Hack of the Week for Jan 1: Meltdown + Spectre

One of my New Year’s resolutions is to produce more content on this blog. To that end, I’m introducing a new feature — Hack of the Week. No, not that new person you met who is full of themselves and bad at everything; rather, an exploit, vulnerability or breach that occurred recently. To kick it off, let’s start with a doozy — the two-headed beast known as Meltdown and Spectre, both cache side-channel attacks. The two share their own website, a decent indicator of cybersecurity celebrity these days. There are many excellent accounts out there of these two hacks; the short version is that they both impact nearly every computer manufactured since the mid-90s — yes, including the one you’re using at the moment, most likely — and give an attacker access to data in memory. The good news is that there is a fix; the bad news is the trade-off: the fix may slow down our devices.

Meltdown and Spectre were publicly disclosed on Jan 3, although a few different research groups had discovered the vulnerabilities at some point in the past year. If you are reading this, you’re almost guaranteed to be at risk. But since this is a hardware exploit, unless you gave someone else access to your device, either in person or through a file download, your device should be okay (unless you run JavaScript willy-nilly; some advice on that here). Vendors have provided patches by now, so as always — patch early, patch often and update your browser and extensions. Once you’ve taken steps to harden your device, the real risk is any website you visit and your data stored there.

The threat model is slightly different on the web. While various companies' websites have their own chunk of cyberspace, the servers that host these websites may live on the same hardware. A ZDNet report last year said that a single cloud provider held roughly a third of the cloud market at the time. So while your banking website and healthcare provider probably don’t live on the same hardware and no doubt have strong security teams, it could be possible that one of their neighbors fell victim to Meltdown or Spectre. So, if your personal device is a stand-alone house, the websites you visit are different rooms in an apartment building… and who knows if there’s a creeper in one of those other units.

The good news is that cloud providers are incentivized to keep their systems updated, including patches for Meltdown and Spectre. And the major players are doing exactly that. The downside is slower machines, as ZDNet reports. Cloud-hosted websites and services won’t necessarily slow down, though — companies running their websites on cloud providers have two options to mitigate performance loss: 1) host on faster (and more expensive) machines or 2) add additional machines. The question becomes who picks up the additional costs for those solutions.

Patching systems and provisioning heftier systems is a short-term solution. Since these are hardware vulnerabilities, the long-term fix will require a complete processor chip redesign and physical system upgrade — by no means a quick turn or cheap solution.

An exciting start to 2018.