Meltdown and Spectre – What Are They?
Meltdown and Spectre are the names given to two different but related vulnerabilities in most modern processors. Both abuse the processor’s speculative execution to let an attacker read memory that they should not normally be able to access, such as memory belonging to the operating system kernel or to other programs. Exploiting them requires running attacker-controlled code on the victim device, which can be delivered by malware installed through a phishing attack, by visiting a malicious website (including JavaScript running in the browser), or by installing a malicious application.
Who is Affected?
Meltdown primarily affects Intel processors (ARM has also reported that some of its newer Cortex-A75 cores are affected), while Spectre affects Intel, AMD and ARM processors. Smartphones, tablets, laptops and servers are all potentially affected. Because these flaws are in the processor hardware rather than in software, it does not matter which operating system is being run: Windows, macOS, Linux and Android are all vulnerable until the operating system and firmware patches that mitigate the flaws are installed.
Meltdown and Spectre are particularly dangerous to virtualized servers and cloud computing providers. In a virtualized environment where multiple companies may be sharing a single piece of hardware, the boundaries that sandbox one tenant’s data from another are threatened. For companies that store unencrypted data, this could be a serious data leakage concern. More concerning still, even some forms of encrypted data are at risk: companies that rely on cloud-based, server-side encryption are exposed because the keys used to perform encryption and decryption must exist in memory on the vulnerable server, which is exactly the memory these flaws allow an attacker to read. Keeper does not rely on server-side encryption, so the keys that protect user data never exist in memory on Keeper’s servers and this type of attack does not apply to vault data.
How is Keeper Affected?
Keeper’s cloud infrastructure is hosted on Amazon Web Services (AWS). AWS virtualized computing systems are known to have been affected by Meltdown and Spectre. As of today, these systems have been patched by Amazon. Prior to the patch, an attacker running a workload on AWS could potentially have exploited Spectre and/or Meltdown to read memory belonging to Amazon’s host system or to other virtualized instances on the same host. All systems hosting Keeper’s Virtual Private Cloud (i.e. Keeper’s Cloud Security Vault) have been patched by Amazon. Note that Keeper utilizes Linux-based instances in its environment, which have been addressed as noted in Amazon’s official response.
Even if an attacker had, prior to the security patch, gained access to Amazon’s hardware, it is important to know that data stored by Keeper is always encrypted within our zero-knowledge security architecture. Under this architecture, only the Keeper user has knowledge and control of their master password and of the encryption keys used to encrypt and decrypt their information, and those keys live on the user’s individual devices, not in the AWS cloud infrastructure. The keys are generated on-the-fly, client-side. Therefore, even if the user’s encrypted data stored in Keeper’s Cloud Security Vault at AWS had been exposed, there is no risk of that data being decrypted by a brute-force attack: the attacker would have neither the client device, nor the master password, nor the client-side generated decryption keys, and without them it would take a hacker over one billion years to decrypt the data.
Zero-Knowledge Security Architecture
Keeper is a Zero-Knowledge security provider. Zero Knowledge is a system architecture in which the service provider never has access to unencrypted user data or to the keys that protect it. Keeper’s architecture adheres to the following principles:
- Data is encrypted and decrypted at the device level (not on the server)
- The application never stores plain text (human readable) data
- The server never receives data in plain text
- The server does not have access to the encryption key
- No Keeper employee or 3rd party can view the unencrypted data
- The keys to decrypt and encrypt data are derived from the user’s master password
- Multi-Layer encryption provides access control at the user, group and admin level
- Sharing of data uses Public Key Cryptography for secure key distribution
Data is encrypted on the user’s device before it is transmitted and stored in Keeper’s Cloud Security Vault. When data is synchronized to another device, the data remains encrypted until it is decrypted on the other device.
Steps You Should Take to Protect Yourself from Meltdown and Spectre
1. Protect Your Desktop Computers
- Protect yourself with up-to-date antivirus and malware removal products. PC Mag publishes a list of recommended applications.
- Always ensure you have the latest security patches installed for your operating system.
- Don’t install suspicious applications on your computer or device.
- Do your homework on the companies that operate the software you install.
2. Protect Your Mobile Devices
- Don’t install suspicious apps. The app store vetting processes cannot be trusted to protect against all malicious applications. We also recommend installing anti-malware software on these devices.
- Enable automatic system and application updates on your devices. When prompted to perform an update, do it immediately.
3. Protect Your Web Browsers
- Enable ad blocking. Spectre has been demonstrated from JavaScript running in a web browser, so a malicious ad is a realistic delivery vector; ad blocking software removes much of that exposure. Browser vendors have also shipped their own mitigations in updates, so keep your browser current.
- Be vigilant about which websites you visit. Don’t trust links posted on social media or news sites, as in most cases they do not accurately vet their sources.
- Don’t install browser extensions that you don’t trust.
4. Ask the Right Questions of Your Software Vendors
- How and where is data stored?
- Where is the application hosted?
- Are your applications hosted on a cloud service that is actively patching their systems or are you self-hosting your own servers in a data center?
5. Prevent Phishing Attacks
- Generally speaking, do not click on links that are sent to your email, unless you expected the email to be sent.
- Remember that emails can easily be spoofed by attackers in phishing attempts. Just because an email appears to come from someone you trust, you cannot assume it is genuine. The only way to confirm that an email is legitimate is to receive confirmation through a different channel (e.g. a phone call), or to have anticipated the email based on an action you took (e.g. signing up for a new product or requesting an email from a website or service).
6. Always Enable Two-Factor Authentication (2FA) on Keeper and Other Applications
- Two-factor authentication should always be used on any website, service or application that supports it. On Keeper, visit the “Settings” or “DNA” screen to enable two-factor authentication. Keeper supports Google Authenticator, text message, Duo Security and RSA SecurID.
7. Change Your Keeper Master Password and Critical Website Passwords Regularly
- We recommend changing them at least every 60 days. Keeper’s “Dice” button generates strong, random passwords, and the Keeper browser extension helps you change a website password by simply visiting that website’s “Change Password” screen.
- Keeper Enterprise customers can enforce this requirement on Keeper end-users through the Keeper Admin Console.
- From any Keeper application, simply visit the “Settings” screen to reset your Master Password, Security Questions and update additional security settings.
If you have any questions, please contact us at security@keepersecurity.com.