CloudBleed Bug – Change Your Passwords Now
Cloudflare’s code has an unknown quantity of data that has been stolen. Now that’s a problem, right? That’s a real problem.
This tiny bug in the code apparently just includes things like passwords, personal information, messages, cookies and more, to leak all over the Internet. This was exposed just last Friday, just a couple of days ago.
So, what to do now?
Incident report on memory leak caused by Cloudflare parser bug
The Best Password Managers to Fight CloudBleed
More stories and tech updates at:
Don’t miss an episode from Craig. Subscribe and give us a rating:
Follow me on Twitter for the latest in tech at:
For questions, call or text:
Below is a rush transcript of this segment, it might contain errors.
Airing date: 02/27/2017
Cloudbleed Bug – Change your Passwords Now – What Happened and Why
Craig Peterson: It’s time for another TechSanity check with Craig Peterson. I am not talking about the Oscars so don’t worry about it. I don’t care how many mistakes they made. We are going to talk today about two things. Very, very important things. First of all, wow, Cloudbleed. That’s all I’ll say right now. Major security disaster here for the internet. And then we going to talk about millennials. And millennials, bottom line here, this plane don’t seem to care about mobile security. In fact it was a millennial who works with me who sent me this article. So we’ll talk about that. Of course, a couple of other things as we go through this right here, right now.
Hey, as we get going here, I wanna start with our friends, the millennials, but just to mention, they’ve got some security problems and we’ll get back to this and get into the details here and what you can do about it? If you’re a millennial or if you work with a millennial it’s very important. But first, but first really, I want to talk about a problem. There’s a company out there called Cloudflare and a lot of people have used them. I looked at using them for a while. And they’re a type company that sits in front of your website. And the idea is people go to your website and they’re not actually having to hit your server. Cloudflare will go ahead and serve up the pages for you. They’ll serve up the graphics for you so you don’t have to have as big as powerful a server. Now there’s pros and cons to that. I tried it once. I tried to use Cloudflare and I just didn’t like it because I didn’t like the lack of detail about the people that were actually visiting my website. How many exact hits that I have? What were the hits on? How long were people staying on this page or that page? I just couldn’t get the stats out of them. Now this is a few years ago. They’ve probably improved. And I went a couple different ways. I’m using some software from our friends over at Amazon where I have websites, basically all over the world. And when you are downloading a graphic or something big. For instance if you were listening to my podcast online. I’m not actually serving that from my servers and the idea is there is little edge caching, if you will, that is worldwide. So that if you’re listening to it in the west coast of the US, you’re going to get a West Coast server so it’s gonna be faster for you. If you’re listening to it in France, in the UK, and a lot of people listen to the show over in Europe, you are going to get those large files from a local server. But everything else is being served directly from my server. So that’s why I didn’t really use Cloudflare. It didn’t make a whole lot of sense to me at the time and there are others. There’s competitors for Cloudflare but we’re talking about right now, because we’re talking about something that’s been termed Cloudbleed. Bottom line, change your passwords right now because here’s what’s happened. Many, many websites are using Cloudflare and they’re using them for the exact same reasons I just stated. They are speeding up their websites, the content delivery. It really makes for a better scenario for people visiting your site, for most sites, right? If you’re not a more advanced user, if you don’t understand all of the implications of different types of caching. Breaking up your website so different parts are cached then other parts aren’t and some are located all around the world and others aren’t. I guess it’s pretty complicated.
But many, many, many sites including some of the biggest ones out there use Cloudflare. And I’m looking right now. Medium, how many people go to Medium and read articles? I like some of their articles that are out there. Yelp, I use all the time. Zendesk is used by almost everyone for doing tech support and answering questions from users. Uber.com. The list just goes on and on and on. And it’s kind of scary here. Those are the ones that are thought right now to be some of the sites that are affected.
Here’s the problem. Cloudflare’s code has an unknown quantity of data that has been stolen. Now that’s a problem, right? That’s a real problem. It’s a tiny bug in their code and it’s let an unknown quantity of unknown data. That includes things like passwords, personal information, messages, cookies and more, to leak all over the Internet. And this was exposed, I meant to talk about it on my show over the weekend, but this was exposed Friday. So just a couple of days ago. Now, there is some good news. Cloudflare responded very, very quickly when they were approached by Google’s Project Zero which is a Zero Day project looking for vulnerabilities. They identified the vulnerability. Google contacted Cloudflare and they fixed it pretty quickly. The bad news is that these web sites that are using Cloudflare have been leaking this data for months. Months. Now the Cloudflare is saying that the earliest data leaks go back to September 2016, ok? So that’s a pretty bad, you know, bad amount of time to be that vulnerable. We don’t know if the black hat hackers found the vulnerability. We don’t know if they’d exploited it before its code was fixed here.
Now, wow, big sites like I mentioned Uber, OkCupid, 1Password. Now I’ve advised you guys to use 1Password. It’s more expensive than some of the alternative password managers out there but it really is the best. Now 1Password also using Cloudflare. However, 1Password is saying all of the user data is safe. They do consider things like that. Who’s sitting in front of us and what might that be. Fitbit is, wow, that is a ton of very sensitive user information that is potentially been compromised and that Cloudflare has no idea whether it was compromise, what was taken, what happened here, right? It’s wow. This is incredible. Absolutely incredible. Now it’s going to take some time before we fully comprehend the level of destruction, the level of impact to us out there. It’s crazy here. You’ve got to really use a two-factor authentication system when anywhere that you can. And that’s a very good idea because if someone is breaking in, is using your account, at least with the two-factor system, you’ll know about it and know about it pretty quickly. And they won’t be able to get all the way in. So, you know, that’s important too. Although there are some people who warned that using your cell phone for two-factor isn’t the best idea and that’s absolutely true too, you know. The edge conditions where you might have your phone sitting out and the bad guy happens to be your roommate. They can now get into your accounts even if you have to the two-factor thing. So, you know, take it with a bit of a grain of salt. It’s not a Panacea to have two-factor, but it is going to stop someone that’s sitting over in the former Soviet Union trying to hack into your account. It should stop them. Unless they really want to because you could also fake the text messages and you can redirect them as we found last year, where are all of these calls in the suburbs of Washington DC, were routed through Russia. Now at which point you have to assume the Kremlin was able to listen to all these phone calls. Ok, so none of this is a Panacea. OK?
There’s a blog post that Cloudflare put out there. They issued it stems from using a new HTML parser that had a problem with it. It’s called a CF HTML. But anyways, we don’t know who’s been hacked here or whose data’s been stolen. Cloudflare’s claiming only a very small number of requests led to leaked data. But since a vulnerability has been out there for about 6 months, who really knows how much is in the wire? Or in the wild I should say. So change your passwords. Changed them now. Use a password manager like 1Password. Make sure you’ve got different passwords on every system. Make sure you’ve got different usernames whenever you can. I, you know me, right? If you’ve been listening to 2 my radio show for the last 10 years or my podcast, you’d know I’ve been saying to use fake identities online all you can. Obviously you can’t do that with your banks or other places that require your correct, your actual information. But if you’re using some random website, why are you using your real identity? And you can find out more, if you need more information, by all means reach out to me contact me. Because I’ve been hacked before. I’ve had this sort of a problem. I’ve learned the hard way and I hope you don’t have to learn the hard way as well. But just go to http://CraigPeterson.com and do a search for a fake user names, or fake pass… just fake… and I’ll have a whole bunch of information on there. You can ignore the fake news stuff as you’re going through that.
Alright so let’s talk about our next thing here pretty quick and that’s the millennials. You know, frankly, we’re not going to have enough time today to do this so we’ll try and do this tomorrow. We’re going to get into this. There is a lot of information. Wired was just talking about this. Again here, we’ll talk about an article that’s been out there for a while coz I think it’s important but we’ll get to that tomorrow. And again you can find all kinds of great information right up there on my website http://CraigPeterson.com. Make sure you sign up for my newsletter. You’ll find that also on my website or you can just text me 855-385-5553. Pull out your phone. Open your texting app, 855-385-5553. Have a great day and we will chat a little bit more tomorrow. We’ll talk about Millennials and what you can do about their lack of concern over security. Another little bit of a security sanity check. Take care.
Don’t miss any episode from Craig. Visit http://CraigPeterson.com/itunes Subscribe and give us a rating!
Thanks, everyone, for listening and sharing our podcasts. We’re really hitting it out of the park. This will be a great year!