Open Sesame

 

The latest crisis in computer security comes from news of the Meltdown and Spectre Central Processing Unit (CPU) exploits. Nearly all desktop and laptop computers are affected, and most tablets, smartphones, and other small devices are also affected.* The difference is on account of the types of CPUs used for the various computers and devices. Since home users usually access password protected accounts like email and online banking from smaller devices as well as larger computers, they could see their privacy and online security compromised across platforms. In other words, hackers can exploit a hardware flaw in the CPUs of home computers, and then hackers could use that vulnerability to access private email and banking passwords in software that crosses platforms.

 

עלי באבא מתחבא על העץ
In the story “Ali Baba and the Forty Thieves”, Ali Baba overhears one of the thieves say “Open Sesame” to open the entrance of the cave where they store their loot. Illustration by Rena Xiaxiu.

CPU makers like Intel† are racing to fix the problem, which was first discovered by Google security researchers last June, and internet browser makers, where many users store passwords, are hurrying to tighten security on their end. In the meantime, people need to be vigilant about email and banking security themselves, starting with changing their passwords if they suspect unusual activity in their accounts and running a full suite of anti-virus, anti-spyware, and anti-malware programs on their computers. Those are routine security measures that people ought to be taking already, but unfortunately some folks don’t even do that much. When their computers are compromised by hackers, those home users are often as not completely unaware they are being used as part of a rogue network, called a botnet, to spread spam and other nasties throughout the internet. When everything is linked as with the internet, the weakest links are the easiest targets of hackers.

Even after tightening up individual computer security by using strong passwords and storing them securely, by not clicking on links in untrusted emails, by surfing the web safely using the anti-phishing feature built into most browsers, by regularly updating a security suite and running scans with it, even after all that a careful home user can still have difficulties, whether it’s because of something completely out of their control in the so-called cloud, such as when credit reporting agencies got hacked, or simply because their Internet Service Provider (ISP) momentarily gives them the Internet Protocol (IP) address of a blacklisted spammer, causing their email provider to block their account.

Since the majority of IP addresses are dynamic rather than static, meaning that each time a computer user connects to the internet the device that user is on, or possibly a larger network it is part of, is assigned a different IP address rather than keeping the same IP address from session to session. Because dynamic IP addresses are recycled, it’s a wonder that the unfortunate coincidence of being assigned a blacklisted address does not happen more often than it does. It’s impractical to remove a bad address from the rotation entirely because spammers can jump from address to address so quickly that soon all of them would be blacklisted, or the addresses would have to be prohibitively long.

Alfred Hitchcock’s 1956 film The Wrong Man explores the nightmare of mistaken identity.

The other way to get blacklisted as a spammer is to get hacked as described earlier, either through negligence or bad luck, and end up an unknowing part of a botnet distributing spam to friends and strangers alike. The use of biometrics like fingerprint and iris scans are no better a solution to account security than passwords since hackers have been at work on spoofing mechanisms for biometrics. Police can also compel people to grant access to their computers and other devices when they are locked by biometric measures, whereas they cannot compel people to divulge their passwords. There is no single, simple solution to keeping private data entirely secure on any computer or device as long as it is connected to the internet. It’s like the locks on doors and windows, which ultimately will keep out only honest people. Dishonest people will find a way in if they are determined enough, but it’s better for everyone else if it’s not too easy for them, and if they get caught sooner rather than later.
― Techly

*Post updated to enlarge number of devices affected.

†In November, long after he had learned of the vulnerability in his company’s products, but of course before the flaw had become general knowledge last week, Intel CEO Brian Krzanich sold almost all of his stock in the company for $39 million.