Meltdown and Spectre Security Vulnerabilities -- Deck Chairs on the Titanic
By Duane Thresher, Ph.D. January 18, 2018
I have a BS in Electrical Engineering and Computer Science from MIT, among much other relevant education and experience. Panicking about the Meltdown and Spectre computer security vulnerabilities is like panicking about the arrangement of the deck chairs on the Titanic.
The arrangement of the deck chairs on the Titanic was a safety issue -- theoretically passengers could be blocked by them -- but the actual giant hole in the side of the ship was the much bigger concern. (For simplicity I won't make the analogy using the design flaw in the Titanic that actually caused it to sink -- the bulkheads did not reach high enough and make watertight compartments.)
The Meltdown and Spectre security vulnerabilities are the big Information Technology (IT) news recently. These were announced together but are two separate security vulnerabilities, similar in that they result from CPU design flaws ("bugs") at the intersection of electrical engineering and computer science. I won't go into the technical details because the media and most of the public do not have the background to begin to understand them and it's not important.
These security vulnerabilities are theoretical, not something found already being exploited in the wild. Finding computer security vulnerabilities is a serious academic (universities and other research organizations) competition -- cash bounties are even paid for them, as they were for Meltdown and Spectre -- and reporting them is a serious journalistic competition. Reputations are made on finding and on reporting them, the worse the security vulnerability found, the more prestige. They even have publicity campaigns that include official logos, as you can see from the picture accompanying this article.
Unfortunately, measuring how bad these security vulnerabilities are has been reduced to how widespread they are -- the CPU bugs resulting in the Meltdown and Spectre security vulnerabilities are widespread, affecting many processor types -- without regard to how easy or likely they are to be exploited. There is no advantage to the academics and journalists to take this into account so it isn't.
CPU manufacturers then have to respond -- in the extreme or be accused of not doing enough -- to the reported security vulnerabilities to save their reputations, not because they think the security vulnerabilities are so serious.
Again, the Meltdown and Spectre security vulnerabilities are theoretical and "discovering" them has been many years in the making, including numerous academic articles. The actual "discovery" was just outlining a way these CPU bugs could be exploited as security vulnerabilities.
It's extremely unlikely your average hacker -- particularly since your average hacker is a script kiddie, using hacking programs written by others -- would have ever found these security vulnerabilities or how to exploit them. State-sponsored hackers might have been able to, but they know there are easier, more successful hacking methods; see ahead.
(This discovering raises a serious ethical issue. Publicly outlining how to exploit these security vulnerabilities makes it more likely they will be used in the wild. Academics, who have a vested interest in arguing so, argue that any security protection that depends on secrecy is doomed to failure. However, the best encryption ever invented, RSA, may already be breakable, by the NSA for instance, but this may be being kept secret, which is keeping most people protected from the really bad guys.)
Meanwhile -- and this is the giant hole in the side of the Titanic -- easy-to-exploit security vulnerabilities that have been used to hack millions of people, organizations, and whole countries -- like those in the Equifax hacking -- go practically unaddressed, even though they could easily be protected against.
I'll outline the most successful, and thus most used, hacking techniques, and thus the security vulnerabilities they exploit.
Humans are computers' biggest and eternal security vulnerability and social engineering is the general hacking technique that takes advantage of this. Spear phishing is a specific technique that has been used with great success by Russian and Chinese state-sponsored hackers.
In spear phishing, a hacker learns personal details about certain people on the organization's computer system he is trying to hack and pretends to be one of these people to another of these people in an email in order to change passwords. The personal details have been foolishly provided by the people in social media like Facebook and act as proof of identity, like the ubiquitous account security questions ("What is your dog's name?"). For example:
To: Alice [a secretary who can change passwords or have them changed]
From: Bob [an executive; the actual email address is disguised]
Subject: Urgent - change my password
How was Eve's [Alice's daughter] birthday party yesterday?
As you know, I am at a conference. I need to log in to get some important information for my talk. But with all the stress I have forgotten my password. Please change my password to "Corky7" ASAP [nice touch, Corky is Bob's dog and adding a number is good password creation].
Alice foolishly falls for this, and the hacker has logged in, stolen all the confidential/classified information, made a backdoor, and covered his tracks before it is discovered, if ever.
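A mail-filter check for the kind of message shown above, as an added example that is not part of the original article: it holds a message when a password-change request arrives under a known staff display name from an unexpected or external address. The organization domain, staff directory, finding names and sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                  # assumed organization domain
KNOWN_STAFF = {"bob": "bob@example.com"}    # constructed: display name -> real address

# A request to change or reset a password, in the subject or the body.
CREDENTIAL_REQUEST = re.compile(r"\b(change|reset)\b.{0,40}\bpassword\b",
                                re.IGNORECASE | re.DOTALL)

# Constructed sample modelled on the article's Alice/Bob message.
SAMPLE = (
    "From: Bob <bob.exec@mail-example.net>\n"
    "To: Alice <alice@example.com>\n"
    "Subject: Urgent - change my password\n"
    "\n"
    "How was Eve's birthday party yesterday?\n"
    "I have forgotten my password. Please change my password ASAP.\n"
)

def phishing_findings(raw):
    """Return the list of warning signs found in one plain-text message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    findings = []
    expected = KNOWN_STAFF.get(name.strip().lower())
    # The display name claims to be a known person, but the address is not theirs.
    if expected and addr != expected:
        findings.append("display-name-impersonation")
    if not addr.endswith("@" + ORG_DOMAIN):
        findings.append("external-sender")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    if CREDENTIAL_REQUEST.search(text):
        findings.append("credential-change-request")
    return findings

def should_hold(raw):
    """Hold for out-of-band verification: credential request plus a sender anomaly."""
    found = phishing_findings(raw)
    return ("credential-change-request" in found
            and ("display-name-impersonation" in found or "external-sender" in found))

if __name__ == "__main__":
    print(phishing_findings(SAMPLE), should_hold(SAMPLE))
```

A password-change request from Bob's genuine address is not held by this check, so a callback to a known phone number before changing any password is still needed.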
The Web was not designed for what it is used for today so it inherently has security vulnerabilities and hacking web apps is another top general hacking technique. In fact, the recent Equifax hacking -- considered to be the worst ever -- used this technique. This was not to exploit a previously-unknown ("zero-day") security vulnerability, which might seem forgivable (it really isn't). No, there was a patch for the security vulnerability available two months before the hacking but it was stupidly not applied.
(See GoDaddy Hacks Its Own Customers for another specific web hacking technique. By the way, GoDaddy should pay me a cash bounty for pointing out a security vulnerability.)
As you should see from the preceding cases and as is the actuality, IT incompetence is the root cause of the worst, and of most, hackings. Panicking about theoretical complex security vulnerabilities while ignoring this is like panicking about the arrangement of deck chairs on the Titanic.
IT incompetence at all levels is rampant and causing vast damage. See Apscitu's Stop IT Incompetence page for a more complete discussion of IT incompetence. Apscitu's mission is to stop IT incompetence to the highest levels of government and business.