5 of the biggest data breaches

On Thursday, credit-reporting company Equifax disclosed that they had experienced a major data breach, affecting up to 143 million people. The company joins Yahoo, Myspace, Target, LinkedIn and more on the list of largest data breaches in history.

Posted: Jan 5, 2018 4:25 PM
Updated: Jan 5, 2018 4:25 PM

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which, of course, is not a solution -- is to throw them all away and buy new ones that may be available in a few years.

On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15 to 20 years. They've been named Spectre and Meltdown, and they operate by manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.

This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer -- maybe one running in a browser window from that sketchy site you're visiting, or as a result of a phishing attack -- can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Exactly how, we don't know yet.

Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling.

Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

"Throw it away and buy a new one" is terrible security advice, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren't security teams on call to write patches, and there often aren't mechanisms to push patches onto the devices.

We're already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can't be fixed.

The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors.

But it couldn't get that update directly to users; it had to work with the individual hardware companies, and some of them just weren't capable of getting the update to their customers.

The final reason is the nature of these vulnerabilities themselves. These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren't thinking about security. They didn't have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors.

Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown.

There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

This isn't to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method among many. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites, patch your systems immediately, and generally be careful on the Internet.

You probably won't notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don't do all of these fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.

It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks.

But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.
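
The advice above to patch systems immediately can be checked on Linux, where recent kernels report their own Meltdown and Spectre status under /sys/devices/system/cpu/vulnerabilities. The script below is an added example, not part of the original article; the function names `classify_status` and `check_cpu_vulns` are made up for illustration, and the sample status files are constructed.

```shell
#!/usr/bin/env bash
# Added example: summarize the kernel's self-reported Meltdown/Spectre status.

# classify_status STRING -> prints ok | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) echo ok ;;
        "Mitigation:"*)  echo mitigated ;;
        "Vulnerable"*)   echo vulnerable ;;   # also "Vulnerable: <detail>"
        *)               echo unknown ;;
    esac
}

# check_cpu_vulns [DIR] -> prints one "name verdict detail" line per issue.
# Returns 1 if any issue is vulnerable or has no kernel report at all.
check_cpu_vulns() {
    dir="${1:-/sys/devices/system/cpu/vulnerabilities}"
    rc=0
    for name in meltdown spectre_v1 spectre_v2; do
        if [ -r "$dir/$name" ]; then
            detail=$(head -n 1 "$dir/$name")
            verdict=$(classify_status "$detail")
        else
            # A missing file means the kernel predates this interface:
            # treat it as unknown, never as safe.
            detail="no kernel report"
            verdict=unknown
        fi
        printf '%-11s %-10s %s\n' "$name" "$verdict" "$detail"
        case "$verdict" in vulnerable|unknown) rc=1 ;; esac
    done
    return "$rc"
}

# Constructed sample directory (not captured from a real host): Meltdown is
# mitigated, Spectre v1 is reported vulnerable, Spectre v2 has no report.
demo_dir=$(mktemp -d)
echo "Mitigation: PTI" > "$demo_dir/meltdown"
echo "Vulnerable"      > "$demo_dir/spectre_v1"
check_cpu_vulns "$demo_dir" || echo "action needed: apply kernel and firmware updates"
rm -rf "$demo_dir"
```

Calling `check_cpu_vulns` with no argument reads the live sysfs directory; the non-zero exit status makes it usable as a fleet compliance check.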
