Cloudbleed: Time for a change...
Cloudbleed: Time for a
It is very likely that some of your data, including personal information and passwords, has been leaked; caused by a programming blunder in Cloudflare’s sourcecode. As such, it’s definitely time to change your passwords.
If you would like ProCheckUp to run a Vulnerability Assessment on your systems as a health check for any other vulnerabilities, please contact us at email@example.com
So, what are we dealing with?
Cloudflare is an organisation whose software is designed to spread websites and online services across the internet, as well as provide hosting and essential internet infrastructure to millions of websites.
The bug was discovered around ten days ago by a member of Google’s security analysts team Project Zero, and after investigation, it appears that it has been in existence since September 2016. ‘Cloudbleed’, as it has since been named (similar to the Heartbleed bug back in 2014), has been leaking chunks of server memory into webpages. In essence, if you have visited a website affected by Cloudbleed, it is possible some of your data has been breached. The Register describes Cloudbleed as "sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you're also handed the contents of the previous diner's wallet or purse." Cloudfare has now fully explained the exact causes in a blog post.
Am I at risk?
Cloudflare host many popular and well known sites including (to name a few at random) Uber, OKCupid, Fitbit, TFL (Transport for London), Bitpay, Yelp, Curse.com (which includes other curse sites including Minecraftforum.net), bitshare.com, greenwichmeantime.com, opencart.com, runnersworld.com, whatismyip.com, xbmc.org. Although there is no official comprehensive list of affected websites, a Github user has posted a list of sites believed to be compromised, revealing that up to 4,287,625 sites may be at risk.
The good news is that once discovered, the flaw was sealed very quickly. However, it is likely that your data could have been trawled during the six months it was active. At its height, which is estimated to have been between February 13th to the 18th 2017, Cloudflare state that 1 in every 3,300,000 HTTP requests through Cloudflare potentially resulted in memory leakage.
Tavis Ormandy, from Google Project Zero wrote in an advisory: “I’ve informed Cloudflare what I’m working on. I’m finding private messages from major dating sites, full messages from a well-known chat service, frames from adult video sites, hotel bookings […] We’re talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
Due to the nature of the breach, it is effectively impossible to confirm whose data has been compromised, so a standard precaution is to change your passwords for all of these sites. If you re-use passwords for sites, as many of us do because we can’t remember different passwords for each and every site we visit, then it is strongly advised that you change ALL of your passwords.
Every month, we seem to be struck with a new breach and have to change passwords as a result. One recommended way to protect yourself even more is to use long passwords. Complex passwords are good, but long passwords are better. The longer the password, the stronger it is (although if it is made up of known words it can be easy to crack).
A password manager may be a helpful idea if you struggle to remember them, as even though they are being targeted daily, password management sites are among the most secure. They use very strong encryption and provide multi-factor authentication tools which are stronger still. When using a password manager, you can assign a different password for each site and have the manager generate a strong password which matches your requirements. Passwords of 12 characters and above which consist of random characters take an inordinate amount of time to crack and are pretty inviolable for even the professional cracker. By using a password manager, you have to remember only the one password. Needless to say, this should be both long and complex.
Contact us at firstname.lastname@example.org for post-Cloudbleed help for your business