
Meltdown and Spectre question.

Wouldn't forcing 2-step verification on everything stop Spectre from being a problem?

If you had to confirm every single thing important that you log into with your phone, wouldn't you be fine even if someone was watching what you were doing?

That way them getting your passwords wouldn't be a problem.

 

Why don't we just do that for the CPUs that aren't getting patches?

 

Honestly, I think we should be forcing sites that hold onto personal info to make this option available for everything regardless.

 

I could be way off base here.

What do you guys think?

 

I have a Haswell processor so I'm wondering myself if two-step verification is enough to feel secure.

 

 


Forcing 2 step authentication would solve quite a few security issues, but it's not really a realistic solution, you can't expect every company to suddenly adopt it, so it's kind of pointless as a suggested solution. 

 

Spectre and Meltdown have been blown way out of proportion though, basically nothing has actually utilised them to cause harm. A big deal has been made out of it due to how widespread the vulnerability is, but as of right now, it doesn't appear to actually be a serious threat. People are still somewhat on edge after what happened with Eternal Blue, but that was on a whole different level to Spectre and Meltdown.


13 minutes ago, Oshino Shinobu said:

Forcing 2 step authentication would solve quite a few security issues, but it's not really a realistic solution, you can't expect every company to suddenly adopt it, so it's kind of pointless as a suggested solution. 

 

Spectre and Meltdown have been blown way out of proportion though, basically nothing has actually utilised them to cause harm. A big deal has been made out of it due to how widespread the vulnerability is, but as of right now, it doesn't appear to actually be a serious threat. People are still somewhat on edge after what happened with Eternal Blue, but that was on a whole different level to Spectre and Meltdown.

Yea, I have a feeling it's exploited for more high level, serious things than simple identity theft.

Like cyber-warfare on an international level type stuff.

 

I'm talking more something like 2-step verification being required to use a Visa, Mastercard, Paypal, etc. Things that are more serious and targeted towards where it matters so it's more realistic to implement.


2 step can only get you so far. When an exploit can be used to get hold of a private key, it doesn't really so much.

AMD Ryzen R7 1700 (3.8ghz) w/ NH-D14, EVGA RTX 2080 XC (stock), 4*4GB DDR4 3000MT/s RAM, Gigabyte AB350-Gaming-3 MB, CX750M PSU, 1.5TB SDD + 7TB HDD, Phanteks enthoo pro case


You don't need to worry about Meltdown/Spectre unless you run random executables you find online. If that sounds like you then you have bigger problems such as keystroke loggers or RATs which are much easier to make and more widespread.


15 hours ago, stateofpsychosis said:

Wouldn't forcing 2-step verification on everything stop Spectre from being a problem?

If you had to confirm every single thing important that you log into with your phone, wouldn't you be fine even if someone was watching what you were doing?

That way them getting your passwords wouldn't be a problem.

 

Why don't we just do that for the CPUs that aren't getting patches?

 

Honestly, I think we should be forcing sites that hold onto personal info to make this option available for everything regardless.

 

I could be way off base here.

What do you guys think?

 

I have a Haswell processor so I'm wondering myself if two-step verification is enough to feel secure.

Spectre and Meltdown affect far more things than just logins. If all you want is to protect your Facebook account then 2-step might be good enough to make it impractical (although by no means impossible) to hijack your account. Spectre and Meltdown could potentially be used to access anything on your computer though, including personal files.

 

15 hours ago, Oshino Shinobu said:

Spectre and Meltdown have been blown way out of proportion though, basically nothing has actually utilised them to cause harm. A big deal has been made out of it due to how widespread the vulnerability is, but as of right now, it doesn't appear to actually be a serious threat. People are still somewhat on edge after what happened with Eternal Blue, but that was on a whole different level to Spectre and Meltdown.

There have been more than 130 different exploits found that utilize Spectre and Meltdown out in the wild.

The situation isn't that serious right now, but it could quickly get out of hand and it is important to protect yourself.

 

 

5 hours ago, Jasco1997 said:

You don't need to worry about Meltdown/Spectre unless you run random executables you find online. If that sounds like you then you have bigger problems such as keystroke loggers or RATs which are much easier to make and more widespread.

Things like JavaScript could potentially take advantage of the exploit as well. So it's not just executables.


2 hours ago, LAwLz said:

Spectre and Meltdown affect far more things than just logins. If all you want is to protect your Facebook account then 2-step might be good enough to make it impractical (although by no means impossible) to hijack your account. Spectre and Meltdown could potentially be used to access anything on your computer though, including personal files.

 

There have been more than 130 different exploits found that utilize Spectre and Meltdown out in the wild.

The situation isn't that serious right now, but it could quickly get out of hand and it is important to protect yourself.

 

 

Things like JavaScript could potentially take advantage of the exploit as well. So it's not just executables.

I'm confused on this one.

If I have to confirm every login on another device, how could they still get into anything important?

 

Your email is like your masterkey that everything resets to so wouldn't having two-step verification on that make it pretty much bulletproof other than if you both lose your phone and have someone get your password at the same time?

 

I wouldn't care about Facebook or most other things on my computer because I don't keep any sensitive info just lying around.

All that matters to me is that my email is as secure as it can be.

I'm good on that right?

 


It takes a pretty experienced hacker to get to use the spectre / meltdown exploits because they are like kernel level. They probably can get past 2-step verification no problem if they can actually utilise the exploit.


7 minutes ago, RorzNZ said:

It takes a pretty experienced hacker to get to use the spectre / meltdown exploits because they are like kernel level. They probably can get past 2-step verification no problem if they can actually utilise the exploit.

How though? They'd have to have access to both your computer and phone wouldn't they? That would be a lot of effort to hack one person.

I think it would have to be like high level geo-political warfare for anyone to go that far to hack someone. 

Like, if you're a hacker trying to make money through identity theft and all of that, wouldn't you go after the low hanging fruit? People who would be easy to dupe.

The only way I can see them doing it is by getting a new phone in your name after stealing everything else to do with your identity to do it sort of like what that hacker tried on Linus that one time which didn't end up being enough to compromise him anyways.


I don't know. The only thing I know that's anything close to hacking is how to use hex comparisons, brute force, debuggers, cheat engine, etc to cheat in video games :P

 


11 minutes ago, stateofpsychosis said:

I'm confused on this one.

If I have to confirm every login on another device, how could they still get into anything important?

 

Your email is like your masterkey that everything resets to so wouldn't having two-step verification on that make it pretty much bulletproof other than if you both lose your phone and have someone get your password at the same time?

 

I wouldn't care about Facebook or most other things on my computer because I don't keep any sensitive info just lying around.

All that matters to me is that my email is as secure as it can be.

I'm good on that right?

 

Multi-Factor Authentication (MFA) can only solve so many problems, in some cases it can make systems less secure by making them less reliable. Users of technology really aren't that smart, the majority of the time people will forget their token devices, biometric readers are expensive and cumbersome, and they take TIME (time is money).

On top of that, not everyone has all of their 'important stuff' stored in online accounts. For the people that don't, a malicious process arbitrarily reading memory is a major issue. There are a lot more important things that can be compromised through these exploits than the password to an online account.


1 minute ago, stateofpsychosis said:

How though? They'd have to have access to both your computer and phone wouldn't they? That would be a lot of effort to hack one person.

I think it would have to be like high level geo-political warfare for anyone to go that far to hack someone. 

Like if you're a hacker trying to make money through identity theft and all of that, wouldn't you go after the low hanging fruit? People who would be easy to dupe.

The only way I can see them doing it is by getting a new phone in your name after stealing everything else to do with your identity to do it sort of like what that hacker tried on Linus that one time which didn't end up being enough to compromise him anyways.

 

I haven't asked one unfortunately, but I imagine if you can get kernel access ur a pretty good hacker at any rate and can probably spoof it. I'm not an expert tho and it's 2am for me ;)

 


2 minutes ago, .Ocean said:

Multi-Factor Authentication (MFA) can only solve so many problems, in some cases it can make systems less secure by making them less reliable. Users of technology really aren't that smart, the majority of the time people will forget their token devices, biometric readers are expensive and cumbersome, and they take TIME (time is money).

On top of that, not everyone has all of their 'important stuff' stored in online accounts. For the people that don't, a malicious process arbitrarily reading memory is a major issue. There are a lot more important things that can be compromised through these exploits than the password to an online account.

So in other words, be smart, don't keep sensitive data lying around on your computer and use touch ID instead of just a password.


1 minute ago, stateofpsychosis said:

So in other words, be smart, don't keep sensitive data lying around on your computer and use touch ID instead of just a password.

Touch ID has its own security concerns. Sensitive files that are kept encrypted and stored on your hard drive are fine. Spectre and Meltdown read your system memory (essentially when your data is in its most vulnerable state, the processing state).

Let me put it this way, let's say you are using asymmetric encryption to communicate online, which everyone on this website is doing but I'm sure you can imagine the big business and government that also apply the same encryption methods. You receive a message and decrypt it using your private key. If you are being attacked by someone exploiting Spectre or Meltdown your private key has been compromised. Not only does this person have the ability to read every encrypted message sent to you using the matching public key, violating confidentiality. They can also use your private key to sign messages as you, violating integrity. AND THEN if this wasn't enough, you wouldn't even know that your encryption key had been compromised and even when you do find out you have the whole headache of getting new certs and distributing your new public key.

Temporary keys used in encryption are also in danger but I feel like this post is long enough.


In case anyone is wondering about the full implications, here is the Google Project 0 and the linked whitepapers:

If you have any more questions about the vulnerabilities themselves, please see the whitepaper first. If you have questions about what you saw in the whitepaper(s), please feel free to ask for clarification. This info has been available for weeks now...


29 minutes ago, TopHatProductions115 said:

In case anyone is wondering about the full implications, here is the Google Project 0 and the linked whitepapers:

If you have any more questions about the vulnerabilities themselves, please see the whitepaper first. If you have questions about what you saw in the whitepaper(s), please feel free to ask for clarification. This info has been available for weeks now...

 

33 minutes ago, .Ocean said:

Touch ID has its own security concerns. Sensitive files that are kept encrypted and stored on your hard drive are fine. Spectre and Meltdown read your system memory (essentially when your data is in its most vulnerable state, the processing state).

Let me put it this way, let's say you are using asymmetric encryption to communicate online, which everyone on this website is doing but I'm sure you can imagine the big business and government that also apply the same encryption methods. You receive a message and decrypt it using your private key. If you are being attacked by someone exploiting Spectre or Meltdown your private key has been compromised. Not only does this person have the ability to read every encrypted message sent to you using the matching public key, violating confidentiality. They can also use your private key to sign messages as you, violating integrity. AND THEN if this wasn't enough, you wouldn't even know that your encryption key had been compromised and even when you do find out you have the whole headache of getting new certs and distributing your new public key.

Temporary keys used in encryption are also in danger but I feel like this post is long enough.

Thanks for the info guys.

I think I'm pretty safe as I'm just a gamer that doesn't really use that computer I'm concerned about for anything sensitive.

I'm more interested to know about how this is going to affect things on the bigger picture like in a national security type sense.

Very interesting info.

Thanks again.


9 hours ago, stateofpsychosis said:

I'm confused on this one.

If I have to confirm every login on another device, how could they still get into anything important?

Well, is the login info the only important thing you have on your computer? There is nothing else you care about leaking, at all, other than your username and password to websites? I certainly have a lot of things which are also important.

 

9 hours ago, stateofpsychosis said:

I'm good on that right?

Not necessarily. I am not sure how Google's authentication system works or what safeguards they have in place, but my guess is that once you have authenticated yourself (with 2-factor authentication), you get a cookie containing an authentication token, which gets sent with all requests to their server to validate that you are authorized to view your information.

That token could be copied and then used to read data.

 

Think of it like this. If you have your web browser open and logged into gmail in one tab, you don't have to login again if you accidentally close the tab, right? If you close your entire browser you might, but not just the tab. Why is that? How does the web server know that even though you closed the tab, when you open a new one you are still allowed to access your personal files stored on the web server?

That's because websites only validate things like usernames and passwords once, and that's at the time of logging in.

 

Here is a simplified version of how it works:

1) The website asks for your username and password.

2) You enter it.

3) The website checks if your username and password are valid. It might also send a one-time use code for 2-factor verification.

4) Once the website is satisfied with the info provided it either creates a cookie or a token which gets sent to your computer. The way authentication cookies and authentication tokens work is a bit different but they both serve the same purpose: validating that you're authorized to access content without needing to send your username and password every single time (imagine having to login for every single thread you open on this forum).

5) The cookie or token is saved on your computer.

6) Every time your computer requests data from the web server (for example, you open a new thread), it sends the token with the request, to tell the server "hey, I am authenticated, I am stateofpsychosis so I am allowed to see this content".

 

What would happen if someone stole that authentication token? They could access all the things only you're authorized to see, even though they have never even logged in.

 

There are probably ways to prevent this type of attack, and I am not sure how Google's authentication system works so maybe they have methods to prevent this, but that's more or less how it works in general (please don't flame me if I got some things wrong, I am not a web developer).
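The six steps in the post above, as an added sketch that is not part of the original post and not any real site's code: the second factor is checked once at login, after which the token alone identifies the user, and the server limits the damage of a copied token with expiry, a fresh 2FA check for sensitive actions, and revocation on logout. The account, salt, TOTP secret, time limits and the `SessionStore` class are all constructed for illustration.

```python
import hashlib, hmac, secrets, time

SESSION_TTL = 15 * 60      # assumed policy: sessions die after 15 minutes
STEP_UP_WINDOW = 5 * 60    # assumed policy: sensitive actions need 2FA this recent

def totp(secret, now, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1, 30 s steps)."""
    mac = hmac.new(secret, int(now // step).to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = int.from_bytes(mac[off:off + 4], "big") & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed demo account; salt, password and TOTP secret are sample values.
SALT, SECRET = b"demo-salt-000001", b"demo-totp-secret"
USERS = {"stateofpsychosis": {"pw": pw_hash("correct horse", SALT), "totp": SECRET}}

class SessionStore:
    """Server-side table: token -> user, issue time, time of last 2FA check."""
    def __init__(self, clock=time.time):
        self.clock, self.sessions = clock, {}

    def _otp_ok(self, user, code):
        return hmac.compare_digest(code, totp(USERS[user]["totp"], self.clock()))

    def login(self, user, password, code):
        """Steps 1-4: verify password and one-time code once, then issue a token."""
        rec = USERS.get(user)
        if rec is None or not hmac.compare_digest(pw_hash(password, SALT), rec["pw"]):
            return None
        if not self._otp_ok(user, code):
            return None
        token, now = secrets.token_urlsafe(32), self.clock()
        self.sessions[token] = {"user": user, "issued": now, "last_2fa": now}
        return token

    def whoami(self, token):
        """Step 6: whoever presents a live token is treated as the user."""
        s = self.sessions.get(token)
        if s is None or self.clock() - s["issued"] > SESSION_TTL:
            self.sessions.pop(token, None)   # expired or already revoked
            return None
        return s["user"]

    def sensitive_action(self, token, code=None):
        """Mitigation: high-value actions demand a fresh second factor."""
        user = self.whoami(token)
        if user is None:
            return "denied: no session"
        s = self.sessions[token]
        if code is not None and self._otp_ok(user, code):
            s["last_2fa"] = self.clock()
        if self.clock() - s["last_2fa"] > STEP_UP_WINDOW:
            return "denied: step-up required"
        return "ok"

    def logout(self, token):
        """Mitigation: server-side revocation makes a copied token useless."""
        self.sessions.pop(token, None)
```

Passing a fake `clock` into `SessionStore` lets you advance time and watch a copied token keep working for ordinary reads until it expires or is revoked, while the sensitive action is refused without a current code.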


On 2/9/2018 at 6:35 PM, LAwLz said:

Well, is the login info the only important thing you have on your computer? There is nothing else you care about leaking, at all, other than your username and password to websites? I certainly have a lot of things which are also important.

 

Not necessarily. I am not sure how Google's authentication system works or what safeguards they have in place, but my guess is that once you have authenticated yourself (with 2-factor authentication), you get a cookie containing an authentication token, which gets sent with all requests to their server to validate that you are authorized to view your information.

That token could be copied and then used to read data.

 

Think of it like this. If you have your web browser open and logged into gmail in one tab, you don't have to login again if you accidentally close the tab, right? If you close your entire browser you might, but not just the tab. Why is that? How does the web server know that even though you closed the tab, when you open a new one you are still allowed to access your personal files stored on the web server?

That's because websites only validate things like usernames and passwords once, and that's at the time of logging in.

 

Here is a simplified version of how it works:

1) The website asks for your username and password.

2) You enter it.

3) The website checks if your username and password are valid. It might also send a one-time use code for 2-factor verification.

4) Once the website is satisfied with the info provided it either creates a cookie or a token which gets sent to your computer. The way authentication cookies and authentication tokens work is a bit different but they both serve the same purpose: validating that you're authorized to access content without needing to send your username and password every single time (imagine having to login for every single thread you open on this forum).

5) The cookie or token is saved on your computer.

6) Every time your computer requests data from the web server (for example, you open a new thread), it sends the token with the request, to tell the server "hey, I am authenticated, I am stateofpsychosis so I am allowed to see this content".

 

What would happen if someone stole that authentication token? They could access all the things only you're authorized to see, even though they have never even logged in.

 

There are probably ways to prevent this type of attack, and I am not sure how Google's authentication system works so maybe they have methods to prevent this, but that's more or less how it works in general (please don't flame me if I got some things wrong, I am not a web developer).

Well, your cyber security is never perfect, but what I mean is that I'd be more worried about people who actually have anything of value to hack for :P

Hack me and you're still broke lol

Just kidding.

Cyber security is something to take seriously.

Thanks for answering some of my questions.
