All Computers and Servers At Risk from Spectre and Meltdown

by Victor Lund on January 18, 2018

Every computing device – every server, laptop, desktop, router, wireless router, network printer, network fax machine, and phone – is impacted. Don’t freak out. Being impacted and being attacked are two different things. We are going to explain what is happening in layman’s terms and help you get through it.

Right before Christmas, researchers discovered a security vulnerability (like an open door) that exposes computers built after 1995 to risk. Google found it (a nod in reverence to Jann Horn of Google, a key researcher who found both vulnerabilities – Meltdown and Spectre). If you want to geek out, visit this website: https://spectreattack.com. Basically, all of your usernames and passwords go through your chipset without encryption. This means that the door is open, not that you are infected with a virus. If you want to super geek out, look at Jann Horn’s blog: https://googleprojectzero.blogspot.com

Here is the layman’s understanding of the issue. Unless you live under a rock, you have heard about Intel processors. Intel is a brand, and all brands of processors are open to attack. Processors are the electronic pieces of hardware that do all of the work on all computers, kind of like your brain. This is not a vulnerability that is limited to only Intel processors. It impacts all processor manufacturers on all devices. If you know what a kernel is, that is what is open to attack. Basically, every chipset in every electronic device after 1995 is at risk. Again, it is not a virus, it’s a flaw, and there is a risk that the hardware can be attacked. Everyone, everywhere is at risk and it will impact every device you use and every cloud service you use. Your anti-virus software will not prevent this attack – in fact – it may block the software patch from being installed properly. Read what your antivirus vendor tells you.

Typically, when researchers learn about this stuff, they privately go to the manufacturers and let them know about it. That is what Jann and others did. Then they go to work finding a fix, and afterwards they announce both the problem and the solution at the same time. If researchers talk about the problem before there is a fix, it encourages nefarious hackers to exploit the problem. To some extent, the problem was leaked before the fix. Grrrrr – damn reporters, right?

This is a hardware flaw and there is no way to fix the hardware issue yet (engineers are working on it). For now, it is being fixed with software. Trust me, the smartest people in the world at every technology company in the world are working on it. The software patch is already out at every major company. It is not perfect, but it is already out. By the way – you can forget about getting a refund or free repair on your devices. That will not happen.

The way that companies are applying patches is not fully public. Obviously, nobody is going to tell you how they are defending against attacks, as that would inform hackers about how to work around the defenses. But patches can be reverse engineered to expose the fixes, possibly allowing attackers to subvert the current patches. It’s a battle between the good team and the bad team, and both teams have spies. This is a huge opportunity for people that create ransomware. I imagine that the updates work by installing a software shield that encrypts data before it goes in and out of the processor. This will slow things down a little bit; estimates are anywhere from 7% to 17%.

What you need to do right now

Today, it is important that you update all of your software on all of your devices. Do it today. Not tomorrow or next week. I would also recommend that you keep trying to update your software every few days or once a week. That’s all. It’s a moving target whereby each update will make your shield a little better and the performance of your devices and software incrementally better. Nobody has any clue how long this may go on. For now, just update every week or every time you are prompted.

You may have already seen an alert on your TV. I know that Direct TV required me to restart my Direct TV box. That was the patch being installed. You are likely to see a lot of these patches being pushed. Always say yes. Make sure to update your wireless router at home! Update any network device like your printer, your fax machine, etc. Everything that is connected to a network of any kind.

What Happens Next

Stay relaxed and focus on your job. There is nothing that can be done to avoid this problem. Just be mindful that software that you are using may be wonky. The patch that is being published to your devices when you update has the impact of slowing down your processor (basically, the patch is installing a software security shield around the hardware to protect against attacks).

Note to CEOs and tech professionals:

  1. It is vital that you make sure to run updates on every device – servers especially. If you are in the AWS Cloud or Azure Cloud, don’t worry – they are applying patches for you. If you have not heard anything – call them. Rule of thumb is that if you own the server – you need to run the updates.
  2. If you have not already been notified by your software service providers (i.e. MLS vendor or website vendor), you should reach out to them and ask. Many of the small software companies in real estate may not have the sophistication to know what is going on and may not have applied the patches with system updates. Better to ask than be surprised later on with an outage because they were clueless.
  3. Tell your people that systems may be operating more slowly and make sure that every device that connects to your network has had the update. A painfully easy way to gain compliance is to change all of your router passwords after you update them. Check that they have performed the updates before you release the new password.
  4. Only open one tab at a time in your browser. Multiple tabs can leak data and increase the Spectre vulnerability. Also, log out of everything when you finish, don’t just close the browser. That prevents your session (which is still open) from being exploited.
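
One way to carry out the check in items 1 and 3 on Linux servers, as an added example that is not part of the original article: Linux kernels that carry the Meltdown and Spectre patches report their mitigation status in files under /sys/devices/system/cpu/vulnerabilities, and this script classifies those reports. The function names and the sample status files are constructed for illustration.

```bash
#!/bin/sh
# Added example, not from the original article. Reads the status files that
# patched Linux kernels expose under /sys/devices/system/cpu/vulnerabilities.

# classify_status "<file contents>" -> NOT_AFFECTED | PATCHED | VULNERABLE | UNKNOWN
classify_status() {
    case "$1" in
        "Not affected"*) echo NOT_AFFECTED ;;
        "Mitigation:"*)  echo PATCHED ;;
        "Vulnerable"*)   echo VULNERABLE ;;
        *)               echo UNKNOWN ;;
    esac
}

# audit_dir DIR -> prints one verdict per issue; returns 1 if any issue is
# VULNERABLE or UNKNOWN (a missing file means the kernel is too old to report).
audit_dir() {
    audit_rc=0
    for issue in meltdown spectre_v1 spectre_v2; do
        if [ -r "$1/$issue" ]; then
            verdict=$(classify_status "$(cat "$1/$issue")")
        else
            verdict=UNKNOWN
        fi
        printf '%-10s %s\n' "$issue" "$verdict"
        case "$verdict" in VULNERABLE|UNKNOWN) audit_rc=1 ;; esac
    done
    return "$audit_rc"
}

# make_sample DIR: constructed status files for a partly patched host
# (spectre_v2 still vulnerable), so the example runs on any machine.
make_sample() {
    mkdir -p "$1"
    echo "Mitigation: PTI" > "$1/meltdown"
    echo "Mitigation: __user pointer sanitization" > "$1/spectre_v1"
    echo "Vulnerable" > "$1/spectre_v2"
}

sample=$(mktemp -d)
make_sample "$sample"
# On a real Linux host, pass /sys/devices/system/cpu/vulnerabilities instead.
if audit_dir "$sample"; then
    echo "host is patched: release the new password"
else
    echo "host still needs updates"
fi
rm -rf "$sample"
```

The non-zero return from `audit_dir` makes the script usable as a gate in whatever tool runs commands across your servers.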

It will take weeks or months to get through this, and we will all be walking hand in hand, one update at a time. Just stick with it until you hear that we are in the clear.
