[03-01-17] The WGAN Morning News
Joined Ken and Matt today to discuss what happened at Cloudflare, one of the biggest CDN and reverse-proxy providers on the web. Just last week, Cloudflare disclosed a parser bug, dubbed Cloudbleed, that leaked memory from its edge servers into web responses, exposing passwords, session cookies, and other account information such as credit card numbers, phone numbers and home addresses belonging to sites behind it.
Sites as big as Uber are on the list of Cloudflare customers named as potentially affected. Imagine all the information that Uber holds about you.
The Best Password Managers to Fight CloudBleed
Incident report on memory leak caused by Cloudflare parser bug
Below is a rush transcript of this segment; it might contain errors.
Airing date: 03/01/2017
Cloud Bleed – What Happened – What to do about it
Matt Gagnon: We are pleased to be joined by Craig Peterson, our tech guru who is here to tell us about all things technology. Craig, how are you?
Craig Peterson: Good morning. You changed your passwords, right?
Ken Altshuler: So Craig, I was gonna say, do you know how many passwords I have?
Matt: When I get an emergency email from Craig Peterson that tells me to change my password right now, I change it right now.
Ken: I have about like 50 passwords out there.
Craig: Yeah, yeah.
Ken: So how am I supposed to? I don’t even…
Craig: They’re all the same.
Matt: Oh they’re all the same, Craig. They definitely are.
Ken: Well, no. Do you want me to tell you what they are on the air, Craig?
Craig: Is it p@ssw0rd? Did I guess it?
Ken: No. And it’s not 12345678 either. Just so you know. So why should we all change our passwords?
Matt: What is cloudbleed?
Craig: Yeah. Big question here. It’s amazing to me that this is not getting a whole lot of coverage out there. And yes, as we mentioned before on the show, that was John Podesta’s password. So, we know Ken is smarter than Podesta, right?
Ken: We’re going away.
Matt: That’s not a high bar, Craig. Not a high bar.
Craig: You got a standard here. Here’s what’s happened. If you go to a website online, you expect a response. And a fast response, right? It used to be people would wait 10 seconds or even more for a webpage to load. Now people don’t wait if that webpage takes more than just a second or two. So, if you have a website online, whether it’s your soccer team’s, where people may be a bit more tolerant of a slow page load, or a business, where people aren’t that tolerant, you need it to load fast. So there’s one service out there that has been very, very, very popular called Cloudflare. Now, I used that myself for a little while and then I kinda quit using them because I didn’t like them. But at any rate, what they do is they sit between your website and the rest of the world. So that when someone comes to your website, they’re really going to Cloudflare. And Cloudflare keeps copies, caches of the information that’s on your website, so they can serve it up zippy quick for whoever it is who’s looking for it. They have servers located in different parts of the world. So if you’re in Seattle, it’s gonna be just as fast as if you’re in Bangor. And the same thing’s true if you’re in France or China, etc. Well, here’s what happened. They had a bug in their code. There’s a library that they were using to parse the HTML, to parse the interaction between your web browser and the website. And that code had a major bug that was causing a leak. Now the worst part of this leak is that the information that was leaked was also picked up by web crawlers like Google. Like Bing. Like all of the other ones that are out there.
So here’s what happens now. Their information leaked, which means your information leaked. Therefore, bad guys have your info. We don’t know how much. We don’t know exactly what. But we do know that the bad guys have had access, since September of last year, to your usernames, your passwords. Potentially, all of your banking information. All your credit card information. All your home address. Your business address. Your phone number. The new car you bought. Anything you would’ve put out onto the web into any website is potentially compromised since last September. How’s that for a shocker?
Matt: So what you’re suggesting to us is perhaps we should panic and run in the street with our pitchforks and torches and all that?
Craig: Yeah. Light your hair on fire.
Matt: Light our hair… well, I don’t have any hair, Craig, so I don’t know what I’m gonna do. In all seriousness though, you mentioned that this hasn’t been getting a heck of a lot of attention in the media. Why do you think that’s true? Is it because it’s the millionth time something’s leaked? And we’re numb to it now? I mean, is that it?
Craig: I don’t know. That might be the case. You know, it really might be, Matt. It’s hard to say. I can tell you that at this point we just don’t know the impact of this thing, right? We’ve only really known about it since Friday. And it’s complicated, right? This is something complicated to understand. Something complicated to explain to someone. But it is absolutely huge. And they’re calling it cloudbleed, kinda named after another huge internet leak that occurred a year or two ago.
The other thing, Matt, is at this point, we don’t have any victims that have come forward yet. So, you know, you may have had your information compromised. You may have caught it by keeping track of your bank statements, credit card statements, etc. But you may not have attributed it to this problem. And let me tell you, this is huge. You know, you guys have heard of Uber. I know Ken has.
Ken: I have.
Craig: Uber is one of the companies that use Cloudflare. What information have you given Uber? You know, just think about this. This could be huge, huge, huge, huge. So, at this point, we’re not sure exactly what happened here. You know, some people say, oh, it’s only a one in three million chance that your information got out. Yeah. But if you’re one out of those three million, and by the way, they’re talking about one in three million, not people, but transactions. Think about the transactions on there. Ken, think about the information that Uber has about you. So, we’re advising right now. What I’m telling everybody is to do two things, and I’ve got this up on my website. What you need to do is get a password manager if you don’t have one already. So my favorite is 1Password. LastPass is a good one. People can just text me, I’ll respond with links to all of these if you want to. My text number is 855-385-5553. And I’ll send you links to this.
So, number 1, get a password manager. Use it. Have it generate a unique, randomized password for every website. So number 1, let’s make sure that your authorizations here to the websites are no longer compromised. ’Cause one of the things that was compromised was the cookies, and the login cookies, which means the keys for you to get into these websites were also compromised. So use a password like this. Generate a random password. One of the things I like about 1Password is if a website is thought to have been compromised, when you use this password manager called 1Password, it’ll pop up a little red bar and it’ll tell you this website’s thought to have had its passwords compromised. So let’s go ahead and change it while you’re here, ok? So that’s step two, change all your passwords. You know frankly, guys, when was the last time you changed your passwords anyway?
Matt: About 2003.
Ken: Yeah. I only do it if they tell me to.
Craig: So it’s like, you know, when the clock moves forward or backwards for daylight savings time, you change the batteries in your smoke alarms, right? Now’s the time to change all your passwords. Now’s the time to commit to using a password manager. And for the next 6 months, pay close attention to your financials. Pay close attention to the information you have on these websites out there. This is scary, guys. This is really scary. I’m not Chicken Little here. I did not light my hair on fire. This is real.
Ken: We’re talking with Craig Peterson, our tech guru. Craig, I need your follow up on password managers. Because I’m not familiar with that. Is this something that establishes new password for every website you go on? I’m not familiar with this.
Craig: There’s a few of them out there. And I’ve been using them for years. But here’s the idea. You know, we all tend to use one or two different passwords. And even usernames or email addresses when we sign up for websites. So, the problem is, if you use the same password more than once, if a website… let’s say you use the password for your bank. And you use that same password for, you know, this mess-around site.
Craig: Yeah. A mess-around site. One you don’t really care about.
Craig: And what happens if the mess-around site, where you go and you play poker with some friends, what happens if that site gets compromised? ’Cause their security is not gonna be as good as the bank’s. So your mess-around site’s password and username are compromised. Bad guys have it. Guess what they’re gonna do? One of the first things they’re gonna do is try and use it at the bank. See if Ken’s username and password works at XYZ Bank, Bank of America, right? And they’ve got ways to do that so that they don’t get shut down while trying these passwords. So the idea behind a password manager is you can’t remember all of these. Putting them on Post-It notes and hiding them in your drawer is not safe, ok? It is not a good way to manage passwords. So password managers are a piece of software where you have a master password that you use to unlock it. It ties directly to your web browsers and it can generate randomized passwords for you. A different one for every website. And then, when you go to the website and it asks you to log in, the password manager pops up, you type in your master password, and it’ll automatically fill in the correct username and password for that website. So that you can now have a unique username, a unique password, and a randomized password. So it’s hard to guess. And so that the bad guys cannot use big data, when they compromise these small sites, to try and get your money from the big sites.
Matt: Until, of course, they hack into 1Password and get all the passwords from the password place that protects the passwords, right?
Craig: Yeah. But 1Password is safe from this particular Cloudbleed problem. Yeah, that’s a potential problem as well, which is why two-factor authentication is so important nowadays. Many sites let you do that. Ken, you mentioned Amazon earlier. You can set up two-factor authentication. Just look for it on the website. Usually what they’ll do is send you a text message if you’re trying to do something important. And you can type in the code that it texts you. That’s good enough for most people. Unfortunately, that can be compromised too, but it’s, you know, I wouldn’t suspect them to try and compromise President Trump’s account. I would not expect them to try and compromise Matt and Ken’s accounts.
Matt: Indeed. Alright, Craig Peterson, our tech guru joins us every Wednesday at this time. Thank you so much for joining us Craig. We’ll talk to you again next week.
Craig: Alright. 1Password, it’s a little more expensive, and LastPass. All of that on my website, http://CraigPeterson.com.
Ken: Thanks Craig, we really appreciate it.
Don’t miss any episode from Craig. Visit http://CraigPeterson.com/itunes. Subscribe and give us a rating!
Thanks, everyone, for listening and sharing our podcasts. We’re really hitting it out of the park. This will be a great year!