Spectre, Meltdown, and Home Computer Security

Spectre isn't just out for James Bond!

There are all sorts of viruses out there.  Some will hunt for credit card and other sensitive information on your computer.  Others will delete your data.  Still others will encrypt your data so that you won't be able to get it back without paying a ransom. 

A new variant is tied to the new crypto-currencies like bitcoin. Computers are used to "mine" for crypto-gold. The problem is that it takes a lot of computer power, and a lot of electrical power, too, to successfully search for digital gold. Some viruses steal your computing power (and energy) by surreptitiously diverting a portion of your computer's resources to mine for gold. In short, they get rich while you pay for it. Meanwhile your machine slows down, sometimes becoming unusable.

There is a constant war between the good guys and the bad regarding security.  There are researchers on both sides looking to find ways that your computer can get breached.

Recently two threats became public: Spectre and Meltdown. The former attacks AMD and ARM processors (like the one in smartphones), the latter Intel CPUs used by modern Macs and PCs. They are particularly nasty because, unlike software exploits that can be patched with new code, these attack via flaws in the hardware of the computer itself. This makes it harder to fix – worse, the fix is almost guaranteed to slow your computer down a bit. More bad news: these vulnerabilities (or similar ones) are in Macs and PCs and affect processors by Intel, Nvidia, and AMD. In short, virtually all our computers are vulnerable.

So What Can We Do?

To a large extent, what you should do to fight Spectre and Meltdown is what you should have been doing all along: 1) keep your computer up to date, 2) use a good anti-virus program, 3) use a firewall, 4) use two-factor authentication, 5) use a password manager, and 6) have multiple backups.

Stay Current
Keeping your computer’s operating system up-to-date is essential. Microsoft and Apple are both working to push patches. Since Spectre and Meltdown are both baked into the chips, solving the crisis won’t be easy. In fact, it may not be completely possible. Apple’s latest patch for iOS, for instance, doesn’t pretend to solve for all types of attacks, but aims instead at the most common way you’re likely to get attacked: your browser.

Making matters even more complicated, the patches will cause almost all computers and phones to slow down to a certain extent. In some cases computers have completely locked up.

But doing nothing is not an option. Experts warn that attempts to weaponize Spectre and Meltdown are already underway. So, keeping your machine up-to-date is essential: you need to make sure your operating system, drivers, and programs are current.

Since a primary attack vector will be through your browser, it is essential that you are always using the most current browser available.

Compute with Protection
It goes without saying that computing without virus protection is a bad idea. Your virus checker should be set to auto-update. Generally speaking, you only need one anti-virus program running on your machine at a time. However, some are written in such a way as to cooperate with others. On my own system I use an antivirus program and a separate malware program, Malwarebytes.

Use Multiple Passwords
It is really important to use different passwords on each site you visit, particularly the ones that take your credit card numbers.  Why?  If one site gets hacked, the bad guys don’t get the key to all your accounts.  The trouble is that it is hard to remember all those passwords.  For that reason I suggest a password keeper, such as LastPass.  It will fill in the passwords for you. 

Use a Firewall
Your system probably has two firewalls in place.  Make sure both are actually running.  You’ll find one in your operating system. The other will be in the setup of your router.

Use Two-Factor Authentication
You’ll find the option to use Two-Factor Authentication on some high-profile sites like Amazon and Gmail. The idea is that if someone wants to change your password without you knowing, they will be thwarted because the program will first notify you via a second method (often email or text message). It can be a real pain, however, if you are travelling and don’t have access to your phone. Be sure to either turn it off when you are in situations where you don’t have cell access (like when you are out of the country) or print and carry secondary codes in your wallet that can be generated in advance of travel.

Backup, Backup, Backup
My wife’s machine went down this weekend after downloading one of the aforementioned update patches. She was locked out of her machine. Fortunately, I simply plugged her into our network, booted from a pre-prepared USB drive, and into her backup that had been taken automatically before her machine crashed. Voilà! She had her machine up and running in almost no time.

I recommend having multiple backups; preferably, one should be off-site, up in the cloud.

My program of choice is StorageCraft’s ShadowProtect. For me, it has been reliable time and time again. It allows file-by-file or complete disk restoration, so whether you've lost just one file or the whole system is down, you can get back to business fast.