By now you’ve likely heard something about Meltdown and Spectre, the newest vulnerabilities to hit the information security world, and wow are they big problems. A pair of security holes that put every PC, laptop, device and server at risk for massive data breach, not to mention placing big red targets on cloud service providers who, as information juggernauts, are in a rush to fix things, FAST. Trying to understand what’s going on however, is easier said than done: there are lot of technical details in the actual breakdown of what went wrong, most of it too much for your average computer user. My personal favourite explanation still comes from Randall Munroe, writer of xkcd, which show’s just how bizarre the discussion has gotten.
If you’re not a system engineer or researcher, but still want to understand what’s going on, here’s a guide for the rest of us.
What are Meltdown and Spectre, and what to they do?
Meltdown and Spectre are exploits, discovered backdoors in computing devices that if used, could allow information on the target machine to be compromised. If a malicious hacker used the Meltdown or Spectre vulnerability on an unsuspecting device, they could see every piece of data on that computer’s memory, from every day documentation to highly sensitive encryption keys and passwords.
Why are Meltdown and Spectre such a big deal?
First, exploits as a whole are huge problems: they represent holes in security that can then be used against the user, in this case to steal information. What’s more, Meltdown and Spectre are unique because the ‘hole’ is part of the processor chip’s design, and it is the processor that allows a device to run in the first place. Meltdown affects Intel processors, while Spectre can affects all processor chips made since 1995 by Intel, AMD and ARM; in essence every device out there. Worse, while companies like Apple, Google and Amazon can and are trying to ‘fix’ the problem, their fixes may slow systems down, and will only be able to go so far: to fully solve this issue, Intel, AMD and ARM will need to fix the flaw within the processor chip design; not an easy task by a long shot.
To use a human example, think of it like discovering you hold with your DNA the gene for cancer, one that becomes active if you eat a specific food. You could take medicine to limit the problem or go on a very specific diet, but all your life that risky gene is still going to be there. Adding to your discomfort is knowing that while the medicine will protect you, it comes with potential side-effects such as slowing down your metabolism, making it something of a bitter pill to swallow.
Wait, but what can do I do about this? Don’t tell me I need all new devices!
Easy there, and hold on to your wallet: this might be a big problem, but there are also big brains out there working on the solution who recognize ‘replace it all’ isn’t going to fly with half the world’s individuals, businesses, organizations and government offices. For now, here’s what I recommend:
1. Relax, backup, and update your stuff.
First, some good news: odds are high no one has used Meltdown or Spectre against you yet. That’s the verdict of Apple and most IT companies, who agree if such a major security backdoor was in play before now, we would have heard about it much sooner.
The bad news is, now that it is known, hackers will use it. If your machine or device has an update, you’ll want to install right away; the sooner the better. Due to early flaws in some patches however, do yourself a favour and follow the oldest saying in the IT book: before an instal, back up your stuff somewhere safe, like on a portable drive. Likewise, avoid going to Microsoft for the software and wait until the update comes to you, via Windows Update. If you’re on Apple, the Updates tab in the App Store will take care of you. In addition to your system, keep an eye out for updates to your web browser, your antivirus, and your PC manufacturer, along with other software if available, and do update all devices: phones and tablets are not immune to this one. Reports suggest that some may see a side-effect of a slower system, but the alternative, giving sensitive data and passwords away to a malicious actor who comes a calling, still makes the update worth it.
2. Hold off on new purchases, and don’t buy anything yet.
As discussed, a big part of the problem with Meltdown and Spectre is that the vulnerabilities are in the processor chips themselves, meaning the only final fix will be new hardware. That said, as tempting as it may be to buy a new device, now is not the time, unless you’re already tech-savvy and looking to replace a few parts, like the graphics card. While Intel has publicly stated they are fixing the problem, the emphasis for new buyers should be ‘fixing’: anything on store shelves right now, and anything that comes out until the fix is made and gets through the supply chain will by default be vulnerable. True a software patch will protect you, but if shopping for a new device why bother? If you can afford to wait, do so, and keep an eye on news and reviews of new systems, buying after someone who really knows the hardware believes the problem is solved.
Victoria McIntosh is an Information and Privacy professional residing in Halifax, Nova Scotia. With over six year’s experience, she is committed to assisting clients with the growing challenges of controlling their information resources through strategic information management, data governance, and privacy controls. Victoria has received an honours BA in History from Mount Allison University, an MLIS degree from the University of Western Ontario, and is certified by the International Association of Privacy Professionals as an Information Privacy Technologist. She works best with a fresh cup of coffee in her hands, or a sleeping puppy on her foot.