The end of the world you say?

ozgurSecurityLeave a Comment

In light of the recent discussion surrounding the vulnerabilities named Meltdown and Spectre I think we should take a step back and look at this with a bit of perspective. Due to a premature disclosure, these vulnerabilities received a lot of media attention and that is good in terms of awareness – and an absolute majority of vulnerable systems will be patched in the near future.

As far as host security is concerned, we’re your service provider and we’ve got you covered, but you mustn’t let up one bit about guest security and patch your systems as soon as humanly possible. Vulnerabilities should always be taken seriously and should always be patched in a timely manner but doomsday rhetoric and end of the world scenarios in the media can be problematic. Because if we look at this as objectively as we can, this was a serious vulnerability but not a critical one. I know for a fact that this is not the last vulnerability we have seen and there will come a time when really nasty vulnerabilities, ones that may actually be the end of the world, could show up. Let’s try not to cry wolf to many times before that.

So, why do I think that this isn’t something that should create panic? Well it all comes down to hack value. I will do my best to explain this in the in a not so technical manner. To my fellow geeks out there who will bash me for it – this will be simplified and not 100% accurate but enough to show my point.

First, let me explain the vulnerabilities as simply as I can.

Basically, by utilising the vulnerabilities Meltdown and Spectre someone with bad intentions (I don’t like the term hacker but that is a separate story for some other time) could gain access to private information temporarily stored on said processor. You see, this is a hardware bug and it affects processors and their way of processing data. Now, which types of processors you ask? Well, If I say Intel processors I think most people, even not particularly techie ones have heard that name. And, the cherry on top is that this brand covers a huge part of the billions and billions of processors installed on any type of devices, anywhere in the world – You see the problem?

Why is this serious?

In many hosting scenarios today customers share the same hardware for whatever they are hosting on their virtual machines, shared hosting accounts or what have you. This is true in clouds, shared webhosting and in some container services.

For these industries, it is crutial to ensure that each customer can only reach their own information and not that of other customers. This is also the reason why these vulnerabilities are serious for cloud providers like ourselves.

What is hack value?

But when looking at the risk of this causing harm you need to determine the hack value. Hack value is the amount of useful i.e. valuable information that someone with bad intentions can gain vs the involved risks and the amount of cost and effort to obtain the information. The bigger the hack value the bigger the risk of being exploited.

Why these particular vulnerabilities are of low hack value

The vulnerabilities allows me to start a virtual server in a cloud and write a program that reads information stored in the memory of the physical CPU that my server is using. If another customer is sharing the same physical CPU and has stored information in the memory of that CPU then that information might be exploited.

However, the probability of gaining “useful” information from this approach is low. Information in CPU memory is information that are in use at the moment so it is usually fragmented and changes a lot over time so you would need to do a major copying of information flowing through the CPU memory over a period of time to obtain useful information. Add to this that you have no way of knowing who you share CPU with at any given moment and this changes a lot in cloud environments since workloads are usually distributed over several CPUs.

Detectability

In our type of hypervisor, an attempt to exploit these vulnerabilities to gain useful information is also detectable and gives out a pattern that raises red flags at most cloud providers. There is no known exploits and an attempt to create one would either require a lot of resources at a lot of places at the same time or if you are trying to fly under the radar it would take way too long and by then the vulnerabilities would have been patched. A simple analogy would be to check in to a random hotel room and using a power drill to place microphones into the walls in order to record any conversations in the neighbouring room. You have no way of knowing who will occupy the room next to you and going through all the recordings would take a lot of effort. Add to this that the risk of being detected is quite high and that in turn does not give a very high hack value.

The key here is detection. This is not the last hardware related vulnerability we have seen but if you have a good detection and alerting system in place you can stand guard agains major damages. If you rely solely on the firedepartment to save you when your house is on fire, chance are that your damages will be a lot higher compared to having fire alarms installed and extinguishers available.

I am usually met with arguments like; “What if all firemen are unavailable at the same time?” Well yes that would be bad but back to probabilities. If you use a provider that takes security seriously then you are usually well protected just by thier detection systems. If you use a provider that takes shortcuts in security, my guess is that there might be more serious and unprotected vulnerabilities.

To be perfectly clear these vulnerabilities are serious and should be handled accordingly but as a cloud provider you should not rest your security framework solely on having flawlessly designed hardware. Similar things will happen again and you should have planned for this to some extent.

Blowing things out of proportion

The next problem with blowing things out of proportion, besides from crying wolf too much, is the fact that we tend to focus on problems that are not the weakest link in the security protection you deploy.
A recent customer of mine was very concerned about these vulnerabilities and put in a lot of resources in handling the problem. Since it had huge media attention, the security team at the company even had to report directly to the board of directors regarding the handling and mitigation of Meltdown and Spectre. To prove a point, I walked in to their office and even though they have a staffed reception I was able to tailgate a delivery guy and access a restricted area, the actual office where the employees have their desks. Walking around a few minutes I found a computer. I was plesently surprised that the computer was locked and that they were using smart card login. However, they hadn’t disabled the option to “use password instead” which I of course had to try. I typed “password” which didn’t work but i got the hint link to show up. The hint said “frog” and I entered “kermit”, you guess what happened…

My point

We should direct our resources and efforts to what has best effect of keeping you safe even if it is boring and does not get as much headlines. A bigger firetruck versus installing fire alarms in every room. If you want to broadcast news in an end of the world fashion make sure it actually poses an immediate and imminent risk or it will drain resources from what might well be more urgent concerns. To emphisise you should alwas patch vulnerabilities in a timely and urgent fashion but this should already be a natural and well established procees within any IT organization today. If these vulnerabilities makes you realize for the very first time that you should do security patching then you have bigger problems than Meltdown and Spectre.

 

 

namnlöst-150508_01-högupplöstKim Hindart, CSO at City Network, has a long background in information security with previous experience from News and media industry, IBM, Swedish Army and Big Telcos. He is a long term enthusiast in Open Source projects like Symbian, Android and Open Stack.When not involved in security work, he likes to play around with databases and mobile operating systems. According to Kim, Internet access and cheese are the big necessities of life.

SaveSave

SaveSave

SaveSave