Recent press reports talk about a newly discovered form of security threat that involves attackers exploiting common features of modern microprocessors (aka chips) that power our computers, tablets, smartphones, and other gadgets. These attacks, known as “Meltdown” and “Spectre”, are getting a lot of attention.
The chips at issue are those that were designed and marketed to be secure for multiple processes running at the same time. The intent was to have the processes be independent, and to have the flow of data isolated one process to the next.
Research found that passwords and other sensitive data could be accessed by processes not authorized for such access. Chip makers, operating system makers, anti-virus software providers and others are rushing to patch the systems. Initially billed as a hardware fix, security professionals have designed and deployed software patches. The initial software patches made systems run as much as 30% slower. The patches are being optimized to reduce the drag.
There will be a deluge of substantive work to determine the indemnity, IP, breach notification and liability around the vulnerabilities that have been identified to date and those that will emerge in the future. Legal teams and those who serve them must be ready to work together to mitigate its impact, e-discovery, info gov and privacy professionals should be well positioned to assist the security professionals on the front lines.
Garden-variety computer forensics often times provides access to data not intended for harvest: encryption keys, passwords, account access, caches of documents written to disk as an operating system artifact and not erased. This data can be available to those who break into a system. The vulnerabilities exposed with Meltdown and Spectre make multi-tenant systems, that is, cloud based, or systems intended to secure multiple, segregated projects from each other, are at increased risk. The risk is that with a timing attack, an unauthorized intruder could read in memory some of these same encryption keys, passwords and caches of documents.
Hardware upgrades often force changes in operating systems and key infrastructure. Because work product is so critical, and ediscovery depends on hash codes to flag differences in files as small as a character, it is important to know when to test the impact of patches and upgrades on your ediscovery data. As patches have been released, some have worked at the operating system level but not at the anti-virus software level, necessitating a new patch—and new testing.
With patches, there may be changes in how metadata is handled and new impacts on searching (new stop words, perhaps) and document impacts. You may need to accept changes in hashes for the same file, or you may be able to store two hash values, a before and after value. These values not only authenticate collections and native productions, they also provide the framework for data reduction (cost savings) via deduplication.
Patching how chips handle data and how operating systems handle files can introduce changes in how file metadata is handled. Without documenting why metadata looks different, you may be allowing the requesting party an opening to challenge the authenticity of your evidence.
It is likely that Meltdown and Spectre will take months to patch, and that new vulnerabilities will emerge, making this remediation a time and staff consuming event.
Part II will cover a plan for eDiscovery and legal teams to get their arms around the problem and remediate.
Resources courtesy of Christophe Veltos aka @DrInfoSec
Meltdown, Spectre: The password theft bugs at the heart of Intel CPUs • The Register
Meltdown and Spectre
Experts Weigh In On Spectre Patch Challenges
