Today I woke to the familiar ping of my phone alerting me to an incoming email, and relaxed a little when I could see it wasn’t a failure alert. We have plenty of alerting and monitoring tools, and there is usually something going on that begs some tender loving care; sometimes I even have to open two eyes.
It was a news article from my CFO. Of course, I would never tell him that his emails are usually “one-eyers”, and this one was about the latest security alerts: a NY Times article regarding “Meltdown” and “Spectre”.
When I finally woke up enough, I engaged the other eye. I quickly figured out that Meltdown and Spectre had nothing to do with “James Bond” and were not the two latest scary characters from the WWE either; they were just two more security alerts of the kind that seem to arrive all too frequently these days.
Usually, if it is just announcements that my credit cards or personal identity has potentially been stolen for the tenth time, I casually read it and move on, in the complete safety of knowing just how much money they could steal from my accounts. If they knocked on my door I would probably just hand it over to them anyway for being so “creative”.
Anyway, like it or not, as a self-proclaimed “Security expert” it sometimes falls upon me to know enough to put a client’s, a friend’s, or in this case one of my bosses’ mind at rest. Occasionally I have to act on these scaremongering news articles and protect the infrastructure we are responsible for; we respectfully owe our customers both eyes, sometimes more.
I decided to do some early morning research to see what “Meltdown” and “Spectre” were really all about, and just what, if any, action we, as a company, may have to take. I also thought it was a great idea to provide enough information to my friends and colleagues that they were reasonably safe from a Gremlin, or the Credit Card Reaper from visiting their digital wallets in the middle of the night. Which of course, then brought me to write this blog that you are now reading. So, with much (more) ado, here’s everything you need to know about the latest two digital drop outs to invade our Cloud and Mobile “happiness meters”.
Firstly, I think it is important to point out that most of us are sadly used to the myriad virus warnings we see from time to time in the news, a lot of which is innocuous stuff, drummed up to sell you the latest version of someone’s anti-virus product.
Of course, lately, if you are running Windows, especially the latest version, Windows 10, you are “pretty much” covered by Windows Defender, the built-in antivirus that Microsoft now ships in its operating systems. It does a good job, so these days it is usually unnecessary to run additional tools, although some people feel safer running the latest McAfee or Norton or one of the many other tools still available.
Most of which do a really good job of not just picking up viruses, but also slowing your computer down to an intolerable crawl. But I digress….. So we all know about viruses, right?
Occasionally the news is of a scare that is potentially more harmful than a virus, and while these are few and far between, they do pop up from time to time. Meltdown and Spectre are two of these “threats”, as we can collectively categorize them. A virus is a security risk posed by someone, a “Bad Actor” (Black Hat), who has deliberately written a piece of code that performs actions on your computer without you being aware of what it is doing.
Actions that may include sending passwords or bank account numbers from your computer to other bad actors, who will then attempt to buy all the things on your account that you could never possibly afford! The thing about viruses, as most people have come to know, is that they really don’t just “happen” on their own; they are usually “activated” by the computer owner running something malicious, often by clicking a link in an email or a web page.
You clicking on that link (the one offering to make you rich) was the “Activation Mechanism”. An HTML link has two elements: the text that you SEE, and the target address of where you will be sent when you click it, and the two need not have anything to do with each other.
In most cases “Buy This” will indeed take you to the item, but as many of us have come to know, the text can say “Click this, it will make you rich” while the target actually makes you poor, i.e. it does something very bad on your computer: the delivered code, or “payload”, could look through all those cookies that you never delete, or the passwords that you always save. So the “Activation Mechanism” is you clicking a link, and the link is what executes the malicious code.
Technically, it’s really only a virus if it can spread to other computers. It’s not a virus if it simply runs code on your computer, but it’s a thin line that we won’t argue here; you could click on a link that searched your network for other computers to infect, and then it would become a virus. Either way, the code has a “signature”, i.e. it contains some pattern of bytes that a virus checker can detect.
This is the reason your antivirus downloads “updates”: it keeps a library of all the known threats and what their signatures look like, and tries to find a match when it scans your computer. Most products do this automatically and at least daily; if yours does not, run the update yourself, weekly at the very least.
Meltdown and Spectre are not viruses. They are flaws in the processor hardware itself (in the way modern CPUs speculatively execute instructions ahead of time), not bugs in the operating system, so they have to be detected and treated differently: the operating system, browser and firmware vendors ship software workarounds, and antivirus signatures don’t help. Both could theoretically be used by a program running on a machine to read information from that machine’s memory that it should not be able to see, including private information like passwords, photos, messages, and more.
I will tackle Meltdown first. Meltdown (CVE-2017-5754) mainly affects Intel processors, essentially every Intel CPU made since the mid-1990s, along with a small number of ARM cores; AMD says its processors are not affected. Intel sits in nearly every Windows and Linux machine and in every Mac and MacBook, so those are the main worry, but do not assume phones and tablets are off the hook: Apple stated that all its Mac and iOS devices were affected and shipped mitigations in macOS 10.13.2 and iOS 11.2, so the iPhone and iPad need their updates too. Linux is mostly a server operating system, Windows is of course both a desktop and server OS, and Meltdown is a particular headache for cloud and container hosts, where one tenant’s code could in principle read kernel memory of the host it shares with everyone else.
Meltdown is exploited by a piece of rogue code running on your machine. This is where my earlier text comes in: the code has to be running before it can read anything, so the “Activation Mechanism” still matters, and it isn’t magic, it can’t just appear or run on its own. One caveat, though: “code running on your machine” is broader than a program you double-clicked. JavaScript in a web page you are merely viewing counts (Spectre in particular has been shown to work from inside a browser, which is why the browser vendors shipped their own mitigations), and on a shared cloud host another tenant’s workload counts. It should go without saying these days, but resist, resist, resist, clicking on any link that you are suspicious of, and take the browser updates too.
What Meltdown actually allows is for an ordinary, unprivileged program to read memory that belongs to the operating system kernel. To try and explain it in clear and understandable terms: the processor is supposed to check that a program is allowed to touch a memory location, but out-of-order execution races ahead and uses the value before that check finishes. The value is thrown away when the check fails, but it leaves a trace in the CPU cache, and the attacker recovers it one byte at a time by timing how fast memory accesses complete.
The researchers who found it demonstrated reading kernel memory at hundreds of kilobytes per second, and because the Linux kernel maps all of physical memory into its own address space, “kernel memory” in practice means everything on the machine, other users’ programs included. It is not a neat dump with a label saying “passwords here”; the attacker has to know where to look or sift through a lot of noise, but the information is real, and things like saved passwords and browser session data do live in that memory. So it is more serious than the random, “no longer useful” memory dump some of the early reports described, and it is the reason the fix was rushed.
The Meltdown flaw had actually been known to the chip manufacturers since mid-2017, when researchers including Google’s Project Zero reported it privately, and there was a concerted effort to bring all parties together to deliver a coordinated “fix” to most devices, scheduled for next week (Tuesday 9th January). Unfortunately, Linux guys being what they are (sorry Linux guys), the kernel patches had to be developed in public. People noticed the unusual urgency with which the page-table isolation changes were going in, and the note from an AMD developer that AMD chips did not need them, the press put two and two together, and all hell broke loose from there.
This had the effect of rushing the fix code out quicker, and as I write this there is a Windows fix that addresses the flaw in Windows 10. It will be automatically downloaded and installed along with your usual updates, which are typically scheduled on your desktop computer. If you have disabled Windows Update (because it is pretty annoying) you can perform a manual update that will also bring down the fix. One caveat: Microsoft is only offering this update to machines whose antivirus has declared itself compatible with it (via a registry flag the antivirus vendor sets), so if you run a third-party antivirus and the update never appears, check with that vendor first. As a reference, the Windows fix that will get downloaded and installed is described here:
Older versions of Windows will have to wait until Tuesday 9th January to receive the fix in their regular Patch Tuesday release. Linux users are also vulnerable to Meltdown; the kernel update (KPTI, “kernel page-table isolation”) is in the latest yum update (or apt-get) from the major distributions and addresses CVE-2017-5754. Two things to be aware of: the new kernel does nothing until you reboot into it, and the same update does not close the two Spectre CVEs (CVE-2017-5753 and CVE-2017-5715). Those need further kernel changes, rebuilt software and, for the second Spectre variant, CPU microcode from Intel or AMD, so expect more updates to follow.
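Once the update is in, the quickest way to confirm that the running kernel actually has the mitigation is to ask the kernel itself. Newer kernels (4.15, and the distribution backports that carried the January fixes) expose one status file per issue under /sys/devices/system/cpu/vulnerabilities. The POSIX shell script below is an added example of mine, not something from the original post or from any distribution; it reads those three files, prints the kernel’s own status string next to the CVE number, and exits non-zero unless all three report a mitigation. The fixture directory built by make_fixture is constructed purely so the script can be exercised offline; the status strings in it are representative of what the kernel prints, not output captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): report the kernel's own view of
# the Meltdown/Spectre mitigation status from sysfs.  Assumes a kernel new
# enough to expose /sys/devices/system/cpu/vulnerabilities (4.15+ or a distro
# backport of the January 2018 fixes).

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# Print "<cve> <name>: <status>" for the three January-2018 issues.
# <status> is the kernel's own string, e.g. "Mitigation: PTI" or "Vulnerable".
report_mitigations() {
    dir="$1"
    for entry in "meltdown CVE-2017-5754" "spectre_v1 CVE-2017-5753" "spectre_v2 CVE-2017-5715"; do
        name=${entry%% *}
        cve=${entry##* }
        f="$dir/$name"
        if [ -r "$f" ]; then
            status=$(cat "$f")
        else
            # The file is missing on kernels that predate the reporting
            # interface, which usually means the fix has not been installed
            # or the machine has not been rebooted into the new kernel.
            status="unknown (kernel does not report; patch and reboot)"
        fi
        printf '%s %s: %s\n' "$cve" "$name" "$status"
    done
}

# Return 0 only if every one of the three files exists and reports either a
# mitigation or "Not affected"; otherwise return 1.  Usable as a fleet check.
all_mitigated() {
    dir="$1"
    for name in meltdown spectre_v1 spectre_v2; do
        f="$dir/$name"
        [ -r "$f" ] || return 1
        case "$(cat "$f")" in
            Mitigation:*|"Not affected"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed fixture for offline testing: a directory that mimics sysfs on a
# host with the KPTI kernel update installed but no Spectre v2 mitigation yet.
# The strings are examples of kernel output, not captured from a real machine.
make_fixture() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    fx=$(make_fixture)
    report_mitigations "$fx"
    if all_mitigated "$fx"; then echo "all mitigated"; else echo "NOT fully mitigated"; fi
    rm -rf "$fx"
else
    report_mitigations "$VULN_DIR"
    if all_mitigated "$VULN_DIR"; then echo "all mitigated"; else echo "NOT fully mitigated"; fi
fi
```

Run it without arguments on a patched host to see the live status, or with --demo to see the constructed fixture, which shows the typical state in the first week of January 2018: Meltdown closed by PTI, Spectre v2 still marked Vulnerable until the microcode and retpoline updates arrive. An “unknown” line means the kernel predates the reporting interface, which in practice means the update is not installed or the box has not been rebooted yet.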
Common Vulnerabilities and Exposures (CVE) is the public catalog of known security vulnerabilities, maintained by MITRE and sponsored by the United States Department of Homeland Security (DHS). Each CVE number identifies one publicly known flaw, which is why you will see the same three numbers in every vendor advisory: CVE-2017-5753 and CVE-2017-5715 are the two Spectre variants, and CVE-2017-5754 is Meltdown.
Meltdown was first reported as an Intel-only problem, so the early advice was that phones and tablets, which do not typically run on Intel processors, were safe. That advice did not hold: Apple said all of its Mac, MacBook and iOS devices were affected, and ARM listed one of its cores as affected, so treat phones as needing the update like everything else.
Spectre is a whole different issue. It affects a much wider range of processors, Intel, AMD and ARM alike, which is pretty much everything, including nearly all cell phones. Where Meltdown reads the kernel’s memory directly, Spectre tricks the processor’s branch predictor into speculatively running code that a program would never normally run, and then uses the same cache-timing trick to leak whatever that code touched. It is harder to exploit than Meltdown but also harder to fix, because the fixes have to be applied program by program (the browsers, for example, have already shipped changes) and, for the second variant, in the CPU’s microcode.
According to a statement by AMD, the second Spectre variant hadn’t been demonstrated on AMD processors and posed “near zero risk of exploitation” due to differences in AMD’s architecture. Because of the word “near” there is some skepticism about whether there is indeed a risk on AMD, and we will no doubt see further updates from AMD in the coming days. Note that AMD’s statement covers the second variant only; the company accepts that the first Spectre variant applies to its chips and is relying on the operating system and software updates for that one.
As there are many versions of mobile phone software running on many different devices, we will not see all mobile phones patched quickly; more likely you will see a mobile update appear on your phone as part of routine updates. On both Android and Apple iPhones you can go into the phone’s system settings, check whether any updates are waiting, and download and apply them.
In summary, there certainly is a lot of buzz right now regarding both Meltdown and Spectre, but after careful analysis, the likelihood of these flaws being exploited on a phone near you is very minimal: as I write there are no reports of either being used in the wild, and an attacker still has to get code running on the device first. For the paranoid and purists among us, go run the updates now, on servers, desktops and phones alike, and reboot so the new kernel actually loads.
Mark Richards is a Cloud Security Expert, Solutions Architect and most importantly a “White Hat” for Care Analytics.