Meltdown / Spectre

Due to the recently publicized Meltdown and Spectre vulnerabilities, we want to make sure that McCormick faculty and staff computers are getting the latest system and application (including web browser) security updates as they become available. These vulnerabilities affect the basic function of every computer and mobile device, regardless of operating system (Linux, Mac, Windows, iOS, and Android).

Keeping your software up to date is one of the most important things you can do to maintain your computer’s security. In the case of these vulnerabilities, a malicious program can exploit Meltdown and Spectre to access your personal data, which might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents or intellectual property. These potential risks also serve as a reminder to not open unexpected links or attachments in email and to be careful what you visit and download on the web.

As a University, we are working with our IT vendors, school and department IT partners, and our peer institutions to assess and monitor this rapidly evolving event. Presently, there are no reports of this vulnerability being exploited worldwide and we are testing vendor patches as they become available. For the latest information, please read the IT news article: Northwestern Monitoring Meltdown and Spectre Security Flaws

As a school, we need your partnership to help us identify, inventory, and secure all McCormick assets by the end of the academic year. In the coming weeks, you will receive an email identifying your IT support contact to schedule an appointment to discuss your lab center and/or workspace environment.

Keep reading for more information about the risks and impacts of these vulnerabilities as well as Northwestern IT and McCormick’s response.

What You Need to Know about Meltdown and Spectre

Who is affected by the Meltdown and Spectre vulnerabilities?

Anyone who accesses and uses a computer. Those affected include all major chipset vendors (Intel, AMD, ARM), all major operating systems (Windows, Linux, macOS, Android, ChromeOS), cloud providers (Amazon, Google, Microsoft), and application makers. Mitigation of these vulnerabilities will be ongoing and will require regular maintenance for the immediate future.

Which computers are at risk for Meltdown and Spectre?

Modern computers are at risk, including servers, virtual environments, cloud environments, desktops, laptops, tablets, and other mobile devices.

What data may be vulnerable if Meltdown and Spectre are exploited?

Any data that is stored in the computer’s memory regardless of whether it is encrypted, including sensitive or personal data, such as usernames, passwords stored in a password manager or browser, private keys, personal photos, emails, instant messages, and other business-critical documents.

How likely is it that the Meltdown and Spectre vulnerabilities will be exploited?

These vulnerabilities were disclosed by security researchers rather than being discovered in an active attack. While there are currently no known exploits, the likelihood of exploitation varies by operating system, CPU architecture, and several other factors. To exploit these vulnerabilities, an attacker would need to log in and execute code on a local system, or find a way to execute malicious code remotely through malware delivered by malicious websites or even malicious documents.

What is Northwestern IT doing to keep me and my research safe?

Northwestern IT is working with vendors, University school and department IT partners, and our peer institutions to assess and monitor this rapidly evolving event. They are reviewing and testing vendor patches, and are facilitating and providing best practices for departments to deploy them. Once the latest patches have been applied, Northwestern IT is or will be running the Qualys vulnerability management agent and the Palo Alto Traps endpoint protection agent on all compatible devices located within the Northwestern Data Center. For the latest information, see: Northwestern Monitoring Meltdown and Spectre Security Flaws

What is McCormick IT doing to keep me and my research safe?

McCormick IT, in partnership with local IT support, is working to ensure that all McCormick computers are protected and have the latest patches applied, including operating systems, browsers, applications, and manufacturer firmware. Identifying all computers and determining which updates are needed will take time, and some fixes will require an IT support resource to install them directly on your computer rather than pushing them to you in an update. We will be scheduling time with you to assess your computer’s health, which may take from several minutes to several hours. As part of this health check, we will also verify that your system has antivirus protection, that data is being backed up with software such as CrashPlan Pro, that potential vulnerabilities are being identified and managed through the Qualys agent, that ongoing patch management and security is being managed through Quest Kace or JAMF Casper, and that your data is encrypted using software such as PGP, Windows BitLocker, or FileVault for Mac OS. All of these services are free of charge.

In addition, McCormick IT is also partnering with Northwestern IT and lab contacts to patch and protect systems in the Northwestern Data Center and LG87 in the Tech Building and will be performing similar maintenance to clusters in LG55.

I heard that performance may be impacted when systems are patched. Is this true? What will be the impact?

Meltdown and Spectre target commonly used optimizations that were designed to improve performance, so patching can affect performance, but the impact depends on the hardware and workload. Current estimates suggest anywhere from a 5%-30% decrease in overall software performance.

Northwestern IT performed emergency maintenance on the Quest High Performance Computing Cluster on January 8, 2018 to implement threat protection for services while seeking to minimize the effect on research productivity. Not all performance impacts can be avoided, but they will be monitored.

What can I do to keep myself safe?

Most compromises stem from phishing and/or an exploit of an old, unpatched instance of an operating system, browser, or application. To protect yourself, follow tips for securing your identity, such as learning how to identify email scams, using long and complex passwords, backing up and encrypting your devices, and applying the latest patches as soon as they are available. Additionally, work with your IT support to perform a health check on your computer and ensure that the latest antivirus and endpoint management software is properly installed on it.

As a precaution in case you are compromised, keep the phone number to cancel your bank and/or credit cards on file in the event you have no computer or internet access, and have a plan to change the passwords on your accounts.

What do I do if I think my computer has been compromised?

While there will not be any traces if you are a victim of Meltdown and Spectre, contact if you suspect you have been compromised. Examples of a compromise could be that your personal information has changed in a system you frequent without your authorization or you replied to an unsolicited email that asked for your login credentials or other personal information that you now suspect to be a scam.