yconic is the place where you can give and get the help you need for your life as a student. To help keep our community an enjoyable, helpful and safe place for all members, please adhere to the following guidelines.
1. Be nice to people. It's okay to provide constructive criticism, but there is no need to insult other members. For example, "X major is over-saturated right now. You might have trouble finding a job" is fine. "Your major is dumb. Have fun working in fast food," is neither helpful nor appropriate.
2. Ask actual questions. If you're looking for help with something, titling a thread "HELP, I DON'T KNOW WHAT TO DO" isn't going to appeal to the members that may be best suited to help you. Be specific and title your post with relevant information.
3. Don't abuse the anonymous feature by pretending to be multiple people. Surprise, surprise, we know who posts what :)
4. Please only tag relevant interests when you create a new thread. Adding unrelated interests is unlikely to get you the help you're looking for and can frustrate other members.
5. Avoid spamming. This includes replying to your own thread for the sole purpose of moving it up the discussion feed.
6. Don't expose other people's personal information. If someone is posting anonymously, please respect their privacy.
7. If you see something you don't like, click the 'Report' button in the post menu and a moderator will review it. Please avoid commenting on inappropriate posts as this only encourages them.
8. Did a post help you? Click the "Was this post helpful?" button to help us recognize our most helpful members and so that other people will know the response was...you guessed it, helpful!
If you do not respect our guidelines, you may be temporarily or permanently banned from the yconic community.
People aren’t actually saying that every cloud has an unencrypted lining but they are saying that every website protected by the online security service Cloudflare has been leaking encrypted session and user data—including credit card numbers and passwords—for months now and that millions of affected website users should promptly change their passwords!
Cloudflare, which provides millions of online servers/websites with firewall-like traffic filtering to protect against malicious hacking exploits, such as distributed denial of service attacks, announced on February 23 that it had a long-standing internal memory leak flaw. Cloudflare called it a “parser bug”, while the Internet security community at large dubbed it “Cloudbleed” for its similarity to the Heartbleed memory overflow bug of three years ago.
It’s comforting how everyone pays lip service to security
The memory leak flaw was brought to Cloudflare’s attention on February 17 by Tavis Ormandy from Google’s Project Zero, which is tasked with finding such hidden code flaws.
World’s platform for change asks you to change your password
Change.org, which hosts millions of online petitions and is one of Cloudflare’s clients, sent out the following vaguely worded email on Saturday (February 25) to all registered users (including myself) recommending that we all change our passwords immediately:
We want you to feel safe when using our services and we have been monitoring this situation closely to ensure it does not affect our users. If you are ever in doubt about the security of your accounts with us, feel free to contact Change·org directly through our Help Center.
In fact, no one is suggesting that there is any evidence that any of these potential memory leaks from hundreds of millions (if not billions) of encrypted web sessions have been exploited by anyone. But it’s a good idea to “refresh” your passwords every so often, regardless of external evidence.
You can cry “Heartbleed”, or “Wolf”, only so many times!
Three things can be assumed to happen as a result of this latest Internet security bug. Firstly, all website users affected will receive a direct notification advising them of the fact and recommending that they change their passwords.
Secondly, the memory leak bug will be fixed.
And thirdly, most Internet users will conclude that this latest dire warning of an Internet security flaw affecting millions and millions of users is much ado about nothing—just like every similar warning of the last few years (not to mention that “world-ending” Y2K bug of the year 2000).
After all, unlike a few of the malicious Microsoft Windows viruses and worms of yesteryear, which visibly destroyed data and took down bazillions of Windows computers, the high-profile software bugs of recent years have appeared to be mostly hype as far as end users are concerned.
The marketing of Internet flaws—but at whom?
This is not to say that security flaws are not exploited by malicious coders. And yes, there is online identity theft and online credit card fraud aimed at individuals, but the latter two categories are very fuzzily documented, with no reliable numbers of actual consumer losses to online fraud.
The source of the problem – which was discovered accidentally by Google Project Zero bod, Tavis Ormandy – was a memory leak caused by a broken HTML parser chain.
However, it was compounded by the fact that leaked data was then cached by search engines.
The leaked data included “private information such as HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data,” Cloudflare CTO, John Graham-Cumming explained in a lengthy blog post.
“We quickly identified the problem and turned off three minor Cloudflare features (email obfuscation, Server-side Excludes and Automatic HTTPS Rewrites) that were all using the same HTML parser chain that was causing the leakage. At that point it was no longer possible for memory to be returned in an HTTP response,” he added.
Although Graham-Cumming claimed the bug was fixed globally in under seven hours, it may have been leaking highly sensitive data for months.
“The greatest period of impact was from February 13 and February 18 with around one in every 3,300,000 HTTP requests through Cloudflare potentially resulting in memory leakage (that’s about 0.00003% of requests),” he added.
In fact, given the extent of the info cached by search engines, Cloudflare clients will now be under pressure to inform their own customers of the extent of the privacy snafu.
“The examples we're finding are so bad, I cancelled some weekend plans to go into the office on Sunday to help build some tools to cleanup. I've informed Cloudflare what I'm working on,” said Ormandy.
“I'm finding private messages from major dating sites, full messages from a well-known chat service, online password manager data, frames from adult video sites, hotel bookings. We're talking full https requests, client IP addresses, full responses, cookies, passwords, keys, data, everything.”
Although he praised Cloudflare for its response to the issue, it’s also true the firm’s bug bounty offers little in the way of rewards for white hat researchers – free t-shirts, rather than money.
Former Google click fraud boss and current Shape Security CTO, Shuman Ghosemajumder, argued that it is “one of the widest exposures of confidential and sensitive consumer data ever observed.”
“This incident has many people suggesting that everyone in the world should change all of their passwords immediately,” he said.
“The total exposure is likely not that large – i.e., not all of your passwords have been compromised – but the problem is that almost any one of your passwords on over four million websites could have been compromised, so the safest course of action is to act as though all of your passwords were compromised.”
Kaushik Narayan, CTO at Skyhigh Networks, analyzed over 30 million enterprise users worldwide and found 99.7% of companies have at least one employee that used a Cloudbleed vulnerable cloud application.
“This means hackers could have stolen user passwords for these cloud applications – and may even have access to session keys exposed, while a session is live. But this user-data also revealed another surprise – out of 128 enterprise-ready applications that could have been compromised, only four were vulnerable,” he added.
“Cloudbleed is the latest in a string of vulnerabilities that should be of concern to enterprise IT security and a reminder to us of the problems caused by user password reuse across corporate services and personal web sites and cloud services.”
The advisory has come in the wake of the growing challenge posed by cyber criminals, many of whom are based abroad and thus out of the jurisdiction of the local law enforcement authorities.
"Modern electronic crimes have come to be a great challenge for the entities concerned in the country due to the international nature of the crime. Many of the cases also are of a sensitive nature involving the personal and private aspects of the victims," Colonel Ali Hassan al-Kubaisi, head of the economic crimes prevention section at the Criminal Investigation Department of the Ministry of Interior, said.
In a statement issued on Sunday, the official said cyber criminals have made "great advancements" in their modus operandi which make it difficult for the ordinary people to escape their attacks. "The most common ways of online crimes are blackmail and fraud." He said such crimes are witnessing a "major advancement" due to the rapidly developing technology, as criminals quickly adapt their styles and methods with such development.
"To combat such crimes, Qatar has issued Law No 14 for 2014, which has provisions to fight most forms of online crimes and provide for strict penalties for each category of such criminal action." The official said that many people "overuse and misuse" new online technologies to insult or defame others thinking that they would not be easily caught by the security department. But he said criminals cannot escape the long arms of justice.