Internet security company springs big data leak…millions at risk. Not your problem

February 26, 2017
Online security company Cloudflare has been accidentally leaking customer data for months.

People aren’t actually saying that every cloud has an unencrypted lining but they are saying that every website protected by the online security service Cloudflare has been leaking encrypted session and user data—including credit card numbers and passwords—for months now and that millions of affected website users should promptly change their passwords!

Cloudflare, which provides millions of online servers/websites with firewall-like traffic filtering to protect against malicious hacking exploits, such as distributed denial of service attacks, announced on February 23 that it had a long-standing internal memory leak flaw. Cloudflare called it a “parser bug”, while the Internet security community-at-large dubbed it “Cloudbleed” for its similarity to the Heartbleed memory overflow bug of three years ago.

It’s comforting how everyone pays lip service to security

The memory leak flaw was brought to Cloudflare’s attention on February 17 by Tavis Ormandy from Google’s Project Zero, which is tasked with finding such hidden code flaws.

The same day that Cloudflare went public, Ormandy took to Twitter to announce that Cloudflare-protected websites, including Uber, 1Password, FitBit and OKCupid, had been leaking customer HTTPS [encrypted] sessions for months.

World’s platform for change asks you to change your password

Change.org, which hosts millions of online petitions and is one of Cloudflare’s clients, sent out the following vaguely worded email on Saturday (February 25) to all registered users (including myself) recommending that we all change our passwords immediately:

“We wanted to share some information we received recently from Cloudflare, a popular web services provider that we use at Change.org, about a security issue that may have exposed the personal information of some users who utilize their services. We have received confirmation from Cloudflare that there is no evidence that Change.org has been directly affected by this issue. However, when issues like this occur, it’s always a good idea to change your password to provide an extra level of security, which you can do at the link below: [omitted]

We want you to feel safe when using our services and we have been monitoring this situation closely to ensure it does not affect our users. If you are ever in doubt about the security of your accounts with us, feel free to contact Change.org directly through our Help Center.

The Change.org Team”

In fact, no one is suggesting that there is any evidence that any of these potential memory leaks from hundreds of millions (if not billions) of encrypted web sessions have been exploited by anyone. But it’s a good idea to “refresh” your passwords every so often, regardless of external evidence.

You can cry “Heartbleed”, or “Wolf”, only so many times!

Three things can be assumed to happen as a result of this latest Internet security bug. Firstly, all website users affected will receive a direct notification advising them of the fact and recommending that they change their passwords.

Secondly, the memory leak bug will be fixed.

And thirdly, most Internet users will conclude that this latest dire warning of an Internet security flaw affecting millions and millions of users is much ado about nothing—just like every similar warning of the last few years (not to mention that “world-ending” Y2K bug of the year 2000).

After all, unlike a few of the malicious Microsoft Windows viruses and worms of yesteryear, which visibly destroyed data and took down bazillions of Windows computers, the high-profile software bugs of recent years have appeared to be mostly hype as far as end users are concerned.

The last four years alone have seen at least 11 highly publicized “catastrophic” computer security flaws which have variously been said to affect “thousands of websites”, “millions of users” and/or “billions of users’ mobile devices”; these have included:

The Microsoft Server Service Vulnerability (2008), the Kaminsky DNS Bug (2008), the GNU Bash Shellshock bug (2014), the OpenSSL Heartbleed bug (2014), the SSL 3.0 POODLE attack (2014), the BadUSB exploit (2014), several Flash zero-day hacks (2015), a Java Serialization Vulnerability (2015), Stagefright (2015), the VENOM vulnerability (2015), the glibc bug (2016) and the Cloudbleed bug (2017).

Besides the Microsoft server flaw, the Flash zero-day exploits and the Java bugs, it’s an open question how materially the rest of these security flaws have affected ordinary users.

Notably, at least three of them were announced and widely publicized (complete with catchy names and distinctive logos) as very grave threats by IT security firms—Heartbleed by Codenomicon; Stagefright by Zimperium and VENOM by CrowdStrike.

No one who pays attention to distributed denial-of-service (DDoS) attacks against websites can forget how aggressively Cloudflare has publicized both itself and the danger of DDoS attacks; particularly its successful mitigation of what it described as the “biggest” DDoS attack of its kind, against the servers of Spamhaus in 2014. Cloudflare described this DDoS attack as reaching an unheard-of 400 gigabits per second (Gbps)!

The marketing of Internet flaws—but at whom?

This is not to say that security flaws are not exploited by malicious coders. And yes, there is online identity theft and online credit card fraud aimed at individuals, but the latter two categories are very fuzzily documented—with no reliable numbers of actual consumer losses to online fraud.

Arguably, in the main, when we see online security flaws being exploited, it is not ordinary users who are materially affected but rather the providers of online services.

If webmail accounts are hacked or Internet Network Time Protocol servers are hacked, the most common object is not to steal user information but rather to add to a botnet army to be used to wage some kind of DDoS attack on an online server.

And if a DDoS attack uses a backend Internet security flaw to take down a social media service, such as Twitter—as happened on the morning of October 21, 2016—who really suffers? The vast majority of Twitter users are simply inconvenienced. Even the commercial users of Twitter are not really out-of-pocket. It is Twitter itself that loses both face and revenue.

Particularly now that user-level operating system software bugs are patched automatically by Linux, Microsoft, Apple and Google (but only Google-branded mobiles and Chromebooks, not non-Google-branded Android devices), such public announcements of Internet security flaws can mean very little to ordinary users beyond making some of them vaguely nervous.

Arguably reports of security flaws and DDoS attacks which exploit such flaws—most of which originate from Internet security companies—are aimed over the heads of end users and straight at the companies doing business online.

Basically, these reports serve as marketing, helping to scare up new business for said Internet security firms, or to shore up the business these firms already do with websites and social media platforms.

Even the recent announcement of “Cloudbleed”, which makes the premier mitigation company Cloudflare look kind of lame, arguably has a clear message for companies running Internet platforms, namely that paying for only one level of mitigation is just not enough!

Any level of unease that ordinary Internet users may feel when reading about such security flaws is—I am sorry to say—just the unavoidable collateral damage of the global mass marketing system. Please do not take it personally. It’s just business.

4 Comments
  1. ‘Cloudbleed’ great term. For every ‘secure’ system there’s an equal and opposing ‘data hack’ that can get into it. That’s just the way it is.

  2. wait– how?

    regardless of the fact that the data goes through cloudflare… if i have an “encrypted connection” between my browser and say, yahoo (not that i would use yahoo) then the only people that should be able to decrypt that data is myself and yahoo (and the usual nation-state suspects.)

    i’m aware of kludgey mitm attacks on things like the “https” string, but that doesn’t sound like what’s happening here.

    this is very surprising, and not because i ever thought counting on cloudflare was the best thing in the world. they were too big not to fail.

    • Indeed, you ask the key question! Wired magazine’s detailed piece on Cloudbleed says “leaked data included sensitive cookies, login credentials, API keys, and other important authentication tokens, including some of Cloudflare’s own internal cryptography keys” and then, in the next paragraph, says that “the leak did not expose the transport layer security keys used in HTTPS encryption” (???).

      I’ll be doing a follow-up post. I’m not sure what is more significant, the flaw that is Cloudbleed itself or the flaws in the coverage of Cloudbleed.
