Lessons from Meltdown and Spectre — and how to stay safe in the world of uncertainty
by Gene Shablygin, on Tue 09 January 2018
News about vulnerabilities hit the headlines almost daily. As each one is discovered and properly patched, they become history and usually do not pose any long-term threat. But when it appears from nowhere (zero-day) it can have devastating consequences, causing significant damage to the unprepared. Think Pearl Harbor – surprise can be really damaging.
Indeed, Meltdown and Spectre vulnerabilities, being promptly discovered and mitigated (initially in software, with future hardware architecture improvements) are not expected to cause any damage to the companies who promptly attend their vulnerable systems. However, looking at the commonalities in these vulnerabilities, and comparing them to notorious vulnerabilities of the past, like Heartbleed (CVE-2014-0160) and Venom (CVE-2015-3456) to name a couple, we can easily identify one very important issue – one way or another, external malicious programs can gain access to your program data. You never know what kind of data can be accessed in a new vulnerability, so the only reasonable assumption is that any data in your program, database or file is vulnerable.
Obviously, it is impossible to make all the data you are working with safe, because at the moment it is used, it must be decrypted and accessible. However, it is possible to minimize the footprint of possible attack.
The most prized target for most hackers is user credentials. Since (unfortunately) as of today most of the computer systems still relay on human-manageable credentials, stealing usernames and passwords is the easiest way to get access to all other information. From Target to OPM, from Clinton’s e-mail server to DNC – stolen credentials were the keys from the kingdom. And vulnerabilities like Meltdown and Spectre, Heartbleed and Venom, along with many others, known and unknown, is a path for the hackers to their prized targets.
So, there are a few “simple” ways to protect your systems, your data, your customers from many existing and upcoming threats:
Do not use human readable credentials for access control. Eliminate usernames and passwords for good. As long as you start sign-in dialogs with “username,” you open your system to various attacks;
Do not rely on simple salt for hashing, and on “whole disk” or “whole database table” encryption. Salt and encryption keys in such systems are constantly needed for access to data, and thus most likely stored in RAM or cache most of the time, making them the easiest target in Meltdown-type attacks.
Technologies eliminating these vectors of attack exist, although, unfortunately, not yet widely used. To stay ahead of the competition, system architects and business owners must adopt them as soon as possible, not to become the next Equifax.
One of the technologies addressing both problems is WWPass Distributed Data Storage. To learn more, contact us at firstname.lastname@example.org.