Above Image Credit: The Internet Society
2017 Was an Unprecedented Year for Data Vulnerabilities
Dark Reading, a widely read cyber security news site, wrote in the 3rd quarter of 2017 that “2017 has broken the record for security vulnerabilities.” That was even before the year was completed. In another more recent article, Trend Micro listed all of the major exploits which occurred in 2017. Of those, Cloudbleed and the Krack Attack seemed to garner the most widespread publicity in the category of security flaws, whereas the WannaCry and NotPetya attacks made one specific category of virus known as ‘ransomware’ a household word.
Cloudbleed, in February of last year, was significant because it was identified early on as potentially being as extensive as 2014’s Heartbleed. But the main company involved, Cloudflare, responded in an exemplary manner with almost immediate intervention and patching. Their quick actions kept Cloudbleed in check.
Krack Attack, which occurred much more recently in November, was also very successfully mitigated because major hardware vendors like Microsoft and Apple came out with hardware-specific patches very early in the process too.
Krack Attack was unique for most of us because it was the first time we learned about how major vulnerabilities followed a specific protocol in terms of how and when they are first announced to the public. We learned that oftentimes serious vulnerabilities are only publicly announced after any vendors which are impacted have been notified first, and given the opportunity to develop solutions prior to the vulnerability’s first public announcement.
One could only hope that in 2017 we’d seen the worst of it.
Sadly, 2018 has barely begun, and already the 2 biggest vulnerabilities ever discovered to date were just announced a few days ago.
Meltdown and Spectre
What are Meltdown and Spectre?
Meltdown and Spectre are 2 new massively extensive vulnerabilities that were first leaked to the press around January 3, 2018. The reason they are so massive is because these 2 security risks impact virtually every kind of computing device being used today. Everything from small IoT devices, to cellphones and tablets, on up to computers and very large servers are vulnerable. It’s not just a matter of if they are vulnerable either….because they all are vulnerable…without a doubt. Essentially anything that has an operating system and can access the Internet is affected by these 2 new vulnerabilities.
How Could A Vulnerability Be So Extensive?
The names given to these 2 security flaws provide just an inkling of the devastation they could entail. That these are the most significant set of vulnerabilities discovered to date is without question. Wired describes the public’s reaction as ‘a critical mass of confusion’ resulting in pandemonium.
One aspect that has an even more confounding impact is the fact that these vulnerabilities have actually been in existence for about 20 years.
Some have likened them to very old skeletons in the architectural closets of systems’ frameworks.
Simply understanding what the exact risks are is challenging. Multiply that by 2 and it gets more confusing still. A quick description is that the most highly protected data that’s managed by devices, things like passwords and encrypted data, has been found to have previously unrecognized avenues of unauthorized accessibility. That means that unauthorized users could gain ready access to the data you guard most closely. This recent TechCrunch article does the best job I’ve found explaining what these vulnerabilities are and what they mean to everyday users like you and me.
Graz University of Technology, based in Australia, was instrumental in detecting the Meltdown security vulnerability. They’ve published an informative website which provides users with lots of great information about both flaws.
After reading TechCrunch’s article you should have a fairly good appreciation for the extent and seriousness of the problem. One thing to note is that it was the press, a UK publication, The Register, who revealed these vulnerabilities to us long before they should have or would have, had the protocol we learned about during the Krack Attack been in effect.
Another really interesting aspect of both security flaws is how they were discovered. Both flaws have existed for a very long time…since the early 1990s generally. But 4 separate discoveries of them were made almost simultaneously, in the few months leading up to this public announcement. Yesterday (Sunday 1/7/18), Wired published a fascinating retrospective on how this happened, entitled ‘Triple Meltdown: How So Many Researchers Found a 20-Year-Old Chip Flaw at the Same Time.’
Was this earlier-than-planned announcement good or bad?
Probably a little bit of both. It’s good that we know about it asap…but bad that many hardware vendors haven’t yet had an opportunity to write and release their patches.
What can users do now?
Since every kind of hardware is affected, and hardware patches will be the only true fix, you can only wait for your hardware vendor to supply the patches and then make sure to install them. The TechCrunch article also notes that some of these patches will, more than likely, have some unforeseen negative consequences for users. Hardware processing speeds will more than likely decrease and other software incompatibilities may arise as a result of the patches.
But even those negatives don’t warrant not installing the patches when they are available. And as you’ll see below, Intel believes that their patches won’t have any negative speed implications for users. The fact that patches can even be used to address the situation is a huge plus since it was believed by many industry experts when the news first broke that nothing short of complete replacement of all offending hardware would mitigate the problem!
If you’re an Apple user, an Ars Technica article that was just published today states that Apple has already released patches. iOS 11.2.2 and macOS High Sierra 10.13.2 both include patches for both security problems.
Is there anything else users can do right now?
Perhaps the best advice I can give you is to be proactive when it comes to safeguarding your personal data. Use password managers and consider protecting all of your devices with firewalls. And always make sure you keep your operating systems as up to date as possible.
Find Out More Information About Your Specific Hardware
Gizmodo has put together a really helpful website which gives more information about the status of patches for various types of hardware. It appears that they are updating this site whenever new information becomes available. Consider the Gizmodo site as the best ‘one stop shop’ if you’re inclined to only want to check out one additional source of information.
Learn More About What Firewalls Are and How They Can Help You
If there can be any good aspects of these 2 new vulnerabilities one may be that it doesn’t appear they can be leveraged remotely. But that isn’t set in stone nor does it mean that remote threats can be discounted. Probably the most significant threats to average users come from remote sources.
The good news here is that there is something you can use to arm yourself with significantly greater protection. That extra protection can come from hardware Firewalls.
Firewalls, which are designed to keep intruders away from every single type of Internet capable device in your home, might possibly be the best way to protect yourself and your family’s personal data from remote intervention. So, while in this instance, Firewalls won’t really help you out…they certainly won’t hurt anything. Yet in the vast majority of circumstances which threaten homeowners…Firewalls can go a very long way towards providing protection which is light years beyond what most users have currently.
Even better though is the fact that these types of devices are just making their entrance into the home market. Previously, hardware firewalls would have been cost prohibitive for homeowners. But several vendors recently began introducing models which are specifically designed for home use…and they’re priced very reasonably too! We’re talking a few hundred dollars here instead of thousands of dollars…which was the case even a year ago!
I’ve been working on a series of articles which introduces Firewalls to new users. But I still have several parts I need to write. So far, I’ve only written the first 2 parts, which are:
Part 1 | What Hackers Don’t Want You to Know About Firewalls
Part 2 | Beginner’s Guide to Firewalls for Small Networks | Network Design
New Information Shows That Intel & Much of The Related Computing Industry Learned About Both Vulnerabilities in June 2017
The earliest consequences have just begun filtering in over the last few days. On Friday (1/5/2018) Ars Technica reported that 3 class action lawsuits have been filed against Intel, because Intel provides more CPU chips for desktops and laptops than any other processor vendor. Apparently Intel was first notified about these vulnerabilities in June of 2017. According to Intel, they’ve already begun releasing patches and dire performance predictions are very overblown. They don’t anticipate that most users will even notice performance decreases at all.
However, the fact that Intel’s CEO, Brian Krzanich, sold millions of dollars worth of Intel stock upon learning about the vulnerabilities has many speculating about the deeper, more nefarious intentions of Intel.
In what is perhaps the most enlightening article I’ve read regarding the timing of these vulnerabilities’ discoveries, Bloomberg Technology’s new article pictured above, ‘It Can’t Be True…’, lays out, in great detail, what was discovered by whom, when, and when it was communicated to Intel and the larger computing hardware industry. I was surprised to discover that both vulnerabilities were discovered last June, and both were reported to Intel within days of their discovery.
Slashdot.org is reporting that some of Microsoft’s Meltdown and Spectre patches are bricking some AMD PCs.
Using the combined resources of the above Bloomberg article and Wired’s ‘How So Many Researchers Made the Same Discovery’ article mentioned earlier, we now know that Google has already patched most everything they need to because it was a young Google security employee who was one of the first to discover both flaws and inform Intel about them. It’s also now evident that many more patches have already been released and have been in operation for quite some time. However, an equally large and important sector of the industry was kept in the dark until The Register made their public disclosure on January 2nd. Their actions in fact led Intel to make their own public disclosure on January 3rd.
Given the newness of the information to such large sectors of the population, this will undoubtedly mean there will be more patches released that will have unintended consequences like Microsoft’s. What’s more troubling still is that it appears to many as if these 2 discoveries may just be the ‘tip of the iceberg.’ It seems to worry a significant number of industry experts that more flaws may be forthcoming. That fact, coupled with the disclosure that the NSA doesn’t always see fit to disclose security flaws that they uncover, but rather chooses to exploit them first for their own gain, casts a distinct cloud of darkness over what the future may hold for the larger data and cyber security world.