STREAMING NOW: Watch Now

5 of the biggest data breaches

On Thursday, credit-reporting company Equifax disclosed that they had experienced a major data breach, affecting up to 143 million people. The company joins Yahoo, Myspace, Target, LinkedIn and more on the list of largest data breaches in history.

Posted: Jan 5, 2018 4:25 PM
Updated: Jan 5, 2018 4:25 PM

The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution -- which,of course, is not a solution -- is to throw them all away and buy new ones that may be available in a few years.

On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world's computers for the past 15 to 20 years. They've been named Spectre and Meltdown, and they operate by manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.

This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer -- maybe one running in a browser window from that sketchy site you're visiting, or as a result of a phishing attack -- can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Exactly how, we don't know yet.

Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling.

Patching against Meltdown can degrade performance by almost a third. And there's no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.

"Throw it away and buy a new one" is terrible security advice, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.

The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren't security teams on call to write patches, and there often aren't mechanisms to push patches onto the devices.

We're already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can't be fixed.

The second is that some of the patches require updating the computer's firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors.

But it couldn't get that update directly to users; it had to work with the individual hardware companies, and some of them just weren't capable of getting the update to their customers.

The final reason is the nature of these vulnerabilities themselves. These aren't normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.

It shouldn't be surprising that microprocessor designers have been building insecure hardware for 20 years. What's surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren't thinking about security. They didn't have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors.

Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.

Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they -- and the research into the Intel ME vulnerability -- have shown researchers where to look, more is coming -- and what they'll find will be worse than either Spectre or Meltdown.

There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.

This isn't to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method among many. All the normal security advice still applies: watch for phishing attacks, don't click on strange e-mail attachments, don't visit sketchy websites, patch your systems immediately, and generally be careful on the Internet.

You probably won't notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don't do all of these fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.

It's a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they'll figure out some clever way of detecting and blocking the attacks.

But more are coming, and they'll be worse. 2018 will be the year of microprocessor vulnerabilities, and it's going to be a wild ride.

Indiana Coronavirus Cases

(Widget updates once daily at 8 p.m. ET)

Confirmed Cases: 32078

Reported Deaths: 2004
CountyConfirmedDeaths
Marion9268539
Lake3320168
Cass15826
Allen130966
St. Joseph120534
Hendricks113067
Hamilton111592
Johnson1086104
Elkhart105728
Madison58258
Porter49021
Bartholomew48133
Clark46138
LaPorte41522
Tippecanoe3753
Jackson3671
Howard36519
Delaware35735
Hancock32127
Shelby31521
Floyd31438
Boone28835
Morgan26224
Vanderburgh2482
Montgomery23117
White2268
Decatur22431
Clinton2221
Grant19121
Noble18921
Harrison18721
Dubois1852
Greene16724
Warrick16426
Dearborn16421
Henry1619
Monroe16011
Vigo1477
Lawrence14423
Miami1391
Putnam1337
Jennings1274
Orange12422
Scott1183
Ripley1126
Franklin1068
Kosciusko941
Carroll922
Daviess8216
Steuben802
Marshall761
Newton7410
Wabash722
Wayne715
Fayette684
LaGrange602
Jasper581
Washington521
Fulton471
Rush452
Jay440
Randolph433
Jefferson411
Whitley402
Pulaski390
Clay391
Owen341
Brown331
Sullivan321
Starke313
DeKalb311
Perry260
Huntington262
Knox250
Tipton251
Benton250
Wells240
Crawford230
Blackford211
Switzerland190
Fountain182
Spencer171
Posey170
Parke170
Gibson142
Ohio130
Warren121
Adams121
Vermillion90
Martin90
Union80
Pike60
Unassigned0154

Illinois Coronavirus Cases

(Widget updates once daily at 7 p.m. CT)

Confirmed Cases: 113195

Reported Deaths: 4923
CountyConfirmedDeaths
Cook738193354
Lake7767250
DuPage7290340
Kane5866153
Will5238258
Winnebago199351
McHenry145268
St. Clair101773
Kankakee80242
Kendall72719
Rock Island63922
Champaign5697
Madison54056
Boone40716
Sangamon33226
DeKalb3313
Randolph2593
Jackson22810
McLean21210
Stephenson1952
Ogle1922
Macon18819
Peoria1858
Clinton17816
Out of IL1771
Union1417
LaSalle14013
Whiteside13310
Iroquois1314
Unassigned1200
Coles1159
Warren1140
Jefferson10116
Knox950
Monroe9211
Grundy892
McDonough835
Lee761
Tazewell683
Cass670
Henry670
Williamson541
Marion500
Jasper457
Adams441
Macoupin421
Perry410
Pulaski400
Montgomery391
Vermilion391
Morgan341
Christian334
Livingston312
Douglas280
Jo Daviess270
Fayette203
Ford201
Jersey201
Washington180
Woodford182
Mason170
Menard170
Shelby161
Bureau151
Hancock150
Mercer150
Carroll132
Franklin120
Piatt120
Crawford110
Fulton110
Bond101
Brown100
Clark100
Cumberland100
Logan100
Moultrie100
Schuyler100
Wayne91
Alexander80
Henderson80
Johnson70
Massac70
Saline70
Effingham61
Greene50
Marshall50
De Witt40
Lawrence40
Richland30
Stark30
Clay20
Edwards20
Gallatin20
Hamilton20
Wabash20
White20
Calhoun10
Hardin10
Pike10
Pope10
Putnam10
Edgar00
Terre Haute
Clear
66° wxIcon
Hi: 79° Lo: 65°
Feels Like: 66°
Robinson
Clear
67° wxIcon
Hi: 76° Lo: 64°
Feels Like: 67°
Indianapolis
Broken Clouds
69° wxIcon
Hi: 79° Lo: 65°
Feels Like: 69°
Rockville
Clear
62° wxIcon
Hi: 80° Lo: 65°
Feels Like: 62°
Casey
Clear
66° wxIcon
Hi: 76° Lo: 65°
Feels Like: 66°
Brazil
Clear
66° wxIcon
Hi: 80° Lo: 65°
Feels Like: 66°
Marshall
Clear
66° wxIcon
Hi: 78° Lo: 65°
Feels Like: 66°
Showers Likely
WTHI Planner
WTHI Temps
WTHI Radar

WTHI Events