Major CPU security flaws affecting ALL computer systems

Major CPU security flaws affecting ALL computer systems

Meltdown and Spectre are the names of two serious security flaws that have been found within computer processors. They could allow hackers to steal sensitive data without users knowing, one of them affecting chips made as far back as 1995.

What are Meltdown and Spectre?

Meltdown is a security flaw that could allow hackers to bypass the hardware barrier between applications run by users and the computer’s core memory, which is normally highly protected.

Spectre is slightly different. It potentially allows hackers to trick otherwise error-free applications into giving up secret information.

Is it serious?

Yes. Meltdown is “probably one of the worst CPU bugs ever found” according to Daniel Gruss, one of the researchers at Graz University of Technology who discovered the flaw. It is very serious in the short term and needs immediate attention.

The problem with Meltdown is that anything that runs as an application could in theory steal your data, including simple things such as javascript from a web page viewed in a browser.

Spectre, on the other hand, is harder for hackers to take advantage of but is also more difficult to fix and is expected to be a bigger problem in the long term.

What kinds of devices are affected?

Practically every computing device affected by Spectre, including laptops, desktops, tablets, smartphones and even cloud computing systems. A few lower power devices, such as certain Internet of Things gadgets, are unaffected.

What is a processor?

The processor, or central processing unit (CPU), is the primary chip in a computer that carries out the instructions of a computer program – in essence, the brain of the computer.

When you command a program to do something, it is the processor that carries out that command, co-operating with the rest of the system to perform whatever task is needed.

There are other types of processors, including graphics processing units (GPU) or graphics cards, co-processors such as sensor chips that detect motion or similar physical conditions, but the term “processor” without a caveat is generally exclusively used to describe the CPU.

Does it only affect Intel processors?

Spectre affects all modern processors, including those designed by Intel, AMD and ARM, but Meltdown is currently thought only to affect Intel chips manufactured since 1995, with the exception of the Itanium and Atom chips made before 2013.

What can be stolen?

Credit cards could be at risk due to Meltdown.
Pinterest
 Credit cards could be at risk due to Meltdown. Photograph: Alamy Stock Photo

The core system, known as the kernel, stores all types of sensitive information in memory. This means banking records, credit cards, financial data, communications, logins, passwords and secret information could which is all be at risk due to Meltdown.

Spectre can be used to trick normal applications into giving up sensitive data, which potentially means anything processed by an application can be stolen, including passwords and other data.

Is it already being used to steal data?

The UK’s National Cyber Security Centre said that there is no evidence that Meltdown and Spectre are actively being used to steal data at the moment, but the nature of the attacks make them difficult to detect.

Experts expect that hackers will quickly develop programs to launch attacks now that the information is available. Dan Guido, chief executive of cybersecurity consulting firm Trail of Bits, said: “Exploits for these bugs will be added to hackers’ standard toolkits.”

What can I do about it?

Users can do little to avoid the security flaws apart from update their computers with the latest security fixes as soon as possible. Fixes for Linux and Windows are already available. Chromebooks updated to Chrome OS 63, which started rolling out in mid-December, are already protected.

Android devices running the latest security update, including Google’s Nexus and Pixel smartphones, are already protected. Updates are expected to be delivered soon. Users of other devices will have to wait for the updates to be pushed out by third-party manufacturers, including Samsung, Huawei and OnePlus.

On Thursday night, Apple advised customers in a blog post to update their devices’ operating systems and only download software from “trusted sources such as the App Store”. The company also said that “there are no known exploits impacting customers at this time”.

If you are running old and unsupported operating systems or old phones which are no longer receiving updates, then there is no fix and your devices will remain vulnerable unless you upgrade your operating system.
I do offer Windows 10 upgrades for anyone that is not able to do this themselves.

Will the fixes slow my computer?

While the fixes for Spectre are not expected to have much immediate impact on the performance of computers, the nature of the fixes needed to protect against Meltdown could have a significant impact.

That’s due to the separation of the application and kernel memory required by the various operating systems to prevent the flaw being used to access protected data. Separating the two memory systems like this means that tasks that constantly require the kernel do to things, such as writing files to disk or sending data over a network, could be significantly slower due to the increased time it will take for the processor to switch between the application memory and the kernel memory.

Some early estimates predict up to 30% slower performance in some tasks. Whether users will notice a difference on their computers will depend on the task they are trying to do. Gaming, browsing and general computing activities are unlikely to be affected, but those that involve lots of writing files may become slower.

Some technologies, such as Intel’s Process-Context Identifiers (PCID) that was included with the company’s processors since 2013, can lessen the impact of the fixes if taken advantage of in the operating system.

Who found it?

Meltdown was independently discovered and reported by three teams, including Jann Horn from Google’s Project Zero, Werner Haas and Thomas Prescher from Cyberus Technology and Daniel Gruss, Moritz Lipp, Stefan Mangard and Michael Schwarz from Graz University of Technology in Austria.

Spectre was independently discovered by two people, including Horn and Paul Kocher, who worked in collaboration with Daniel Genkin, from University of Pennsylvania and University of Maryland, Mike Hamburg from tech firm Rambus, Lipp, and Yuval Yarom from the University of Adelaide and Data61.

What about cloud services?

The problem is magnified for cloud services such as Amazon’s Web Services and Google’s Cloud Platform, due to the scale of their computing resources and the potential impact on performance of the fixes.

Amazon said it was in the process of patching systems with all but a “small single-digit percentage” of its Amazon Web Services EC2 systems already protected, but that “customers must also patch their instance operating systems” to be fully protected.

Google also said that the majority of its systems were updated, but that some additional customer action may be needed for its Compute Engine and other Cloud Platform systems.

Microsoft said it was in the process of deploying fixes to its cloud systems.

 

BT customers targeted by Indian call centre scammers

BT customers targeted by Indian call centre scammers

BT customers in the UK have been targeted by call centre scammers in India – with one person reporting they were defrauded for thousands of pounds this week.

The issue appears to have been going on for more than a year. Some customers said the fraudsters knew their personal details.

One victim reported he had he got a call from someone this week asking for him by name, talking about his existing broadband problems which he had reported to BT previously. This individual claimed he had malware on his computer and said he need to access his machine via a third-party client.

“Within the hour he had over £1,000 in two payments from his bank account. Fortunately, Lloyds stepped in on the second larger payment and stopped it progressing,” said his son-in-law, who asked not to be named.

A BT customer forum thread entitled Possible Scam has hundreds of comments dating back from last year.

Another recently wrote they had already been in touch with BT about their broadband prior to receiving a call from an Indian man stating that he was calling from BT.

“He asked me to confirm the postcode and address which he gave to me over the phone and then my date of birth. At that point, I said no and he hung up. Clearly a scam call and weirdly never had to call BT until the last few weeks and all of a sudden a call.”

Another said the same thing happened to him, adding that the caller was very plausible until they wanted remote access to his PC hard drive.

“She even knew my address, phone number and both mine and my husbands name… so had access to some of our details.”

Fraud appears to be a growing problem across the sector. Last month TalkTalk was hit with a £100,000 fine after the data of the records of 21,000 people were exposed to fraudsters in an Indian call centre.

A BT spokesman gave the usual spiel: “BT takes the security of its customers’ accounts very seriously. We proactively warn our customers to be on their guard against scams. Fraudsters use various methods to ‘glean’ your personal or financial details with the ultimate aim of stealing from you. This can include trying to use your BT bill and account number.”

He advised customers should never share their BT account number with anyone and always shred bills. “Be wary of calls or emails you’re not expecting. Even if someone quotes your BT account number, you shouldn’t trust them with your personal information.”

He said: “We’ll never ask customers for personal information out of the blue and we’ll never call from an ‘unknown’ number. If we’re getting in touch about your bill, it will usually be from either 0800 328 9393 or 0800 028 5085.” ®

More ways to get paid with PayPal

More ways to get paid with PayPal

Get paid anywhere with PayPal Here

Accept card and contactless payments easily without monthly fees using just your mobile phone and the PayPal card reader.

 

PayPal HERE

I  am now setup with PayPal here, and can provide you with an onsite demo (Kent only) and training in using the card reader. If you do not already have paypal, I can help you setup paypal, a full merchant account if you also need online processing and anything else e-commerce related.

Contact Me

Accept all types of payments, cards or contactless, including Apple Pay and Android Pay. Payments reach your PayPal account in seconds.

paypal payment types

Accept all types of payments

Contactless

Smartphone or Smartwatch

Chip & PIN

Magnetic swipe

paypal here contactless

PayPal HERE smartphone payment

PayPal HERE chip and pin

PayPal HERE magnetic stripe

 

PayPal.Me, your link to getting paid back.

Create your paypal.me link, share it and start receiving money, Simples!

Use it to split a bill with friends or accept payments from customers. Anyone can use it.

LEARN MORE

This feature is most definitely very long overdue, and I am frankly surprised it has taken PayPal so long to get this done, it isn’t exactly difficult to do.

Why would you need this?

If you normally deal in cash and you are onsite with a client, but they do not have the cash, you can just send them your

If you normally deal in cash and you are onsite with a client, but they do not have the cash, you can just send them your paypal.me link, or type it for them on their computer, tablet or phone, and get paid right there on the spot.

Sold something on gumtree, at a car boot sale etc, just send them your link to get payment.

Welcome to the new wordpress blog

Mango Blog was great for the few years I have used it, but it rarely gets any updates (only 1 in the 3 years I have used it I think)  and what few plugins there are, many of them are dead, and the rest are not being maintained or updated either.
The cfformProtect anti-spam plugin seems to be failing more and more, I have not even been able to post on the mango blog forums for the last couple of years as cfformprotect wont let me, despite informing laura many time, this has never been fixed. So I can only assume other must be having this same issue on sites running mango blog are probably losing comments due to people being unable to post.

Sadly I couldn’t really find any good reason to stick with Mango other than misguided support for CF just for the sake of it. I have been using WordPress for just about everything else I do for several years now, and it really is a no brainer in most cases as it effortlessly does everything you need with its plethora of plugins and then some.

So I have finally bit the bullet and moved my blog to WordPress as well.

Moving all my content from my old blog is proving to be a chore, there is no easy way to do this, the rss import is the closest I came, but it doesn;t import the images and mango doesn’t show all posts on the rss feed either. So I will have to keep the old blog online as well until I find a way to do this or write a tool that does it for me.