
Implications of Meltdown and Spectre Bugs for small businesses and sole traders

Over the last few days you may have come across some headlines referring to Meltdown and Spectre, the names given to two security bugs in the processors of virtually every modern computer.

Security researchers discovered some time ago that it was possible to exploit the way that all modern computer processors work.

More from Google’s Project Zero

They informed companies like Intel in June, giving them a heads-up so that they could fix the flaw or release patches. An indicator of the severity of the flaws is the payment of a ‘bug bounty’ to the researchers by Intel, and the CEO of Intel selling all of his shares in the company in November, prior to the news becoming public.

Intel insists that this flaw is in fact a feature of modern processors, and not a bug. But then they would say that, as the alternative is recalling and replacing pretty much every processor on the planet! It’s not just Intel either; AMD and ARM are also affected by this. That means computers, operating systems and phones made by Apple, Microsoft, Google, Linux and everyone else.

What do the vulnerabilities enable hackers to do?

Meltdown

(https://meltdownattack.com/meltdown.pdf)

“probably one of the worst CPU bugs ever found”

This security flaw enables an attacker to bypass barriers and access core memory, in effect enabling them to see passwords, remotely execute code, and escalate privileges. A compromised ad on a website that you visit, or an email attachment, could steal your passwords and private data and even install malware or ransomware onto your computer, or whatever the attacker wants. Hackers will be adding these exploits to their arsenal right now, and any ‘script kiddie’ with the attack code will be able to take advantage.

The patch, known as KAISER, has a detrimental effect on the performance of your computer.

Spectre

(https://spectreattack.com/spectre.pdf)

“Spectre attacks involve inducing a victim to speculatively perform operations that would not occur during correct program execution and which leak the victim’s confidential information via a side channel to the hacker.”

Combined with other exploits, attackers can achieve reliable remote code execution, de-cloak anonymity solutions, steal passwords, defeat encryption and more. It requires the hacker to be able to execute code on your machine; again, this can be in the form of compromised software or possibly a JavaScript program on a website. This will be harder to take advantage of (maybe only by advanced hacking teams such as those employed by nation states), but also much harder to fix, likely involving replacement of CPU hardware!! Spectre seems to be an apt name for this bug.

How do we mitigate these vulnerabilities?

OK, bear with me here. Think of your computer as a garden. It has a fence around it, and the gate is locked. Think of the code that attackers have written to use these vulnerabilities as badgers.

Normally, the badgers can’t get in your garden to eat all your produce. But they are devious: they will try to trick you into opening the gate by pretending to be the postman (email attachments), or hitching a ride with the newspaper delivery (website JavaScript). And so on.

So the best defence is to be very careful about who you open the gate to.

Website JavaScript

Don’t visit dodgy websites on your work computer, such as those offering torrent downloads or porn. Install an ad blocker (https://getadblock.com/) because even legitimate websites can serve up adverts which may be compromised. Make sure you are using an up-to-date browser, and keep it updated. We recommend Chrome, Opera, Safari, Tor or Firefox.

Websites and Web servers

These vulnerabilities also affect web servers, and while there are patches, you’ll be relying on sys admins to perform updates. So some websites may well become compromised. Keep an eye on your own website, and exercise a bit of extra caution when using passwords and personal data on other websites.

Passwords

Don’t use the same password on more than one website. This limits the damage should your password be stolen. Use a password safe such as Lastpass (https://www.lastpass.com/) or KeePassX (https://www.keepassx.org/). Go through all the websites you have an account with, and change the password for a random one. I know, this takes time but it’s worth it.

2 Factor Auth

Turn on two-factor authentication for any website account (such as your Gmail account) that you can. This will mean that to log in on a new computer you will need your password, and a secondary device, such as a mobile, which will be sent a security code. You enter the security code to log in.

This extra layer of security will protect you if a password is compromised.

OS updates

Don’t use an out-of-date OS such as Windows XP, MacOS El Capitan or an old (unsupported) version of Linux. Make sure you are on the most up-to-date version by running all the updates. If your computer is not able to get up to date then you’ll need a new one, as the one you have is not safe to use for anything important. Don’t click ‘not now’ for the updates; install them.
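For Linux machines, one way to confirm that the updates actually brought in the fixes (an added example, not part of the original article): kernels that carry the patches report their own status in files under /sys/devices/system/cpu/vulnerabilities. The helper name `check_cpu_vulns` and its optional directory argument are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: summarise the kernel's own Meltdown/Spectre status report.
# check_cpu_vulns is a hypothetical helper name; the optional directory
# argument exists only so the function can be pointed at sample files.
# Return code: 0 = all mitigated, 1 = something vulnerable, 2 = cannot tell.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    worst=0

    if [ ! -d "$dir" ]; then
        # Kernels from before the fixes do not have this directory at all.
        echo "UNKNOWN  kernel does not report status; install OS updates"
        return 2
    fi

    for name in meltdown spectre_v1 spectre_v2; do
        file="$dir/$name"
        if [ ! -r "$file" ]; then
            echo "UNKNOWN  $name: no report from this kernel"
            worst=2
            continue
        fi
        status=$(cat "$file")
        case "$status" in
            "Not affected"*|"Mitigation"*)
                echo "OK       $name: $status" ;;
            *)
                # Anything else (e.g. "Vulnerable") means no fix is active.
                echo "AT RISK  $name: $status"
                if [ "$worst" -lt 1 ]; then worst=1; fi ;;
        esac
    done
    return "$worst"
}

# Check the live system; print a reminder if anything is not confirmed fixed.
check_cpu_vulns || echo "Action needed: install pending OS and firmware updates."
```

A line reading `OK meltdown: Mitigation: PTI` means the kernel-side Meltdown patch is active; `AT RISK` or `UNKNOWN` means the machine still needs updating.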

Mobile devices

Yes, your smartphone or tablet also has a vulnerable processor. Ensure it is encrypted with a long, hard-to-guess passcode, and make sure you have installed all updates. If you are using an Android stock browser (the one that comes with your phone), consider installing Google Chrome from the Play store, rather than using the stock browser. Same goes for older iPhones, Windows phones or BlackBerrys.

Backups and encryption

Make sure that all your important business documents and data are securely backed up off site. It is also wise to ensure these backups are encrypted. In fact it’s the law if you store personal data such as customer emails or staff records. If your computer is hit by ransomware, at least you won’t lose those documents. Be aware that those backups are also vulnerable if stored in the cloud, so if you are able to back up to another physical storage too, that is a good idea. Make a USB recovery media to enable you to get a computer back up quickly if the worst should happen.

Other plans and insurance

If your computers or your web server are targeted by a skilled individual, there is really not much you can do. They will succeed. That was true before these bugs were discovered, and will likely always be true. It is a wise move to consider what that would mean for your business and how you would deal with it. Have a plan in place to mitigate the impact to your livelihood. But don’t lose sleep, most small businesses are not really much of a target for hackers.

Data Protection

You should review your data protection policies in light of these bugs, and don’t forget that new regulations come into force in May 2018.

More from the ICO here:

https://iconewsblog.org.uk/2018/01/05/meltdown-and-spectre/
