It’s no secret that Facebook tracks user data, as anyone who has seen an ad related to a topic they just posted about can attest — but the alleged illegal mining of data from more than 50 million users, which was acquired by Cambridge Analytica, is raising new concerns about the security of personal information stored on Facebook. Facebook has since banned the analytics firm and its parent company Strategic Communication Laboratories, but with Cambridge Analytica having handled social media campaigns related to President Donald Trump’s presidential bid and the U.K.’s Brexit vote, the scrutiny will likely continue for some time.
On Wednesday, March 21, Facebook CEO Mark Zuckerberg broke his silence and shared a post detailing what happened and what the network is doing to prevent similar access. Facebook says users impacted by the data misuse will be notified, but added that the list of security changes announced this week is only the start, with more adjustments coming over the next few weeks. Cambridge Analytica says the company has done nothing wrong and, so far, has appeared to cooperate with investigations.
So what do Facebook users need to know about the illegal data mining? Here is what we know so far.
Users didn’t have to authorize an app to have their data mined
Some of the user data in question was accessed by authorizing the app “thisisyourdigitallife,” by Global Science Research, a personality app that told users the information was anonymous and for psychological research. Granting access to a third-party app prompts a pop-up screen that says what data the app will have access to, requiring the user to agree to the terms before allowing access. The app was also reportedly boosted by Amazon Turk, a program that pays users to complete surveys and other online tasks. Global Science Research allegedly sold that data to Cambridge Analytica.
That is not why the app’s developers and Cambridge Analytica are under fire, however. Around 270,000 people actually accessed the app. However, the app didn’t stop there; it also gathered data on those users’ friends, and friends of friends, until it had access to information from more than 50 million accounts, as detailed in The New York Times. This means the vast majority of users who had their data stolen never authorized the app to access their accounts, thus prompting the ensuing controversy and Facebook’s ban of Cambridge Analytica.
While wasting three minutes of your life taking a quiz to find out what kind of potato chip you are is nobody’s proudest moment, granting an unknown company access to your data, and that of your friends, is an irrationally high price to pay.
Third-party apps can no longer access your friends’ data — and Facebook is still doing more
Facebook says that today’s platform doesn’t allow third-party apps to access the same information from your friends. This change was made in 2014 when Facebook removed the API that allowed developers to access data on a user’s friends.
While third-party apps have not had access to friend data for years, Zuckerberg says the platform will take several steps to further protect user data. Third-party apps will now only stay connected for three months, preventing one-time use apps from monitoring data in the background. The network is also launching an audit of all the apps that used friend data prior to 2014 — and removing anyone who doesn’t cooperate with the audit as well as apps that misused data. And while users could always look in the settings to see what apps have access to their data, Facebook will put the tool right in the newsfeed over the next month so users can easily check the permitted apps.
In an official blog post following Zuckerberg’s statement, Facebook also said that they would be informing users involved in any data misuse, including users that were impacted by the “thisisyourdigitallife” app. By expanding the existing bug bounty program, the network also hopes to find data misuse faster by rewarding hackers that find those loopholes for the company to correct.
“I started Facebook, and at the end of the day I’m responsible for what happens on our platform,” Zuckerberg wrote. “I’m serious about doing what it takes to protect our community. While this specific issue involving Cambridge Analytica should no longer happen with new apps today, that doesn’t change what happened in the past. We will learn from this experience to secure our platform further and make our community safer for everyone going forward.”
Facebook knew about the data in 2015
Facebook learned of the misuse of data from journalists back in 2015. The app’s creator, Dr. Aleksandr Kogan, claimed he was using it for an academic study — and insists he didn’t think he was doing anything wrong. When Facebook found out about the data the app was gathering in 2015, it asked Global Science Research to delete it — and thought the company did. When Facebook received reports suggesting that the deletion never happened, it suspended the company from the platform and launched an investigation.
A lawsuit filed by investors said Facebook should have disclosed this information.
Facebook is losing money — and that might be a good thing
Advertisers often choose Facebook because the company can target a specific customer using legal, publicly shared information to advertise, say, diapers only to new parents. The scandal, however, is affecting the company’s value. In just the first two days, the company’s stock lost around $60 billion in value.
While that’s not good news if you invested in Facebook stock, for the average user, that impact could be a good sign — Facebook isn’t going to sit by idly and lose billions. Social media platforms are profit-driven companies, and a threat to the bottom line can spur a rapid change of course. Just look at how fast YouTube changed advertising policies when advertisers boycotted the platform after seeing their ads inserted in hate speech videos.
This isn’t the first time Facebook has been scrutinized over privacy
In 2011, Facebook faced a list of seven complaints from the Federal Trade Commission about user privacy. One of those complaints said that “Facebook represented that third-party apps that users installed would have access only to user information they needed to operate. In fact, the apps could access nearly all of users’ personal data — data the apps didn’t need.”
A second complaint on the list sounds familiar in the midst of the current scandal: it reads that “selecting ‘Friends Only’ did not prevent their information from being shared with third-party applications their friends used.” Additionally, while Facebook claimed it verified that participating apps were secure, the FTC said this was not true. Facebook settled the complaint, agreed to get user approval before allowing apps to access data, and agreed to allow privacy audits.
In 2017, Facebook faced legal fines in France and the Netherlands for violating privacy protection laws in those countries. At the time, the government organizations said that Facebook didn’t allow enough privacy controls and that the platform was also using browser history without user consent.
That turmoil in France and the Netherlands likely prompted Facebook to announce a new Privacy Center, designed to help users understand just how their data is used. The Privacy Center hasn’t yet rolled out, with Facebook planning to launch it in May 2018.
The U.S., U.K., and FTC are all investigating
More information will likely come over the next few weeks as several groups dig into the controversy. Facebook reportedly met with Congress for two days following the scandal. Facebook hired a private investigative firm — but the U.K.’s Information Commissioner’s Office asked the group to leave as it pursued its own investigation. The FTC is also investigating how the information was used, according to Bloomberg.
As the investigation continues, additional details will likely become available. Currently, it’s unclear exactly how the data was used, which campaigns the data was used in, and if those campaigns had any major impact. Cambridge Analytica is claiming no wrongdoing.
Facebook claims it was deceived
While Zuckerberg and Chief Operating Officer Sheryl Sandberg are usually quick to make a public apology in the wake of an incident involving the platform, the two have been unusually quiet until today’s post by the CEO. A Facebook representative said that’s because the two are “working around the clock” but said that the platform is “outraged we were deceived” and is taking steps to protect user information.
While information wasn’t stolen in a hack-like breach, Zuckerberg called the mishandling of data a breach of trust. “This was a breach of trust between Kogan, Cambridge Analytica and Facebook,” he said. “But it was also a breach of trust between Facebook and the people who share their data with us and expect us to protect it. We need to fix that.”
Andrew “Boz” Bosworth, the company’s vice president of augmented and virtual reality and the former vice president in advertising, said Facebook is set up so that personal data isn’t sold to other companies. “Yes developers can receive data that helps them provide better experiences to people, but we don’t make money from that directly and have set this up in a way so that no one’s personal information is sold to businesses,” he wrote in a Facebook post. “We are able to show better ads when we know more about people relative to other businesses, so giving data to them is the opposite of a good strategy. Also if people aren’t having a positive experience connecting with businesses and apps then it all breaks down. This is specifically what I mean when we say our interests are aligned with users when it comes to protecting data.”
This isn’t the only questionable practice Cambridge Analytica is accused of
While misuse of user data is at the heart of the scandal, that’s not all Cambridge Analytica is facing. British undercover reporters set up several meetings with the company and recorded CEO Alexander Nix suggesting creating a sex scandal to discredit an opponent. Cambridge Analytica has cried foul and said it never intended carrying out those suggestions.
Users can revoke authorization to third-party apps
While even the former owner of WhatsApp is calling for users to delete Facebook, there are settings users can adjust to limit shared data and view which third-party apps have been authorized. This may not prevent illegal access to data if someone finds a way to access information outside of Facebook’s rules, but it’s a start for users who would rather not cut all ties with Facebook.
If the revelations that Cambridge Analytica acquired the records of 50 million Facebook users has you wondering how to protect your own personal information, you may already have discovered the maze of privacy settings the social networking site offers.
First, the good news: the feature that allowed the most egregious data harvesting used by the company that gave Cambridge Analytica its data is no longer on the site.
Before 2016, Facebook apps could ask for permission to access not only your own data, but also the data of all your friends on the platform. That means that around 300,000 people could sign up for a personality test quiz, and in the process hand over information of 150 times that number.
Now, however, Facebook apps are only allowed to gather information from users who have directly signed up for them, greatly limiting their reach. That change was made in 2014, and rolled out to every Facebook app over the course of 2015.
But it’s still the case that apps which you have directly enabled can harvest a significant amount of data from your account – often information which you might be surprised to know you’re handing over.
The app settings page on Facebook is the place to manage the apps you’ve given access to. Clicking on the link will bring up a list of apps under “logged in with Facebook”. Hopefully you’ll recognise most of them – if there’s any you don’t, consider clicking the “X”, deauthorising them from your account.
You might also want to click on the edit button under the “apps others use” heading lower down the page. This takes you to your privacy settings for the modern version of the same feature Cambridge Analytica profited from. The information others can hand over on your behalf is limited, but still includes data such as your date of birth, religious and political views, and activities, interests and things you like. Consider unchecking all the boxes. According to Facebook, leaving them all checked will make your friends’ “experience better and more social”, which doesn’t seem like a good trade-off for you.
If that’s not enough for you to feel safe, maybe now’s the time to delete your Facebook account altogether.
That’s somewhat harder to do. If you go through the account settings, Facebook will attempt to push you to “deactivate” your account, which “will disable your profile and remove your name and photo from most things that you’ve shared on Facebook”. Notably, it won’t remove any of your data from Facebook’s servers, and your account lies dormant hoping you will change your mind.
If you actually want to delete your information from Facebook, the real setting is hidden in a help document with the title “how do I permanently delete my account?” Clicking on “let us know” on that page will take users to the real account deletion screen. Clicking “delete my account” will take you to another screen. Filling in your password and proving you aren’t a robot on that screen will finally… deactivate your account. Wait two weeks after that, and then, at long last, Facebook will begin the 90 day process of deleting all your data from the site.
By September, then, you too could be Facebook-free.
Security researchers have disclosed a set of security flaws that they said could let hackers steal sensitive information from nearly every modern computing device containing chips from Intel and AMD.
SAN FRANCISCO — Apple says all of its Macs, iPhones and iPads contain a security flaw that requires an update. It's not alone. Any owner of a PC, tablet or smart phone should make sure that automatic software updates for their operating systems are enabled after security researchers this week revealed a broad flaw in Intel and other chips that could allow hackers to access data previously thought to be secure.
What should you do about it?
Every major software company has been pushing out updates to fix the problem. Make sure you allow your computers and phones to automatically install software updates and patches as they are released. These will likely be modified as companies craft the best work-arounds, so it’s not likely to be a one-time deal — update early and often!
Those on Microsoft products will need to first determine which version of the Windows operating system they are running, then run a query on the Microsoft support site asking "update Windows" along with the version they're running.
Apple products will automatically update themselves, or at least prompt users to update them.
Google Chromebooks self update. Many, but not all, phones running the Android operating system also do, or will ask if the user wants their operating system updated. You can also go to the settings app on the phone, tap About Device and then tap System Updates to see if an update is available.
Many security companies are suggesting users also make sure their security software is up to date. As soon as hackers create code to use this new flaw, security software will help flag and possibly stop them.
What products are affected?
Potentially everything that's got a central processing unit or CPU, which means PCs, Macs, laptops, smart phones and tablets. But patches are coming fast and furious.
Microsoft has already pushed out a patch for Windows 10 and other Windows versions will be updated on Tuesday, January 9. If you have auto updates enabled, you should get this upgrade.
Apple on Thursday said that it has already released patches in iOS 11.2, macOS 10.13.2, and tvOS 11.2 to help defend against Meltdown, and that Apple Watch is not affected by Meltdown. The upgrades come via auto updates.
The company plans to release mitigations in Safari to help defend against Spectre "in the coming days," it said in a blog. The company also said it will continue to develop and test further patches for future updates of its operating system.
Google has published a list of all its devices and software that might need updates and what users have to do to install them, though many (like Chromebooks) will self install.
Amazon’s AWS cloud computing service expected all its computing systems to be patched by the end of the day Wednesday. Customers were also told to patch their operating systems to be fully secured.
What chips are affected?
Intel, which makes most of the chips used in PCs, is the most heavily affected. It said Thursday it has already issued updates for the majority of CPUs — the chips that handle the instructions a computer receives from hardware and software, sometimes known as the "brain" of the computer — introduced within the past five years. By the end of next week it expects to have issued updates for more than 90% of processors introduced within the past five years.
Chip-maker Advanced Micro Devices, whose products are mostly used in corporate server computers and personal computers, originally said it didn’t believe its products were at risk for the flaw. It has since updated that to say that one of the potential attacks could be used on some of its chips. It encouraged its customers to use safe computing practices, including “not clicking on unrecognized hyperlinks, following strong password protocols, using secure networks, and accepting regular software updates.”
ARM, whose chips are primarily used in smart phones and electronic devices such as e-readers, televisions, cable boxes and cars, said that only a small subset of its chips were vulnerable and listed them on its website. It has also published a technical paper outlining how the flaws can be mitigated.
How did this happen?
There are actually two exploitable flaws, though they’re related. They have been given the James Bond-esque names Meltdown and Spectre. Both use what’s known as a side-channel analysis attack. Basically, malicious code can be written that allows an attacker to see information stored in what was previously believed to be a secure portion of a computer’s central processing unit, or CPU.
What's the problem that makes this possible?
It’s something no one had realized was an issue for 20-some years. Back in the early 1990s, in an effort to speed up computer processing, computer chip engineers hit on the idea of letting computers guess at what data would be needed next. It was called “speculative execution.” It’s something like a salesperson who sees a man pick out a pair of slacks in a store and so grabs a belt and a jacket that match because they might be what he looks for next.
In the computer, it could be that you go to the banking section of your password management program. The speculative execution function then pulls all your banking passwords into the protected memory portion of the CPU because it’s making a good guess you’ll ask for that next.
Meltdown allows full access to the protected memory space, so it’s potentially more dangerous. It appears to only affect Intel chips manufactured since 1995.
Spectre allows malicious code to trick its way into accessing random portions of the protected memory. It is believed to affect processors made by Intel, Advanced Micro Devices and ARM.
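Because Meltdown and the two Spectre variants are patched separately, a practitioner checking a fleet wants the kernel’s own verdict per flaw rather than a guess from the patch date. The following shell script is an added example, not code from any of the articles above: it reads the status files the Linux kernel exposes under /sys/devices/system/cpu/vulnerabilities/ (Linux 4.15 and later, which the articles do not mention) and fails when any of the three is still reported as vulnerable. The function names and the VULN_DIR override are mine.

```shell
#!/bin/sh
# Added example, not code from any of the articles above: report the Linux
# kernel's own verdict on Meltdown, Spectre variant 1 and Spectre variant 2.
# Assumes a kernel that exposes /sys/devices/system/cpu/vulnerabilities/
# (Linux 4.15 and later); VULN_DIR can be overridden for testing.

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_TEXT
# Maps one sysfs status string to a one-word verdict. The kernel writes
# "Not affected", "Mitigation: <name>" or "Vulnerable[: detail]".
classify_status() {
    case "$1" in
        "Not affected"*) echo not_affected ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;
        *)               echo unknown ;;
    esac
}

# report_host
# Prints one line per flaw and returns 1 if any of the three is still
# reported as vulnerable, so the script can gate a fleet-wide patch check.
# A missing file means the kernel predates the interface; that is reported
# as "unknown" rather than silently treated as patched.
report_host() {
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        file="$VULN_DIR/$name"
        if [ -r "$file" ]; then
            status=$(cat "$file")
            verdict=$(classify_status "$status")
        else
            status="(no sysfs entry: kernel too old or sysfs not mounted)"
            verdict=unknown
        fi
        printf '%-10s %-12s %s\n' "$name" "$verdict" "$status"
        if [ "$verdict" = vulnerable ]; then
            rc=1
        fi
    done
    return "$rc"
}

# Run the report when saved and executed as check_mitigations.sh; when the
# file is sourced instead, only the functions are defined.
case "$0" in
    *check_mitigations.sh) report_host ;;
esac
```

On a patched host the spectre_v2 line typically reads "Mitigation: Full generic retpoline", the same Retpoline mitigation Google describes later on this page.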
The real issue is that the flaws allow cyber criminals a new set of tools to steal passwords and other critical data.
“The scope impacts a large set of the computing devices that we rely on, from PC to phones and back-end services consumers rely upon, such as servers and the cloud,” said McAfee chief technology officer Steve Grobman.
How much could the hackers see?
The exploit could allow an attacker to open a window that lets them look at what’s being rolled into and out of that protected memory space, says Atiq Raza, chairman and CEO of Virsec Systems, Inc and the former president of AMD. Depending on how long the hackers can keep the window open “they could see a very significant amount of data scroll by. Even if it's just for a few seconds, a humongous amount of information could go through,” he said.
How did this exist for so long?
An excellent question, which hasn't been answered yet.
The flaws were discovered over the last several months independently by several teams, including Google’s Project Zero security team, researchers at Graz University of Technology in Austria, the University of Adelaide in Australia and the universities of Pennsylvania and Maryland, along with researchers at security firms Cyberus Technology, Rambus and Data61.
The researchers alerted chip and software companies, which began writing patches and fixes. Everything was supposed to be announced on January 9th.
As companies started to make changes to their software to allow them to implement the patches, security researchers noticed something was going on. This created buzz in the broader computer security community. When the security news site The Register published a story on January 2, it became impossible to wait and Intel and Google went public with the information.
Has anyone actually made use of this exploit yet?
Not that we know of. It’s a very complex and rarefied attack and one that until a few months ago no one even realized was possible. That said, exploiting this bug wouldn't leave traces so it's difficult to know if it's being used "in the wild," as security researchers say.
But the race is now on, says Tony Cole, vice president of global government and critical infrastructure with computer security company FireEye. “I’m sure everybody on the attacker side is busy reading everything that’s out and trying to figure out how to use this. It’s being worked on as we speak.”
Apple recently confirmed its nasty secret: iOS slows down iPhones. Software enabling the iPhone 6 and iPhone 6S to be throttled was introduced in iOS 10.2.1 and Apple admitted the iPhone 7 was added to that list in early December through iOS 11.2. But new research suggests the most serious iPhone slowdown will be one that hits Apple itself…
In a new research note Barclays' analyst Mark Moskowitz estimates Apple is expected to lose millions of iPhone sales as owners realise they can rejuvenate their existing phone just by replacing the battery, especially in conjunction with Apple’s 11 month ‘plea bargain’ to reduce the price of battery replacements from $79 to $29.
Image caption: Apple iOS 11
Breaking down its figures, Moskowitz states Barclays believes approximately 518 million iPhones (77% of all iPhones in circulation) will be eligible for Apple’s battery promotion, which covers the iPhone 6, iPhone 6S and iPhone 7. In a “base case scenario” Barclays expects over 10% (54M) to take up the offer giving Apple an additional $1.56BN in revenue.
The flip side it points out is 30% of those who swap their iPhone battery are predicted to cancel their upgrade plans for 2018 costing Apple $10BN and 16M iPhone sales. To put this in context, Barclays expects Apple to sell 56M iPhones in Q1, though I feel CLSA is closer to the mark when it recently stated sales will be closer to 30M.
But the bigger picture is what happens to iPhone sales long term.
What happens once the message spreads and even mainstream iPhone owners realise they can ‘rejuvenate’ their iPhone every 12 months for the cost of a new battery? Apple isn’t helping itself here either since the ever spiralling cost of new iPhones (the iPhone X starts from $999, before tax) is making long term ownership essential for any user who struggles to justify living on the hamster wheel of continual upgrades.
Image caption: How futuristic is the iPhone X if its performance is throttled after 12 months?
And what of each latest and greatest iPhone? When users understand that software designed to monitor and throttle it will be released just 12 months after launch, it is likely to take the shine off. After all, it isn’t just speed Apple confesses throttled iPhones lose; its official list includes dimmed displays, reduced speaker volume and even disabling the camera flash.
None of which accounts for the future sales decisions of iPhone owners who now feel they were duped into unnecessary upgrades.
Apple’s response has been to claim it is business as usual. That its practice of slowdowns is a praiseworthy feature for prolonging battery life and one it plans to continue. But this doesn’t wash. Apple’s biggest rivals have fallen over one another to stress such precautions aren’t necessary on their handsets and Samsung even promises 95% battery capacity retention for a minimum of two years. So much for the unavoidable physical limitations of lithium-ion batteries, Apple.
All of which means Barclays’ analysis is hugely significant. Not merely because it highlights short term iPhone sales losses, but because it reflects users finding a different path: one of fixing over upgrading that tears open Apple’s famous ‘Reality Distortion Field’. The genie is out of the bottle and no amount of ‘magical’ rhetoric is going to put it back in…
Technology companies are working to protect their customers after researchers revealed that major security flaws affecting nearly every modern computer processor could allow hackers to steal stored data — including passwords and other sensitive information — on desktops, laptops, mobile phones and cloud networks around the globe.
The scramble to harden a broad array of devices comes after researchers found two significant vulnerabilities within modern computing hardware, one of which cannot be fully resolved as of yet. Experts say the disclosure of the critical flaws underscores the need to keep up with software updates and security patches and highlights the role independent research plays in prodding tech companies to minimize security weaknesses.
On Thursday, Apple confirmed that all Mac systems and iOS devices are affected.
Researchers at Google’s Project Zero, academic institutions and private companies published their findings on the vulnerabilities on Wednesday. They said the flaws were discovered last year.
The more pervasive flaw of the two, dubbed Spectre, leaves the world's supply of microprocessors potentially vulnerable to attack, the researchers said. Although hackers will find it harder to take advantage of Spectre, it is also more challenging for computer manufacturers to ward off, the researchers said. “As it is not easy to fix, it will haunt us for quite some time,” the researchers said, explaining why they chose to call the flaw Spectre.
There's no complete software patch for Spectre right now, said Michael Daly, chief technology officer of cybersecurity and special missions at Raytheon, a defense company. The long-term solution may rely on a hardware redesign, he said, with software patches acting to monitor and stop malicious behavior. In the meantime, criminal actors and nation states could further develop the Spectre vulnerability, making attacks easier to execute.
“Right now it's kind of tricky to take advantage of it,” Daly said. “But it's not going to stop there. They will improve on it.”
The other flaw, called Meltdown, affects most Intel processors made after 1995. And although security patches exist for devices running Linux, Windows, and OS X, the researchers said, the fix may slow down their performance by as much as 30 percent, according to some estimates.
Intel and AMD both said that Google told the companies about the threats last summer. “Intel is committed to responsible disclosure. In this case, the security researchers presented their findings in confidence, and we and other companies worked together to verify their results, develop and validate firmware and operating system updates for impacted technologies, and make them widely available as rapidly as possible,” the company said in a blog post Wednesday.
Intel also played down concerns about slowed performance because of the updates, noting that for the “average computer user,” the impact should not be significant and will lessen over time. “Check with your operating system vendor or system manufacturer and apply any available updates as soon as they are available,” the company said.
On Thursday, Apple confirmed that all Mac systems and iOS devices are affected, but that no known exploits have impacted its customers. In a post on its website, Apple said updates to its operating systems for iPhones (iOS 11.2), Macs (macOS 10.13.2), and Apple TVs (tvOS 11.2) would defend against Meltdown. The company said it will soon release a new version of its Safari web browser to protect customers against Spectre. Further updates of iOS, macOS, tvOS, and watchOS will be released to limit the threat of the vulnerabilities, Apple said.
Microsoft said in a statement Thursday that it is not aware of any of these vulnerabilities being used against its customers. “We are in the process of deploying mitigations to cloud services and released security updates on January 3 to protect Windows customers against vulnerabilities affecting supported hardware chips from Intel, Arm, and AMD,” the company said.
Google said in a blog post Wednesday that its popular web browser Chrome, its cloud services and other applications have been or will soon be updated to protect against the newly disclosed vulnerabilities.
Amazon said Wednesday in a blog post that “all but a small single-digit percentage of instances” of its EC2 systems, a service under its cloud computing platform, had already been protected, and urged customers to patch their operating systems using available updates. The founder and chief executive of Amazon.com, Jeffrey P. Bezos, also owns The Washington Post.
In a post on the company's website Wednesday, AMD said that one variant of the Spectre vulnerability was resolved by software and operating system updates. Another variant of Spectre, the company said, has “a near zero risk of exploitation” on its processors. But AMD also told its customers that “total protection from all possible attacks remains an elusive goal” and encouraged them to regularly update their software.
On Thursday, Intel's stock closed down 1.8 percent to $44.43 a share. But AMD jumped more than 5 percent following the publication of the security flaws, to close at $12.12 a share.
In a statement Thursday, Arm said that the majority of its processors are not affected by Spectre or Meltdown but confirmed that it has been working with Intel, AMD and other partners to develop defenses against the vulnerabilities.
“It's a positive thing that we have independent verification — researchers looking for vulnerabilities,” Daly said. “Most of the software vendors welcome that interaction as long as you see this disclosure in private first, so you have a chance to fix the bugs.”
Intel may have dominated most of the news surrounding the kernel bug in processors, but it’s not just Windows and Macs that are at risk. In addition to Meltdown, there is also a “branch target injection” bug called Spectre that affects mobile ARM processors found in iOS and Android phones, tablets, and other devices that could also expose your data. Here’s everything we know about it so far.
This post has been updated with information from Google about protection against possible Spectre attacks that shouldn’t impact performance.
Apple has been mum on Spectre and how it affects iOS devices, but presumably the risk will be equally small.
Your Google Pixel 2 XL was already patched, as long as you have automatic updates turned on.
Are any phones at more risk?The newest Android phones are in much better shape than older ones. Google’s latest security patch, which was released in December, “includes mitigations reducing access to high precision timers that limit attacks on all known variants on ARM processors.” That means all Pixel phones have been patched (assuming automatic updates are turned on), as well as Nexus 5X and 6P, as well as the Pixel C tablet.
How can it be fixed in non-Google phones?
Just like Meltdown, Spectre can only be patched via software. Some newer Android phones (such as the Samsung Galaxy S8 and Note 8) have already been updated, and other manufacturers should start pushing out their own updates within the next few weeks, as well as Apple’s iOS devices. However, many Android phones will likely remain vulnerable.
What if my phone doesn’t get updates anymore?
A hacker could potentially trick an otherwise safe app on your phone into handing over your personal info such as passwords and encryption keys. However, an attacker would need access to your unlocked phone, as Spectre is unlikely to be implemented or triggered remotely.
The iPhone 5c could be at risk.
Is my iPhone affected by the Spectre CPU flaw?
Apple has been mum on this whole issue, but even though it makes its own processors for iOS devices, some are still likely affected. Apple bases its A-series chips on ARM architecture, including some susceptible processors. According to ARM, the following chips and phones may be affected:
Will my phone slow down when the updates are issued?
The patch doesn’t appear to have a noticeable effect on performance, but it’s much harder to measure on a phone than it is on a PC. Google says it has developed a new mitigation called Retpoline that protects against possible attacks with “negligible impact on performance.” It has deployed the patch on its own systems and shared it with industry partners.
Are the iPad and AppleTV affected?
The full extent of affected devices won’t be clear until Apple releases some sort of press release, but some of the ARM chips above are used in other Apple devices as well:
A pair of nasty CPU flaws exposed this week have serious ramifications for home computer users. Meltdown and Spectre let attackers access protected information in your PC’s kernel memory, potentially revealing sensitive details like passwords, cryptographic keys, personal photos and email, or anything else you’ve used on your computer. It’s a serious flaw. Fortunately, CPU and operating system vendors pushed out patches fast, and you can protect your PC from Meltdown and Spectre to some degree.
It’s not a quick one-and-done deal, though. They’re two very different CPU flaws that touch every layer of your system, from the hardware to the operating system to the software running on top of it. Check out PCWorld’s Meltdown and Spectre FAQ for everything you need to know about the vulnerabilities themselves. We’ve cut through the technical jargon to explain what you need to know in clear, easy-to-read language. We’ve also created an overview of how the Spectre CPU bug affects phones and tablets.
The guide you’re reading now focuses solely on protecting your computer against the Meltdown and Spectre CPU flaws.
How to protect your PC against Meltdown and Spectre CPU flaws
Here’s a quick step-by-step checklist, followed by the full process.
Where to update Windows 10.
Microsoft pushed out an emergency Windows patch late in the day on January 3. If it didn’t automatically update your PC, head to Start > Settings > Update & Security > Windows Update, then click the Check now button under “Update status.” (Alternatively, you can just search for “Windows Update,” which also works for Windows 7 and 8.) Your system should detect the available update and begin downloading it. Install the update immediately.
If you don’t see it for whatever reason, you can download the Windows 10 KB4056892 patch directly here. You’ll need to know whether to grab the 32-bit (x86) or 64-bit (x64) version of the update. To determine if your PC runs a 32- or 64-bit version of Windows, simply type “system” (without the quotation marks) into Windows search and click the top listing. It’ll open a Control Panel window. The “System type” listing will tell you which version of Windows you’re running. Most PCs released in the past decade will be using the 64-bit operating system.
The System information you’re looking for.
Apple quietly worked Meltdown protections into macOS High Sierra 13.10.2, which released in December. If your Mac doesn’t automatically apply updates, force it by going into the App Store’s Update tab. Chromebooks should have already updated to Chrome OS 63 in December; it contains mitigations against the CPU flaws. Patches are also available for the Linux kernel.
Now for the bad news. The operating system patches will slow down your PC, though the extent varies wildly depending on your CPU and the workloads you’re running. Intel expects the impact to be fairly small for most consumer applications like games or web browsing. You still want to install the updates for security reasons.
Check for a firmware update
Intel’s Core i7-8700K CPU is vulnerable to Meltdown and Spectre.
Because Meltdown’s CPU exploits exist on a hardware level, Intel is also releasing firmware updates for its processors. “By the end of next week, Intel expects to have issued updates for more than 90 percent of processor products introduced within the past five years,” it said in a statement on January 4. The company also released a detection tool that can help you determine whether you need a firmware update.
Actually getting those firmware updates is tricky, because firmware updates aren’t issued directly from Intel. Instead, you need to snag them from the company that made your laptop, PC, or motherboard—think HP, Dell, Gigabyte, et cetera. Intel’s support page dedicated to the vulnerability includes links to support pages for all of its partners, where you can find any available firmware updates and information for your particular PC. Most prebuilt computers and laptops have a sticker with model details somewhere on their exterior.
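The guide above has you check the Windows Update history, the “System type” listing and your vendor’s firmware page by hand. As an added example (not from the PCWorld guide), the PowerShell function below gathers the same facts in one place; it assumes Microsoft’s SpeculationControl module from the PowerShell Gallery is available for the mitigation-state part, and the function name and output layout are this example’s own.

```powershell
# Added check script, not from the PCWorld guide. Reports the OS architecture,
# whether the January 2018 Windows 10 update named in the text (KB4056892) is
# installed, and, when Microsoft's SpeculationControl module is present,
# whether the Meltdown and Spectre mitigations are actually enabled.
# The module and its property names are Microsoft's; everything else here is
# this example's own and is not part of the original article.

function Test-MeltdownSpectreStatus {
    $result = [ordered]@{}

    # 1. OS architecture: the "System type" value the guide has you look up
    #    in Control Panel, used to pick the x86 or x64 download.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $result.OSArchitecture = $os.OSArchitecture        # e.g. "64-bit"
    $result.OSBuild        = $os.BuildNumber

    # 2. Is the January 3 cumulative update installed? Get-HotFix reads the
    #    installed-updates list; a missing KB yields nothing, not an exception.
    $kb = Get-HotFix -Id 'KB4056892' -ErrorAction SilentlyContinue
    $result.KB4056892Installed = [bool]$kb

    # 3. Mitigation state via Microsoft's SpeculationControl module.
    #    One-time install: Install-Module SpeculationControl -Scope CurrentUser
    if (Get-Module -ListAvailable -Name SpeculationControl) {
        Import-Module SpeculationControl
        $s = Get-SpeculationControlSettings

        # Branch target injection (Spectre variant 2) needs both OS support
        # and the CPU microcode that arrives as a vendor firmware update.
        $result.BTIHardwarePresent       = $s.BTIHardwarePresent
        $result.BTIWindowsSupportEnabled = $s.BTIWindowsSupportEnabled

        # Kernel VA shadowing (Meltdown) is an OS-only fix; no firmware needed.
        $result.KVAShadowRequired = $s.KVAShadowRequired
        $result.KVAShadowEnabled  = $s.KVAShadowWindowsSupportEnabled

        # The case the guide warns about: Windows is ready but the firmware
        # from your PC, laptop or motherboard maker has not been applied yet.
        $result.FirmwareUpdateNeeded =
            ($s.BTIWindowsSupportPresent -and -not $s.BTIHardwarePresent)
    }
    else {
        $result.SpeculationControlModule = 'not installed'
    }

    [pscustomobject]$result
}

Test-MeltdownSpectreStatus | Format-List
```

If FirmwareUpdateNeeded comes back True, the Windows patch alone is not enough and you still need the firmware update from your system vendor’s support page.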
Enabling Site Isolation in Chrome 63.
Microsoft updated Edge and Internet Explorer alongside Windows 10. Firefox 57 also wraps in some Spectre safeguards. Chrome 63 made “Site Isolation” an optional experimental feature. You can activate it right now by entering chrome://flags/#enable-site-per-process into your URL bar, then clicking Enable next to “Strict site isolation.” Chrome 64 will have more protections in place when it launches on January 23.
Keep your antivirus active
Finally, this ordeal underlines how important it is to keep your PC protected. The Google researchers who discovered the CPU flaws say that traditional antivirus wouldn’t be able to detect a Meltdown or Spectre attack. But attackers need to be able to inject and run malicious code on your PC to take advantage of the exploits. Keeping security software installed and vigilant helps keep hackers and malware off your computer. Plus, “your antivirus may detect malware which uses the attacks by comparing binaries after they become known,” Google says.
The CPU catastrophe will hit hardest in the cloud
Cloud platforms have patched fast — but the hardest work is yet to come
This week, two disastrous new processor vulnerabilities spilled out into the open — and the tech world is still coming to terms with the damage. The vulnerabilities, dubbed Meltdown and Spectre, affect nearly every processor made in the last 20 years. Meltdown is the immediate threat, with proof-of-concept exploits already available, but Spectre is much deeper and harder to patch, potentially leading to generations of more subtle exploits in the years to come. The result has left nearly every major technology company scrambling to protect themselves and their customers.
The focus so far has been on personal devices, with a flood of patches already available this morning, but many experts think the most severe damage is likely to come when the exploits are turned on cloud services. “These vulnerabilities will allow one tenant to peer into the data of another co-hosted tenant,” says Mounir Hahad, the head of threat research at Juniper Networks. “This is the reason many organizations steer clear of hosted services when it comes to processing sensitive information.”
THE SPECTRE ATTACK IS MUCH MORE POWERFUL IN THE CLOUD
Both Meltdown and Spectre deal with data leaking from one part of the computer to another, which makes them particularly dangerous when a single device is shared between users. With lots of commands running in parallel, the attacks found a way to extract data from the processor cache through a complex timing attack, sidestepping the usual privileges. Executed right, that could let a low-level process like a web plugin get access to passwords or other sensitive data held in a more secure part of your computer.
On a personal computer, that attack would be most useful for privilege escalation: a hacker running low-level malware could use a Spectre bug to own your whole computer. But there are already lots of ways to take over a computer once you’ve got a foothold, and it’s not clear how much a new processor attack would change things.
But privilege escalation is much scarier in the cloud, where the same server could be working for dozens of people at once. Platforms like Amazon Web Services and Google Cloud let online companies spread a single program across thousands of servers in data centers across the world, sharing hardware the same way you’d share an airplane or a subway car. Shared hardware isn’t normally a security problem because even when different users are on the same server, they’re in different software instances, with no way to jump from one instance to another. Spectre could change that, letting attackers steal data from anyone sharing the same chip. If a hacker wanted to perform that kind of attack, all they’d have to do is start their own instance and run the program.
Cloud services are also a lucrative target for anyone hoping to cash in on Spectre. Lots of midsize businesses run their entire infrastructure on AWS or Google Cloud, often trusting the platform with sensitive and potentially lucrative information. Bitcoin exchanges, chat apps, even government agencies all keep passwords and other sensitive data on cloud servers. If you’re running a modern web service, there’s simply no other choice. If someone did set a new exploit running on a cloud instance, there’s no telling what kind of data might shake out.
RESEARCHERS WILL BE FINDING NEW VARIANTS AND EXPLOITS FOR YEARS
So far, cloud platforms are taking the threat seriously, and doing everything they can to contain it. Amazon Web Services, Google Cloud, and Microsoft Azure all immediately deployed patches against the Meltdown attack, and there’s no indication that the available exploits could work against any of those platforms. Where there have been lingering vulnerabilities, it’s because companies are waiting on patches from third parties, like the Windows-based instances of Amazon EC2. The major platforms have handled the immediate response well, and there’s no reason to think we’re headed toward a cloud catastrophe in the days immediately to come.
(Reached by The Verge, a Google representative said the company’s cloud services had been protected against both Meltdown and Spectre, although they declined to elaborate on the Spectre protections. Amazon did not respond to a request for comment.)
What’s more worrying is what happens in the next few years. Deeply rooted vulnerabilities like Spectre can be hard to stamp out. Researchers will be finding new variants and exploits for years — much like we saw with Stagefright — and not all of the new tricks will be as well-publicized as Spectre and Meltdown were. It’s easy to imagine an undiscovered Spectre exploit falling into criminal hands six months from now — and when it does, platforms like AWS and Google Cloud will be extremely tempting targets.
It’s particularly daunting because those platforms undergird almost all of what we think of as the internet. They run nearly every program on your phone and stream your songs and shows. It’s hard to think of a piece of information on the internet that doesn’t pass through those servers at some point, even just for caching. In a material sense, they are the internet. And while they’re staffed by some of the best security teams in the world, the attack surface is almost unlimited. Dealing with the fallout from Spectre will be one of the hardest security problems the system has ever faced — and it’s a problem that won’t go away anytime soon.
Microsoft has been bundling a password manager that features a dangerous flaw with some versions of Windows 10, a Google security researcher has revealed. Tavis Ormandy noticed that his copy of Windows 10 included Keeper, which he had previously found to be injecting privileged UI into pages.
The version that Microsoft was including with Windows 10 featured the same bug. What does this mean? In short, it allows any website to steal passwords from you.
Keeper was included in some Windows 10 installations as a browser plugin, and it included the very same vulnerability that Ormandy had reported nearly a year and half earlier. With little more than a couple of very easily implemented tweaks, he found that it was possible to steal passwords that are stored within Keeper.
Ormandy shared details of the vulnerability on Twitter:
Tavis Ormandy (@taviso), 11:43 AM, Dec 15, 2017: I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability.
He also posted on the Project Zero page, saying:
I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called "Keeper" is now installed by default. I'm not the only person who has noticed this:
I assume this is some bundling deal with Microsoft. I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages (issue 917). I checked and they're doing the same thing again with this version. I think I'm being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works.
Nevertheless, this is a complete compromise of Keeper security, allowing any website to steal any password.
Having been made aware of the problem, the developers of Keeper issued a patch within 24 hours, saying:
This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a 'clickjacking' technique to execute privileged code within the browser extension.
There have been no reports of the vulnerability having been exploited.
Wow, this is a bad one. On Macs running the latest version of High Sierra — 10.13.1 (17B48) — it appears that anyone can log in just by putting “root” in the user name field. This is a huge, huge problem. Apple will fix it probably within hours but holy moly. Do not leave your Mac unattended until this is resolved.
The bug is most easily accessed by going to Preferences and then entering one of the panels that has a lock in the lower left-hand corner. Normally you’d click that to enter your user name and password, which are required to change important settings like those in Security & Privacy.
No need to do that any more! Just enter “root” instead of your user name and hit enter. After a few tries, it should log right in. There’s no need to do this yourself to verify it. Doing so creates a “root” account that others may be able to take advantage of if you don’t disable it.
The bug appears to have been first noticed by Lemi Orhan Ergin, founder of Software Craftsman Turkey, who noted it publicly on Twitter.
Needless to say, this is incredibly, incredibly bad. Once you log in, you’ve essentially authenticated yourself as the owner of the computer. You can add administrators, change critical settings, lock out the current owner, and so on. Do not leave your Mac unattended until this is resolved.
So far this has worked on every preference panel we’ve tried, and when I used “root” at the login screen it immediately created and pulled up a new user with system administrator privileges. It didn’t work on a 10.13 (17A365) machine, but that one is also loaded up with Aol bloatware — sorry, Oath bloatware — which may affect things.
A potential fix is to log into the “root” account and change its password to… well, anything. But the safest thing is to not expose your device to any unfamiliar environments until the bug is fixed.
We’ve asked Apple for comment, but I’m guessing they’re pretty busy. We hope they have a fix soon because no one should leave their Mac unattended until this is resolved.