The news was supposed to come out Tuesday, but it leaked early. Last week we learned about three variations of a new class of attacks on modern computing, before many vendors could release a patch -- and we come to find out that the root cause may be entirely unpatchable, and can only be fixed by buying new computers.

Today Microsoft released a patch -- which they had to quickly pull when they discovered that it crashed computers with AMD chips.

Essentially, Spectre and Meltdown demonstrate a new way of attacking your smartphone, your laptop, your company's web server, your desktop, maybe even your TV and refrigerator.

Figure: Meltdown in Action (animation)

This all sounds dreadfully scary. And it is... but don't panic! Instead, read on to learn how this might affect you, your website, and what you can do to prevent bad things from getting worse.

How will this affect you?

All of these attacks fall into a class of "Information Disclosure." A successful Spectre attack can reveal information you want to keep secret -- mainly your passwords, and security keys widely used to protect information and identity.


Have any Bitcoin lying around? Your wallet could get compromised with this type of attack. Visit any SSL sites? A secure SSL certificate on a server might have its private key stolen, and incorporated into a fake certificate -- which would make "Man in the middle" attacks from wifi hotspots a lot more effective -- a phisher could set up a fake copy of your bank's website, and there would be no way to tell it apart from the real website, because it has a copy of the real certificate. Use a password manager to keep track of all those different passwords you need for each site? Spectre can make those secrets -- not so secret. This is far worse than Heartbleed.

Over the coming months and years, this will be a headache. Security updates on your phone and all of your computers will be more important to apply promptly than ever before -- because a new 0-day attack could give the attacker the keys to your online kingdom.

The good news is, browsers have already shipped updates that make a Spectre attack from remote JavaScript much more difficult, and Meltdown is nearly patched.

The bad news is, patching for Meltdown means slowing down your computers substantially -- reports suggest by somewhere between 5% and 30%, depending on the type of computing being done. And there isn't really a way of patching Spectre -- it's a design flaw in how the processor caches what it's working on while using something called "speculative execution" to try to speed up its work. Fully preventing a Spectre attack means deploying new processors that manage their low-level caching in a different way.

So preventing Spectre attacks falls more into the realm of anti-virus work -- blocking specific known attacks, rather than removing the vulnerability entirely, at least as I understand the problem. For more, ZDNet has a pretty understandable explanation of the vulnerabilities.

How can they attack me?

To exploit any of these attacks, an attacker needs to get you to run malicious code. How can they do this? Well, for some Spectre attacks, through JavaScript running in your browser. Firefox and Safari released updates that make the JavaScript timer less accurate -- having precise timing to detect the difference in speed between a cache hit and a cache miss is a critical part of how the currently identified attacks work. But it's scary that this level of attack could be embedded in JavaScript on any website you visit...

Browsers are changing faster than ever, though, and I wonder if this will set back some proposed browser features like WebAssembly, which could be a field day for attackers wanting to deliver nasty code to you through innocuous web pages. It's relatively easy for a browser maker to make the JavaScript execution environment fuzzy enough to defeat the precision needed to carry out these attacks. WebAssembly? The entire goal of that is to get programmers "closer to the metal", which is going to make it easier to get creative with exploiting side-channel vulnerabilities.

Browser extensions, mobile apps, anything you download and install now have far more opportunity to steal your secrets than ever before.

How will this affect your website?

Your website's host is almost certainly vulnerable. If you are not hosting on dedicated hardware, Spectre basically means that somebody else hosting on the same physical hardware can now possibly gain access to anything in your hosting account.

There are basically 3 "secrets" in nearly every website that's built on a CMS (like Drupal or WordPress) that might be a target:

  1. Your FTP, SSH, or other hosting account logins -- this could give them full access to your site, allow an attacker to upload malicious code, steal data, damage your site, whatever they want.
  2. The private key for your SSL certificate -- this would allow them to create a fake SSL certificate that looks legitimate to anybody visiting their copy of the site. This is particularly a problem for financial institutions, but it could happen to anyone -- it can lead to fake sites being set up under your domain name and, combined with a "man in the middle" position, used to phish other people, smear your reputation, or a variety of other things.
  3. Any secrets in your CMS -- your login, your passwords, any passwords of users that log into your site, ecommerce data, whatever there is to steal.

If you're on a "virtual private server" or a "shared hosting account", there will be exploits coming for years, until we've all replaced all the computer hardware that has come out in the last 20 years -- and another tenant on your hardware can potentially attack your site.

And those are just the universally available targets. You may have other things of value to an attacker, unique to you.

"Meltdown" got its name because it melts down the security boundaries between what you can do as a user, and the underlying system that has full access to everybody.

Meltdown does have patches available, and these are getting deployed -- at the cost of disabling CPU features built to make systems perform quickly. That means if you're nearing the limits of what your currently provisioned hosting provides, patching for Meltdown may push you over, and force you into more costly hosting.

What should you do now to make things better?

What you can do now really isn't much different than it was a month ago -- but the consequences of failing to follow best security practices have gotten a lot higher. You could stop using technology, but who is really going to do that? And consider who already has all your data, and might get compromised anyway.

We think there are two main things to think about when it comes to this type of security planning:

  1. Make sure you are doing all you can to avoid an attack, and
  2. Have a plan for what to do if you fall victim to an attack.

Avoid an attack

To avoid an attack, a little paranoia can go a long way. Get something in email you don't recognize, with an attachment? Don't open the attachment. On a public wifi network? Don't go anywhere sensitive, like a banking website -- wait until you get home or onto a network you trust.

Apply all security updates promptly, and verify that you're getting them from the real source. Pay attention to anything that looks suspicious. Expect more phishing attacks for the foreseeable future (as if we didn't have enough already...) Regularly check that any sites or servers you have do not show any signs of unexpected activity, changed files, etc.
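One way to do the "changed files" check above is to take a hash baseline of your site's files and compare against it on a schedule. This is an added example, not code from the original article; the directory layout and file contents it builds under a temporary directory are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile


def build_manifest(root):
    """Map each file under root (relative path) to its SHA-256 hex digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            manifest[os.path.relpath(full, root)] = digest.hexdigest()
    return manifest


def compare_manifests(baseline, current):
    """Report paths that appeared, changed or vanished since the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def demo():
    """Constructed docroot: take a baseline, tamper with it, then diff."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "modules"))
    files = {"index.php": "<?php echo 'hello';\n",
             os.path.join("modules", "site.php"): "<?php // module code\n",
             "robots.txt": "User-agent: *\n"}
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    # Round-trip through JSON, as a baseline kept off the server would be.
    baseline = json.loads(json.dumps(build_manifest(root)))
    # Simulate tampering: one file edited, one added, one deleted.
    with open(os.path.join(root, "index.php"), "a") as fh:
        fh.write("// unexpected edit\n")
    with open(os.path.join(root, "modules", "extra.php"), "w") as fh:
        fh.write("<?php // file that was never deployed\n")
    os.remove(os.path.join(root, "robots.txt"))
    return compare_manifests(baseline, build_manifest(root))
```

In real use, store the baseline JSON somewhere the web server cannot write to and re-take it only right after a deliberate update, so that any difference reported by compare_manifests() is something to investigate.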

It might be hard to detect an intrusion, because if they've hacked you, they will likely be connecting as you -- so set up any 2-factor authentication you can, consider getting security dongles/hardware tokens, and just think about security before clicking that link.

Plan for disaster

Nobody can be perfect. There is no such thing as "secure" -- there's always a way in. The practice of security is really one of risk management -- identifying what the consequences of a given security breach are, what the costs to avoid that breach are, and finding a balance between the cost of securing something and the cost of suffering a breach.

That equation varies for everybody -- but some key values in that equation just shifted. Now the consequences of a minor breach can lead to a much bigger problem than before. Or, perhaps more accurately, now we know about some ways to make these breaches worse, and thus the likelihood of them happening has become higher.

When it comes to a website, the three main risks to consider are:

  • Loss of service (Denial of service -- your website goes away)
  • Loss of data (you lose access to something you need -- e.g. ransomware, hardware failure without sufficient backups, etc)
  • Information Disclosure (revealing secrets that can cost you something)

What has changed now is that these new information disclosure attacks can reveal your keys and passwords, and then an attacker can conduct the other kinds of attacks while impersonating you. It used to be that information disclosure was a bigger concern for data you stored in a database, because the operating system takes such special care of your passwords and keys -- but now we've learned that the operating system protections can be bypassed with an attack on the CPU, and that this has been the case for the past 20 years.

Do you have a disaster recovery plan that outlines what steps to take if you discover you've been hacked? If not, we can probably help, at least for your website and server. We've written several disaster recovery plans for ourselves and our clients -- reach out if we can help you create one. We can also do the day-to-day work on your Drupal or WordPress site and server to keep them fully up-to-date, with a full testing pipeline to detect a lot of things that can break in an update.

Let us know if we can help!
