Intel security bug

ashleyk
ashleyk
Community Member

I was just reading some news about the Intel security bug, which looks like it could be huge. Am I right in thinking that using 1Password is not enough to safeguard us from risks here? I have 1Password on Mac, Windows and Android.

http://www.telegraph.co.uk/technology/2018/01/04/global-microchip-flaw-much-worse-feared-could-haunt-us-time/


1Password Version: 6.8.5
Extension Version: Not Provided
OS Version: 10.13.2
Sync Type: Not Provided

Comments

  • Lars
    Lars
    1Password Alumni

    @ashleyk - It's a great question, and given how things are still developing in more or less "fast and thick" mode right now, it's one for which the answer may change over time. However, the short answer as far as we know now, is: don't panic (assuming you're the kind of person who generally keeps your devices up to date). Or maybe I should say "don't melt down" ;)

    Our Chief Defender Against the Dark Arts, Jeffrey Goldberg, actually has just gone live with a blog post on this very topic, explaining what the ramifications of this may be, and the best way to prevent/mitigate potential threats. Give it a read, and feel free to ask any questions you might have, either here or in the comments section of the blog post itself. Stay safe out there! :)

  • darrenNZ
    darrenNZ
    Community Member

    It is huge @ashleyk and it could entirely compromise 1Password or any password manager!

    However using a password manager is far safer than not using one.

    Exploiting the new bug takes technical sophistication and is difficult to break out of the browser's sandbox.

    If somebody has exploited the bug then it could monitor everything you're doing anyway so it's just as safe to continue using 1Password as you are at the moment and making sure you keep your system patched.

  • Lars
    Lars
    1Password Alumni
    edited January 2018

    You're quite right, @darrenNZ, and it highlights something we try to say as often as we can in different ways: security is a process, not a product. Neither 1Password nor any other piece of software (or hardware, for that matter) can keep you safe in all circumstances. If there was such a thing, everyone would already own it, and the wars between attackers and defenders would be over.

    Instead, 1Password can be a linchpin in your digital security strategy, and used properly in conjunction with other tools such as VPNs and encrypted messaging apps, it can help keep you as safe as you can be in a hostile environment. But if an attacker can gain the ability to execute arbitrary code running as root on your system, then there's little they cannot do. That's why the most critical component of all in any security setup, as Jeff repeats in his blog post, is the user him or herself. One of the most important things to be underscored by this vulnerability discovery is the need to keep your software, including security patches, as up-to-date as possible, at all times. It's never a good feeling to learn from the tech press that there's a new exploit "in the wild" to which you suspect (or you KNOW) you might have been vulnerable. But in virtually all of these cases, you can take some comfort in the fact that most exploits require either some action on the part of the user (clicking a link to a malicious website, etc) or it requires an attacker to be specifically targeting you personally, not just cracking millions of username/password combos from Yahoo or another website.

    So, in all likelihood, you are safe. If you haven't updated your OS or its security patches in a while, now would be an excellent time to do so. If you're tempted to install software from a website or other source you don't fully trust, maybe reconsider that decision (this is in fact also a large part of the reason we tell people not to jailbreak their iOS devices as well). Don't click links or open documents in emails from people you don't know, or even from people you DO know if you weren't expecting such things. But don't "Melt Down," (still haven't gotten tired of that joke :) ) or let it keep you awake nights.

  • ashleyk
    ashleyk
    Community Member
    edited January 2018

    I would have to imagine there will be state hired hackers all over the world seeking to exploit this in addition to criminals. Looking at recent history, we have all seen examples of large companies that were hacked and simply chose not to say anything for months or years, so while this is different to an extent I do wonder if it was foreseeable or if more was known than has currently been disclosed.

    That blog post makes a good point about about "scareware" and I bet we'll be seeing popups all over the place before long saying "your computer has been infected" along with emails.

    My father is heading towards 80 now, but he spends quite a lot of time on his Mac, so I've printed out a sheet telling him never to click on anything or download software, unless it comes through the App Store. He's only visiting fairly safe websites, but you never know when something might slip through.

    At my wife's place of work there are a few thousand employees, so you can guarantee one of them will always click on something stupid when an email arrives and this can cause havoc on large networks.

    Any guesses of the potential implications here for Intel?

  • Lars
    Lars
    1Password Alumni

    @ashleyk

    Any guesses of the potential implications here for Intel?

    I'm so near-universally bad at making predictions that I'll take a pass on prognosticating here, except to say that Intel is the 800lb gorilla of chip manufacturers; I expect this won't signal their demise.

    I also want to make sure I highlight that none of what I've said here, or what Jeff Goldberg said in his blog post, should be construed to mean that we think this is a tempest in a teapot; we don't. It is unquestionably going to have effects on the digital world for some time to come, and we may not even have a good handle on the full extent of it yet.

    What we DO know is that, as always, keeping on top of one's own security as a practice, rather than relying on external tools to do the job for you, is key to staying out of trouble. It's not a magic bullet, but someone who regularly checks for and applies new versions of their software (especially security software) and doesn't try to run old, outdated setups because "it's more familiar" will have a considerably greater chance of surviving this storm - and many others not even known yet - than someone who does not.

    In a networked environment (I mean, a business with an intranet/LAN; we're all "networked" in the larger sense these days), it remains difficult to say from the vantage point of today whether that hypothetical mistake made by that one guy who "clicks on something stupid" could be turned by a sophisticated adversary into something that could be used as a beachhead against otherwise-secure users within the same network, just by association. Given what we know about this right now -- and I stress that's not everything yet, not by a longshot -- I think that's less likely than some people fear.

    You sound like you've spent enough time in this world that the term FUD may be one you know. I think it's important to keep that in mind at the same time we continue to read the disclosures and investigations in the tech press. A good bit of the ramifications of Meltdown and Spectre are somewhat out of our specific lane as a password manager developer because it deals with chip architecture and related topics, things which we don't manufacture/develop and thus about which are not properly qualified to opine authoritatively. But we promise to do our best to investigate as thoroughly as possible the ramifications of this for 1Password users and also for our own 1password.com website/servers, and disclose as much and as quickly as we're able to, should such a thing become necessary. Jeff Goldberg is many times the security guru I am, which is why I tend to agree with his assessment that 1Password is no more vulnerable (and due to the encryption, in many aspects LESS vulnerable) than other processes and applications running on your device(s). As far as we can tell, much of the initial work to mitigate these threats is down to the operating system designers themselves (Apple, Microsoft, others). From there, app developers may need to recompile our code (and thus issue updates) once on patched operating systems, but we'll know more about that in the coming days. For now, don't open 'scareware' (or indeed anything else that you were not expecting), don't install software from anywhere but trusted sources, preferably app stores like the Mac App Store or Google Play, which should have more checks in place and therefore be more trustworthy, and as Douglas Adams once said, DON'T PANIC. :)

  • darrenNZ
    darrenNZ
    Community Member

    Any guesses of the potential implications here for Intel?

    @ashleyk you mean like this? ;)

    Intel was aware of the chip vulnerability when its CEO sold off $24 million in company stock

  • ashleyk
    ashleyk
    Community Member
    edited January 2018

    @darrenNZ That doesn't look at all good under the circumstances. I'm always amazed by situations like this when big chunks of stock are sold by company directors just prior to some bad news breaking publicly.

  • Lars
    Lars
    1Password Alumni

    Now that's an entirely different matter; the effect of the vulnerability itself isn't the same thing as the public perception of any actions that may have been taken by the executives or the front office in relation to it, though I agree @ashleyk that sometimes companies do themselves no favors by the steps they take in response (or prior) to such an event. :dizzy:

  • ashleyk
    ashleyk
    Community Member
    edited January 2018

    @Lars Here in the UK at least, it seems FUD is most commonly employed by politicians and the media as their favoured means of swinging public opinion in their direction. Having started the thread, it may have given the impression I'm overly worried about all of this, but that really isn't the case and I agree we should just use best practices to protect ourselves as far as possible.

    We've seen lots of breaches in security recently, from Adobe to Yahoo and Sony. I didn't suffer any damage as far as I can tell, not least because of 1Password and one time random complex passwords for every site.

    This business with Intel is something different though and I wasn't even aware that a CPU could present a security risk. It also sounds like a potential nightmare for businesses, such as web hosts or rendering farms if talk of patches sapping CPU performance are true.

    It's almost reminiscent of the VW scandal, except we now know that was deliberate and the damage to their reputation must be huge. I know somebody with a car that has been "corrected" and he says it's a pile of junk now; albeit an expensive one that has also suffered heavy depreciation.

  • Lars
    Lars
    1Password Alumni

    @ashleyk - Yup. I certainly doubt Intel intentionally created this flaw, so there isn't that aspect to reputational damage for them. This is a vulnerability discovered by outsiders. And yes, it may have significant impact in exactly the cases you describe, as well as many other related scenarios. What becomes of Intel as a result, it's really not my place to speculate about as a representative of AgileBits. I can't imagine this will have a positive net result for them, but often how a firm handles such things can go a long way toward mitigating potential damage to themselves. I guess we'll all have to see how they deal with it in the coming days and weeks. :+1:

  • AGAlumB
    AGAlumB
    1Password Alumni
    edited January 2018

    Indeed, it's worth noting that we're all beneficiaries of branch prediction in modern CPUs. This isn't a bug; rather, it's been discovered that these performance-enhancing features can be exploited to effectively backsolve to discover data from other processes.

    Also, in spite of the context here, so far it seems that this does is a non-issue on Macs for two reasons:

    • Apple has already issued a patch to mitigate this in macOS 10.13.2, with more in the works for 10.13.3
    • Apple already makes heavy use of PCID (Process-Context Identifiers) on Macs with recent Intel chips, which minimizes the performance penalty of the vulnerability mitigation

    And regardless of which OS and devices we're using, practicing good security hygiene can help us avoid having malicious software running on our systems to try to exploit any vulnerabilities, past, present, and future. Cheers! :)

  • ashleyk
    ashleyk
    Community Member

    According to this article it's been partially mitigated on Macs, but mobile devices are still at risk. http://www.telegraph.co.uk/technology/2018/01/05/iphones-ipads-mac-computers-affected-microchip-flaw-leaves-devices/

    It actually makes me wonder more about an old iMac I have here as a backup that will only run El Capitan, so I hope Apple will release something for that as well. My Mac Pro is running High Sierra, but the computer itself is a mid 2010 model.

  • AGAlumB
    AGAlumB
    1Password Alumni

    Intel's product cycles are pretty inscrutable, but a Mac from roughly 2012 on should have a PCID-capable CPU. Probably something you can figure out by looking up your chipset...though their website is pretty difficult to navigate. Might be easier searching enthusiast websites.

This discussion has been closed.