How to respond to the most recent data breach scares.
On Feb. 6, 2018, Elon Musk made history as he launched his Tesla roadster into orbit around Mars. The words “DON’T PANIC!” were prominently displayed on the dashboard (a reference to “The Hitchhiker’s Guide to the Galaxy”).
In an unrelated story … a few weeks previous, a bug uncovered and announced by Google’s Project Zero a “CPU data cache timing that can be abused to efficiently leak information.” This gave IT people everywhere a reason to panic.
‘Spectre’ and ‘Meltdown’
Spectre and Meltdown are two CPU chip bugs that allow unauthorized data access from nearly every computer made over the last two decades. And fixing it is not easy. The problem stems from a long-utilized CPU feature called “speculative execution.” Speculative execution is a performance-enhancing feature that’s been baked into nearly every processor since the Pentium Pro (1995)!
Patches are Problematic
Patches are available for some systems, but not all. Additionally, applying these patches is extremely problematic. The bug is very “low-level” or foundational. If there’s a problem at this level, systems don’t boot at all. So, patching it is risky. Additionally, the patches slow your system down. Though, Google reports that they have patched their entire infrastructure with fairly minimal impact.
My team is treating this seriously. When this bug was announced initial patches were released. We began carefully patching, with a significant failure rate in our initial tests, so the patches were revoked. Similarly, because of the failures which may cause systems to be completely unbootable, Intel, AMD and Microsoft put a pause on the patches worldwide. We will continue to monitor the situation carefully.
For home PCs, the risk caused by Spectre and Meltdown is relatively low and the risk of an errant patch causing damage to systems is very high. So, don’t panic and sit tight and do nothing for now. For business PCs and servers, most businesses will have many of the exact same model or similar models of hardware. This decreased variability of hardware will generally allow testing of upgrades on pilot systems. In business systems, the stakes are also generally a bit higher. So, a very deliberate, cautious patch validation process and careful deployment is advised.
Big Risk in the Cloud
While both Spectre and Meltdown incur huge risk is with cloud providers. A CPU-based bug can theoretically break through every possible security layer you put in place. Additionally, since cloud systems are massively scaled, you generally have multiple customers, and many different businesses/entities sharing common hardware (this is called hardware multi-tenancy). This means that you could theoretically have what appears to the cloud provider to be a normal paying cloud client actually be a bad actor trying to figure out a way to exploit the bug and get access to other people’s data!
In a cloud environment, the servers run within a master system called a “hypervisor” which runs on the hardware. Amazon Web Services (AWS) and Google Cloud Services (GCS) run linux-based hypervisors and they have both confirmed that they patched their hardware and/or hypervisors such that the threat has been neutralized. Microsoft Azure runs a Windows Server-based hypervisor called Hyper-V. Microsoft assures that they are patched as well, stating “Azure infrastructure is updated with mitigations against this class of vulnerability.” For all cloud services, it’s important to have a solid review and checklist to ensure that you are working with a good cloud provider. The patch status for Spectre and Meltdown should be on that checklist. Dave Kinsey