MY TAKE: Why ‘Meltdown’ and ‘Spectre’ portend a banner year for malicious hackers

So you think 2017 was a bad year for cyber exposures? It is clear to me that we are about to commence an extended run of cyber incursions of unprecedented scale and sophistication.

Four days into 2018 and the world must deal with the disclosure of an all-new class of vulnerability built into the processors of virtually every computing device is active use.

Researchers today announced two distinct hardware flaws – dubbed ‘Meltdown’ and ‘Spectre.’ The good news is that Meltdown and Spectre were discovered by the good guys, who responsibly disclosed the weaknesses to the culpable parties. Prior to today’s disclosure, substantive effort was put into preparing workarounds and patches.

Now the race is on to protect as many devices and networks as humanly possible – before bad guys can exploit them.

“Unfortunately these processor level vulnerabilities seem to indicate a trend: Everyone drop what you are doing and start patching your systems – again,” says Christian Vezina, Chief Information Security Officer at VASCO Data Security. “With the ever increasing amount of software code of out there, I find it interesting that we are still discovering vulnerabilities that are more that 20 years old.”

Attack waves coming

Comprehensive mitigation of something like this is never straightforward. Get ready for waves of opportunistic attacks leveraging Meltdown and Spectre. Elite hacking collectives motivated by criminal profit and/or working at the behest of a nation-state sponsor have a new soft spot to probe. And it’s a big one. A repeat of the blitzkrieg of cyber attacks in early 2014, following the disclosures of the Heartbleed, Shellshock and POODLE open-source software vulnerabilities, seems inevitable.

Like Heartbleed and Shellshock, Meltdown and Spectre represent a here-to-fore overlooked class of systemic flaws; these weaknesses were widely dispersed in the early days of computing — and have gone uniformly overlooked lying dormant in corporate networks.  Now that they have been disclosed, they give elite, motivated hackers yet another pervasive access point to burrow into corporate networks. In short, Meltdown and Spectre expand an already vast attack surface.

Vezina

What criminals and nation-state operatives do with them remains to be seen. But as we start a new year, it is high time to acknowledge that we have all, by now, had our Personally Identifiable Information (PII) compromised not once, or twice, but several times over. The headline grabbing data breaches of 2017 cap a five-year run of hackers relentlessly gutting PII data bases  of just about any high-profile financial institution, media company, tech giant, merchant, government agency and academic institution you care to name.

Converging forces

A vast storehouse of stolen consumer data resides in the nether reaches of the Dark Web. Not  just birth dates, Social Security numbers, answers to security questions, and the like  – but also granular metadata. These rich data sets will never perish and will forever be available to crooks who can then triangulate a targeted victim’s digital footprints with stunning precision.

It’s troubling to think about how elite hacking collectives, with malicious intent, have begun to apply machine learning and data analytics to these large, ill-gotten data sets. Cyber criminals are in position to make more advances in 2018. And now Meltdown and Spectre represent two new wide pathways to wreak more havoc.

Mennes

Awareness is the first step to a robust defense. In the spirit of sharing intelligence for the greater good, Frederik Mennes, senior strategist at VASCO’s Security Competence Center, supplied Last Watchdog with this concise, helpful outline:

MELTDOWN

Core exposure. Normally Intel x86 processors enforce memory separation between the Operating System (OS) kernel and user applications.  Meltdown allows malware to read arbitrary kernel memory, and, hence, memory used by kernel and other applications. This affects desktops, laptops, cloud servers and smartphones.

Impact: malware can read sensitive data used by other applications, including passwords; encryption keys; banking information (e.g. credit card details); documents.

Characteristics:  For end-users, the malware needs to be present on the user’s device.  Retrieval of useful data is not straightforward, hence this is unlikely to be used to address large number of users. Could be used in targeted attacks against specific companies.

Scope:  Intel  x86 processors; almost all processors delivered since 1995 might be impacted, except Atom and Itanium processor released before 2013. Meltdown is confirmed to apply to Intel processors released as from 2010. Status of other processors:

•AMD: impact unclear

•ARM: only one processor impacted

•Android: patches available

•Apple: no public comments so far

•Linux: patches available (KPTI/KAISER patches)

•Microsoft has released patches for Windows, IE, Edge, SQL server on 3/1, also updating cloud and tablets

•Container solutions (e.g. Docker, LXC, OpenVZ): impacted

•Fully virtualized machines: not impacted (access to host kernel space is not possible)

Solution: Users should be cautious when installing software from suspicious or unknown sources; users should apply software patches at OS kernel level.  Patches might cause performance degradation, but regular computer users will probably not notice

SPECTRE

Core exposure:  Breaks memory isolation between different applications, so an application can access RAM of other applications.

Scope: Intel, ARM, AMD processors

Solution:  Software patches exist for specific occurrences.

# # #



*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: http://www.lastwatchdog.com/my-take-why-meltdown-and-spectre-portend-a-banner-year-for-malicious-hackers/