THE INTERNET INFRASTRUCTURE company Cloudflare, which provides a variety of performance and security services to millions of websites, revealed late Thursday that a bug had caused it to randomly leak potentially sensitive customer data across the internet.

The flaw was first uncovered by Google vulnerability researcher Tavis Ormandy on February 17, but could have been leaking data since as long ago as September 22. In certain conditions, Cloudflare’s platform inserted random data from any of its six million customers—including big names like Fitbit, Uber, and OKCupid—onto the website of a smaller subset of customers. In practice, it meant that a snippet of information about an Uber ride you took, or even your Uber password, could have ended up hidden away in the code of another site.

For the most part, the exposed data wasn’t posted on well-known or high-traffic sites, and even if it had been it wasn’t easily visible. But some of the leaked data included sensitive cookies, login credentials, API keys, and other important authentication tokens, including some of Cloudflare’s own internal cryptography keys. And as Cloudflare’s service spewed random information, that data was being recorded in caches by search engines like Google and Bing and other systems.

“Because Cloudflare operates a large, shared infrastructure, an HTTP request to a Cloudflare web site that was vulnerable to this problem could reveal information about an unrelated other Cloudflare site,” Cloudflare CTO John Graham-Cumming explained in a blog post on Thursday. The leak did not expose the transport layer security keys used in HTTPS encryption, but it does seem to have potentially compromised data protected in HTTPS connections. And while Graham-Cumming added that there’s no indication in Cloudflare’s logs or elsewhere that bad actors had taken advantage of the flaw, looking for leaked data that hasn’t yet been scrubbed has become something of an internet-wide scavenger hunt.

The good news is that Cloudflare acted quickly to address the bug. It pushed a preliminary fix less than an hour after learning about the issue, and permanently patched the flaw across all its systems around the world in under seven hours. But while the company has worked with Google and other search engines to scrub caches and rein in the exposed data—so that people can’t just run searches to find and collect sensitive information from the leak—the fallout remains.

As always with all breaches if you feel this may have impacted you, changing passwords etc is a recommendation. For further security, always enable One-Time-Password function if available.

Google Chrome to Shame HTTP sites in favour of HTTPS

From January 2017 Google Chrome will begin attaching warnings to all HTTP websites that ask for passwords or credit card details. This means any website without a security certificate will feature a red ‘Not Secure’ message in the web address toolbar.

 

The decision is part of a ‘long term plan’ hatched by Google ‘to mark all HTTP sites as non-secure’ and was confirmed the search giant on its Security blog. Secure websites will display a comforting green padlock in front of the web address.

What will happen to your HTTP site?

The impact will be purely cosmetic at first but Google has confirmed that site rankings will be better for HTTPS sites.

 

Your site’s functionality will not be affected but your visitors may not enjoy seeing the red warning flag over time. This is open to debate as NASA argues “users become blind to warnings that occur too frequently”.

Getting a Security Certificate

For a long time the only websites that deemed security certificates important were banks and businesses taking payments. But over time more websites jumped on the bandwagon, with more than 50% of websites accessed through Chrome now belonging to the HTTPS camp.

 

Getting a security certificate doesn’t completely guarantee security and does cost money – which is a potential hurdle for new and small businesses. But validation will become more of a necessity over time.

What about other browsers?

Firefox has also confirmed its intent to phase out non-secure HTTP, affirming ‘there’s pretty broad agreement that HTTPS is the way forward for the web.’ Mozilla is even going as far as ‘removing capabilities from the non-secure web.’

Transitioning from HTTP to HTTPS

Turning your HTTP site into a HTTPS one is very much like a site migration. 301 redirects will need to be set up so search engines can find your new address and users navigating to your old HTTP URLs are automatically transferred to your new HTTPs URLs.

 

The basic transition process is:

* Purchase and install an SSL certificate

* Install your SSL certificate on your hosting platform

* Amend website links from HTTP to HTTPs and deploy redirects

 

It may sound easy but the number of SSL packages and hosting solutions on the market quickly complicates things and the tech involved is more advanced than most businesses are open to.

 

PALSS can also offer LetsEncrypt service, free SSL certificates for life, this allows your business to present a fully secure site without the hassle, of course some links etc may need amending to avoid mixed content warnings, but we can help point you in the right direction for this.

Simple contact us to and we can talk through the options

Originally posted Memeburn

It is a testament to the sustained evolution of the cybersecurity landscape that we are still regularly seeing the emergence of new threats. Distributed denial of service (DDoS) attacks and ransomware are both well-established methods of cyber-attack, but we have recently seen a new tactic that combines elements of both: DDoS extortion attacks.

From what we’ve seen of the attacks so far, there is an almost professional approach to the whole process; initially, an email will arrive at the target explaining who the attackers are and even linking to some recent blogs written about them and their extortion tactics.

The email goes on to state that unless a fee is paid (usually around 40 Bitcoin but demands can go into the hundreds), a large-scale DDoS attack will be launched. Alternatively, some emails will only arrive after the attack has started, stating that the attack will only be stopped if the ransom is paid, or the severity will be reduced if a portion of the fee is paid.

We’ve monitored some attacks that start slowly and increase in scale – DD4BC, the company behind the extortion, claims it can launch attacks up to 400-500 Gbps. Such attacks are very rarely that strong, but they are known to last up to 18 hours, however, which is definitely enough time to seriously impact a business.

At this point, it seems that no particular industry is being targeted specifically, but there is one general theme. The targets we’ve seen so far have been those that rely on online transactions to operate, such as financial institutions and currency exchanges.

One endgame to this that we’ve seen is that the extortion element could actually be a diversion tactic, meaning the customer concentrates on the sheer volumetric high-end type of attacks, when the offenders are actually targeting a local application with a different attack vector. This means that hackers could be conducting local application level attacks involving any form of penetration into the application itself. So often the target isn’t actually to bring down or disrupt a website or service but to gain access to an application in order to steal information, whether it’s credentials, financial information, personal data or something else.

It’s understandable that some targets may think the email is junk and ignore it, but that’s not necessarily the best course of action. Of course, that doesn’t mean that paying the ransom is advisable either. That leaves targets with the option of mitigating the attack, despite the emails specifically stating that attempting to mitigate the DDoS attack is pointless. Whilst the protagonists may claim that the attack is too big for even the best technology to cope with, that’s just not true.

Mitigation is possible through a combination of on-premises and cloud-based anti-DDoS technologies. A hybrid approach allows a company to mitigate DDoS attacks that are launched from outside the infrastructure and also cope with local-level attacks targeting the application layer.

A DDoS attack up to 500 Gbps in size can only be stopped with cloud-based technologies. The local network and application level attacks (which will happen if the DDoS is a diversion tactic) has to be stopped with on-premises technologies. So one or the other won’t do; a hybrid approach is the key to protecting your business from the ever-expanding arsenal of the cyber-criminal.