What Should Entrepreneurs Know About Meltdown and Spectre?
If you’ve been paying attention to tech news lately, you’ve probably heard about Meltdown and Spectre. Their names sound like comic book supervillains, but in reality, they’re as capable of wreaking damage as are Magneto and Venom -- except that they damage businesses.
If you're a business owner, you need to understand what your resulting vulnerabilities are and what you can do to protect your business.
What are they?
Essentially, Meltdown and Spectre are known security bugs that have the potential to affect nearly every computer or digital device in the world. Most security bugs affect either hardware or software -- for example, they might come from a problem with the way your device was constructed or represent a vulnerability to outside influence associated with the back-end code of an app or specific program.
Meltdown and Spectre are different: They exist at an architectural level within processors. Inside a kernel, the core of a computer’s operating system, data passes through in a plain, unencrypted form. Within the system, there are powerful protections designed to shield this unencrypted data from being observed or interfered with by outside sources.
Yet Meltdown and Spectre techniques are able to get around those protections. Hypothetically, this allows them to observe any actions you take on a computer, such as typing out a password, accessing private information or sending encrypted communications.
Meltdown, specifically, affects Intel processors, and exists as a kind of brute-force attack, breaking through the shield that prevents applications from reaching the kernel memory.
Spectre, meanwhile, affects Intel, AMD and ARM processors. And that means it can affect smartphones, wearables and almost anything with a chip in it; rather than breaking down a barrier, Spectre works by tricking an application into revealing ordinarily protected information.
How they were discovered
Meltdown and Spectre were initially discovered -- and given cute names and logos -- independently by three separate teams operating around the same time. Those team members included Jann Horn of Google Project Zero, Werner Haas and Thomas Prescher of Cyberus Technology, and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz of the Graz University of Technology.
The timing of those discoveries, within mere weeks of one another, seems surprising, given that these bugs had been present for more than 20 years. However, the coincidence actually wasn't that surprising: Many bugs are discovered by multiple teams independently and around the same time, even if they’ve been dormant but existent for years.
There are many possible explanations, including the fact that multiple teams might be inspired or prompted by the same circumstances and that teams tend to withhold such information until the bug is discovered by others.
Should you panic?
The worst-case scenario is a bad one. If someone has been using Meltdown and Spectre to spy on your devices, they could easily steal your passwords and compromise your data. And, because almost every device in the world is affected on some level by these vulnerabilities, you aren’t immune from the possibility.
If hackers got to your device before the bug was discovered, your information may already be compromised.
Even so, there’s no reason to panic. There are software patches for both Meltdown and Spectre, which effectively guard against their use. If those patches are applied, you’ll be protected from present and future attacks -- though if you’ve already been affected, there’s no way to retroactively undo that damage.
What you should do right now
So what should you do to deal with these vulnerabilities? Four things:
- Update your devices. Take whatever personal and professional devices you have and make sure they’re equipped with the latest OS and software updates. If you have your devices updating automatically, this should have already taken place -- but it never hurts to double check.
- Keep an eye on your important accounts. Just in case your device was affected before the patches were applied, keep an eye on your most important accounts. If you notice any suspicious activity, report it right away.
- Change your passwords. As an extra precaution, consider changing your passwords, and choosing strong, multi-character passwords as your replacements.
- Watch the news. Keep an eye out for more updates in case the story develops.
Meltdown and Spectre were scary because they've taught us a valuable lesson: Security bugs and vulnerabilities can lurk anywhere, sometimes for decades before they’re discovered. But these bugs, in particular, are officially squashed -- assuming you've installed the requisite patches.
If you install the latest patches, the only attacks you’ll need to worry about are the ones that have already occurred. And if you monitor your accounts carefully, you can respond to any suspicious activity immediately.