Massive Intel software vulnerability is a reminder to always protect sensitive data

Just as we are welcoming a new year, we are presented with a new kind of cyber threat. Security researchers uncovered a pair of significant vulnerabilities first thought to be limited to Intel processors. It was later revealed this also affect Intel’s peer chipmakers AMD and ARM.

If unchecked the weaknesses could cause economy-wide disruption. Data exfiltrated from the combined number of devices running Intel, AMD, and ARM chips sounds a lot like “all useful data.” There’s not much of a silver lining there.  

Ways to remedy these vulnerabilities are equally unappealing, and include permanently slowing down processing speed. It’s no wonder chipmaker stocks took a hit while the Dow, the S&P 500, and the Nasdaq all rallied. Not great.

{mosads}{mosads}Truthfully, how concerned should we be? A closer look helps us understand how these vulnerabilities function so we can find a long-term solution. It’s critical we identify the solution as soon as possible, because there’s a much bigger fight on the horizon.

Here’s the breakdown.

The Kernel Page Table Isolation (KTPI) vulnerability called “Meltdown” mainly affects Intel processors, and is the lesser of two evils. Meltdown can be more easily neutralized with a software patch.

The other weakness, “Spectre,” affects Intel, AMD and ARM processors and is more difficult to remedy than pushing a software update. Spectre actually has everything to do with the basic architecture of the chips we use in a significant amount of today’s hardware.

Spectre exploits a flaw in processor logic by allowing an application to execute code that reads from protected memory when it shouldn’t. An example could be JavaScript reading your device’s RAM where an otherwise-reliable, secure password manager is running. The bad-guy script then sends the credentials directly back to Mordor.

What makes Spectre so daunting is that you don’t even need to have an active malware infection on your machine to fall victim. It can be exploited by something as basic as visiting a webpage containing malicious JavaScript (similar to Malvertising).

It seems the average person has little to fear as long as they update as soon as a fix is released. The conversation is turning to a larger discussion about whether OS updates with these patches will hobble our cherished performance, and the overall effect slower speeds will have on global business.

Current fixes in Linux systems reportedly are increasing CPU usage as it slows down CPU instruction processing power. It’s unclear if this kind of performance loss can be reversed. If that dent in capability is significant, it’s a different problem than the foundational issue of having basically no data security.

Database servers might get hit with around 20 percent performance loss. If permanent, that translates into a lot of frustration and early device obsolescence.

Centralized systems stand to lose the most. A bank, insurance, payments or even government IT admin’s web browser could suddenly read private SSH or potentially record you entering passwords into other applications.

Which brings us to the larger responsibility we face — securing the enterprise. In the event that an enterprise admin’s workstation is compromised it could open the door to yet another mass credentials breach.

2018 will be the year when the vulnerability of centralized systems of all kinds comes under scrutiny. This is yet another opportunity to fully reimagine the technology that will secure access to our connected world.

The one way to deliver trust across our connected world is to put privileged data, and access to it, back in the hands of those to whom it belongs.

For now, here’s a few key recommendations to keep us all secure. Keep as little sensitive data in memory as possible, and when you get a security update from a trusted source — action that update. Don’t open email from those you don’t know, or download attachments. Never share your passwords, and never visit untrusted websites.

George Avetisov, CEO of HYPR Corp., a leader in decentralized authentication.