Have you seen the recent cyber-security news story? If not, you can find it here and here and here, with headlines such as “Security flaws put virtually all phones, computers at risk.”
Is this just our media pushing a story because it’s sensational? Are various news sources echoing scary headlines simply because “Bad news sells”?
Is the sky really falling? What do YOU need to know and do?
This page is designed to answer those questions and more. At the end is a “Hot Tip” on how to know you are safe and secure.
1 - Why do the headlines say “All phones and computers are at risk”?
The headlines are not exaggerating on this. These recently discovered security problems apply to almost all processors built since 1995. This includes processors built not only by Intel (which has been most in the news) but also Apple, Arm, and others.
If your smartphone or computer has a processor (and it does), you are at risk.
2 - What is the name of this new threat?
Actually, there are TWO: Meltdown and Spectre.
3 - What can the Meltdown exploit do?
A hacker can use Meltdown to enter a processor’s cache (see #5). Hackers can view information in the cache and also use that information to backtrack passwords and other sensitive data.
Meltdown is so named because it “basically melts security boundaries which are normally enforced by the hardware.”
4 - What can the Spectre exploit do?
A hacker can use Spectre to trick an application into accessing arbitrary locations in its memory. Hackers can view this information.
5 - What is a cache?
A processor chip caches information which it guesses will be needed again very soon. This enables the processor to run faster. This is kind of like the short-term and long-term memory in your brain: your short-term memory is easier and quicker for you to access. Similarly, a processor chip caches data which it wants to retrieve again quickly.
The word “cache” is both a noun and a verb. The cache is the place where your processor puts information that it has cached (see previous paragraph).
6 - Is there a 3-minute video explanation of these two exploits?
7 - Is my computer/smartphone automatically at risk?
No. The WannaCry attack, in May of 2017, made it possible for computers to be infected simply by plugging them in to the internet—it was like a hole in your computer.
Meltdown and Spectre are not like WannaCry in this regard. Your phone/computer must become compromised before this exploit can affect you.
8 - How might my phone / computer become compromised?
One example is, you could download an infected app from the internet. This could spread to your computer.
9 - Will my Anti-Virus or Anti-Ransomware software notify me if I have been infected / compromised by Meltdown or Spectre?
Not at this time (1/9/2018).
10 - How can I protect myself from Meltdown and Spectre?
The ONLY way to protect yourself is to be CERTAIN that all of your security patches are installed and up-to-date.
The company providing you with IT Services should be doing one of these things:
- using software to automatically push updates
- remotely pushing updates on a schedule you have approved
- coming onsite to push updates.
Are you SURE your computer guy is doing this thoroughly? We are not exaggerating when we say that it could be disastrous if he is not. We have a limited number of free network assessments to give away, see the bottom of this page for details or email Tom@FairoaksIT.com. This is a risk-free way for you to be sure that your computer network (and all of the sensitive and valuable information it contains) has the best security available.
11 - Are security patches available now?
Yes and no. Patches for various software programs have been written and are being written by “the good guys.” By the way, this is what happens any time a new exploit is discovered: The cyber-heroes discover a pathway into data that the cyber-criminals could have used (or have been using). Then the cyber-heroes write software code (a patch) which blocks entry for any cyber-criminals who try to use that exploit in the future.
Microsoft released a security patch within days of this news becoming public. However, this patch was not compatible with many Anti-Virus software solutions, causing the dreaded BSOD (Blue Screen of Death).
Microsoft has informed anti-virus companies of what they need to do for this critical patch to be effectively deployed. All the AV companies are working on it, fast and hard.
If you have a Windows 10 computer, your security patch will be automatically applied within a week of when your anti-virus company updates its software to be compatible with the patch.
Regarding other applications besides Windows 10, and regarding other devices such as Smartphones, tablets, Apple devices, etc: we are all still waiting and watching. The news on this is changing daily.
12 - How long have the hackers been using Meltdown and Spectre?
Good News: At this point (1/9/2018), there is no evidence that any data has been stolen using these exploits. It appears that the good guys were ahead of the bad guys on this one.
Bad News: Cyber-criminals read the news just like we do. Most bad guys are lazy. They don’t look for new vulnerabilities; instead, wait until the good guys discover an exploit and proclaim it in headline news. THEN they use that news to their advantage and start employing the exploit.
So, the clock is ticking for all of us! Make sure your IT company is patching your systems to protect them from this new threat. If you have ANY doubt that your network is fully patched and protected, please reach out to us at Tom@FairoaksIT.com
13 - Will my computer slow down after these security patches are installed?
Probably not. Your computer’s speed is likely to seem the same. When this news broke in early January, rumors were rampant that the security patches would slow down your computer markedly.
Good News: Those rumors of decreased speed have not been proven true. Many people have installed the security patches and seen minimal or no decrease in the speed of their computers.
14 - I am a Fairoaks IT client; is my network patched against these threats?
If you receive monthly services from us, take a sigh of relief and know that “We’re on it!” We are pushing these security patches to our clients as quickly as we can vet them.
15 - Why are these security flaws being discovered NOW, if they’ve existed for years?
That’s a great question, and lots of smart people are working hard to answer it. For some quick thoughts on the matter, see the end of this excellent short video.
16 - Did the CEO of Intel sell a large share of his stock prior to this announcement?
Yes. His sale occurred after Intel knew there was a problem and before the problem was announced to the public. He sold as much as he could. He now holds only the minimum number of shares his position requires him to own. More information here and here.
17 - Are Intel processors the only ones affected by Meltdown and Spectre?
No. Almost all processors made after 1995 are affected; this includes Apples, PCs, and handheld electronic devices (smartphones, tablets, etc.).
18 - Where can I read more?
- Brian Krebs has an excellent article here.
- The gurus at Graz University of Technology, who helped discover and report these vulnerabilities, have an excellent FAQ page here.
HOT TIP: How Can You Know Your Network is Safe and Secure?
Bad News: You can no longer KNOW, with 100% certainty, that your network is completely secure from cyber-villans. If this news story is teaching us anything, it is teaching us that.
Good News: You CAN know that you’ve taken all reasonable measures to secure your network. To do this, you must:
- First - assess the current threats to your network.
- Second - create a plan to protect your data from those threats.
- Third - work with a professional IT service provider to implement that plan.
The first two steps of this simple outline are FREE, for a limited number of small businesses who email Tom@FairoaksIT.com.
For free, one of our senior technicians will come to your office and conduct a comprehensive assessment of your network. We will specifically assess how your network is or is not protected against Meltdown and Spectre.
We will then meet with you to discuss the results of our assessment and our recommended plan to improve your security. If we are a good fit for your needs, you may decide to hire us to implement the plan. HOWEVER, this is TRULY a no-strings-attached offer, just as a way for you to meet the best group of geeks in Metrowest and southcoast Massachusetts. Think we’re a bit big-headed to make such a claim? Well then, don’t take our word for it, just check out what some of our raving fans have to say by clicking here.
If nothing else, you’ll have a valid 3rd party opinion of your network’s security, yours to keep.
This free cyber-security assessment is available to the first 3 businesses with 5-50 computers who email Tom@FairoaksIT.com with the subject line “Guard Against Meltdown!”