Graphics by Cassandra Stephenson
As software providers and processor manufacturers race to release patches for two security vulnerabilities that allow hackers to potentially access sensitive data on nearly any computer, Pepperdine IT is urging the university community to immediately apply updates.
Security researchers announced “Spectre” and “Meltdown” on Jan. 3, but the cleanup is far from over. Sensitive data at risk include passwords and login credentials.
The Spectre and Meltdown vulnerabilities exist in processors, meaning all computers are at risk of exploitation, Pepperdine Chief Information Officer Jonathan See said. This includes smartphones, iPads, mobile reading electronic devices and cloud computing services like those provided by Google and Amazon Web Services.
“The danger is if you continue to leave your system unpatched, if you continue to defer any notifications to patch your systems, then your exposure — risk factor — goes up,” See said. “Especially now-a-days when everything is so connected to the internet.”
Though the university and the industry both report no known exploits at this time, both institutions stress that getting systems patched is the highest priority.
Patches, or software produced by industry providers to fix or improve programs, can help mitigate these vulnerabilities and protect data. Users should look for patches available for their operating systems, iOS operating systems (for iPhone users) and browser extensions. Browsercheck.pepperdine.edu scans all browser updates and links users to updates they still need to apply. Users should also update antivirus programs to protect against malicious software and apps that would allow attackers to exploit Spectre and Meltdown, See said.
Pepperdine automatically patches all institution-owned devices, See said, but students, adjunct faculty members and faculty with personal devices need to make sure they immediately update their systems themselves. Pepperdine IT sent out a university-wide email Tuesday with a guide on how to update personal devices.
Spectre accesses sensitive data by exploiting a normal process in a computer’s processor that aims to help computers operate faster, while Meltdown allows hackers to access data through operating systems.
Intel, one affected processor manufacturer, addressed the vulnerability in their CES 2018 Keynote on Jan. 8. Intel has received no reports that the exploits have been used to steal data, CEO Brian Krzanich said in his speech.
“The best thing you can do to make sure that your data remains safe is to apply any updates from your operating system vendor and system manufacturer as soon as they become available,” Krzanich said. For Intel’s part, patches for 90 percent of processors introduced in the last five years were made available on Jan. 14. The remaining processors should have updates by the end of the month.
Google, Microsoft, Apple and other companies are working on patches, some of which have already been rolled out, according to the United States Computer Emergency Readiness Team. Google also recommends enabling “site isolation” which protects potentially sensitive data (like login credentials) that could otherwise be attacked through the browser’s process memory. These patches will help stave off potential security exploits — for now.
Spectre, a hardware-based vulnerability, will likely require multiple, indefinite patches unless the hardware itself is redesigned and replaced (a costly fix). But regularly patching computers should be a normal process for computer users anyway, See said, even outside of patches for Meltdown and Spectre. Though patching can sometimes be a “cumbersome process,” See said that consistently deferring patches and updates creates the most critical exposures to attacks.
Given the existence of the vulnerabilities, See said it’s only a matter of time before someone is able to create a malicious app to take advantage of Spectre and Meltdown to attain sensitive information.
“Why wait when you know this is pretty much going to be coming?” he said.
Student Government Association President Austin Welch said he believes Pepperdine is doing the best they can to tackle this issue.
“I think they are being proactive and reactive about it as best as they can,” he said.
Junior Matthew Garcia said he thinks there is no need to stress about the situation.
“I don’t see the point of stressing out over something that I cannot control, but I guess if the school were to increase their security or work toward counteracting us being at risk, than that would be nice and all give us a sense of relief,” Garcia said. “Like if someone is going to hack my stuff then I don’t really know how to stop that.”
Bryce Hanamoto, Marisa Martin and Kristin Vartan contributed reporting to this article.
Follow the Graphic on Twitter: @PeppGraphic