2018 certainly knows how to make an entrance. The Christmas turkey has barely been finished and we’re told that nearly every electronic device on the planet with an Intel processor (from servers to PCs, smart devices and more) is susceptible to not one, but possibly two of the worst critical hardware-related flaws ever known (Meltdown & Spectre): flaws that can allow a hacker to steal your data without a hint of detection. In cases like these we often hear “but I have the latest next generation antivirus software”, but it’s not going to help you here I’m afraid. “And I have the latest next generation firewall and a state of the art SIEM solution just installed” – no good for fixing this either. You may even be really good and have your staff trained in security awareness and your systems backed up offsite – but unfortunately neither will address the root cause of this global issue. Even Santa couldn’t help fix this one – that’s how serious this is.
The hardware flaws have been aptly named “Meltdown” and “Spectre”. They sound like something straight out of a James Bond spy movie – and to be honest – the names aren’t far off, given that, if exploited, spying on you is exactly what a hacker could do. Predictions have already come in from experts that this could be the biggest disaster in IT history, and similar to the KRACK WiFi vulnerability of last year, Meltdown and Spectre could take years to fully fix. While important workarounds are available in some cases and must be put in place (see below), only a hardware redesign in processor architecture will truly lay these bugs to rest.
To make matters worse, now that the crafty hackers know about it and with the EU GDPR data protection regulation coming into force on the 25th May, we predict this year is going to see some considerable cyber-attacks that will try to take advantage of at least one of these flaws, which may result in some pretty serious data breaches and some serious GDPR related fines. It’s at times like these one would think “Why did we ever go paperless?”.
How do Meltdown and Spectre work?
There has also been a lot of confusion around what exactly these two vulnerabilities are, and more importantly, how to protect yourself and your business against them so please do read on. Almost any electronic device with a processor is fair game to at least one of these vulnerabilities, be it a server, PC, mobile or smart device.
Firstly, it’s important to explain what exactly speculative execution is, as this is the CPU feature that both vulnerabilities take advantage of. Speculative execution makes for much quicker and more efficient processing, as without it, your processor would be idling most of the time. To put it simply, it takes time for your PC to speak to itself. Your CPU and RAM will both read/write much quicker than, say, your hard drive. There can also be multiple stages to go through when reading/writing to RAM and subsequently the CPU, and this will all add time to each process you undertake. However, through speculative execution, your processor essentially tries to ‘guess’ what the outcome of a query may be. Then, when the actual result comes in from the rest of your PC, if the guess was correct then your CPU has saved you time and will proceed to the next step, or if the guess comes back incorrect, the CPU simply discards that fork and then works with the updated information. Speculative execution has been a core feature in processors for over two decades now, and more often than not, the guesses are correct and save us processing time. This is where Meltdown and Spectre come in. They both take advantage of this feature, although in different ways.
The end result is that they can access data that you don’t want them to access – be it passwords, emails or sensitive business data – and can result in a data breach. You don’t need us to tell you how costly a data breach can be, as this is demonstrated on a weekly basis in the news. Data breaches are costly not only in terms of potential fines, but also the resulting downtime that can occur and the reputational damage. With the EU General Data Protection Regulation coming into force in May of this year, we expect the consequences of such breaches to increase.
What’s the difference between Meltdown and Spectre?
In order to be more efficient, certain security checks are not present during speculative execution. Meltdown is able to ‘trick’ your CPU into speculative execution, and then exploits it into allowing the malware unrestricted access to read everything the CPU accesses, through the cache. The scary part? Meltdown can use this vulnerability to read the CPU cache of not just the user that ran the malware, but of any user on that machine, even administrator accounts. So far, this one is only believed to affect Intel and ARM processors (good news for any AMD users).
Spectre, on the other hand, is a bit more technical and a bit nastier – and it affects all modern CPUs. This vulnerability doesn’t just access the data used in speculative execution, it manipulates it. To take a quick example, let’s say you’ve been asked what the answer to 2 + 2 is, and you’ve been asked to check it 100 times. Chances are, if you do the math 99 times and the answer is always 4, then you’re going to assume that the 100th time will also yield the answer 4. This is essentially how your processor is able to ‘guess’ what’s going to come next. However, Spectre is able to take advantage of this by ‘training’ your CPU and running a process hundreds of times in an attempt to manipulate what it will guess – allowing it to control the speculative execution. Again, this can allow hackers access to important data, such as your passwords, which in turn gives them access to everything else on your PC or even on your network. Antivirus software won’t do anything to protect against either exploit.
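As an added illustration (not code from the original post), this shows the shape of the bounds check that Spectre’s predictor ‘training’ targets, beside the branch-free index mask used to harden it. The sample array is constructed, and the mask follows the same construction as the Linux kernel’s array_index_mask_nospec.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample data: a small "public" buffer. In a real program the
   bytes that follow it in memory are what a mis-speculated read could touch. */
#define PUBLIC_LEN 8
static const uint8_t public_data[PUBLIC_LEN] = {1, 2, 3, 4, 5, 6, 7, 8};

/* Branch-free mask: all ones when index < size, zero otherwise. No branch
   means nothing for the predictor to be trained on (same construction as
   the Linux kernel's array_index_mask_nospec). */
size_t index_mask_nospec(size_t index, size_t size)
{
    return (size_t)(~(long)(index | (size - 1 - index)) >> (sizeof(long) * 8 - 1));
}

/* Clamp an index so that, in bounds or not, it can never leave [0, size). */
size_t clamped_index(size_t index, size_t size)
{
    return index & index_mask_nospec(index, size);
}

/* Textbook pattern Spectre variant 1 targets: the check is correct, but a
   CPU trained on in-range indexes may speculatively run the load for an
   out-of-range index before the comparison resolves. */
uint8_t read_checked_only(size_t index)
{
    if (index < PUBLIC_LEN)
        return public_data[index];
    return 0;
}

/* Hardened form: the mask is applied after the check, so even the
   speculative path reads inside the array. The architectural result is
   identical to read_checked_only. */
uint8_t read_hardened(size_t index)
{
    if (index < PUBLIC_LEN)
        return public_data[clamped_index(index, PUBLIC_LEN)];
    return 0;
}

int main(void)
{
    size_t probes[] = {0, 3, 7, 8, 4096};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("index %5zu: mask 0x%016zx -> clamped %zu, value %u\n",
               probes[i], index_mask_nospec(probes[i], PUBLIC_LEN),
               clamped_index(probes[i], PUBLIC_LEN),
               (unsigned)read_hardened(probes[i]));
    return 0;
}
```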
How do Meltdown and Spectre infect a PC?
At the moment, there have been no cases of these vulnerabilities being used out in the wild. These flaws have existed in most CPUs for over 20 years, and Spectre in particular is quite tricky to actually execute. However, there has never been more money in cyber crime, which has attracted some very talented programmers over to the dark side, and that’s before you even consider that cyber attacks are starting to see use as political weapons by countries around the world.
The most common vector for this kind of attack is usually phishing, either through emails or browser-based attacks. An example of such a scenario is an ordinary user at work, who has no admin privileges, browsing the web. They could stumble across a phishing website, which are surprisingly common and can look quite legitimate, and the site could execute JavaScript to download and install the malware on their machine. This could then access, say, the password of an account on that PC with admin rights, and spread itself across the network. Only one such vulnerable machine would need to be found on a network, even if all the others had been patched.
Another way that malware could be downloaded onto an unsuspecting user’s PC is through third party advertisements online. You could be on a legitimate website that you’ve used many times before which serves ads. Even if the site itself is safe, the ads come from other companies and can sometimes contain malicious code. You don’t even need to click on the ad in some cases, just loading the webpage is enough to let the ad infect your PC. We recommend the use of ad blocking software to counter this.
How do I protect myself against Meltdown and Spectre?
At Tech Guard, we always advise a proactive rather than just a reactive approach to cyber security. This means having a robust and comprehensive cyber security framework in your organisation, as well as a culture of cyber aware employees. This means that when the next unpredictable vulnerability is revealed, you’ll be as ready as you can be for it. When WannaCry hit in May 2017, businesses were woefully unprepared. They were told “patch your machines and train your staff” in order to stay protected against such attacks in future. Then, just a few months later, NotPetya was released into the world, which utilised much the same vulnerabilities as WannaCry. Many businesses had not taken the necessary steps to protect against WannaCry, and found themselves with a crippling bout of ransomware.
With that in mind, there are two main steps that are critical in protecting against both Meltdown and Spectre. Patch your machines, and train your staff. Security vulnerabilities and bugs are found in software all the time. Often, they occur in a single program, but when they affect something as commonly used as Microsoft Windows, or a processor that was designed post-1995, then they have the potential to affect millions of devices (it’s also worth noting at this point that Meltdown and Spectre don’t care what operating system you’re on – they can affect Windows, Mac or Linux/Unix users). The only way for these vulnerabilities to be closed off, at the moment, is through security patches issued by the relevant vendor.
Patching shouldn’t just happen sporadically or after a major security flaw has been exposed; it should be a regular process for your company. Patches should be tested first in a safe environment to ensure they don’t produce any unexpected side effects and break something critical, then they should be rolled out as quickly as possible afterwards to PCs and servers. If you don’t have the resources or skills in-house to test patches before applying them, then at the very least configure Windows to automatically install critical security patches, which will provide you with the latest protection against security vulnerabilities. For mobile devices, we also advise enabling automatic updates.
Cyber security awareness training is a great way to reduce your risk and prevent the malware from having a chance to exploit your network in the first place. Studies have shown time and time again that cyber criminals find it much easier and more effective to target people rather than trying to bypass firewalls and complex security configurations. It only takes one person clicking a phishing email or allowing a dodgy site to run Flash for malware to get onto a network, where it can often spread to servers and infect many other PCs. Teaching ordinary users how to identify phishing emails and how to be safe online is absolutely crucial in the fight against cyber crime, as is maintaining a company culture of being cyber aware and safe. In a time where physical firewalls are no longer as effective as they once were, you need a human firewall in place.
What patches are currently available to keep me secure?
Microsoft – A patch for Windows 10 was released last Wednesday, outside of Microsoft’s usual patch schedule. The following day, a patch for Windows 7 was released, followed shortly after by a patch for Windows 8.1.
Apple – As developers were informed of these vulnerabilities long before the public, Apple developed a patch for High Sierra, Sierra and El Capitan back in late 2017. If you’ve been installing your security patches, you’re probably safe.
Linux – Ubuntu is due to patch this on or by January 9th, while some distros such as Fedora and CentOS already have a security patch available. Most major distros should have updates available this week, and we advise checking online to see if your specific distro has a patch to download.
Android – Google deployed their crack team of programmers, Project Zero, as soon as these vulnerabilities were made known to them. Any Android device with the latest security patch (January 5th) installed should be protected.
Additional information on patch availability across various devices can be found here.
There should be a patch available for my PC but it hasn’t downloaded. What’s going on?
Sometimes, a catastrophic security flaw just isn’t enough trouble in itself. There have also been cases of antivirus software actually blocking the security patch from downloading and installing. We would advise you to check directly with your antivirus provider to see if you’re affected or not. If you are unlucky enough to use antivirus which is blocking this critical patch, then you must either wait until your provider fixes the issue or modify your registry to manually tell Microsoft to push out the update to you.
I’m a Tech Guard client, am I protected?
If your company’s cyber security is managed by Tech Guard, then we’re taking care of it for you. The latest security patches are currently being tested to ensure there are no nasty side effects to your critical workstations and servers, and we will work with each of you individually over the coming days to get the patches installed. We will also be rolling out additional security awareness training to make sure users can spot the typical attack vectors used to spread this kind of malware. If you have any additional queries or concerns, please feel free to get in touch with a member of our technical team.
Additional Resources
Important Guidance from the Data Protection Commissioner on Meltdown and Spectre