Bob Gourley is a member of the cyber advisory board of TheCipherBrief.com He was interviewed on the topic of the flaws recently announced in Intel and AMD chips. The following is from that interview:
Cybersecurity researchers have discovered two major software vulnerabilities in the Intel microprocessors inside the vast majority of all computers. Dubbed “Meltdown” and “Spectre,” the vulnerabilities could allow hackers to siphon off the entire memory contents of computers, mobile phones and servers that run on cloud networks.
Two Cipher Brief experts – Bob Gourley and Michael Sulmeyer – offered distinctly different takes in conversation with The Cipher Brief, adapted below.
Bob Gourley, former director of intelligence (J2) at DoD’s first operational cyber defense organization: Everything is vulnerable now. Everything.
New computer security vulnerabilities affect every modern computer chip. Here is what to do about it.
The vulnerabilities in computer chips publicly disclosed on Tuesday are unlike anything I have ever witnessed before. Researchers call these vulnerabilities “Spectre” and “Meltdown.” I call them a hot mess.
Here is why this is unique: This is a vulnerability in hardware design. There is a feature in all modern computer chips that helps speed up the processing and optimize performance. This feature is called “speculative execution.” Security researchers at Google’s Project Zero found that this feature, which is designed into the hardware itself, can be exploited in ways that give unauthorized users access to information in the system’s memory, including passwords and encryption keys. That can open up the entire system to an adversary who seeks to exploit it.
The vulnerability applies to personal computers, computers in data centers and the cloud, mobile devices and many embedded systems. It applies to many medical devices, transportation systems and infrastructure systems. It applies across our energy distribution infrastructure. It applies to every base, post, camp, station, ship and depot in the U.S. military. They are all vulnerable now.
The Google team are community minded players and began working with others soon after their discovery. This means that a larger team of security researchers have been working on this for quite a while. Patches are coming to operating systems to mitigate these risks. The patches should be out in a matter of days.
However, in most cases these patches are going to reduce the functionality of the computers they are installed on. Essentially what they are doing is turning off the great feature everyone wanted. The computers will be less functional. Imagine having a computer that you bought and paid for now operating at 30 percent less capability. How much do you feel you should have paid for that computer now?
The time it takes between a vulnerability being disclosed and exploited is shrinking. The countdown clock has started. Patches must be provided, tested, deployed, and systems patched fast. We have to fix this or attacks will occur in ways we have never considered before.
Over the last 20 years, we have seen the security community come together to work many other big vulnerabilities. This is certainly not the first and won’t be the last. But it is the first I have ever seen that has such widespread damage potential. And it is the first that is going to cause so much degradation once put in place. The patches themselves will be like a self-inflicted wound that makes computers perform worse. This is ugly.
My recommendation:
- Review all your processes for patching now. You are going to patch everything.
- Review your IT budget. You may very well be buying new computers sooner vice later
- Prepare to accelerate your cloud transition. This is yet another reason to move to the cloud, where you can take advantage of the great engineering of a well-managed service provider.
For more see: Intel Inside? Our Experts Debate Threat in New Chip Flaw
Cybersecurity is a key component of both our CTO-as-a-Service offerings and our Technology Due Diligence line of business. Please contact us for more information on any of these topics.