Mortgage Software Solutions Blog

Solid Steps to Safeguard Against Meltdown and Spectre

ghjfj.jpgTwo defects threaten computers and devices released on the market since 1995.

Meltdown and Spectre are the names given to two newly-discovered bugs terrorizing computers around the world.

At the sound of such unnerving names, it’s hard for security folks at enterprise-level companies to control the panic.

While protocols for dealing with these threats are still on the drafting board, there are solid steps that companies can take to protect themselves.

What are Meltdown and Spectre?

In early January of 2018, the tech world was rocked by the discovery of two colossal security flaws that affect almost every computer and smart device on the market since 1995.

First announced on January 3rd, the bugs’ initial discoveries are being attributed to Jann Horn at Project Zero, a Google-based program for security analysis.

These two separate flaws were simultaneously being probed and announced by a handful of security experts from around the globe. As bits and pieces came out about the exposures, the gravity of the situation became clearer.

Both Meltdown and Spectre exploit weakness in the CPU of most current machines and all their predecessors dating back to 1995.

Since both faults affect major brand-name processors, it means that desktops, laptops, mobile devices, and servers all contain the defects.

The spooky truth is that they affect a majority of computers in use today.

How They Work

Often linked due to the widespread nature of both flaws and the fact that they were discovered around the same time, they do not work in the same way.

The first defect, Meltdown, is named for what it does to affected devices. It sort of ‘melts’ the wall between applications and the machine’s OS and makes it a devastating entryway for hackers.

The second issue, Spectre, is a named for the process from which hackers are able to steal information—namely ‘speculative execution’.

Speculative execution is the technique whereby your device records your computer activity in an attempt to predict future actions. This process helps your device execute tasks quickly, but the records contain sensitive usage information that shouldn’t fall into the wrong hands.

The name also refers to an apparition, which is fitting since companies don’t want intruders ghosting around their private information.

Meltdown affects Intel processors while Spectre affects three kinds of CPU chip: Intel, AMD, and ARM.

Using these newly discovered gateways, popular tech forum Bleeping Computer says, “Malicious program can steal passwords, account information, encryption keys, or theoretically anything stored in the memory of a process.”

Vendors React

In response to the potential devastation, the tech community has seen a wave of security advisories and patches to deal with the bugs.

At the pace that vendors are trying to get information out, some have produced conflicting stories: While AMD maintains that its CPUs have a near zero risk of vulnerability, Microsoft quickly pushed out a patch for AMD devices that has caused computers to stop working.

In the haste to calm the masses, it seems some solutions come with problems of their own.

Beyond the CPU

Browsers are also vulnerable due to these glitches.

Safari came out with a patch in December of 2017 while Microsoft just released patches for IE and Edge. Microsoft announced that Windows 10 is safer to use than older versions, but did not provide further details.

After other vendors bumbled, Google reneged on a patch that was promised for January 23rd. Google’s Chrome browser and OS patch came out Friday the 2nd of February, over a week late.

Adding yet another layer to this confusing frenzy, Anti-Virus programs may be incompatible with some systems (notably Microsoft) so don’t go AV-crazy just yet.

In order to be proactive, here are three solid steps you can take to make sure your company is protected.

  1. Assess Your Risk

Guidelines for action from patches to future fixes are available at each vendor’s site. Your company can build a customized response based on vendor-specific information.

  1. Follow Instructions

Take the recommended steps to mitigate any security risks that would leave your company vulnerable.

A smorgasbord of vendors, from Amazon to Cisco, has released advisories to protect their clients and business partners from dangerous activity.

It’s up to your company’s security team to follow instructions based on the software and hardware that your system uses.

  1. Hold Out for More Information

Unfortunately, these bugs were publicly announced recently. The scramble to provide permanent answers is on.

The best thing to do after the initial patch scare is to await further details and instruction from the tech security community.

Businesses protected by ABT’s monitoring service Network Guardian receive monthly reports detailing security threats. Contact us to learn more.


Topics: mortgage documents mortgage business mortgage industry cloud-based data Mortgage Lending disaster recovery malware network intel spectre meltdown network safety

A Secure Alternative for Transferring Sensitive Mortgage Documents

Securing_documents_from_borrowers_.jpgDocuments aren't really safe unless their transfer is secure from end to end. A mortgage company may store and manage its information with the highest standards, but there is still significant risk if the borrower or seller submits their documents through unsecure channels.

What are some of the best steps you can take to ensure you are meeting security compliance standards and protecting your valuable data when transferring sensitive mortgage documents?

Avoid Email

Email is a simple, popular way to send information. It is also a very unsafe way to transfer confidential information. There's no standard method of encryption for email; Simple Mail Transfer Protocol sends messages by a series of hops from source to destination, with no way to control what servers a message might go through along the way. A "honeypot" server might pass all emails along normally but also grab copies for nefarious purposes.

This scenario is even worse if a sender is using unencrypted Wi-Fi, such as a public hotspot. A criminal can just lurk nearby with a receiver to grab copies of any mail.

Offer a Secure Alternative

What can a mortgage company do about customers sending unsecured documents, and what does it need to do? You can't outright stop people from using email, but you can severely discourage its use for sending confidential data. The best way to discourage this is to provide secure document management alternatives.

Regulations require lenders to handle documents securely. Though it’s not clear whether a mortgage company can get into trouble for accepting emailed documents, regulators will certainly view you in a better light if you present your customers with a secure, convenient alternative.

If confidential customer information is intercepted in transit, this leak can damage the lender's reputation, even if it was the customer's fault. Lending institutions need to take strong measures to avoid unsecure transfers.

Documents also need to be sent to customers securely. The mortgage company has control over this and should strictly follow good practices, both for the customers' safety and to be on safe legal ground. Lenders should never send sensitive documents by email.

Drag-and-Drop or File Transfer Account?

A simple, secure way to let customers provide documents is the drag-and-drop approach. This method lets users upload documents with a secure transfer, and it can be set up with or without password protection.

If there's no password, anyone who discovers the link can upload a document, but this is a relatively minor risk. The destination server allows only uploading, not viewing, of files, so the most that anyone who gets a copy of the link can do is upload fake files. As long as employees exercise normal caution about any information that looks wrong, the chances of harm are small.

Services like Dropbox take a drag-and-drop approach but create an unprotected link which anyone can download. Dropbox allows password-protected documents, but only with paid accounts; the free version isn't well-suited for sensitive documents.

Another approach is to create a file transfer account for each customer. Once they've registered, the software will let them upload and download files. This allows for two-way file transfer between the customer and lender, and customers can review what they've already uploaded.

In a system where customers can download as well as upload files, it is necessary to authenticate the identity of the person creating the account. Confidential personal information, such as the customer's Social Security number, can help with this. For additional security, the lending institution can send the customer a code to enter when registering.

This method offers more options than the drag-and-drop approach, but it is also more complicated to set up. If customers forget their passwords, they will need a procedure to reset them, which often involves emailing a one-time link—a method which has its own security problems.

What's important in either case is to use a secure URL (starting with “https:”) with a properly configured server. A website that doesn't use a secure connection allows eavesdroppers to intercept not only documents but passwords. An unsecure web connection is even riskier than email.

The DocumentGuardian Solution

ABT's DocumentGuardian™ uses the simple, reliable, drag-and-drop approach but beefs it up with more security. The customer receives an upload link; no registration or password is required. Uploading is a simple matter of dragging the file to a window. Files are uploaded via a secure connection and sent directly to ABT's secure data center, where they're available to the lending institution. When a customer uploads a revised version of a document, the old version remains available and can be viewed, compared, or, if necessary, restored.

Equal parts simplicity and security, DocumentGuardian™ is the perfect solution to enable you and your customers to transfer sensitive documents with as little risk as possible.

To learn more about how DocumentGuardian™ and our other mortgage company technology solutions can safeguard customer confidentiality and security, please contact us.

Learn More

Topics: DocumentGuardian mortgage documents security