Crypto Security: Meltdown & Spectre Attack Exploits

2 66
Avatar for MintDice
4 years ago

With computational systems in the evolving information era, we run a constant cat and mouse game between security researchers attempting to create secure and robust systems against hackers, governments and other prying eyes. This is a nonstop ideological war that will persist for the foreseeable future in a game of incomplete information. On the privacy side of the equation, security/data researchers will argue that your personal data should be your own. Meanwhile, governments will claim that they need to have access to backdoors to enter people's private lives in the name of domestic security. And outside the ideological aisle we have hackers that are often attempting their tricks for personal and/or financial gain. With weakened systems that are brought on by governments or major corporate entities, the overall architecture of computational security declines. This increases the attack vectors for hackers to also enter into your systems, one of the many drawbacks to allowing this sort of behavior to happen in the first place.

As a reader, you are probably a MintDice and cryptocurrency enthusiast, and while we all enjoy the liberties and freedoms that Bitcoin and other cryptos have afforded us, it's also important to stay up to date on the latest cybersecurity threats so that both the MintDice Bitcoin casino stays safe but also for our users who deposit and withdraw with cryptocurrencies can continue to go about their day to day lives uninterrupted by arbitrary or malicious third party actors.

Meltdown & Spectre Exploit

Between the two exploits discussed here, Meltdown was the more serious of the two but also the easier one to fix. Meltdown was nicknamed as such because it effectively melts the security boundaries that are normally enforced by hardware protocols. Ultimately, what Meltdown will do in a practical sense is that it will access the memory, and therefore the secrets of programs and operating systems that are used by the user.

The unfortunate thing about Meltdown is that it is virtually undetectable by standard security protocols because it does not leave any trace by programs that exist today because it is relatively novel. Fortunately, however, there have been patches to fix these vulnerabilities. This does require that users update their operating systems on a frequent basis and other programs to stay up to date with potential threats that exist.

Switching gears over to Spectre, this is the more devilish of the two exploits. Spectre, while not nearly as threatening as Meltdown, is also going to be extremely difficult to fix. Spectre received it's name from the root cause known as speculative execution. Added to that was the fact that security researchers will be haunted by this vulnerability for years to come and we ended up with the name Spectre. Spectre does namely one of two things, it breaks the isolation gaps between programs and targets the standard best practices to keeping programs from leaking their secrets. Ironically, the best practices actually make Spectre stronger than those that don't use the best practices of the computing world today.

As was said just prior, there is no immediate fix for Spectre. Additionally, for both Meltdown and Spectre, since they are novel exploits, there has been no engine to track any traces left by potential third party actors that could have been abusing such security flaws for personal gain. This, unfortunately, leaves security researchers completely clueless as to whether or not these vulnerabilities have been exploiting users the past few decades or not.

Personal Impact of Meltdown & Spectre

With the really basic run down on Meltdown and Spectre, we can mostly toss these into the bucket of generally "bad things". Let's ask a few important questions though:

"Have I personally been affected" - Yes, you have, almost certainly. To what extent is virtually unknowable though.

"What can be leaked" - Virtually everything from passwords to documents and other sensitive data.

"What can I do about this?" - This is the more important question and one that we'll spend time with. Realize that with technology, almost everything will deal with trade-offs at the higher end of situations. By using one type of protocol you'll often gain certain advantages at the expense of others. With Spectre and Meltdown, there's only so much that can be done. Hardware created by AMD released each year often claim to be more Spectre resistant with each new generation of chips. How effective this truly is, is probably another unknown. There are always best practices when it comes to keeping your data safe. Often times, the convenience of keeping your data safe will come at the expense of convenience.

Take cryptocurrency, for instance. By having your cryptocurrency stored on an online hot wallet will probably expose your money to the largest risk from these Meltdown and Spectre attack vectors. If the money you have stored online is small enough in amount, it probably isn't worth worrying too much about these types of problems since sophisticated hackers have bigger fish to fry. However, if or when you have obscenely large amounts of cryptocurrency to worry about, the dynamic changes. You of course can download desktop wallets but keep in mind, for the ultra paranoid, that these wallets are by no means bulletproof because of these very attack vectors we've spent all of our time discussing.

This leads to two more serious options. The first one is to get a hardware wallet, but even that is technically susceptible to various attacks, in theory. To become ultra bulletproof, you would need to get a paper wallet developed with real life tools. This is about as safe as cryptocurrency money can get. Notice that each step of the way we've been sacrificing levels of convenience for greater levels of security. These levels of security should go hand in hand with a user's acceptance of risk and a user's Bitcoin hoard at stake.

Ongoing Threats

Brilliant security researches like Jann Horn from Google has found these two exploits. They have both existed since pretty much the beginning of time so to speak dating back to the 1990s. The fast fix to Meltdown was effectively to lower the processing speed efficiencies for many computers by a fairly dramatic 30-40%. This had to be done since Meltdown was a very serious issue. Meltdown is by no means an anomaly, however. Many other security vulnerabilities have existed in plain sight for decades which include the like of Heartbleed which also just happened to be discovered.

The point being that while there are known threats, two more types of threats also exist. Those are the known unknowns, as in, security threats that the public doesn't know about but are probably being used against society by the few malicious actors pilfering off of the exploits. And then there are the unknown unknowns, things that not even the top end agencies are aware of that could in theory be used against society for whatever nefarious purpose or end goal achievement they come up with.

As a user of technology, it's important for you to decide how much you care. Because at the highest levels again, all you have are trade-offs. As you care more about security, you will often forego other conveniences which could come in the form of using often worse quality open sourced software, paying more money for higher security, spending more time to deal with your security or any other such measures. You need to decide the amount of overall security that is best for your individual case and how much you care to fight back against entities that by definition do not have your best interests at heart.

Generally speaking, we'd recommend adopting at least a mild to moderate amount of security above the norm at an absolute minimum. Often with security or most aspects of life, you can gain the largest benefit in the initial stages with the smallest amount of input. By simply choosing to use a Trezor instead of an online hot wallet, you'll perhaps do yourself a huge favor down the road. Meanwhile, going to very insane depths to get a paper wallet may not be worth all the hassle that comes with such implementations. MintDice may do a few articles in the future which will have relatively easy security implementations that could vastly improve your overall user experience and security while online, so keep an eye out for those MintDice blogs.

This article was brought to you by the crypto dice game on MintDice. Originally posted on MintDice.com.

17
$ 1.62
$ 1.62 from @TheRandomRewarder
Avatar for MintDice
4 years ago

Comments

Wow, this is really good post. Just amazing,, superb,, i really like this post . I am waiting for next post ,,thank you

$ 0.00
4 years ago

Very nice article dear sir ❤️ your article is very informative . Carry on sir . Iam always with you

$ 0.00
4 years ago