Meltdown and Spectre and Unwelcome Invites to the Vulnerability Party
By Dallas N. Bishoff, Director, Security Services at PCM Inc.
Today I was once again asked to comment on a new vulnerability. No, it was not Meltdown or Spectre. The details are not important, the reality is. In my response today, I commented that the only thing predictable about the world of information security is we will have vulnerabilities. You can count on it. In fact, you could say, "Get in line." Some will be worse than others, but the road goes on forever, and the party will never stop.
Technology is imperfect, and for many reasons. In the race to release new, competitive features there is the push to be first to market. Short cuts abound, and mistakes will be made. There is no premium in the marketplace for secure software. Product advertising does not promote security as a selling point. I think it is unlikely that your favor piece of technology will posture a snapping marketing message, "Now, 10 percent more secure than ever." Still, there is a thirst for technology. So, let me take a moment and comment on Meltdown and Spectre, and the response in the marketplace. Then, later, I will really give you pause.
In most modern, commercialized and competitive products we have automatic updates. We have those because technology products are presumed subject to flaws. While the vendors cannot always predict how flaws will be detected by the marketplace, there is confidence that flaws will be found. Patches will be necessary.
Secure engineering principals go way back to the beginning of the computer age. In many ways, original engineering of computers actually projected vulnerabilities and failure modes. As an example, how we change passwords on many operating systems invokes a concept called isolation. That is, one process can be isolated from another so that the password change is not visible, and therefore cannot be compromised by another process. However, nothing is perfect, and computers have intentional design flaws that exist as a sort of trade off. The computer must be allowed to work. While side-channel, covert channel, and similar exposures create vulnerabilities that allow computers to operate with a degree of risk, secure engineering has attempted to minimize the ability to exploit such weaknesses. Nothing is full proof. Thus, the security adage, "functionality is the enemy of security." It is, however, functionality that sells technology. Security is something we merely hope might be in there somewhere.
We have become use to software flaws. Meltdown and Spectre are a tad different though. These two new flawed stars are part of the processors that load, execute, and manipulate the data we run on computers. It is ubiquitous in that regard. This is not a debate of whether Apple, Microsoft, or Unix is more secure. Not when the OS runs on platforms with vulnerable processors. This flaw is pervasive. All operating systems are challenged.
Meltdown impacts are largely constrained to servers, desktop, and laptop computing devices. Spectre is more insidious, ranging across smart phones, tables, and other devices that have Intel, AMD, and ARM processors. The ability to invoke the weakness requires a degree of sophistication beyond most individuals, but certainly not beyond the resources and interests of crime organizations and nation states. There are no known widespread compromises reported, as of yet. Still, in the history of vulnerabilities, you can anticipate that this will not be the last processor based vulnerability. The reminder that even processors can be compromised will drive the curious to attempt new ploys, revealing vulnerabilities yet to be discovered.
So, what to do. First, Microsoft, Apple, and other companies are already releasing patches. Apple's High Sierra is already secure. No, the vendors did not make the processors, and certainly not these vulnerabilities. However, their customers are using vulnerable computing platforms, and the vendors mean to protect their customers. Even before the processor manufacturers, if necessary. Regardless of how you get to safe ground, make sure that you apply a patch that can address this, and perhaps future vulnerabilities. You will have to continue to be vigilant, or at least configure your computing platforms to automate the patch update for you. Again, Meltdown and Spectre will not be the last vulnerability, and may not even be the most dangerous vulnerabilities in 2018. The year is young, after all.
Now, to give you pause. The real sleeping giant in the world of technology are your treasured Internet of Thing (IoT) devices. You have more than you know. Most of these devices have processors that are vulnerable to Meltdown and Spectre, too. You might be looking across the room at that lovely Christmas present right now, wondering. Here is what you may not know about a good number of your IoT devices. A significant number of such manufactures do not have vulnerability management programs, do not focus on secure coding practices, and they do not have automated patch update services. Many of those devices access the internet, yet have vendor default passwords configured.
So, how about a good joke. There was a casino with an IoT monitor for a fish tank. The monitor was hacked, followed by the casino. It happened. No joke.