How Computers Work

I will be teaching a new class at the Ferndale Public Library on Saturday, September 22, 2-3pm. My grandson Christopher and I made ourselves available for an hour every two weeks to help people with their computing questions and problems last year, taking the summer off. We found out a lot about the kinds of difficulties folks have with computers.

As an engineer, I can’t work with anything unless I know how it works. Many people know how to use a computer, more or less, but they don’t know how it works—what’s happening inside those desktops, laptops, tablets, and phones. In the Saturday class, I’ll be talking about how it all works. For a lot of folks, using computers becomes easier once they understand how they work. Computers have tremendous power, and many limitations. Asking them to do things that are not possible or extremely difficult causes frustration, and users often don’t know what is easy and what is hard. In this class, I’ll try to lay the groundwork for understanding, rather than simply pushing the buttons on computers.

Putting the class together has been a challenge. I plan to explain digital computing in ways that I haven’t seen outside a few engineering classes. I hope the presentation will be clearer, easier to understand, and more revealing than anything I have read or seen for beginners. Christopher is a teenager who used computers from preschool; I wrote my first program in 1967. Between the two of us, we cover a lot of territory.

Christopher and I will also be back on every 1st and 3rd Wednesday at the Ferndale Public Library from 3p to 4p, starting Wednesday, September 5. Last year, we handled questions on email, setting up a Linux development environment, and folks who may have been hacked. We’re excited to see what will be bothering folks this year. We’re ready for anything… I hope.

Spectre and Meltdown

Will Spectre and Meltdown be the flagship computer security crisis of 2018? There is a good chance that it will be, although I doubt that many personal computer users will be directly affected.

Good news

These flaws are hard to understand and take advanced engineering skills to implement; when implemented they are hard to exploit; I struggle to imagine results that would be worth a hacker’s trouble. Also, exploiting these flaws on a computer you do not already have access to is close to impossible. Consequently, good basic computer hygiene will protect you from these attacks as well as everything else thrown at you. In addition, the exploits are read-only; they do not corrupt data or processes.

The patches are going out this week to all the major operating systems and so far, the bruited predictions of devastating across-the-board 30% performance degradations have not proven out. 10% degradation and only in limited circumstances seems more realistic according to early testing reports.
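
On Linux, kernels that carry these patches report their status in files under /sys/devices/system/cpu/vulnerabilities. The following is an added example, not part of the original post, that reads those files and flags anything the kernel reports as unmitigated; the function names are my own, and a missing file is treated as "unknown" on the assumption that the kernel predates this reporting.

```python
from pathlib import Path

# Directory where patched Linux kernels publish per-flaw status.
SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
CHECKS = ("meltdown", "spectre_v1", "spectre_v2")


def classify(text):
    """Reduce the kernel's status line to one of four states."""
    text = text.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def mitigation_report(base=SYSFS_DIR):
    """Return {flaw: (state, raw status line)} for each flaw in CHECKS."""
    report = {}
    for name in CHECKS:
        try:
            raw = (Path(base) / name).read_text().strip()
        except OSError:
            # No file: the kernel is too old to report, or this is not Linux.
            report[name] = ("unknown", "not reported by this kernel")
            continue
        report[name] = (classify(raw), raw)
    return report


def needs_attention(report):
    """List the flaws that are unmitigated or whose status is unknown."""
    return sorted(name for name, (state, _) in report.items()
                  if state in ("vulnerable", "unknown"))


if __name__ == "__main__":
    for name, (state, raw) in mitigation_report().items():
        print(f"{name:12} {state:13} {raw}")
```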

Less good news

Nevertheless, the fallout from Spectre and Meltdown is likely to cause migraines and insomnia among computer security experts for months, even years to come. And the picture is not quite as rosy for businesses, especially for businesses that rely on virtual computing in various forms, as it is for individuals.

Scope

These are not your garden variety zero-day exploits. When I wrote about KRACK a few months ago, I explained that the flaw is particularly bad because it is in the standard and every correct implementation is vulnerable. The Spectre and Meltdown flaws are in the processor chip design. Intel processors have the worst problems and they perform the vast majority of computer processing in the world today, but AMD and ARM processors are also affected. That covers most of the rest of computing, including phones and tablets. For reasons I will elaborate on later, I suspect other processors have not been cited only because no one has looked hard enough yet.

The patches that have been applied are crack sealers; they do not repair the broken foundation that caused the cracks. Fixing the source of the cracks will require new processor designs and new chips. In order to explain just what Spectre and Meltdown are, I have to explain several unfamiliar concepts.

Protection rings

One of the pillars of computer security is the “protection ring.” Protection rings are what prevent one computer process from interfering with another. For example, without protection rings, a login gate that users must pass through before using a computer is easier to circumvent. Protection rings have been built right into the silicon of most processors since the eighties and the concept goes back to the beginnings of multi-processing in the 60s.

To science fiction readers, I liken protection rings to Asimov’s laws of robotics—they are intended to be intrinsic in all computers. In theory, protection rings when properly used make it impossible to break into a well-written operating system without physically altering the processor. When a computer is hacked into, it usually stems from a flaw in the operating system’s use of protection rings, not the physical processor chip.

The Spectre and Meltdown flaws are special because they are gaps in the integrity of privilege rings that were inadvertently built into the processor chips. To see how these gaps were opened, we have to look at concepts of modern processor design.

Multi-core processors

One of these concepts is “multi-core processors.” Before the advent of multi-cores, the capacity of processors was beginning to be limited by the great physical speed limit: the speed of light. When a processor reaches a certain number of instructions per second, it is limited by the time a signal takes to travel across the chip at the speed of light. The processor can’t move on to the next instruction in less time than it takes to read the previous instruction’s results.

Processor designers got around that by putting multiple processors, cores, on a single chip. In theory, by putting two cores on a chip, the speed is doubled. But that does not really solve the problem because taking advantage of the doubled speed requires complex and expensive changes in program design.

Speculative execution

The designers hit on a solution to this: speculative execution. Most computer programs are long chains of “if-thens”. If X condition is met, do Y; if it is not met, do Z. Traditional computers first evaluate X, then decide whether to perform Y or Z. With speculative execution, at the same time one core evaluates X, another core performs Y, and a third performs Z. Depending on how X comes out, Y or Z is discarded. This is a gross simplification, but in the time a single core uses to evaluate X, the three cores already have both the Y and Z results. Thus, the multi-core processor executes a conventionally written program in much less time than a single core. And the speed of computing doubles in 18 months again. Nifty, huh?

Not so nifty. Those discarded speculative chunks of execution can be manipulated in such a way that protection rings are violated. I won’t go into how it’s done. A Google researcher explains it here.

Migraines and insomnia

I am not optimistic when I think about what these defects reveal about processor design. Software development underwent a revolution in the early part of this century when security rose in priority. You can read about it in my book, Personal Cybersecurity. Security was a neglected step-child in the pioneering days of software development in the last century, but around 2000, the industry realized that computing would die if software was not built with more secure methodologies. The revolution is still going on, but the slap-dash attitude toward security that characterized the software cowboys of the 90s is gone.

Spectre and Meltdown tell me that the security revolution did not make it into processor design. Makes you think about why the CEO of Intel sold a big block of Intel stock after the flaws in Intel chips were discovered.

I am afraid we have not heard the last of chip level security flaws. I hope processor designs are not easy pickings for hackers, but the fact that these flaws have been present for at least a decade is daunting. Also, to completely eradicate these flaws, processor chips or entire computers will have to be replaced, which suggests that heads will ache on for years.

Coming soon

I wrote a blog on hypervisor hacking and one on virtual machine security for Network World last year that are affected by the Spectre and Meltdown flaws, but I’ll save comments on the safety of virtual computing for another blog.

Ransomware Protection Strategies for Small Business

I was chatting with a lawyer yesterday about cybersecurity and he mentioned that he has heard that law offices in our county have been hit with ransomware in the last few months. Law offices are a ripe target for ransomware because the confidentiality and integrity of their records are vital. Lose their records, lose their business. The same applies to many other small businesses.

What is ransomware? Ransomware is malicious software used by a criminal to deny the rightful owner of a computer system access to vital system resources and demand payment to restore the resources. Usually, ransomware encrypts data and demands Bitcoin or other untraceable cybercurrency payment for decrypting the data.

What should these offices and other small businesses do to protect themselves from ransomware? I suggest a two-pronged approach: prevention and damage control.

Prevention

Take steps to avoid a ransomware assault in the first place. The practices below are basic cyber hygiene for everyone that will lessen the chances of all forms of cybercrime.

  • Use a good anti-virus scanning utility. Keep it up-to-date and scan regularly.

    Wondering which utility? Windows Defender, the default Windows 10 anti-virus, is a good choice. It’s already installed, doesn’t get in the way, and does a competent job. Are 3rd party tools better? The anti-virus business is highly competitive. Which utility is best changes rapidly. I use Windows Defender myself because it is convenient, and Microsoft has invested in keeping Defender among the best, which is good enough for me. Whatever you do, use an anti-virus utility and keep it up to date.

  • Use only supported operating systems and applications and subscribe to automatic updates. New vulnerabilities show up every day. Accept the manufacturer’s help in patching up the holes as they appear.

    If you don’t trust your vendor’s updates, get rid of their software. If you don’t, you put your business at risk. The only exception to this rule is when you have special software that is frequently broken by security patches. At that point, you are strapped and dependent on the maintainer of your special software. Avoid this situation if you can.

  • Be cautious of links in web pages, emails, and messages. If a link looks dodgy, skip it. Be doubly cautious about attachments to emails and messages. If you are not sure where something came from, don’t open it. If there is a question, call the sender and confirm that it is legit. Links and attachments are the most common entry points for ransomware.

Damage control

If you are diligent in following these three practices, a criminal will have a hard time entering your computer system and might pass it by for easier prey, but you have no guarantee. Let your guard down an instant and you are vulnerable. A smart criminal who is intent on assaulting your system is likely to eventually succeed no matter what you do. However, if you plan ahead, the game is not over when you get a ransom note. Your backups are critical in recovering from a ransomware assault and a lot of other computer system mishaps.

  • Back up your system regularly. I favor reputable cloud backup services because they tend to be automated and trouble free. The most likely time for ransomware to hit is the day someone forgot to run backups, or the janitor switched off the external backup drive by mistake.
  • Test your backup system regularly. All backup systems are complex mechanisms that sometimes fail. Your only assurance that they are working is a recent successful test. I always assume that a backup system that has not been tested recently does not work. I have seen disasters in the aftermath of backup systems that were assumed to be working but were not.
  • Protect your backups. Smart ransomware attempts to mash your backups. Put up barriers to protect them. Check the documentation on your system or talk to your IT technician on how to do it effectively.
  • Have a plan. A rock-solid backup system is the foundation for recovery but consider what you will do the instant a ransom note pops up. I suggest immediately ceasing all activity, detaching from all external networks, and running a virus scan. Then contact an experienced technician for help. Do not shut the system down or restart if you can avoid it. Some recovery methods depend on recovering data from memory that disappears on shutdown or reboot.

Call law enforcement

Local law enforcement may not be able to help because the criminal is likely to be in a different state or country. Keep them informed anyway. Unreported crimes encourage law breakers. Some states have cyber crime task forces with real muscles that work with the FBI and the Department of Homeland Security to shut these operations down. If local law enforcement can’t help, report the crime to the FBI’s Internet Crime Complaint Center (IC3). If cyber crimes are not reported, funds will not be allocated to fight cyber crime and laws will not be written or changed to reflect the injuries done by these criminals.

Consider cyber insurance

Cybercrime is not that different from conventional theft and damage. I understand that cyber business insurance is becoming more common. I am not familiar with the costs involved or the efficacy of the policies, but your business insurance agent is likely to be able to help. Nonetheless, remember that avoiding or controlling damage is less disruptive to business than insurance compensation and insurance seldom makes up the whole cost of an assault.

A final note

Ransomware and other forms of cyber crime are real threats. In 2016, over 1.3 billion dollars in losses were reported to the FBI. Those who take steps to protect their business will suffer less and may completely avoid becoming victims.

 

Bluetooth Is Not Getting Safer

Over a year ago I published Seven Rules for Bluetooth at Starbucks. Recently, Armis, a security firm specializing in the Internet of Things (IoT), announced a new set of Bluetooth vulnerabilities they call BlueBorne. If you read “Seven Rules”, you have a good idea of what BlueBorne is like: hackers can get to your devices through Bluetooth. They can get to you without your knowledge. Windows, Android, Apple, and Linux Bluetooth installations are all vulnerable. Most of the flaws have been patched, but new ones are almost certain to be discovered.

Some of the flaws documented in BlueBorne are nasty: your device can be taken over silently from other compromised devices. Using BlueBorne vulnerabilities, hackers do not have to connect directly to your system. Someone walks within Bluetooth range with a hacked smartphone and you are silently infected. Ugly. Corporate IT should be shaking in their boots, and ordinary users have good reason to be afraid.

What should I do?

A few simple things make you much safer.

  • Be aware of your surroundings. Bluetooth normally has a range of 30 feet, more with special equipment, but whenever you don’t know who might be snooping within a 30-foot radius sphere, you are vulnerable. That’s halfway to a major league pitcher’s mound and roughly three floors above and below.
  • Keep your systems patched. The problems Armis has documented in BlueBorne have been patched. Don’t give the bad guys a free ticket by leaving known soft spots unprotected. Make them discover their own holes. By patching regularly and quickly, you cut out the stupid and uninformed hackers. Smart hackers are rare.
  • Turn Bluetooth off when you are not using it or when you enter a danger zone. When Bluetooth is turned off, you are safe from Bluetooth attacks, although you may still be affected by malware placed on your device while Bluetooth was turned on.

The seven rules for Bluetooth I published a year ago are still valid. Follow them.

Seven basic rules for Bluetooth

  1. Avoid high-stakes private activities, like banking transactions, when using Bluetooth in public.
  2. If you are not using Bluetooth, turn it off!
  3. Assume your Bluetooth connection is insecure unless you are positive it is encrypted and secured.
  4. Be aware of your surroundings, especially when pairing. Assume that low security Bluetooth transmissions can be snooped and intercepted from 30 feet in any direction, further with directional antennas. Beware of public areas and multi-dwelling buildings.
  5. Delete pairings you are not using. They are attack opportunities.
  6. Turn discoverability off when you are not intentionally pairing.
  7. If Internet traffic passes through a Bluetooth connection, your firewall may not monitor it. Check your firewall settings.