Solution Providers: Cloudflare Software Bug Shows Need For Better Business Data Security Measures

Solution providers said a software bug found at Internet service provider Cloudflare highlights the need for companies to step up their game when it comes to data security.

The bug, discovered by Google security researcher Tavis Ormandy, led to the leakage of encryption keys, PII, HTTP cookies, passwords, HTTP POST bodies, and HTTPS requests. The leakage was caused by edge servers running past their buffer and returning memory containing the sensitive data, which was then cached by search engines. Cloudflare said customer SSL private keys were not leaked.

Cloudflare is an Internet service provider that hosts more than 5 million websites, including popular sites such as OKCupid, AgileBits, 1Password, and more.

Cloudflare said in a blog post that the greatest period of impact from the bug was between Feb. 13 and Feb. 18, when around 1 in every 3.3 million requests could have been leaked. That amounts to around 120,000 pages a day. Cloudflare also said there is no evidence that hackers have exploited the data leakage.

Cloudflare said it turned off three Cloudflare features (email obfuscation, server-side excludes and automatic HTTPS rewrites) to halt the leak. It also launched a cross-functional team to better understand the issue and to work with Google and other search engines to remove cached HTTP responses.

"We are very grateful to our colleagues at Google for contacting us about the problem and working closely with us through its resolution. All of which occurred without any reports that outside parties had identified the issue or exploited it," Cloudflare said in a blog post.

The bug is just the latest event to hit an Internet service provider, following a distributed denial-of-service (DDoS) attack on Dyn last fall, which leveraged distributed IoT devices infected by the Mirai botnet to take down more than 1,200 websites. The events are unrelated: the Cloudflare event is a data leakage bug, not a DDoS attack.

Jack Koons, director for global security solutions at Blue Bell, Pa.-based Unisys, said that, while Cloudflare was quick to resolve the problem at its source, businesses should still be concerned about leaked data that has since been cached on other servers, leaving it out in the wild. He said businesses that are concerned they might be affected should do basic security triage: changing passwords, notifying the IT department, and taking inventory of the type of data that may have been compromised and whether it has any business or regulatory implications.

Going forward, Koons said businesses should take steps to secure their critical data and assets before they reach the Internet, comparing it to putting on a coat before leaving the house in the winter. He said that includes security steps such as identifying critical data assets, segmentation and encryption.

"If we don't want to catch a cold, we don’t try and change the weather – we just put a jacket on. That same analogy has to be used for the companies that are transiting Cloudflare. You have to put the jacket on by putting basic protections on data," Koons said. "That’s really the conversation that you want to have. The sad part, though, is right now is a lot of organizations aren’t doing it."

Koons said there is also a role for government organizations to step up around this issue, instituting regulations like Europe has with the GDPR around data protection. He compared it to the German Autobahn, which has no speed limit, similar to Cloudflare, but puts strict requirements on car safety and maintenance before cars can drive on the highway.

"That analogy has to be used for the internet. The organization has to provide the security and safety for the vehicle so if there's a crash on the high-speed network, you're protected. You can't blame the Autobahn," Koons said.

Koons said he hopes incidents like the Cloudflare software bug and the Dyn attack last fall call attention to the need for companies to invest in data security solutions sooner, rather than later.