Blog Entry Archives - Page 10 of 24 - Managed IT Services | IT Support | SF Bay Area & Los Angeles

Getting started with Veeam Explorer for Microsoft SQL Server

Believe it or not, I used to work a lot with Microsoft SQL Server. While I did not call myself a database administrator (DBA), I did know my way around a database or two. Since I’ve been at Veeam, I have always enjoyed telling the Veeam story around using SQL Server as a critical application that needs the best Availability options.

That’s why I took particular interest in Veeam Explorer for Microsoft SQL Server that came in Veeam Backup & Replication. Veeam Explorer for Microsoft SQL Server allows application-specific restores of SQL databases, and also contents of tables, objects such as stored procedures, views and more. Additionally, you can also restore the databases to a specific transaction.

This is a great combination of functionality from the established application-aware image processing with a dedicated tool for database restores in Veeam Explorer for Microsoft SQL Server. Additionally, Veeam Backup & Replication and the Veeam Agent for Microsoft Windows also provide an image backup of the entire system.

For those who are not a DBA, sometimes dealing with low-level SQL Server topics can be a bit overwhelming. To help this process, I created a few scripts to help individuals learn this type of interaction with SQL Server. I put three (and a deleted script) up on the Veeam Github site. To use this script, only an S:\ drive is needed (the path can be changed) to create the sample database and put in a SQL Server Agent job to automatically run a few stored procedures that will insert and delete random data. This creates a database called SQLGREENDREAM.

After running the three scripts to create the database, implement the random number function and set the schedule to create the random data (2 records) and delete 1 record. The SQL Server Transaction Log Backup will show the new database being backed up after the next incremental backup:

Once the interval of the SQL Server Agent job runs (12 minutes in the GitHub script) and the Veeam Backup Job interval passes, the most selective restore point option can be selected in Veeam Explorer for Microsoft SQL Server. This selective option, to restore to a specific transaction, is shown in the figure below:

Once the interval of the SQL Server Agent job runs (12 minutes in the GitHub script) and the Veeam Backup copy interval process through a time when the test data has been run, the restore to a specific transaction option can be visible to the controlled scripting for the SQLGREENDREAM database in the GitHub repository. Then you can see the records in question being just as scripted, 2 records added then one record deleted. Those entries are done by the SQL Server Agent:

From there, the restores can be done with confidence to see how the SQL databases are restored with Veeam. With the sample scripts in the GitHub repository, one can become more comfortable with these restore situations when venturing out of normal comfort zones! If you are using Veeam Backup Free Edition and the SQL Server is a VM being backed up, you can still use Veeam Explorer for Microsoft SQL Server to restore the database to the time of the image-based backup; just no transaction rollback. You can use the NFR program for a fully functional installation also.

This article was reposted from Veeam.com

Best practices from Veeam support on using tape

When speaking about backup storage strategies, Veeam’s recommendation is to keep the initial backup chain short (7 – 14 points) and use general purpose disk that will allow you to recover data in the shortest amount of time. The long-term retention should come from secondary and tertiary storage, which typically boasts a much lower storage cost per TB, but at a trade-off, the RTO when restoring from such storage can take much longer time. Here’s the graphics, which illustrates this scenario:

Additionally, with many new features of Veeam, the tape support now includes putting vSphere, Hyper-V, and Veeam Agents for Microsoft Windows and Linux backups on tape.

One of the most popular choices for backup archival is tape. It is cheap, reliable and offers protection against crypto viruses and hacker attacks. Additionally, it’s offline when not in a tape loader.

With Veeam, IT administrators can use flexible options to create copies of backups and store them on a different media, following the 3-2-1 Rule for the backup and disaster recovery. This blog post provides advice and considerations that will help you create a robust tape archival infrastructure.

How to deploy a tape library and use it with Veeam

When planning and implementing your deployment project, follow the recommendations below:

It is recommended to configure the tape library for use exclusively by Veeam Backup & Replication. Using it together with any third-party tape-recording software (for example, in your evaluation lab) may prevent other software from recording.
To streamline the workflow, use tapes with barcodes. Please check the integrity of the barcodes before you start using the tapes, and make sure the barcode reader is turned on. If you have multiple libraries, ensure that the barcodes are unique throughout the infrastructure.
For increased capacity, use the latest LTO. Since Veeam Backup & Replication 9.5 Update 3, Veeam now supports the LTO-8 format.
If you plan to use encryption for archived data, consider using hardware encryption (implemented in LTO-4 and later). Software encryption can decrease performance.
Do not use hardware compression with compressed Veeam backups. Double compression will not give any benefits and can even increase the size of the file on tape.
Install and check the following:

The latest drivers for your tape library. Remember that only the original (OEM) drivers are supported. Drivers supplied with Microsoft Windows are not recommended.
The latest changer and controller firmware. Changers working via SCSI are supported.

You will need a tape server that will perform most data transfer tasks during archiving to tape. Check the following prerequisites:

This should be a physical machine or a VM connected through iSCSI, since direct pass-through is not supported.
Using a Windows 2008 R2 machine for a tape server is not recommended due to the possibility of performance degradation. Instead, use Windows Server 2012 or later to achieve better performance and seamless operation.
Best practice is to provide a direct connection from tape server to the repository to improve the performance and specify this preferred repo in tape server connections.
If you plan to create synthetic backups, using a deduplication storage is not recommended.

One thing to also consider is to use GFS media pools with the tape support in Veeam. This feature allows longer-term retention to be set easily for tape backups as shown in the picture below:

If you plan to perform file-to-tape archiving for a large number of files (more than 500,000 per job), consider using any commercial edition of SQL Server for Veeam configuration database to support these operations. Configuration database stores information about all files backed up by Veeam Backup & Replication, and using SQL Server Express edition (with its 10 GB limit for a database size) may lead to significant performance degradation. If database size reaches 10 GB, all Veeam operations will stop.

To load or get the tapes from the library, use the import-export slots. If you need to perform these operations manually, remember to stop tape jobs, stop tape server, perform manual operation, start server, rescan or run inventory for the library (to recognize the uploaded tapes) and then restart the tape job.

If the tapes have barcodes, then you can perform the rescan.
If the tapes do not have barcodes, then you should perform the inventory.

What to consider before starting the upgrade

If you are upgrading your Veeam deployment, then you should first upgrade the Veeam backup server.

The tape server will be upgraded after that, using the automated steps of the Upgrade wizard that opens after the first launch of Veeam Backup & Replication console. However, you can choose to upgrade it manually by starting the Upgrade wizard at any time from the main Veeam Backup & Replication menu.

If you are upgrading your tape library, consider the following:

To streamline the process and skip the catalogue step, you can add the new library to the existing media pools, and after the old library is switched off, remove it from the media pools.
After connecting the new library to Veeam server, you should load the existing tapes with their barcodes to that new library and perform the rescan. Then you can switch the old library to the offline state (detach it from Veeam server) and then delete it from Veeam Backup & Replication configuration.

What to consider when planning for tape jobs

Before you start configuring Veeam jobs for tape archiving, consider the following factors:

What entities will you need to archive? Will these be files and folders, or VM backups? Do you need to archive full backups only, or both full and incremental backups?
What is the estimated data size?
How often will you need to archive data?
What will be the retention policy for your data?
How often will the tapes be changed? Will they be exported?
What is the tape capacity?
What tape device will be used for archiving?

After these considerations, it is recommended that you double your estimated number of tapes when planning for the resources.

Conclusion

In this blog post, we’ve talked mainly about tape infrastructure. We recognize that when setting up tape jobs, the learning curve can be quite steep. Instead of explaining all the concepts, we chose a different approach. We’ve prepared a list of settings and a well-defined result that will be achieved. You can choose to use them as they are or as a basis for your personal setup. Check out this Secondary Copy Best Practices Veeam guide for more details.

This article was provided by Veeam.com

Disaster Recovery Planning

It seems like it’s almost every day that the news reports another major company outage and as a result, the massive operational, financial and reputational consequences experienced, both short- and long-term. Widespread systemic outages first come to mind when considering disasters and threats to business and IT service continuity. But oftentimes, it’s the overlooked, “smaller” threats that regularly occur. Human error, equipment failure, power outages, malicious threats and data corruption can too bring an entire organization to a complete standstill.

It’s hard to imagine that these organizations suffering the effects of an outage don’t have a disaster recovery plan in place — they most certainly do. But, why do we hear of and experience failure so often?

Challenges with disaster recovery planning

Documenting

At the heart of any successful disaster recovery plan is comprehensive, up-to-date documentation. But with digital transformation placing more reliance on IT, environments are growing larger and more complex, with constant configuration changes. Manually capturing and documenting every facet of IT critical to business continuity is neither efficient or scalable, sending to us our first downfall.

Testing

Frequent, full-scale testing is also critical to the success of a thorough disaster recovery plan, again considering the aforementioned scale and complexity of modern environments — especially those that are multi-site. Paired with the resources required and potential end-user impact of regular testing, the disaster recovery plan’s viability is often untested.

Executing

The likelihood of a successful failover — planned or unplanned — is slim if the disaster recovery plan continues to be underinvested in, becoming out-of-date and untested quickly. Mismatched dependencies, uncaptured changes, improper processes, unverified services and applications and incorrect startup sequences are among the many difficulties when committing to a failover, whether it’s a single application or the entire data center.

Compliance

While it is the effects of an IT outage that first come to mind when considering disaster recovery, one aspect tends to be overlooked — compliance.

Disaster recovery has massive compliance implications — laws, regulations and standards set in place to ensure an organization’s responsibility to the reliability, integrity and Availability of its data. While what constitutes compliance varies from industry to industry, one thing holds true — non-compliance is not an option and brings with it significant financial and reputational risks.

Meltdown & Spectre: Where Are We at Now?

Meltdown and Spectre still continue to dominate the security news and the more we delve into it, we are starting to understand the depth and breadth of what this now means for the future of the security landscape.

Turns out the three variants of side-channel attacks, Meltdown and two different for Spectre, were discovered back in June of last year [2017] by researchers using speculative execution, which is where processors execute on code and then fetch and store the speculative results in cache. It’s a technique used to optimize and improve the performance of a device. What is important to note with Spectre is that it puts users at risk for information disclosure by exposing the weakness in the architecture of most processors in the market, and the breadth is vast: Intel, AMD, ARM, IBM (Power, Mainframe Z series) and Fujitsu/Oracle SPARC implementations across PCs, physical and virtual servers, smartphones, tablets, networking equipment and possibly IoT devices.

Currently there are no reported exploits in the wild.

Of the two, Meltdown is the easier one to mitigate with operating system updates. AMD processors are not affected by Meltdown. Spectre is a bit more complex to resolve because it is a new class of attack. The two variants of Spectre both can potentially do harm like stealing logins and other user data residing on the affected device. Intel, ARM, and AMD processors are affected by Spectre. Recently, Microsoft released another emergency update to disable Intel’s microcode fix. This original update was meant to patch for variant 2 of Spectre. Unfortunately, that update had adverse effects as there were numerous reports of reboots and instability, so Microsoft issued an out of band update to disable.

Things are still evolving around Spectre and while operating system updates and browser updates are helping to patch for Spectre, it is being reported by some sources that a true fix may be an update to the hardware (processor) itself.

The following is a chart* to clarify each vulnerability:

*Chart is courtesy of SANS/Rendition Infosec. See full presentation here.

It will be important over the next few weeks to stay on top of any breaking news around Meltdown and Spectre. Mitigation efforts should be underway in your IT organization to prevent a future zero-day attack.

This article was provided by our service partner : Connectwise

Security : 3 Pitfalls Facing Privacy in 2018

Earlier this month, CES attendees got a taste of the future with dazzling displays of toy robots, smart assistants, and various AI/VR/8K gadgetry. But amid all the remarkable tech innovations on the horizon, one thing is left off the menu: user privacy. As we anticipate the rocky road ahead, there are three major pitfalls that have privacy experts concerned.

Bio hazard

Biometric authentication—using traits like fingerprints, iris, and voice to unlock devices—will prove to be a significant threat to user privacy in 2018 and beyond. From a user’s perspective, this technology streamlines the authentication process. Convenience, after all, is the primary commodity exchanged for privacy.

Mainstream consumer adoption of biometric tech has grown leaps and bounds recently, with features such as fingerprint readers becoming a mainstay on modern smartphones. Last fall, Apple revealed its Face ID technology, causing some alarm among privacy experts. A key risk in biometric authentication lies in its potential as a single method for accessing multiple devices or facilities. You can’t change your fingerprints, after all. Biometric access is essentially akin to using the same password across multiple accounts.

“Imagine a scenario where an attacker gains access to a database containing biometric data,” said Webroot Sr. Advanced Threat Research Analyst Eric Klonowski. “That attacker can then potentially replay the attack against a variety of other authenticators.”

That’s not to say that biometrics are dead on arrival. Privacy enthusiasts can find solace in using biometrics in situations such as a two-factor authentication supplement. And forward-thinking efforts within the tech industry, such as partnerships forged by the FIDO Alliance, can help cement authentication standards that truly protect users. For the foreseeable future, however, this new tech has the potential to introduce privacy risks, particularly when it comes to safely storing biometric data.

Big data, big breaches

2017 was kind of a big year for data breaches. Equifax, of course, reined king by exposing the personal information (including Social Security Numbers) of some 140 million people in a spectacular display of shear incompetence. The Equifax breach was so massive that it overshadowed other big-data breaches from the likes of Whole Foods, Uber, and the Republican National Committee.

It seems no one—including the government agencies we trust to guard against the most dangerous online threats—was spared the wrath of serious data leaks. Unfortunately, there is no easy remedy in sight, and the ongoing global invasion of user privacy is forcing new regulatory oversight, such as the upcoming GDPR to protect EU citizens. The accelerated growth of technology, while connecting our world in ways never thought possible, has also completely upended traditional notions surrounding privacy.

The months ahead beg the question: What magnitude of breach will it take to trigger a sea change in our collective expectation of privacy?

Talent vacuum

The third big issue that will continue to impact privacy across the board is the current lack of young talent in the cybersecurity industry. This shortfall is a real and present danger. According to a report by Frost & Sullivan, the information security workforce will face a worldwide talent shortage of 1.5 million by 2020.

Some of this shortfall is partly to blame on HR teams that fail to fully understand what they need to look for when assessing job candidates. The reality is that the field as a whole is still relatively new and is constantly evolving. Cybersecurity leaders looking to build out diverse teams are wise to search beyond the traditional background in computer science. Webroot Vice President and CISO Gary Hayslip explained that a computer science degree is not something on his radar when recruiting top talent for his teams.

“In cyber today, it’s about having the drive to continually educate yourself on the field, technologies, threats and innovations,” said Hayslip. “It’s about being able to work in teams, manage the resources given to you, and think proactively to protect your organization and reduce the risk exposure to business operations.

Beyond shoring up recruiting practices for information security roles, organizations of all types should consider other tactics, such as providing continual education opportunities, advocating in local and online communities, and inevitably replacing some of that human talent with automation.

This article was provided by our service partner : webroot.com

Internet Security : How to Avoid Phishing on Social Media

From Facebook to LinkedIn, social media is flat-out rife with phishing attacks. You’ve probably encountered one before… Do fake Oakley sunglasses sales ring a bell?

Phishing attacks attempt to steal your most private information, posing major risks to your online safety. It’s more pressing than ever to have a trained eye to spot and avoid even the most cunning phishing attacks on social media.

Troubled waters

Spammers on social media are masters of their craft and their tactics are demonstrably more effective than their email-based counterparts. According to a report by ZeroFOX, up to 66 percent of spear phishing attacks on social media sites are opened by their targets. This compares to a roughly 30 percent success rate of spear phishing emails, based on findings by Verizon.

Facebook has warned of cybercriminals targeting personal accounts in order to steal information that can be used to launch more effective spear phishing attacks. The social network is taking steps to protect users’ accounts from hostile data collection, including more customizable security and privacy features such as two-factor authentication. Facebook has also been more active in encouraging users to adopt these enhanced security features, as seen in the in-app message below.

Types of social phishing attacks

Fake customer support accounts

The rise of social media has changed the way customers seek support from brands, with many people turning to Twitter or Facebook over traditional customer support channels. Scammers are taking advantage of this by impersonating the support accounts of major brands such as Amazon, PayPal, and Samsung. This tactic, dubbed ‘angler phishing’ for its deepened deception, is rather prevalent. A 2016 study by Proofpoint found that 19% of social media accountsappearing to represent top brands were fake.

To avoid angler phishing, watch out for slight misspellings or variations in account handles. For example, the Twitter handle @Amazon_Help might be used to impersonate the real support account @AmazonHelp. Also, the blue checkmark badges next to account names on Twitter, Facebook, and Instagram let you know those accounts are verified as being authentic.

Spambot comments

Trending content such as Facebook Live streams are often plagued with spammy comments from accounts that are typically part of an intricate botnet. These spam comments contain URLs that link to phishing sites that try to trick you into entering your personal information, such as a username and password to an online account.

It is best to avoid clicking any links on social media from accounts you are unfamiliar with or otherwise can’t trust. You can also take advantage of security software features such as real-time anti-phishing to automatically block fake sites if you accidently visit them.

Dangerous DMs

Yes, phishing happens within Direct Messages, too. This is often seen from the accounts of friends or family that might be compromised. Hacked social media accounts can be used to send phishing links through direct messages, gaming trust and familiarity to fool you. These phishing attacks trick you into visiting malicious websites or downloading file attachments.

For example, a friend’s Twitter account that has been compromised might send you a direct message with a fake link to connect with them on LinkedIn. This link could direct to a phishing site like the one below in order to trick you into giving up your LinkedIn login.

While this site may appear to look like the real LinkedIn sign-on page, the site URL in the browser address bar reveals it is indeed a fake phishing site.

Phony promotions & contests

Fraudsters are also known to impersonate brands on social media in order to advertise nonexistent promotions. Oftentimes, these phishing attacks will coerce victims into giving up their private information in order to redeem some type of discount or enter a contest. Know the common signs of these scams such as low follower counts, poor grammar and spelling, or a form asking you to give up personal information or make a purchase.

The best way to make sure you are interacting with a brand’s official page on social media is to navigate to their social pages directly from the company’s website. This way you can verify the account is legitimate and you can follow the page from there.

Internet Security : Why is ransomware still so successful?

There’s no end to ransomware in sight. It’s a simple enough attack — install malware, encrypt data/system, and ask for the ransom — so why aren’t we stopping ransomware? Security vendors are keenly aware of the issue, as well as the attack vectors and methods, but can’t seem to stay a step ahead, causing ransomware to grow form $1 billion in damages in 2016 to an estimated $5 billion in 2017. There are two basic reasons ransomware continues to be a “success” for cyber criminals.

Reason 1: Malware authors are getting better at their craft

Just when we think we’re getting on top of the ransomware problem, our adversaries alter their tactics or produce new techniques to replicate and cause damage and misery. We’ve recently seen ransomware like WannaCry take advantage of unpatched vulnerabilities in the Windows SMB service to propagate around networks, especially those that had SMB open to the internet — A clever technique borrowed from mid-to-late 90s Windows worm malware like Sasser. We’ve also seen malware writers develop new techniques for installing malicious code onto computers via Microsoft Office. While the threat posed by malicious macros in Office documents has existed for a number of years, we’re now seeing the use of a Microsoft protocol called Dynamic Data Exchange (DDE) to run malicious code. Unlike macro-based attacks, the DDE attack doesn’t give the user a pop-up, prompt or warning, so exploitation is far more effective and successful.

The technological advances made by malware authors are significant, but their soft skills, like social engineering, also keep on getting better. Improved writing, more realistic email presentation, and even solid social engineering tactics are all cause for the increase in their success.

And if you’re good at what you do, make it a service and profit on those that have a similar interest, but lack your skills. Thus, “crime-as-a-service” and “malware-as-a-service” now exist, further perpetuating the ransomware problem. The availability and ease of use of these platforms, means anyone can turn to cybercrime and ransomware with little or no coding or malware experience. These platforms and networks are run by organized cybercrime gangs, for vast profits, so we won’t see them going away any time soon,

Reason 2: We’re causing our own problems

Of course, there’s still one large problem many of us have not dealt with yet, and that’s the weaknesses we ourselves cause that become the entry way for the cybercriminals. WannaCry was so successful because it leveraged an unpatched windows vulnerability. NotPetya did the same. So, what are the weaknesses?

A lack of patching – We continue to shoot ourselves in the foot here, because we don’t have solid protection and prevention routines that include the patching of operating systems and applications — especially those leveraged by ransomware authors to gain access.
Not enough (reliable) backups – A lack of validated backups — the primary ransomware recovery tool — can leave us out in the cold and unproductive. It’s a simple equation: if you have backups, you choose recovery over ransom.
User awareness – Users simply don’t understand the threat, the impact, or the cost of a ransomware infection. But, nor should they really — they have a job to do in accounting or sales, not IT security. Even so, putting in solid phishing training and testing can make a material difference.
A lack of least privilege – The more access a user has, the greater scope of infection the ransomware can have. With 71% of end users say they have access to company data they should not be able to see^[1], IT has some serious work to do to ensure privileges are locked down.
No layered defense – A single security solution, such as an antivirus, can only do so much to protect the organization. You need solutions like IPS, an email gateway, endpoint protection, and more all working on concert to give ransomware as little a chance of succeeding as possible.

Doing something about the ransomware problem

What should you do to stop ransomware being so successful? Hide? Run away? Unplug the internet? Probably none of those ideas are likely to solve this problem, although out of sight and all that. I mentioned briefly above, the idea of many thin layers of defense, and while ‘defense in depth’ might seem a little old school and became extinct when we lost control of the network perimeter, there are some ideas we can borrow:

Defense in depth – Make sure you have a solid, proactive security stance in place, including: patching, least privilege, user training, etc.
Protect the endpoint – Desktop and endpoint protection solutions can offer some degree of protection, however, keep in mind that malware can adapt itself to these solutions and circumvent them.
Plan for the worst – Ransomware seems to find a way and you need to make sure you can recover when it does. Backups, off-site backups and backups on different media types are essential. Make sure you test their recovery too, as you don’t want to be finding out how to restore a backup in anger. They say you train hard to fight easy. Never has that been more true for IT contingency planning.

Get these three things right, and you’ll be a lot closer to stopping the rain of ransomware from ruining your day, night or weekend.

This article was provided by our service partner : Veeam.com

Introducing the Office 365 Secure Score

Ever wonder how secure your Office 365 organization really is? Time to stop wondering – the Office 365 Secure Score is here to help. Secure Score analyzes your Office 365 organization’s security based on your regular activities and security settings and assigns a score. Think of it as a credit score for security.

How do I get to Secure Score?

Anyone who has admin permissions (global admin or a custom admin role) for an Office 365 Business Premium or Enterprise subscription can access the Secure Score at https://securescore.office.com. Users who aren’t assigned an admin role won’t be able to access Secure Score. However, admins can use the tool to share their results with other people in their organization.

How does it work?

Secure Score figures out what Office 365 services you’re using (like OneDrive, SharePoint, and Exchange) then looks at your settings and activities and compares them to a baseline established by Microsoft. You’ll get a score based on how aligned you are with best security practices.

If you want to improve your score, review the action queue to see what you can do to help increase security and reduce risks.

Expand an action to learn about what threats it’ll help protect you from and how you’ll get the job done.

To see the impact of your actions on your organization’s security, go to the Score Analyzer page and review your history.

Click any data point to see a breakdown of your score for that day. You can scroll down to see which controls were enabled and how many points you earned that day for each control.

How will it help me?

Using Secure Score helps increase your organization’s security by encouraging you to use the built-in security features in Office 365 (many of which you already purchased but might not be aware of). Learning more about these features as you use the tool will help give you piece of mind that you’re taking the right steps to protect your organization from threats.

But don’t just take our word for it. Customers who are using Secure Score have seen their score increase 5 times more than customers who aren’t using it. (The increase in score corresponds with the security features being used in their organizations.)

Check out this Microsoft blog post to learn more.

Explained : Meltdown and Spectre CPU vulnerability

Anton Gostev from Veeam wrote a wonderful article on the Spectre and Meltdown vulnerability in his weekly Veeam forums digest. I have reposted it below as it explains the current situation very well:

By now, most of you have probably already heard of the biggest disaster in the history of IT – Meltdown and Spectre security vulnerabilities which affect all modern CPUs, from those in desktops and servers, to ones found in smartphones. Unfortunately, there’s much confusion about the level of threat we’re dealing with here, because some of the impacted vendors need reasons to explain the still-missing security patches. But even those who did release a patch, avoid mentioning that it only partially addresses the threat. And, there’s no good explanation of these vulnerabilities on the right level (not for developers), something that just about anyone working in IT could understand to make their own conclusion. So, I decided to give it a shot and deliver just that.

First, some essential background. Both vulnerabilities leverage the “speculative execution” feature, which is central to the modern CPU architecture. Without this, processors would idle most of the time, just waiting to receive I/O results from various peripheral devices, which are all at least 10x slower than processors. For example, RAM – kind of the fastest thing out there in our mind – runs at comparable frequencies with CPU, but all overclocking enthusiasts know that RAM I/O involves multiple stages, each taking multiple CPU cycles. And hard disks are at least a hundred times slower than RAM. So, instead of waiting for the real result of some IF clause to be calculated, the processor assumes the most probable result, and continues the execution according to the assumed result. Then, many cycles later, when the actual result of said IF is known, if it was “guessed” right – then we’re already way ahead in the program code execution path, and didn’t just waste all those cycles waiting for the I/O operation to complete. However, if it appears that the assumption was incorrect – then, the execution state of that “parallel universe” is simply discarded, and program execution is restarted back from said IF clause (as if speculative execution did not exist). But, since those prediction algorithms are pretty smart and polished, more often than not the guesses are right, which adds significant boost to execution performance for some software. Speculative execution is a feature that processors had for two decades now, which is also why any CPU that is still able to run these days is affected.

Now, while the two vulnerabilities are distinctly different, they share one thing in common – and that is, they exploit the cornerstone of computer security, and specifically the process isolation. Basically, the security of all operating systems and software is completely dependent on the native ability of CPUs to ensure complete process isolation in terms of them being able to access each other’s memory. How exactly is such isolation achieved? Instead of having direct physical RAM access, all processes operate in virtual address spaces, which are mapped to physical RAM in the way that they do not overlap. These memory allocations are performed and controlled in hardware, in the so-called Memory Management Unit (MMU) of CPU.

At this point, you already know enough to understand Meltdown. This vulnerability is basically a bug in MMU logic, and is caused by skipping address checks during the speculative execution (rumors are, there’s the source code comment saying this was done “not to break optimizations”). So, how can this vulnerability be exploited? Pretty easily, in fact. First, the malicious code should trick a processor into the speculative execution path, and from there, perform an unrestricted read of another process’ memory. Simple as that. Now, you may rightfully wonder, wouldn’t the results obtained from such a speculative execution be discarded completely, as soon as CPU finds out it “took a wrong turn”? You’re absolutely correct, they are in fact discarded… with one exception – they will remain in the CPU cache, which is a completely dumb thing that just caches everything CPU accesses. And, while no process can read the content of the CPU cache directly, there’s a technique of how you can “read” one implicitly by doing legitimate RAM reads within your process, and measuring the response times (anything stored in the CPU cache will obviously be served much faster). You may have already heard that browser vendors are currently busy releasing patches that makes JavaScript timers more “coarse” – now you know why (but more on this later).

As far as the impact goes, Meltdown is limited to Intel and ARM processors only, with AMD CPUs unaffected. But for Intel, Meltdown is extremely nasty, because it is so easy to exploit – one of our enthusiasts compiled the exploit literally over a morning coffee, and confirmed it works on every single computer he had access to (in his case, most are Linux-based). And possibilities Meltdown opens are truly terrifying, for example how about obtaining admin password as it is being typed in another process running on the same OS? Or accessing your precious bitcoin wallet? Of course, you’ll say that the exploit must first be delivered to the attacked computer and executed there – which is fair, but here’s the catch: JavaScript from some web site running in your browser will do just fine too, so the delivery part is the easiest for now. By the way, keep in mind that those 3rd party ads displayed on legitimate web sites often include JavaScript too – so it’s really a good idea to install ad blocker now, if you haven’t already! And for those using Chrome, enabling Site Isolation feature is also a good idea.

OK, so let’s switch to Spectre next. This vulnerability is known to affect all modern CPUs, albeit to a different extent. It is not based on a bug per say, but rather on a design peculiarity of the execution path prediction logic, which is implemented by so-called Branch Prediction Unit (BPU). Essentially, what BPU does is accumulating statistics to estimate the probability of IF clause results. For example, if certain IF clause that compares some variable to zero returned FALSE 100 times in a row, you can predict with high probability that the clause will return FALSE when called for the 101st time, and speculatively move along the corresponding code execution branch even without having to load the actual variable. Makes perfect sense, right? However, the problem here is that while collecting this statistics, BPU does NOT distinguish between different processes for added “learning” effectiveness – which makes sense too, because computer programs share much in common (common algorithms, constructs implementation best practices and so on). And this is exactly what the exploit is based on: this peculiarity allows the malicious code to basically “train” BPU by running a construct that is identical to one in the attacked process hundreds of times, effectively enabling it to control speculative execution of the attacked process once it hits its own respective construct, making one dump “good stuff” into the CPU cache. Pretty awesome find, right?

But here comes the major difference between Meltdown and Spectre, which significantly complicates Spectre-based exploits implementation. While Meltdown can “scan” CPU cache directly (since the sought-after value was put there from within the scope of process running the Meltdown exploit), in case of Spectre it is the victim process itself that puts this value into the CPU cache. Thus, only the victim process itself is able to perform that timing-based CPU cache “scan”. Luckily for hackers, we live in the API-first world, where every decent app has API you can call to make it do the things you need, again measuring how long the execution of each API call took. Although getting the actual value requires deep analysis of the specific application, so this approach is only worth pursuing with the open-source apps. But the “beauty” of Spectre is that apparently, there are many ways to make the victim process leak its data to the CPU cache through speculative execution in the way that allows the attacking process to “pick it up”. Google engineers found and documented a few, but unfortunately many more are expected to exist. Who will find them first?

Of course, all of that only sounds easy at a conceptual level – while implementations with the real-world apps are extremely complex, and when I say “extremely” I really mean that. For example, Google engineers created a Spectre exploit POC that, running inside a KVM guest, can read host kernel memory at a rate of over 1500 bytes/second. However, before the attack can be performed, the exploit requires initialization that takes 30 minutes! So clearly, there’s a lot of math involved there. But if Google engineers could do that, hackers will be able too – because looking at how advanced some of the ransomware we saw last year was, one might wonder if it was written by folks who Google could not offer the salary or the position they wanted. It’s also worth mentioning here that a JavaScript-based POC also exists already, making the browser a viable attack vector for Spectre.

Now, the most important part – what do we do about those vulnerabilities? Well, it would appear that Intel and Google disclosed the vulnerability to all major vendors in advance, so by now most have already released patches. By the way, we really owe a big “thank you” to all those dev and QC folks who were working hard on patches while we were celebrating – just imagine the amount of work and testing required here, when changes are made to the holy grail of the operating system. Anyway, after reading the above, I hope you agree that vulnerabilities do not get more critical than these two, so be sure to install those patches ASAP. And, aside of most obvious stuff like your operating systems and hypervisors, be sure not to overlook any storage, network and other appliances – as they all run on some OS that too needs to be patched against these vulnerabilities. And don’t forget your smartphones! By the way, here’s one good community tracker for all security bulletins (Microsoft is not listed there, but they did push the corresponding emergency update to Windows Update back on January 3rd).

Having said that, there are a couple of important things you should keep in mind about those patches. First, they do come with a performance impact. Again, some folks will want you to think that the impact is negligible, but it’s only true for applications with low I/O activity. While many enterprise apps will definitely take a big hit – at least, big enough to account for. For example, installing the patch resulted in almost 20% performance drop in the PostgreSQL benchmark. And then, there is this major cloud service that saw CPU usage double after installing the patch on one of its servers. This impact is caused due to the patch adding significant overhead to so-called syscalls, which is what computer programs must use for any interactions with the outside world.

Last but not least, do know that while those patches fully address Meltdown, they only address a few currently known attacks vector that Spectre enables. Most security specialists agree that Spectre vulnerability opens a whole slew of “opportunities” for hackers, and that the solid fix can only be delivered in CPU hardware. Which in turn probably means at least two years until first such processor appears – and then a few more years until you replace the last impacted CPU. But until that happens, it sounds like we should all be looking forward to many fun years of jumping on yet another critical patch against some newly discovered Spectre-based attack. Happy New Year! Chinese horoscope says 2018 will be the year of the Earth Dog – but my horoscope tells me it will be the year of the Air Gapped Backup.