Meltdown and Spectre Security Vulnerabilities — Deck Chairs on the Titanic
By Duane Thresher, Ph.D., January 18, 2018
I have a BS in Electrical Engineering and Computer Science
from MIT, among much other relevant education and experience.
Panicking about the Meltdown and Spectre computer security
vulnerabilities is like panicking about the arrangement of the
deck chairs on the Titanic.
The arrangement of the deck chairs on the Titanic was a safety
issue — theoretically passengers could be blocked by
them — but the actual giant hole in the side of the ship
was the much bigger concern. (For simplicity I won't make the
analogy using the design flaw in the Titanic that actually
caused it to sink — the bulkheads did not reach high
enough to make watertight compartments.)
The Meltdown and Spectre security vulnerabilities are the big
Information Technology (IT) news recently. These were
announced together but are two separate security
vulnerabilities, similar in that they result from CPU design
flaws ("bugs") at the intersection of electrical engineering
and computer science. I won't go into the technical details
because the media and most of the public do not have the
background to begin to understand them, and it's not
important here.
These security vulnerabilities are theoretical, not something
found already being exploited in the wild. Finding computer
security vulnerabilities is a serious academic (universities
and other research organizations) competition — cash bounties
are even paid for them, as they were for Meltdown and
Spectre — and reporting them is a serious journalistic
competition.
Reputations are made on finding and on reporting them; the
worse the security vulnerability found, the more prestige.
They even have publicity campaigns that include official
logos, as you can see from the picture accompanying this
article.
Unfortunately, measuring how bad these security
vulnerabilities are has been reduced to how widespread they
are — the CPU bugs resulting in the Meltdown and Spectre
security vulnerabilities are widespread, affecting many
processor types — without regard to how easy or likely
they are to be exploited. There is no advantage to the
academics and journalists in taking this into account, so it
isn't.
CPU manufacturers then have to respond — in the extreme
or be accused of not doing enough — to the reported
security vulnerabilities to save their reputations, not
because they think the security vulnerabilities are so
serious.
Again, the Meltdown and Spectre security vulnerabilities are
theoretical and "discovering" them has been many years in the
making, including numerous academic articles. The actual
"discovery" was just outlining a way these CPU bugs could be
exploited as security vulnerabilities.
It's extremely unlikely your average hacker —
particularly since your average hacker is a script kiddie,
using hacking programs written by others — would ever
have found these security vulnerabilities or how to exploit
them. State-sponsored hackers might have been able to, but
they know there are easier, more successful hacking methods;
see below.
(This discovery raises a serious ethical issue. Publicly
outlining how to exploit these security vulnerabilities makes
it more likely they will be used in the wild. Academics, who
have a vested interest in arguing so, argue that any security
protection that depends on secrecy is doomed to failure.
However, the best encryption ever invented, RSA, may already
be breakable, by the NSA for instance, but this may be being
kept secret, which is keeping most people protected from the
really bad guys.)
Meanwhile — and this is the giant hole in the side of
the Titanic — easy-to-exploit security vulnerabilities
that have been used to hack millions of people, organizations,
and whole countries — like those in the Equifax hacking
— go practically unaddressed, even though they could
easily be protected against.
I'll outline the most successful, and thus most used, hacking
techniques and the security vulnerabilities they exploit.
Humans are computers' biggest and eternal security
vulnerability and social engineering is the general hacking
technique that takes advantage of this. Spear phishing is a
specific technique that has been used with great success by
Russian and Chinese state-sponsored hackers.
In spear phishing, a hacker learns personal details about
certain people in the organization whose computer system he
is trying to hack and, in an email, pretends to be one of
these people to another of these people in order to get a
password changed. The personal details have been foolishly
provided by the people themselves in social media like
Facebook and act as proof of identity, like the ubiquitous
account security questions ("What is your dog's name?"). For
example:
To: Alice [a secretary who can change passwords or have them changed]
From: Bob [an executive; the actual email address is disguised]
Subject: Urgent - change my password
Alice,
How was Eve's [Alice's daughter] birthday party yesterday?
As you know, I am at a conference. I need to log in to get
some important information for my talk. But with all the
stress I have forgotten my password. Please change my
password to "Corky7" ASAP [nice touch, Corky is Bob's dog and
adding a number is good password creation].
Thanks.
Bob
Alice foolishly falls for this, and the hacker has logged in,
stolen all the confidential/classified information, made a
backdoor, and covered his tracks before it is discovered, if
ever.
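As an added illustration, not part of the original article: a small Python triage check that looks for the tells in the Bob/Alice message above (a display name that matches a known person but comes from a different address, a sender outside the organization, and a password change requested, and even dictated, by email). The organization domain, the directory and the message text are all constructed here for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed for this example: the organization's mail domain and a directory
# of people an attacker might impersonate (Bob is the executive in the article).
ORG_DOMAIN = "example.com"
DIRECTORY = {"bob": "bob@example.com"}

# Constructed message modelled on the article's Alice/Bob example: the display
# name says Bob, but the real address sits on an outside mail provider.
SAMPLE_MESSAGE = """\
From: Bob <bob.exec.1982@mail-provider.example>
To: Alice <alice@example.com>
Subject: Urgent - change my password

Alice,
How was Eve's birthday party yesterday? As you know, I am at a conference
and with all the stress I have forgotten my password. Please change my
password to "Corky7" ASAP.
Thanks.
Bob
"""
CREDENTIAL_REQUEST = re.compile(r"\b(change|reset)\s+my\s+password\b", re.I)
PASSWORD_IN_TEXT = re.compile(r'password\s+to\s+"([^"]+)"', re.I)

def triage(raw_message):
    """Return (code, reason) pairs for each check that fires; an empty list
    means no check fired, which is not proof that the message is safe."""
    msg = email.message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    findings = []
    expected = DIRECTORY.get(display_name.strip().lower())
    if expected and addr.lower() != expected:  # known name, unexpected address
        findings.append(("impersonation", f"'{display_name}' is {expected} "
                         f"in the directory, but this came from {addr}"))
    if domain and domain != ORG_DOMAIN:
        findings.append(("external", f"sender domain {domain} is not {ORG_DOMAIN}"))
    if CREDENTIAL_REQUEST.search(text):
        findings.append(("credential", "asks for a password change by email"))
    if PASSWORD_IN_TEXT.search(text):
        findings.append(("cleartext", "dictates the new password in the text"))
    return findings

def is_suspicious(raw_message):
    """Flag the article's combination: a password request from an impersonated or outside sender."""
    codes = {code for code, _ in triage(raw_message)}
    return "credential" in codes and bool(codes & {"impersonation", "external"})
```

The real fix is procedural rather than technical: a password is never changed on the strength of an email alone, so the check is a prompt for Alice to call Bob on a known number, not a replacement for that call.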
The Web was not designed for what it is used for today so it
inherently has security vulnerabilities and hacking web apps
is another top general hacking technique. In fact, the recent
Equifax hacking — considered to be the worst ever
— used this technique. This did not exploit a
previously unknown ("zero-day") security vulnerability, which
might seem forgivable (it really isn't). No, a patch for the
security vulnerability had been available for two months
before the hacking, but it was stupidly not applied.
(See GoDaddy Hacks Its Own Customers for another specific web
hacking technique. By the way, GoDaddy should pay me a cash
bounty for pointing out a security vulnerability.)
As you should see from the preceding cases, and as is in fact
the case, IT incompetence is the root cause of the worst and
most hackings. Panicking about theoretical, complex security
vulnerabilities while ignoring this is like panicking about
the arrangement of deck chairs on the Titanic.
IT incompetence at all levels is rampant and causing vast
damage. See Apscitu's Stop IT Incompetence website for a more
complete discussion of IT incompetence.
Apscitu's mission is to stop IT incompetence to the highest
levels of government and business.