MyLU Insider

Benjamin Willard

Cloudflare “Cloudbleed” Information Disclosure

Technology Services is closely monitoring an unfolding and wide-reaching security disclosure from the internet content delivery company Cloudflare. The underlying incident — dubbed “Cloudbleed” — potentially exposed sensitive information from internet sites that used Cloudflare during the period of September 22, 2016 through February 20, 2017.

Lawrence does not use Cloudflare, so Cloudbleed does not affect any of the university’s sites and services, such as the Lawrence website or Voyager. At this point we are not aware of any impact on third-party service providers who work with Lawrence.

Because Cloudflare serves over 2 million websites, it is possible that you will receive a notification from sites and services you use if those services determine that any private information leaked because of Cloudbleed. Compared to other breaches, bugs, and vulnerabilities over the past year, Cloudbleed appears to pose a relatively low risk to individual users. Fully understanding the coverage from media outlets can be difficult, but security researcher Ryan Lackey provides good advice for individuals who are concerned about what Cloudbleed means for them:

From an individual perspective, this is straightforward — the most effective mitigation is to change your passwords. While this might not be necessary (it is unlikely your passwords were exposed in this incident), it will absolutely improve your security from both this potential compromise and many other, far more likely security issues. Cloudflare is behind many of the largest consumer web services (Uber, Fitbit, OKCupid, …), so rather than trying to identify which services are on Cloudflare, it’s probably most prudent to use this as an opportunity to rotate ALL passwords on all of your sites. Best practice is to use a long random string for each password, unique for each site, and to manage that collection using a “password manager”, such as 1Password, LastPass, or the built-in password managers in modern web browsers. Users should also log out and log in to their mobile applications after this update. While you’re at it, if it’s possible to use 2FA or 2SV with sites you consider important (using something like TOTP/Google Authenticator or U2F), that’s a meaningful security upgrade, too.

(from the article Cloudbleed: How to deal with it — https://medium.com/@octal/cloudbleed-how-to-deal-with-it-150e907fd165#.7mysif5j1).

Technology Services will continue to track the Cloudbleed incident and will provide further recommendations if necessary.

For those interested, more information is available at the following locations: