Avatar feed
Responses: 2
MAJ Intelligence Officer
0
0
0
Edited 8 y ago
As the security POC for more than one org, I've spent a good portion of my day dealing with tons of people who need to be informed what to do about this bug. While the individual risk isn't high, the theoretical chance is still there that all sorts of data ended up in the caches and could be exploited.

This bug is also why many users suddenly found that Google de-authorized the existing authentication tokens to all of their services, forcing people to log in again -- Google didn't use CloudFlare, but tons of sites that use Google as a federated login or that link your account with them to your google profile were.
(0)
Comment
(0)
MAJ Intelligence Officer
MAJ (Join to see)
8 y
The current recommendation is that the risk is exceedingly low, but those that are worried should still to change passwords on any site that didn't have additional safety protocols (example: 1Password used 2 other layers of encryption, so they weren't as vulnerable), and the list of sites is in the thousands. The further recommendation is to use a password manager that gives you unique passwords for each sites so a compromise wouldn't ripple. Third recommendation is to use 2-Factor Authentication whenever a site makes it available (and to use physical tokens or apps like Google Authenticator over SMS messages to your phone when given the chance). 2&3 are recommendations in general, not just regarding this issue.
(0)
Reply
(0)
MAJ Intelligence Officer
MAJ (Join to see)
8 y
Here's a really good write-up about it from noted security researcher Troy Hunt.
https://www.troyhunt.com/pragmatic-thoughts-on-cloudbleed/
(0)
Reply
(0)
Avatar small
LTC John Shaw
0
0
0
This event shows the importance of picking your cloud provider and content cache solutions. Most large organizations require an indemnity clause for damages when security breaches occurr.
Mobile and e-commerce is about trust and security in your PII and payment processing. Even if you have a good agreement the best outcome is no breach at all.
(0)
Comment
(0)
Avatar small

Join nearly 2 million former and current members of the US military, just like you.

close