ARM. Nearly every computing system is impacted.
What is the fix? “There's no complete software fix against Spectre right now,” said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon, a defense company. The long-term solution may rely on a hardware redesign, he said, with software patches acting to monitor and stop malicious behavior in the meantime. While we wait for a new chip to be created, criminals and hackers could further develop the Spectre vulnerability, making attacks easier to execute.
Meltdown is being referred to as “probably one of the worst CPU bugs ever found” by researchers. Meltdown is a particular problem for the Cloud computing services run by the likes of Amazon, Google and Microsoft.
What is it? This vulnerability could allow hackers to bypass the hardware barrier between software applications and the computer/device’s core memory. A device’s core system, known as the “kernel,” can store all types of sensitive information in memory. This means banking records, credit card numbers, financial data, communications, logins and passwords are now at risk. With Meltdown, anything that runs as an application now has the potential to steal your personal data from a webpage on your internet browser. For Cloud services, hackers could rent space on the Cloud service and then grab information like passwords and other private data from other customers in the shared hosted Cloud environment. The flaw in the chip now allows hackers to circumvent the normally strong barriers and safeguards used to separate and protect users between hardware and software.
What does it affect? Meltdown specifically affects most Intel processors made after 1995, excluding the company’s Itanium server chips and Atom processors made before 2013.
What is the fix? Security patches already exist for devices running Linux, Windows and Apple’s OS X. Researchers note that according to some estimates, the fix may slow down the performance of patched devices by as much as 30 percent, as it requires a change to the way the operating system handles memory. Intel, however, has refuted this, and commented that for the “average computer user” the impact should not be significant and will lessen over time.
Google posted in a blog that Android phones, Nexus phones and Pixel phones running the latest security updates are protected, and Gmail users are also all set. Google also posted that it has updated its G Suite and Cloud services, but that some additional customer action may be needed for its Compute Engine and some other Cloud Platform systems. Chromebook users (if not already updated to Chrome OS 63) will need to download and install updates.
According to an Amazon blog post, “all but a small single-digit percentage of instances” of its EC2 systems—a service under its cloud computing platform—had already been protected. Amazon also urged customers to patch their operating systems using available updates.
An update from Apple on what is needed for its Mac computers and iOS devices is expected in the very near future.
These new flaws demonstrate the true importance of keeping devices updated and patches applied relatively quickly. Hackers will soon capitalize on these exploits and fold them into their regular attacks. It’s important to stay informed and be mindful that new exploits occur all the time.
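One way to confirm that the Linux patches mentioned above are actually in effect is to read the status the kernel itself reports. The script below is an added example, not part of the original article: it reads the kernel's sysfs vulnerability files (present on kernels that carry the fixes, where Spectre is reported as two variants), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: summarize kernel-reported Meltdown/Spectre mitigation status.
# VULN_DIR is the Linux sysfs location; override it to test against sample files.
# Usage: source this file, then run `audit` (exit status = flaws not confirmed safe).
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status TEXT -> prints not_affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# check_flaw NAME [DIR] -> prints "NAME: class (raw text)"; returns 1 unless safe
check_flaw() {
    name=$1
    dir=${2:-$VULN_DIR}
    file="$dir/$name"
    if [ ! -r "$file" ]; then
        # A missing file means the kernel predates the reporting interface,
        # so treat the flaw as unconfirmed rather than assuming it is patched.
        echo "$name: unknown (no $file; kernel too old to report?)"
        return 1
    fi
    raw=$(cat "$file")
    class=$(classify_status "$raw")
    echo "$name: $class ($raw)"
    case "$class" in
        not_affected|mitigated) return 0 ;;
        *) return 1 ;;
    esac
}

# audit [DIR] -> checks all three entries; returns the count not confirmed safe
audit() {
    failures=0
    for flaw in meltdown spectre_v1 spectre_v2; do
        check_flaw "$flaw" "$1" || failures=$((failures + 1))
    done
    return "$failures"
}
```

A missing status file is counted as a failure on purpose: an unpatched kernel cannot report its own exposure, so absence of the file is itself a signal that updates are pending.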
Lindsey Donato is a Manager with BlumShapiro Consulting. BlumShapiro is the largest regional business advisory firm based in New England, with offices in Connecticut, Massachusetts and Rhode Island. The firm, with over 450 professionals and staff, offers a diversity of services which includes auditing, accounting, tax and business advisory services. In addition, BlumShapiro provides a variety of specialized consulting services such as succession and estate planning, business technology services, cybersecurity, risk management and litigation support and valuation. The firm serves a wide range of privately held companies, government and non-profit organizations and provides non-audit services for publicly traded companies.