The year 2018 opened with the tech industry in shock. The critical Spectre and Meltdown vulnerabilities rocked nearly every machine in use, allowing attackers to read memory contents on computers, mobile devices and cloud servers.
Such a massive, wide-reaching tech catastrophe was the result of a lack of oversight that would create serious liability in other industries. A comparable scenario would be to wake up one day and discover that the X-ray machines in every doctor’s office, hospital and medical clinic actually cause significant harm, and that the devices had been put on the market untested regardless.
Vendors like Google, Amazon and Microsoft have already created a patch to take care of the Meltdown vulnerability, which allows user applications to snag information from the device’s operating system memory.
The patch, however, has not yet been released and is now expected to be rushed out in coming updates.
To break the two vulnerabilities down into one sentence each:
- Meltdown breaches the segregation that exists between user applications and the operating system.
- Spectre breaches the segregation between different applications, which can force one compliant application to cough up its contents.
To describe the steps of executing Meltdown (according to @ErrataRob):
- Load a byte of memory from the kernel, which leads to the inevitable crash of the device.
- Use that loaded byte to load one of the 256 cache-lines, which happens before the crash is registered—so even though the data is disregarded, the data is still cached.
- Measure which of the 256 cache-lines are fast.
There isn’t a fix for Spectre, which creates a massive problem, the likes of which no other industry has really faced.
Even though this affects roughly the last 20 years of chips and devices, how specifically does it affect the dark web? Dark web servers are generally hosted by people or organizations that operate on the fringe; regardless, they are hosted on servers using these same chips. This issue affects nearly everyone hosting a dark web site.
If a dark web site uses a form of shared hosting, as many do, then it’s possible for someone to gain access to the server, perform the attack, move to another part of the server machine (another customer’s data) and steal information including SSH keys, site information (personal details) or any other form of data.
These vulnerabilities are a major problem for anyone acting in anonymity on the dark web.
If they have any identifying information stored within their site, client-facing or not, and the site is using a remote host, then they should be concerned that someone else sharing their darknet hosting provider could perform the Meltdown attack and gain access to their data.
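One concrete check an operator can run on a Linux host (their own box, or a shell on a shared host) is to read the kernel’s own report of which of these flaws are mitigated. This is an added example, not code from the original post: it parses the one-line status files that Linux kernels from 4.15 onward expose under /sys/devices/system/cpu/vulnerabilities/, and falls back to constructed sample contents when that directory is absent.

```python
import os

# Linux (kernel 4.15 and later) reports the mitigation state of each CPU flaw
# as one line in /sys/devices/system/cpu/vulnerabilities/<flaw>.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
FLAWS = ("meltdown", "spectre_v1", "spectre_v2")

# Constructed sample contents in the kernel's own format: a host patched for
# Meltdown (KPTI) and Spectre v1 but still exposed to Spectre v2.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable\n",
}

def parse_status(line):
    """Classify one sysfs line as (state, raw_text); unknown wording is flagged."""
    text = line.strip()
    if text.startswith("Mitigation:"):
        return "mitigated", text
    if text.startswith("Vulnerable"):
        return "vulnerable", text
    if text == "Not affected":
        return "not_affected", text
    return "unknown", text   # empty file (pre-4.15 kernel) or new wording

def read_sysfs(directory=SYSFS_DIR):
    """Read the real files; a missing file is returned as empty (unknown)."""
    contents = {}
    for flaw in FLAWS:
        try:
            with open(os.path.join(directory, flaw)) as fh:
                contents[flaw] = fh.read()
        except OSError:
            contents[flaw] = ""
    return contents

def assess(contents):
    """Return {flaw: (state, detail)} and the flaws that still need attention."""
    statuses = {f: parse_status(contents.get(f, "")) for f in FLAWS}
    exposed = [f for f, (state, _) in statuses.items()
               if state in ("vulnerable", "unknown")]
    return statuses, exposed

if __name__ == "__main__":
    data = read_sysfs() if os.path.isdir(SYSFS_DIR) else SAMPLE
    statuses, exposed = assess(data)
    for flaw, (state, detail) in statuses.items():
        print(f"{flaw:10s} {state:12s} {detail}")
    print("still exposed:", ", ".join(exposed) or "none")
```

A flaw reported as "unknown" (file missing or empty) means the kernel predates the mitigation work and should be treated as unpatched.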
Meltdown can and will be patched. In doing so, there are estimates that a significant percentage of chip performance will be lost.
It’s the age-old issue of speed versus security. I know which side I’d rather be on, but when the industry is always measuring chip speed, in this capitalist system, nobody stops to look around if the car is going 120 mph.
Spectre, though, is perhaps more troubling. It’s essentially unfixable for now, which means we will be waiting for major hardware upgrades to take care of the flaw. Thankfully, it is much harder for any hacker to implement.
Sandboxing, process separation, containerization and proof-carrying code all rely on a faithful CPU as the foundation of their security. Spectre blows this away. This fact is worrying for the dark web and for anyone who is hosting.
It’s presently unclear how these vulnerabilities affect running Tails in a VM: whether any remnants are left behind on the CPU for Meltdown to pick up, or whether Spectre allows full-blown leaking to the core system CPU.
More to come.