Meltdown and Spectre.
Care to guess what these two words represent? They're not rock bands, and they're not new Marvel villains ready to face off with the Avengers. (Disclaimer: Ok, so my Marvel-ous coworkers have corrected me; there are actually some minor Marvel characters named Meltdown and Spectre. These aren't them.)
In many ways, they're more dastardly. These real-world nemeses have the potential to destroy the online universe of any and every user of a laptop, computer or mobile device.
Wait. What?
Meltdown and Spectre are two similar but separate computer hardware bugs that have put the entire cybersecurity community on high alert. Companies that create, sell and support computer hardware, mobile devices, operating systems, and anti-virus software are scrambling to find fixes and quickly adapt their products to protect users from these newly-discovered threats.
Bank Independent's team of cybersecurity superheroes alerted us to the existence of Meltdown and Spectre when the issues first appeared on the radar of security experts. They have taken and continue to pursue every precaution to protect our systems, and therefore secure your personal and financial information. That's always our first priority.
We also feel strongly about providing you with the information you need to know about protecting your own devices. We're sharing this with you today not to alarm you, but to be sure that you are aware of potential issues that could affect your business and personal systems, plus help you to understand what is being done in the industry to keep you from becoming a victim of these computer vulnerabilities.
So with that said, here's what you need to know:
Meltdown and Spectre are NOT malware.
As we've shared in earlier blog posts, malware is an umbrella term for sneaky programs that gain instant and invasive access to your systems with the intent to steal data, trick you into providing entry to password-protected sites or even lock up your computer system until you pay a ransom. Malware is usually spread online via email, websites, pop-up ads or the like, and is most often triggered to invade your system when you click on a link or open an attachment.
Meltdown and Spectre are a design flaw in the main processor chip - the CPU - of modern computers. The flaw is in the hardware, not the software, which adds a different twist to the usual cybersecurity threat. According to the official Meltdown and Spectre webpage, everyone with a personal computer, mobile device or cloud account is "most certainly" affected by these vulnerabilities. Unfortunately, the flaw actually has been around for years, but was only recently discovered and reported by independent research teams.
How could Meltdown and Spectre affect my computers and mobile devices?
Basically, these hardware flaws allow programs in your systems to access and potentially steal data that is stored or processed on your computer. Unlike malware, these malicious programs don't disperse code that spreads across your entire system. Instead, the flaw simply provides an access point for these programs to reach in and grab sensitive information--which could include passwords stored in a password manager or browser, your emails, personal photos, instant messages and even critical business documents.
Are Meltdown and Spectre different vulnerabilities?
Yes, and your computer may be affected by one or both. It's like Meltdown and Spectre are partners in crime, working together on different aspects of your system to achieve the same goal: "un-securing" secure information.
So, normally your computer processor would keep applications and programs from accessing system memory where secure information may be stored. Chips are created with built-in virtual barriers to keep these areas separated.
Meltdown breaks down these barriers, basically "melting" the security boundaries. Spectre tricks other applications into accessing information; because it's not easy to fix, it "haunts" the system for a long time.
A potential light in the darkness of cyberspace
There might be a bit of good news here amidst the gloom and doom in the press, though. Despite the flaw, your information could sit safe and untouched in the memory of your CPU if there are no outside forces attempting to take advantage of the Meltdown and Spectre hardware flaws. In other words, something (someone) has to instigate the action to retrieve this exposed information, so unless the bad guys have been able to access your computer to spread malicious software, you may be unaffected.
In fact, one blog reports that so far, "it doesn't look like the Spectre or Meltdown flaws have been used in an attack" yet.
Unfortunately, the experts say that you probably wouldn't be able to detect if someone has used Meltdown or Spectre to access your computer's memory because these intrusions don't appear in traditional log files and were not monitored by most antivirus software...until now, perhaps. As stated earlier, this is an all-hands-on-deck situation with most every software provider, computer company, and antivirus service. They're working diligently to provide patches and updates that will protect you from Meltdown and Spectre. Some have become available with variable levels of protection (Apple, Google and Microsoft released updates last week), but others are still in production.
What you can do to protect yourself
There is still a LOT of work being done to determine how to fix and/or secure your device; some blogs are publishing updates on new patches and resolutions on a daily basis (THIS is a good one).
When it comes right down to it, your ultimate goal in protecting the security of your systems still boils down to securing your system from hackers and protecting yourself from malware. If the bad guys can't get in, they can't take advantage of the flaws.
Here are some tried and true cybersecurity practices that we all should exercise at all times--not just when we're alerted to a new cybercrisis:
- Accept and execute updates to your device, software and operating systems as they become available. In addition to fixing "bugs" and adding features, these updates can contain valuable software patches that protect you from newly-discovered vulnerabilities.
- Never open attachments or click links within a suspicious-looking email. If you get an email that is supposed to be from a trusted source but seems wonky to you, never hesitate to call that person or company to confirm that the email is legitimate. By "wonky," I mean that the email may contain misspelled words, inaccurate URLs, unusually-worded messages, strange punctuation, out-of-the-ordinary sender information...basically anything that doesn't look right. Opening an email to read the contents is usually ok; it's the attachments and links that usually kick off the malware code.
- Use strong, hard-to-guess passwords. Stay away from dictionary words, family names, significant dates, and business names. Use a combination of lower- and upper-case letters and include numbers and special characters if the program allows you to do so. Sometimes password parameters allow 100+ character passwords, so you could create a passphrase that's easy for you to remember but hard for others to guess.
This is by no means an exhaustive list, but there are a ton of resources on the web (including the Bank Independent blog) that regularly offer cybersecurity tips and alerts to new cyberthreats. Several government websites, like the United States Computer Emergency Readiness Team's site, Homeland Security's Stop.Think.Connect. site, or any of the links listed here are excellent options.