WCTS Responds to Spectre/Meltdown Cybersecurity Threat
January 22, 2018
Shortly after the arrival of the new year, reports of a new computer security threat known as Spectre/Meltdown began to circulate ominously in the internet news sphere. The threat targets a vulnerability in most computers, tablets and phones containing chips made after 1995. Through the vulnerability, personal data accessible to one program (usually private to that program) can be made available to another.
Linc Nesheim, Whitman’s Information Security Officer, warned the community of the threat in an email sent January 5. It is probable, however, that researchers and companies have been aware of the weaknesses for some time before their public disclosure.
“My reading is that it’s been probably close to six months or more since the research community became aware that this is a possible vulnerability,” Nesheim said.
Microsoft, Apple, etc. were likely notified by researchers upon the initial discovery. They then quickly began work on software patches to mitigate exposure to the deeper-rooted hardware issue. Other companies have followed suit, releasing similar patches that generally operate by avoiding the use of speculative execution, a feature that increases operating speed by predicting the browsing path most likely to be taken by the user, and loading (speculatively executing) it before even selected. As such, patches bring with their increased security a requisite decrease in pace.
“I think the cloud vendors are the ones that might take this performance hit you hear about. They say this is going to slow things down by 30 percent. It’s the Amazon folks, Google compute folks … they’re the ones that have thousands and thousands of computers running.”
For now, these patches remain preemptive. The vulnerabilities’ theoretical backing, though publicized, is yet to be exploited by hackers.
Additionally, Nesheim urged individuals (after patching their technology) not to worry.
“Conceivably it’s possible, but at this point, you’d have to have an unpatched chip, an unpatched operating system, and unpatched browser and a bad actor trying to get through those layers.”
Of course, this relies upon the assumption that users have been downloading updates as they become available. Computers owned by the college have been updated, but students’ personal electronics are at greater risk, as they are not guaranteed to be up to date software-wise.
Of this, he advised students to, update their operating system “as frequently as [they] can. Whenever a new patch comes out, have it happen.”