Cyber Week in Review: January 5, 2018

Here is a quick round-up of this week’s technology headlines and related stories you may have missed:

Welcome to 2018! Say hi to Meltdown and Spectre. The bombshell disclosure of two serious and pervasive flaws in the design of computer processors rocked the computing industry this week. The disclosure by cybersecurity researchers at Carnegie Mellon University put computer operators in the unenviable position of replacing vulnerable hardware (which will likely be prohibitively expensive) or mitigating risk through a series of imperfect software patches.

Both security flaws are sizable and involve exploiting vulnerabilities in the central processing unit's architecture to provide access to backchannel data. The first one, dubbed Meltdown, exploits a flaw in a crucial memory cache called the Translation Lookaside Buffer in order to give an unauthorized program access to a system’s privacy memory. This flaw affects nearly every Intel processor—which is bad news for Intel’s stock prices and everyone that bought an Apple product in the past twenty years. A robust patch exists, although the fix will degrade performance as much as 20%.

The second flaw, Spectre, on the other hand, affects Intel, AMD, and ARM processors and essentially tricks applications into disclosing information that would otherwise remain walled off to unauthorized programs. Cybersecurity researchers agree that an attack utilizing the Spectre vulnerability will be difficult to pull off, but also difficult to effectively patch, thereby making the risk associated with this flaw a long-term threat and likely impossible to altogether avoid—at least until everyone upgrades to a new generation of CPUs.

While it will be months before we fully understand the full implications of Meltdown and Spectre, there are a few clear takeaways. First, the Meltdown and Spectre show the systemic hazard of a computing industry that lacks diversity. Around 90% of personal computers and servers are powered by Intel chips, making any security flaws in Intel chips an industry-wide problem. Second, cloud computing services, which run multiple programs for many users on shared hardware, will be especially vulnerable to Meltdown and Spectre, since hackers can essentially steal data from any user running programs on an infected server.

Iran tightens internet controls in response to protestors. As protests rage in cities across Iran, the government is tightening internet controls in an effort to quell the unrest. On Sunday, state television announced that authorities had blocked Instagram and Telegram in order to “maintain peace.” Social media played a prominent role in the so-called Green Movement that rocked the country in 2009, turning the internet into a central battleground between the government and opposition. Authorities have since ramped up censorship, turning the internet into a so-called “filternet.” At the same time, Iranians turned to Telegram, an encrypted messaging app, to evade censors. With authorities now blocking Telegram, Iranians are left with few other alternative platforms to organize on. Signal, one suitable alternative, is not available in Iran. This, ironically, is not because of the government’s effective internet controls, but because U.S. sanctions prevent companies from securing the proper license to supply communication technology products in Iran.

Iranian state-run media IRIB has aired a (propaganda) segment showing Iranians who claim that they are happy that Telegram was blocked, because now they have more time to spend with their loved ones. pic.twitter.com/kUp4WYevFN

— Maryam Nayeb Yazdi (@maryamnayebyazd) 4 January 2018

Tehran’s offensive cyber capabilities on the rise. A new Carnegie Endowment for International Peace report sheds light on Iran's developing its cyber capabilities. The report, which utilizes hackers' chat logs and covers Iran's cyber activities over a ten-year period, shows how hackers associated with the Iranian government are becoming more sophisticated. It also shows the hackers’ day-to-day frustrations with poor pay, slow internet, and finding skilled talent. The report’s authors warn that although Tehran’s cyber capabilities remain unsophisticated in comparison to the United States, Iranian hackers have been highly successful at employing basic tactics against unprepared targets. 

India’s leaky biometrics database. The operator of India's national biometric database may have a massive data breach on its hands, exposing the country’s citizens to the potential loss of sensitive personal data. The Aadhaar program, often referred to the largest database of people in the world, maintains a record of nearly every Indian citizen and links each citizen’s unique identification number to personal information and sensitive biometric data. The project was intended to improve Indian’s access to social programs; however, poor security standards have exposed the database to repeated breaches. Last spring, a series of leaked caches posted online exposed the biometric data of 130 million Indians. The current security breach, which arises from unauthorized users gaining access to the database, appears to be even worse. One journalist was able to buy full administrative access for the equivalent of $8 dollars over WhatsApp. The agency responsible for the Aadhaar program said it has made a police complaint against those responsible for selling access.