Spectre blog post

This commit is contained in:
georgeowell 2018-01-14 22:45:58 +00:00
parent 0939401b25
commit 8ad7fd5fed
3 changed files with 153 additions and 3 deletions

View File

@ -71,7 +71,7 @@
<p> <p>
A grounded and principled understanding of the cybersecurity domain can ensure A grounded and principled understanding of the cybersecurity domain can ensure
your organisation is not liable to any unwanted security threats. We provide your organisation is not liable to any unwanted security threats. We provide
structured training. structured training taliored to your threat model.
</p> </p>
</li> </li>
</ul> </ul>

View File

@ -1,8 +1,8 @@
--- ---
layout: post layout: post
title: Our Founding Principles title: Our Founding Principles
description: Autonomic Co-operative And Our Core Values. description: Autonomic Co-operative And Our Core Values
image: pic01.jpg image: thinkpad.jpg
category: values category: values
date: 2017-10-03 date: 2017-10-03
--- ---

View File

@ -0,0 +1,150 @@
---
layout: post
title: Spectre and Meltdown
description: A Spectre Is Haunting Our Processors...
image: spectre.jpg
category: values
date: 2018-01-11
---
Autonomic have now completed the process of applying patches to to all
of our servers in response to the so called Spectre and Meltdown
vulnerabilities. Our upstream providers have also confirmed that they have
patched their infrastructure. We will monitor the situation as it develops.
We are currently super busy with clients so we decided to repost the
excellent security bulletin from our friends over at [Rise Up](https://riseup.net/)
which goes into detail oh how to update various operating systems. All credit
to them for the rest of this blog post.
## The Facts
As you have probably read, there are three related security problems in
contemporary CPUs. These vulnerabilities open the potential for a
nefarious program to steal passwords, secrets, and personal information
from you computer, even if the program is just Javascript loaded from a
web site you visit. These vulnerabilities are as serious as they sound,
and you should take action to upgrade your software.
* The first flaw, called "Meltdown," affects nearly all Intel CPUs and
has been fixed with updates to most operating systems.
* The two other flaws, called "Spectre," apply to nearly all CPUs built
in the last 20 years, not just Intel, although they are more difficult
to exploit. There are no permanent fixes for Spectre available at this
time, although if you update your software you will make these attacks
much less likely.
You should take *both* these steps now, for all your devices:
* Upgrade your web browser (see below). These fixes make the new
attacks against CPUs more much difficult.
* Upgrade your operating system. There are updates available for
Windows, macOS, and GNU/Linux that fix the Meltdown vulnerability for
Intel CPUs and provide some mitigations for Spectre. Additionally, new
releases of iOS and Android have mitigations for Spectre.
Better fixes will continue to arrive in the next weeks/months for your
operating system and software. Please keep your system up to date!
## Browsers
By updating your browser, you can make it significantly harder for an
attacker to steal secrets off your computer using Javascript loaded from
a web site you visit.
Firefox version 57.0.4 and later [includes mitigation measures](https://www.mozilla.org/en-US/security/advisories/mfsa2018-01/)
against Spectre attack.
Edge has been updated to include Spectre migitations. When you apply the
latest Windows update, you will get the new version of Edge.
Safari will be updated very soon, according to Apple. Check the App
Store updates.
Chrome will include Spectre mitigations starting with version 64, to be
released Jan 23. In the mean time, you can change your configuration to
greatly mitigate [against the Spectre vulnerability by enabling](https://support.google.com/chrome/answer/7623121?hl=en)
"site isolation."
Additionally, please see [Rise Up's better browsing guide](https://riseup.net/en/better-web-browsing) for
instructions on best practices for securing your web experience (which
will also help mitigate against these new attacks).
## Windows
For Windows 10, you must first upgrade any anti-virus software before
upgrading Windows. [Failure to do so may make your computer stop working](http://www.theregister.co.uk/2018/01/04/microsoft_windows_patch_meltdown/).
To upgrade Windows 10:
```
Select the Start button, and then go to Settings > Update & security > Windows Update, and select Check for updates.
```
Now is a good time to enable automatic updates:
```
Select the "Start" button, then select "Settings" > "Update & security" > "Windows Update" > "Advanced options"
and then under "Choose how updates are installed", select "Automatic (recommended)".
```
If you are running Windows 7 or 8, an update is also available.
## macOS
If you already have macOS version 10.13.2 then you are [protected against Meltdown](https://support.apple.com/en-us/HT208394).
Otherwise, to upgrade macOS:
```
Open the App Store app on your Mac. Click "Updates" in the App Store toolbar, then use the "Update" buttons
to download and install any updates listed.
```
Now is a good time to check enable automatic updates:
```
Select the Apple menu, then select "System Preferences" > "App Store" > "Automatically check for updates".
```
Apple plans to soon release an update to Safari browser to provide some
mitigation against Spectre.
## iOS
Apple has said that iOS is affected by Spectre, and an update to
mitigate against most of the new attacks has been released. If you have
iOS version 11.2 or later, [then you are good](https://support.apple.com/en-us/HT208394).
To check for new updates, go to `Settings > General > Software Update.`
## Android
The bad news is that Android is vulnerable to Spectre and unless you
have a Google-branded phone or run a custom firmware you might not get
an update for months, if ever. However, the consensus among security
researchers at the moment is that the Spectre attack is difficult enough
that there are probably easier ways to compromise an Android device.
Yeah?
There is one thing you can do now to make your Android device more safe
against these new CPU attacks:
* Turn on ["site isolation" in Chrome](https://support.google.com/chrome/answer/7623121?hl=en)
* Upgrade Chrome Browser after Jan 23.
* Alternately, use Firefox for Android.
## Debian/Ubuntu GNU/Linux
Run "Software Center" or "Software Updater."
Alternately, open a terminal and type:
```
sudo apt update
sudo apt upgrade
sudo reboot
```
## Fedora GNU/Linux
Open a terminal and type:
```
sudo dnf --refresh update kernel
sudo reboot
```