Possible site security breach related to Cloudflare

Amin Sabet

Administrator
Joined
Apr 10, 2009
Messages
10,905
Location
Boston, MA (USA)
Our site was one of many thousands of sites using Cloudflare, which recently disclosed a serious security breach that Cloudflare is suggesting affected a very small percentage of their sites.

More information here:

Incident report on memory leak caused by Cloudflare parser bug
http://gizmodo.com/everything-you-need-to-know-about-cloudbleed-the-lates-1792710616

I do not have any specific information to suggest that our site was directly involved. Cloudflare has said that they will notify owners of affected domains, and I have not received a notification, but as a precaution, it would be a good idea for all members to take the following steps:
  • Change your password on this site as well as any other site which uses the same password.
  • Avoid using the same password across multiple sites, especially ones which require the highest security (email, banking, etc).
  • Use two-factor authentication on the sites which require high security. We offer two-factor authentication as an option on this site.
In order to further enhance security for our members, we will no longer require date of birth entry at registration, and I've purged all date of birth info from our database. Members can still choose to enter this information in their profile, but I'd advise against it.
 
Joined
Oct 1, 2012
Messages
1,677
Location
Moab
If I may suggest, use a password stash tool like KeePass or LastPass. They let you create a password that is unique for every site you go to.

Traditionally someone would compromise a site like this by using SQL Injection or XSS, when they harvest a few thousand usernames and passwords they put them up on the underground market. Each password sells for a few dollars and they try yourUsername@gmail / yourUsername@yourBank etc. So if you have a unique password for each site, you minimize the potential for damage if a site gets hacked.

Neat visualization of common passwords from Top 500 Passwords Visualized — Information is Beautiful


-Joe
 

CWRailman

Mu-43 All-Pro
Joined
Jun 2, 2015
Messages
1,362
Location
Scottsdale, Arizona
Real Name
Denny
I hate to point out but there really is no such thing as a SECURE cloud account. 9-year-olds have hacked cloud accounts. Anything that uses the cloud is easily hackable so get used to it if you use cloud storage. I have a friend who tests internet security for companies and he has demonstrated these vulnerabilities numerous times. No cloud accounts for me.
 

tkbslc

Super Moderator
Joined
Feb 6, 2015
Messages
7,554
Location
Salt Lake City, UT, USA
I hate to point out but there really is no such thing as a SECURE cloud account. 9-year-olds have hacked cloud accounts. Anything that uses the cloud is easily hackable so get used to it if you use cloud storage. I have a friend who tests internet security for companies and he has demonstrated these vulnerabilities numerous times. No cloud accounts for me.
"the cloud" is just servers in the internet. Any vulnerabilities with "the cloud" are the same risks with general internet use. That means email, social, banking, shopping, and even forums as was demonstrated today. You can say "no cloud accounts", but that just means you won't be using the internet.
 

tkbslc

Super Moderator
Joined
Feb 6, 2015
Messages
7,554
Location
Salt Lake City, UT, USA
Just to clarify what the breach was, some security team found that from one Cloudflare account, they could extract small chunks of memory from the server itself. The memory chunks were random and contained very random data from any other site/data hosted on that same server. There was no full access to certain accounts, it was just kind of like a dice roll to see what random bit of data came out. It could have been a picture from a random user one time, a video the next, and so on. It is certainly possible that the password database from this site was one of those random pulls from the memory fishing pond, but it is very unlikely based on statistics and odds. And of course Cloudflare has hundreds of servers, so which exact accounts were on the same servers as the hackers? It's not like the typical breach where they had full access and you know they got the data.
 

greenboy

Mu-43 Top Veteran
Joined
May 23, 2014
Messages
706
Location
remote mountain cabin in Montana
Indeed. "The cloud" was a nebulous concept foisted on the public that was ALREADY using the internet, to get them to alternately (1) want to not own content they had paid for, (2) buy services they may not have needed, and (3) solve an actual problem, one that required that users actually understand how to have good backup of all their data.
 
Joined
Oct 1, 2012
Messages
1,677
Location
Moab
I would not say there is no such thing as a secure cloud. The cloud is just a machine (or virtual machine) in someone's data center that is not yours. Can you have an insecure cloud? Absolutely. Can you have a secure cloud ? Absolutely.

Simple steps like using strong passwords, two factor authentication, patching software and periodic audits can make any network or device secure. If you are a juicy enough target people can be relentless, is the user account info for MU43 that target? I'd say no.

Cloudbleed as they are calling this is/was not your average attack vector. I doubt this was exploited in the wild.

These are however just my opinions.

Joe
 

Levster

Mu-43 All-Pro
Joined
Aug 24, 2012
Messages
1,347
Location
Portsmouth, United Kingdom
No matter how secure a network/server is, there's still a dumb human in charge of their own login credentials! If they really want you they'll target you as an individual. I get a number of phishing attacks every day and most now look authentic enough to dupe the unwary. One quick check of the originator e-mail address is enough to thwart 99% of phishing attacks though. I'll change my password just in case!
 

tkbslc

Super Moderator
Joined
Feb 6, 2015
Messages
7,554
Location
Salt Lake City, UT, USA
No matter how secure a network/server is, there's still a dumb human in charge of their own login credentials! If they really want you they'll target you as an individual. I get a number of phishing attacks every day and most now look authentic enough to dupe the unwary. One quick check of the originator e-mail address is enough to thwart 99% of phishing attacks though. I'll change my password just in case!


One way to stay safe is to never click on links in emails you weren't expecting. If you get a random email from your bank, or ebay, or whoever, don't click on the links. If the message seems legit, just type the bank's main URL in your browser and login normally and check whatever the message said to look at.

When in doubt, contact the company. They'd much rather take a call with an upfront question than spend days trying to fix your hacked account.
 

DriftlessRider

Mu-43 Rookie
Joined
Feb 4, 2016
Messages
17
Location
Fountain City, WI
Real Name
Ed
I had my username and unencrypted password exposed from a hack of a different forum. For like $7 I was able to search the leakedsource.com database and find it. It really shook me to see my password sitting there in plain text, available to anyone for a couple dollars. And I had access to many of my forum friends' passwords while I was in there. One guy used qwerty7 as his password for about everything he did. I bet if I was more devious and more bored I could have accessed his email with it, and his bank. Probably, don't know though.

So, now I have a different password for every site I use. I don't even know what they are, they are just random sequences of letters and numbers and characters. I manage them all using LastPass. Maybe not a perfect solution, but I'm a thousand percent more secure than I was before going that route.
 

tkbslc

Super Moderator
Joined
Feb 6, 2015
Messages
7,554
Location
Salt Lake City, UT, USA
So, now I have a different password for every site I use. I don't even know what they are, they are just random sequences of letters and numbers and characters. I manage them all using LastPass. Maybe not a perfect solution, but I'm a thousand percent more secure than I was before going that route.
I've been tempted to do the same. I'm an I.T. Engineer and know the risks, and still I've had a stupid password on some very sensitive (personal, not at work) accounts for a decade. It's just so easy to keep using the same bad ones so you remember.

The one thing that scares me is that LastPass is a goldmine. I am sure every hacker group in the world is attempting to breach their security.
 

DriftlessRider

Mu-43 Rookie
Joined
Feb 4, 2016
Messages
17
Location
Fountain City, WI
Real Name
Ed
I hear you about LastPass being a goldmine. Since the key (master password) isn't on their systems, just your strongly encrypted "vault" file, I'm kinda OK about it. But ... what about a rogue employee? Then again, I don't have that much money to steal and I have no NSA-level secrets. I'm really not that interesting. I don't think I'm a prime target for an attack :)

Because I didn't love the "goldmine" idea I started out using KeePass instead of LastPass, with both a password and a secret-key file. I kept the vault on one cloud provider, the key file on another. I could access them from all my computers, and even my phone. But ... the lack of convenience getting passwords in and out of KeePass was preventing me from using it.

So, LastPass is where I landed. It does have a nice two-form-factor login setup, I use that and it hasn't been too intrusive.
 

wjiang

Mu-43 Legend
Joined
Sep 7, 2013
Messages
7,571
Location
Christchurch, New Zealand
Your master password for LastPass doesn't even go toward their servers, it's done purely on the local machine. The attack vector would be fake man-in-the-middle phishing type attacks that fake the LastPass software (this has already happened), or a malicious employee actually compromising the real software to leak keys from local clients.

If that happens, the leaked passwords (other than the master) will be pseudorandom, and different across all services, so of no help to future attacks (the old master passphrase needs to be completely scrapped though). As long as you make sure your email is strongly secured via things like two-factor authentication through a reputable provider like Google you should be able to lock it down and use it to recover any compromised services.

You can then wholesale migrate all services to use another system that uses pseudorandom keys for all services (or stick with LastPass if they fix the problem and give assurances that they've dealt with root cause).

I've realised the key is email - my bank and other local services are pretty good about local identification but online services all have email as a final failsafe (some have two factor too). If your primary email gets compromised then yes, you are pretty screwed if you can't get it back.
 

Replytoken

Mu-43 Hall of Famer
Joined
May 7, 2012
Messages
3,649
Location
Puget Sound
Real Name
Ken
Simple steps like using strong passwords, two factor authentication, patching software and periodic audits can make any network or device secure. If you are a juicy enough target people can be relentless, is the user account info for MU43 that target? I'd say no.

Cloudbleed as they are calling this is/was not your average attack vector. I doubt this was exploited in the wild.
You have outlined important steps that a user can take to help prevent certain types of hacking, but other than using different passwords, there is little that you can do about breaches of a server. And, IIRC, the Cloudflare issue was not an attack, but rather an error in their code that caused buffer overruns on their servers that should have never been allowed to happen (but was discovered). Regarding MU-43 being the target, it does not really matter as breached data is often data mined to see what can be put together with other breached data, not unlike leakedsource.com. Personally, I wish they would develop an alternate web from the ground up that was designed with security in mind. We have gone far beyond what was initially envisioned when the web came to be to the general public.

--Ken
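Added illustration, written for this thread and not taken from any poster or from Cloudflare's code, of the bug class behind the "random memory chunks" tkbslc describes and the "buffer overruns" Ken mentions: a parser whose end-of-buffer test is an equality test can step past the end of its buffer and keep copying whatever happens to sit next in memory (the same pattern as the linked incident report). The two tenants' adjacent bytes, the `alt="..."` attribute and the `OTHER-TENANT-SECRET` string are all constructed; the hardened form replaces the `==` test with `>=` and guards the escape step.

```c
#include <stddef.h>
#include <string.h>

/* Constructed layout: tenant A's request bytes are immediately followed in
 * memory by bytes that belong to some other tenant. Only REQ_LEN bytes of
 * 'memory' belong to the request being parsed. */
#define REQ      "alt=\"broken value\\"          /* value ends in a lone backslash */
#define NEIGHBOR "token=OTHER-TENANT-SECRET\""   /* not part of the request */
static const char memory[] = REQ NEIGHBOR;
#define REQ_LEN (sizeof(REQ) - 1)

/* Copy the quoted attribute value starting at buf[0] == '"' into out.
 * strict == 0 reproduces the bug: the end-of-buffer test is an equality
 * test, and the 2-byte escape step can jump over 'end'; after that the
 * test never fires and the loop walks into neighbouring memory.
 * strict == 1 is the hardened form: a >= test plus a guard on the step. */
static size_t scan_quoted(const char *buf, size_t len, int strict,
                          char *out, size_t outcap)
{
    const char *p = buf + 1;          /* skip the opening quote */
    const char *end = buf + len;
    size_t n = 0;

    while (n < outcap) {
        if (strict ? (p >= end) : (p == end))
            break;                    /* end of buffer */
        if (*p == '"')
            break;                    /* closing quote */
        if (*p == '\\' && (!strict || p + 1 < end))
            p++;                      /* escape: take the next byte literally */
        out[n++] = *p++;
    }
    return n;
}

/* Length of the parsed alt value; 13 when hardened, 37 with the bug. */
static size_t value_length(int strict)
{
    char out[64];
    return scan_quoted(memory + 4, REQ_LEN - 4, strict, out, sizeof out);
}

/* 1 if the other tenant's bytes ended up in tenant A's parsed value. */
static int leaks_neighbor(int strict)
{
    char out[64] = {0};
    size_t n = scan_quoted(memory + 4, REQ_LEN - 4, strict, out, sizeof out - 1);
    out[n] = '\0';
    return strstr(out, "OTHER-TENANT-SECRET") != NULL;
}
```

With the equality test the parser returns "broken value" followed by the neighbouring tenant's bytes; with the `>=` test it stops at the buffer end.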
 

wjiang

Mu-43 Legend
Joined
Sep 7, 2013
Messages
7,571
Location
Christchurch, New Zealand
Haha the internet was designed for survivability and loose coupling first and foremost... not much else. I like to say that the web kind of works 90% of the time to 90% of the requirements people want for 90% of people. The same reasons why it's awesome also lead to some of its biggest flaws... but the thing to remember is that it's the only massive network to have survived and is still going strong.
 

ThomD

Mu-43 Top Veteran
Joined
Jun 1, 2013
Messages
602
Location
SF Bay Area
I've realised the key is email - my bank and other local services are pretty good about local identification but online services all have email as a final failsafe (some have two factor too). If your primary email gets compromised then yes, you are pretty screwed if you can't get it back.
This, right here. If your primary email doesn't use two-factor, you are asking for trouble. If your phone doesn't have a password (pin, etc), you are asking for trouble. There are security risks that are out of your control. Don't use that as an excuse not to minimize the risks that you can control.

Obligatory XKCD reference.

xkcd: Authorization


(Why can't I embed a png? And no, I'm not going to upload somebody else's image.)
 
Copyright © 2009-2019 Amin Forums, LLC