Serious New Security Issues (Meltdown/Spectre) and How to Address Them


A Serious Problem

Over the past few days you may have heard news about two new security flaws, “Spectre” and “Meltdown”, affecting the processors in computers, mobile phones and tablets, and in the cloud. Current CPU chips from Intel, AMD, Qualcomm, ARM and others carry these flaws, which means the risk covers virtually every computing device. Windows, Linux and Apple products are all affected, as are embedded systems built on these processors. The problem is significant enough that the US Dept. of Homeland Security has issued an alert.

The issue stems from a feature in the fundamental design of these chips called “speculative execution”, which is used to make them faster. The processor guesses which instructions come next and runs them ahead of time, discarding the results if the guess turns out to be wrong. That guessed-ahead work is not held to the normal permission checks until after the fact, and it leaves measurable traces in the processor's cache. By timing the cache, an attacker can read memory they should never be able to see, including passwords and encryption keys belonging to other programs or to the operating system, without ever passing an authentication check.

Risks to the Cloud

These vulnerabilities affect cloud services, including those from Amazon Web Services (AWS), Google, Oracle, ADP, etc., and most external hosting environments. Cloud services are particularly at risk because they rely on virtualization, the creation of several virtual CPUs on a single physical CPU. The “wall jumping” nature of Spectre and Meltdown means they can potentially cross the electronic barriers between virtual CPUs, and therefore between different companies hosted on the same cloud hardware.

Spectre vs Meltdown

Spectre breaks the isolation designed to exist between different applications. It tricks correct, error-free programs, such as browsers (Firefox, Internet Explorer, Chrome, Safari, Edge, etc.), into leaking their own secrets, such as password information. The built-in safety checks in many applications ironically may make them more susceptible to Spectre. All of the common CPU chips today have inherent Spectre vulnerabilities.

Meltdown breaks the fundamental isolation between user applications and the operating system. Any application could in theory steal your data, including something as simple as JavaScript on a web page viewed in a browser. Every Intel processor that executes instructions out of order is potentially affected. This is effectively every computer with “Intel Inside” since 1995 (the exceptions are Itanium and Atom processors made before 2013).

Immediate Steps to Take

The best steps to take right now are to patch operating systems and browsers, and to update the BIOS and firmware on all affected computers (other than those based on AMD chips, which should hold for the moment). Major computer manufacturers and browser developers are rush-releasing patches to protect their systems.

1. First, check your hardware configurations to see what CPU chip your computers are based on. (Here is how to do that on a Windows 10 machine, on a Mac, and on Linux-based computers.)

2. Install patches for vulnerable OSs, BIOS (Basic Input Output System, the software stored on a small motherboard memory chip that initializes hardware and manages the flow of data between the CPU and peripherals) and firmware (embedded software that controls hardware components) on phones, tablets and computers using Intel and ARM chips. (Wait on those using AMD chips for now, see below.)

  • Android-  Google has issued instructions on how to check your phone’s security patch level and has released patches to its manufacturing partners and to the phones it supports directly. It encourages all users to accept the latest security updates.
  • Apple (iPhone, iPad, Mac)-  Yesterday Apple released patches for its mobile platforms (iPhones/iPads) and its computers. iPhones and iPads should be updated to iOS 11.2.2. Macs should be updated to macOS 10.13.2 (High Sierra) with the supplemental security update installed. There is some risk that older applications which run on Sierra (10.12) may not run on the new OS; we have seen this with QuickBooks 2014, for example. In that case, another option is to install the Safari 11.0.2 update for El Capitan (10.11) and Sierra (10.12), which carries the browser-side (Spectre) protections but not the operating-system fix for Meltdown.
  • Intel-based Windows PCs-  Intel has released a tool to test the vulnerability of individual PCs and a security advisory describing the affected models. Run the tool to detect possible vulnerabilities, then (for other than AMD-based computers at this point) update the OS, cautiously, following Microsoft’s instructions for Windows. Microsoft also publishes a SpeculationControl PowerShell module; its Get-SpeculationControlSettings cmdlet reports whether the Windows mitigations are active and whether the firmware support they need is present, which is the quickest way to confirm a machine is actually protected after patching. In addition, contact the computer manufacturer’s support for instructions on updating the firmware and BIOS.
  • Intel-based Linux PCs-  Intel’s tool and security advisory apply here as well. Run the tool to detect possible vulnerabilities, then (for other than AMD-based computers at this point) update the OS, cautiously, following your distribution’s instructions; the mainline Linux kernel fix shipped in version 4.14.12, and distribution vendors have backported it to their own kernel versions. In addition, contact the computer manufacturer’s support for instructions on updating the firmware and BIOS.
  • Surface Tablets-  Microsoft’s Intel-based Surface devices are affected like any other Intel PC; Microsoft delivers both the Windows patches and the matching Surface firmware updates through Windows Update, so make sure those devices are updated too.

3. Update Browsers:

  • Chrome-  Update to the latest version (63.0.3239.132) by opening the About Chrome tab and letting the auto-update run. Google has promised full protection in Chrome in its planned 64.0 release on Jan. 23, 2018; in the meantime its guidance is to turn on Site Isolation (chrome://flags/#enable-site-per-process), which keeps each site in its own process so a malicious page cannot read another site’s data.
  • Internet Explorer/Edge-  Microsoft is bundling patches (which do slow browser execution a bit) to address these vulnerabilities in with its Windows Updates.
  • Firefox- should be updated to version 57.0.4. This contains a protective security patch.
  • Safari-  Addressed by Apple in conjunction with its iOS and macOS updates. For older OSs (El Capitan and Sierra) the fix is available as a direct update via the App Store; see the Safari 11.0.2 update.

4. Update any virtualization software. These products allow multiple “virtual” CPUs to run on a single hardware server, and the nature of the Spectre and Meltdown vulnerabilities could allow malicious applications to jump across those virtual CPUs. The most commonly used virtualization system is VMware (part of Dell EMC), which has published security advisories and patched releases.

5. Get Information from your Cloud Partners on their mitigation efforts. These vulnerabilities affect all of them, and therefore you. Consequently your cloud vendors, hosting partners & embedded systems manufacturers need to provide a plan and timeline for addressing these vulnerabilities.

6. Repeat at Home. To state the obvious, these risks occur at home as well. Follow the same protocol for all home systems and phones.

7. Be wary of possible phishing attempts mimicking Microsoft fixes! Microsoft patching happens automatically via the built-in Windows Update and does NOT require clicking on a link or pop-up to activate! Only install software or patches from the manufacturer (and confirm that links go to URLs on Microsoft.com, Intel.com, etc. and not look-alikes such as Micorsoft.com or Intell.com).
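The Linux part of steps 1 and 2 above, as an added shell example that is not part of the original advisory: it prints the CPU vendor and model, then reads the kernel's own mitigation report for Meltdown and the two Spectre variants. It assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15, the patched 4.14.x stable series and vendor backports); on an older patched kernel without those files it falls back to the "pti" CPU flag, which shows that Kernel Page Table Isolation (the Meltdown fix) is active. The ROOT variable is a testing convenience assumed here, not part of any standard interface.

```shell
#!/bin/sh
# Added example, not part of the original advisory: report which CPU a Linux
# host has (step 1) and whether the kernel says Meltdown/Spectre are mitigated
# (step 2). Assumes a kernel that exposes
# /sys/devices/system/cpu/vulnerabilities/ (mainline 4.15, the patched 4.14.x
# stable series and vendor backports); an older patched kernel without those
# files is detected through the "pti" CPU flag instead.
# ROOT is a testing convenience only: pointing it at a constructed directory
# tree exercises the functions without touching the live /proc and /sys.

ROOT="${ROOT:-}"

# Step 1: identify the processor from /proc/cpuinfo.
cpu_vendor() {
    awk -F': *' '/^vendor_id/ { print $2; exit }' "$ROOT/proc/cpuinfo"
}

cpu_model() {
    awk -F': *' '/^model name/ { print $2; exit }' "$ROOT/proc/cpuinfo"
}

# Step 2: the kernel's own status line for one issue (meltdown, spectre_v1,
# spectre_v2), or "unknown" when this kernel does not expose the file.
mitigation_status() {
    f="$ROOT/sys/devices/system/cpu/vulnerabilities/$1"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo "unknown"
    fi
}

# True (exit 0) when the kernel reports a mitigation or says the CPU is not
# affected; "Vulnerable" and "unknown" both count as not mitigated.
is_mitigated() {
    case "$(mitigation_status "$1")" in
        Mitigation:*|"Not affected") return 0 ;;
        *) return 1 ;;
    esac
}

# Fallback for kernels patched before the sysfs interface existed: the "pti"
# flag means Kernel Page Table Isolation (the Meltdown fix) is active.
has_pti_flag() {
    grep -E '^flags' "$ROOT/proc/cpuinfo" | grep -qw pti
}

report() {
    echo "CPU vendor : $(cpu_vendor)"
    echo "CPU model  : $(cpu_model)"
    echo "Kernel     : $(uname -r)"
    for v in meltdown spectre_v1 spectre_v2; do
        printf '%-10s : %s\n' "$v" "$(mitigation_status "$v")"
    done
    if is_mitigated meltdown || has_pti_flag; then
        echo "Meltdown   : kernel mitigation present"
    else
        echo "Meltdown   : NOT mitigated - install the kernel update (4.14.12 or later)"
    fi
    if is_mitigated spectre_v2; then
        echo "Spectre v2 : kernel mitigation present"
    else
        echo "Spectre v2 : NOT mitigated - kernel update plus vendor microcode/BIOS update needed"
    fi
}

# Run the report when there is a live /proc/cpuinfo to inspect.
if [ -r "$ROOT/proc/cpuinfo" ]; then
    report
fi
```

A "Vulnerable" line for any of the three, or "unknown" for all of them, means the host still needs the kernel update; for Spectre v2 the kernel fix also depends on the vendor's microcode/BIOS update, which is why the script calls that out separately. Run it again after patching and rebooting to confirm the status actually changed.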

Patch Performance Issues

Since most of these patches are new and not fully tested due to time pressure, there is a need to proceed carefully. Microsoft’s patches are known to conflict with some antivirus products as well; anti-virus/malware software may need to be disabled during the install and then updated or replaced on an ongoing basis. In addition, Microsoft’s updates are leaving some computers based on AMD chips unbootable (inoperable, because they will not start up). Each company blames the other, but a fix is likely to emerge within a week or so.

In addition, because the patches slow down fundamental operations that computer speed depends on, there may be visible performance degradation (cloud services, phones and laptops will run slower). It appears that the patches for Meltdown affect performance more significantly than those for Spectre.

The Longer Term Fix

A real fix, as opposed to patches, requires new chip designs and new hardware. These systems will be accelerated into production and should be on the market within 6 months to a year.

Body1 Approach

We develop and host software and websites on all major OS platforms (Windows, Linux, macOS, Android and iOS). We are closely monitoring this situation and following all of our own advice in this advisory. We have made significant progress in protecting all of our (and your!) systems. In addition, as we continue to upgrade our data centers, we will deploy new redundant hardware with new chip sets that do not have these vulnerabilities.

For More Information

We at Body1 are dedicated to a secure web and are here to help. Please do not hesitate to contact any of us if you have any questions.

Cyber Security and Spam: How to Protect Your Website from Attack

2015 was a year of major cyber attacks. From Ashley Madison’s massive data breach to hackers stealing the personnel information of 21.5 million current and former federal workers, the past year has proven the importance of implementing and regularly updating effective security measures. Hackers are constantly improving their methods of breaking through cyber security, so security must constantly improve to match.

At Body1, we’ve implemented a multi-tier security system that thwarts everything from viruses to full cyber attacks. First, we deliver content through CloudFlare, a content caching network that makes web pages load faster and blocks abusive bots and crawlers. Second, we use SSL/TLS certificates so that every site that handles sensitive data is served over HTTPS, encrypting the traffic between the visitor and the server. Third, we deploy a firewall to limit unapproved access to our web servers. Fourth, we utilize a load balancer with a built-in intrusion prevention system to filter out malicious traffic. These methods allow us to counter cyber attacks before they reach our sites.

On the other end of the security spectrum, Body1 is dedicated to providing ways for users to contact our clients without allowing spam to sneak through. There are many reasons why website owners would want to provide contact information on their site, but an unprotected email address can result in hundreds of spam messages a day. To prevent spam, we use a JavaScript form that hides the email address it sends to, block robots with a swipe captcha, and run all outgoing mail through a spam filter from GFI so that any spam that makes it past the captcha isn’t sent further.

Data loss can happen to even the best companies if proper measures aren’t taken. In 2011, an outage at Amazon’s cloud permanently destroyed some customers’ data. Hardware malfunctions, server crashes, system overloads and malicious attacks can all result in lost data. This is why backing up content and code is critical. Body1 utilizes a redundant backup system from CrashPlan that stores duplicate copies of content and code locally and distributes them in the cloud.

Maximizing uptime is vital to any business that depends, even in part, on the web. The majority of users will never return to your site if it’s down the first time they visit, and even long-time visitors will give up on a site that is often down. The best way to minimize downtime is to use a system with multiple layers of redundancy, each layer monitored for latency (slowness) and unavailability. At Body1, we achieve this by utilizing networked hardware and web monitors. Each of our web servers is monitored from global locations in North America, Europe and Asia by both Hyperspin and Monitor.Us. Any latency is picked up within five minutes, and the server can be swiftly scheduled for maintenance or, if necessary, replacement.