Spectre of doom - channel reacts to security meltdown

How the channel views the Meltdown and Spectre security flaws, which affect almost every modern computer

The latest security threat to rattle the industry has done so with some poignant timing - most of us had not even taken down the Christmas decorations when the year's first major security crisis came upon us.

The year has not just kicked off with any security threat, though. The emergence of Meltdown and Spectre represents one of the most significant threats of recent times, with far-reaching consequences and almost every modern computer involved.

What are Meltdown and Spectre?

The UK's National Cyber Security Centre (NCSC) states that Meltdown and Spectre are two related side-channel attacks against modern CPUs that can result in unprivileged code reading data it should not be able to. Most devices - from smartphones to hardware in datacentres - may be vulnerable to some extent.

Processors in most devices employ a range of techniques to speed up their operation, the NCSC states. The technique at issue is speculative execution: the processor runs instructions ahead of knowing whether they are permitted, and although their results are discarded, their effect on the CPU cache remains measurable. The Meltdown and Spectre vulnerabilities allow this to be abused to obtain information about areas of memory not normally visible to an attacker. This could include secret keys or other sensitive data.

Meltdown, which breaks the isolation between user applications and the operating system kernel, affects laptops, desktop computers and internet servers with Intel chips. Spectre, which breaks the isolation between different applications, affects some chips in smartphones, tablets and computers powered by Intel, ARM and AMD.

"In essence, the vulnerabilities provide ways that an attacker could extract information from privileged memory locations that should be inaccessible and secure," said Nigel Houlden, head of technology policy at the Information Commissioner's Office.

"The potential attacks are only limited by what is being stored in the privileged memory locations - depending on the specific circumstances an attacker could gain access to encryption keys, passwords for any service being run on the machine, or session cookies for active sessions within a browser.

"One variant of the attacks could allow for an administrative user in a guest virtual machine to read the host server's kernel memory. This could include the memory assigned to other guest virtual machines," said Houlden.

The industry reaction

The Meltdown and Spectre vulnerabilities continue to develop. The true extent of the potential damage, and the effort needed to mitigate it, are still being worked out. However, resellers and the industry at large have already started to size up the impact of the flaws.

"From an information and security point of view, it is horrendous," said Jason Holloway, managing director at security VAR Bridgeway Security Solutions. "The security issues go to the very heart of all modern hardware. Recovering from these issues will take a decade or more until these devices are eventually replaced by modern equivalents that do not have these issues.

"It will be an extremely expensive and painful process for organisations to swap this out. Hence, the only realistic alternative is to work around these issues with the patches the various manufacturers are putting in place."

Holloway said this "workaround" still does not fix the underlying issue which means that how systems are built will need to be revisited, with security in mind from the start.

Craig Hume, managing director of Utopia Computers, said it remains a "fluid situation" for the system builder as the security issue develops.

"We have had clients getting in touch with us about it. We had one client in particular that was dealing with Bitcoin and he was concerned about the flaw," said Hume.

"There is always a part of us that is constantly waiting for the next security flaw to appear, so although this is pretty massive there is always something and we have to deal with that and reassure everyone as best we can."

Hume said that whenever a security issue hits the news, it reminds everyone that their information is not as safe as they thought it was.

"I know of many businesses that are still not doing enough and events like this remind them that they need to be proactive and be more careful about their PCs, networks and the intellectual property which sits on them," said Hume.

Holloway said that despite the severity of the security flaw, from a channel perspective it is business as usual.

"I know that sounds odd in the context [of the size of this threat], but other than selling new hardware as a replacement, there is very little that we can do other than advising everyone to patch," he said.

"There are some pragmatic workarounds ensuring that not only are patches applied, but patch and vulnerability management solutions are deployed if they haven't been before. Increasing the segregation of computer networks through adding internal firewalls limits any negative issues that may arise from hacking those systems that cannot be patched in a realistic timescale."

Holloway said Bridgeway does a lot of work with the public sector, in particular the NHS, and many of the core critical clinical systems such as MRI scanners and X-ray machines are dependent on a manufacturer-supplied PC.

"This can usually not be patched without breaking the support agreement that they have with the manufacturer of the scanner. As a result, the NHS, and manufacturing companies, will find it difficult, if not impossible, to patch some of these vulnerable systems in a timely manner," said Holloway.

"The [industry] response has been mixed - it has caught a lot of people on the hop. The implications of the issue have been hard to comprehend for many and I am not just limiting that to the vendors as many organisations are still trying to get to grips with the full ramifications of these issues."

Holloway said there has been a struggle to release the necessary patches, which are effectively updates of the underlying operating system.
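Because the fixes arrive as operating system updates, the practical question for anyone managing an estate is which machines have actually received them. On Linux, kernels carrying the Meltdown and Spectre patches report this themselves: one file per flaw under /sys/devices/system/cpu/vulnerabilities/, whose text starts "Not affected", "Vulnerable" or "Mitigation:". The script below, an added example that is not part of the article or of any vendor quoted in it, reads those files and flags anything still exposed; the SAMPLE_STATUS dictionary is constructed for offline use, and a host with no such directory at all is treated as a finding in its own right, since it means the kernel predates the fixes.

```python
"""Report Linux-kernel mitigation status for Meltdown/Spectre-class flaws.

Added example (not from the article). Reads the per-flaw status files that
patched kernels expose under SYSFS_VULN_DIR and classifies each one.
"""
import os
import sys

SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what a partially patched host might report.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Vulnerable: __user pointer sanitization and usercopy barriers only",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
    "l1tf": "Not affected",
    "mds": "some text this script does not recognise",
}

CLASSES = ("vulnerable", "unknown", "mitigated", "not_affected")


def classify_status(text):
    """Map one sysfs status line to a coarse class.

    The kernel's wording always begins with one of three fixed prefixes;
    anything else is reported as 'unknown' rather than silently passed.
    """
    t = text.strip()
    if t.startswith("Not affected"):
        return "not_affected"
    if t.startswith("Mitigation:"):
        return "mitigated"
    if t.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory=SYSFS_VULN_DIR):
    """Return {flaw_name: first line of its status file}, or {} if absent.

    An absent directory means a kernel without the Meltdown/Spectre patch
    series (or a non-Linux host); callers must not treat that as 'clean'.
    """
    if not os.path.isdir(directory):
        return {}
    statuses = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        try:
            with open(path, "r") as fh:
                statuses[name] = fh.readline().strip()
        except OSError:
            statuses[name] = ""  # unreadable file -> classified 'unknown'
    return statuses


def summarize(statuses):
    """Group flaw names by class; every class key is always present."""
    groups = {cls: [] for cls in CLASSES}
    for name in sorted(statuses):
        groups[classify_status(statuses[name])].append(name)
    return groups


def exit_code(statuses):
    """0 = everything mitigated/not affected, 1 = exposure, 2 = no data."""
    if not statuses:
        return 2
    groups = summarize(statuses)
    return 1 if groups["vulnerable"] or groups["unknown"] else 0


def main(argv):
    # Pass --sample to run against the constructed data instead of sysfs.
    statuses = SAMPLE_STATUS if "--sample" in argv else read_sysfs()
    if not statuses:
        print("no %s: kernel lacks the Meltdown/Spectre patch series" % SYSFS_VULN_DIR)
        return 2
    for cls, names in summarize(statuses).items():
        for name in names:
            print("%-13s %-12s %s" % (cls, name, statuses[name]))
    return exit_code(statuses)


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with no arguments on a Linux host to read the live status, or with --sample to see the classification on the constructed data. A non-zero exit code makes it easy to wire into a patch or vulnerability management job, which is the point Holloway makes above: applying the update is only half of the work, and knowing which machines are still exposed is the other half.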

Left in the dark

The BBC reports that the tech industry has known about the issue for at least six months, with everyone involved, from developers to security experts, signing non-disclosure agreements. The channel, as you might expect, was among those kept in the dark about the brooding security threat.

"Responsible disclosure means that those at the very heart of this problem - the chip manufacturers and some of the key operating system suppliers - have been working to patch their systems against this for six months," said Holloway.

"If you look at this from a chip designer and manufacturer point of view and place yourself in the shoes of, say, Intel, you have to design a new chip that does not have this security issue and in the process you have to make sure you do not introduce any new security issues. You then have to test it, manufacture billions of chips and distribute them to vendors across the world," he said.

Holloway said that from a hardware manufacturing and distribution point of view, it could be said that six months is nowhere near long enough.