By Mitchell Indelcato
Last year, there was a rapid surge in attention to cyber security, due to several security breaches in recent years.
There was Yahoo’s pair of breach announcements (the largest and second largest in recorded history), the reminder that you once had a MySpace account when that site was breached, the disappearance of a Department of Health and Human Services laptop, and the Democratic National Committee’s email leak.
There was no end to the amount of private data and information being exposed to the world – not to mention the government’s continuing damage control following the Office of Personnel Management hack in 2015.
Yet, 2017 seems to be outdoing all of that, with last week’s announcement of the Cloudbleed security hole.
Cloudbleed is the name given to a security hole found in the web management company Cloudflare’s family of services.
If the name sounds familiar, it’s because it is similar to the 2014 vulnerability known as Heartbleed. Much like its namesake, Cloudbleed’s potential damage is massively widespread, affecting over 2 million websites and countless users – possibly including members of the ESU community.
To understand the threat, one must understand the problem. Cloudflare is a content delivery network for websites. When a website uses Cloudflare, Cloudflare’s proxy servers make copies of the site’s content that is popular or in high demand.
When a user living in Hemlock Suites wants to access a website hosted in Ireland, they receive a live copy of the page delivered by a Cloudflare server in the United States, which in turn relays the information the user enters back to Ireland.
Naturally, this means that the Cloudflare server must handle all data, including passwords, private messages and encryption keys.
The problem begins with the handling of this data. When Cloudflare presents the webpage to the user, it pulls from the webpage’s code the information the browser needs.
If a page’s code contains a certain kind of error, the requested data will be missing, and Cloudflare will attempt to fill it in with data from its own memory.
The error lies in this step: when a Cloudflare server pulls from its memory, it will pull any data, from any website whose traffic passes through that server.
So, if a server houses a copy of both CrunchyRoll and Patreon, a student who visits one of those websites might receive data from the other as well, including passwords, credit card numbers, and private messages.
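A simplified model of the failure described above, added here as an illustration and not Cloudflare’s own code: a scanner that copies an attribute value from a page and, when the closing quote is missing, keeps reading into neighbouring memory that holds another site’s traffic, shown beside a bounds-checked version that refuses the malformed input. The request bytes, the other tenant’s data and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one server process's memory: the request being
 * parsed is immediately followed by bytes from another site's traffic.
 * A teaching layout only, not Cloudflare's memory map. */
#define REQUEST       "<a href=\"/profile"              /* closing quote missing */
#define OTHER_TENANT  " POST /login user=alice&password=hunter2 \"tenant-b\""
static const char ARENA[] = REQUEST OTHER_TENANT;
#define REQUEST_LEN   (sizeof(REQUEST) - 1)

/* Flawed scanner: copies the href value until it meets a closing quote and
 * never compares its cursor with the end of the request buffer, so on a
 * malformed tag it walks straight into the neighbouring tenant's bytes. */
size_t href_unchecked(const char *req, char *out, size_t cap)
{
    const char *p = strstr(req, "href=\"");
    size_t n = 0;
    if (!p) return 0;
    p += 6;
    while (*p != '"' && n + 1 < cap)     /* only the output buffer is bounded */
        out[n++] = *p++;
    out[n] = '\0';
    return n;
}

/* Corrected scanner: the cursor is bounded by the request length, and an
 * unterminated attribute is reported as an error rather than "filled in". */
long href_checked(const char *req, size_t req_len, char *out, size_t cap)
{
    const char *end = req + req_len, *p = req;
    size_t n = 0;
    while (p + 6 <= end && memcmp(p, "href=\"", 6) != 0) p++;
    if (p + 6 > end) return -1;          /* attribute not present */
    p += 6;
    while (p < end && *p != '"') {       /* never read past this request */
        if (n + 1 >= cap) return -1;
        out[n++] = *p++;
    }
    if (p == end) return -1;             /* unterminated: refuse, do not leak */
    out[n] = '\0';
    return (long)n;
}

/* Helpers for checking both behaviours on the same request. */
size_t leaked_length(void)        { char o[128]; return href_unchecked(ARENA, o, sizeof o); }
int leak_has_other_tenant_data(void){ char o[128]; href_unchecked(ARENA, o, sizeof o); return strstr(o, "password=hunter2") != NULL; }
long checked_result(void)         { char o[128]; return href_checked(ARENA, REQUEST_LEN, o, sizeof o); }

int main(void)
{
    char out[128];
    printf("unchecked copied %zu bytes (request is %zu): \"%s\"\n",
           href_unchecked(ARENA, out, sizeof out), (size_t)REQUEST_LEN, out);
    printf("checked result: %ld (-1 = unterminated attribute rejected)\n",
           href_checked(ARENA, REQUEST_LEN, out, sizeof out));
    return 0;
}
```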
Although the user wouldn’t normally see this information firsthand, there is a second aspect to the problem.
Search engines like Google function using programs known as web crawlers.
In simple terms, they revisit websites to keep the search results up to date, and add any new public webpages that are not yet in the search directory.
These crawlers would visit websites affected by Cloudbleed, take the information given to them and categorize it in the search engine for anyone to find, unable to tell that unrelated, sensitive data had been mixed in.
The leaked data is also transmitted as ‘plain text’, without encryption, so malevolent individuals scanning network traffic (a common risk on public wi-fi) are able to read the information as it travels.
So how does this affect ESU? With such a widespread range of websites and apps affected by this vulnerability, it’s almost certain that the average student, faculty or staff member uses one of them.
Uber, Fitbit, 4chan, The PirateBay, Yelp and Ziprecruiter are just a select few of the affected websites.
Websites have been created to check whether a given site has been affected by the bug, but due to the sheer scale of the problem it is difficult to pin down which individual users are affected.
The best advice is to use one of these services to check whether you use an affected website, and to change your passwords in the event any of them come back as vulnerable.
If your service offers two-factor authentication, then take advantage of it. Above all, make sure your password is not a common word or string of numbers that is easy to guess.
By being proactive, you can keep yourself ahead of the latest data breaches, and prepared for the year ahead.