Am I getting old, or is everything a mess?

Internet security has always been hard, and requires vigilance. However, whether it's the effect of old age or just that life is getting completely out of hand, the last few months have been nuts.

It used to be that we could just try our best to keep up with vulnerabilities, patch, and upgrade away. That made everyone feel reasonably secure, and made it easy to laugh when things like the Equifax breach happened because someone didn't patch a well-known vulnerability. Okay, I didn't laugh, I was too busy freezing my accounts, which in itself was an interesting and time-wasting proposition.

But recently we're seeing a whole slew of new things that are a little frightening. The SPECTRE and Meltdown vulnerabilities opened a whole new world of pain. For the first time almost all computers became vulnerable to a hack based on hardware. Worse, it's based on a feature of almost all modern processors of any type. At the moment most system admins are in never-never land on this. Meltdown was easy to "fix" - but at the expense of losing a lot of server performance in some workloads.  The difficult we do immediately. And in the case of my own company, since a lot of our servers are AMD based, the problem didn't apply to those machines, which was good.

But what worries me is SPECTRE. The impossible takes a little longer. In the long run the fix will be to completely replace all of the computers in the world with new, non-vulnerable systems that do not yet exist. Imagine being told that we just discovered that all cars are death-traps, and the only solution is to buy new cars that are not being made. And that may be very slow and gas-guzzlers because it turns out that fuel injection is the culprit. It's not going to get fixed. And the band-aid solutions all revolve around getting BIOS patches (which mostly will not exist for any computer more than 2 or so years old because manufacturers stop supporting motherboards) or general firmware patches for your operating system. So far those have also been a disaster. Intel has only built new firmware for recent CPU models, and even those were quickly recalled because they kept crashing systems. There's a new set of patched firmware out, but it doesn't apply to most of the hardware my company runs because we are cheapskates and mostly have older hardware. I know that there is no economic possibility of replacing that hardware while I am still working.

Now in the last few days we're seeing a whole bunch of new threats from UDP amplification techniques against memcache daemons. Now, amplification attacks are not new, but these are horrific. Sure, they depend on servers out on the Internet that are not appropriately protected against mounting attacks - but there are a lot of those servers out there. Embarrassingly, a couple of our own servers were vulnerable due to a messy firewall rule that was mis-configured. There are thousands of other vulnerable servers out there that have been used for a few DDoS attacks of a size nobody has ever seen before. And you ain't seen nothin' yet. Today we hear that there are now extortion attempts running to pry money out of providers to not have their systems taken down with these attacks. We fixed ours, but you can bet lots of other folks have not.

All of this points toward the frightening and ever-present possibility of seeing a day when the internet just -- dies.  Completely, or nearly so. Most security experts will tell you it's a possibility. Many will tell you it's likely as soon as someone with enough resources decides it's worth doing.

I have to admit - it's one of those points when retirement is starting to look like a good option. Every time we have a little anomaly on our servers I have to wonder - is this just a little hardware failure? A glitch? Or is it the beginning of the big one? And if it is - what can I do about it?

Published on

March 5, 2018

Posted By

Community

Wiscommunity Section

Tech News