Cloudbleed Bug: Will SingCERT Advisory Trigger Action?More than 2,500 Singapore Websites Allegedly Affected by Bug
Cloudflare's recent data breach - dubbed "Cloudbleed" - did not spare any region. The tiny bug in Cloudflare's code caused huge security problems by leaking an unspecified amount of data, including confidential information such as passwords, dating site chats and more.
See Also: Passwords Alone Aren't Enough
In Singapore alone, Cloudbleed reportedly affected more than 2,500 websites, putting data from various organizations in the private and public sector at risk (see: Cloudflare's Cloudbleed: Small Risk, But Data Lingers ).
"Do organizations take these types of government-promulgated alerts and advisories seriously, and do they help drive organizations to ... respond?"
Mohan Veloo, Chief Technology Officer, Asia Pacific, F5 Networks agrees that in the APAC region the consequences from the Cloudbleed bug affecting mobile apps such as Fitbit, Outlook and Uber is a huge cause for concern. As organizations constantly use services provided by Google or Facebook to register or access an app or service, they are actually giving away personal information to the service or app that they want to use and if this app or service is compromised, all the personal information is lost.
While there's a long list of impacted domains - this Pastebin post lists 2,692 sites - just some of the impacted organizations and domains include:
Because of the vast number of industries operating in Singapore, the country appears to be especially at risk from Cloudbleed.
And authorities are responding. The Singapore Computer Emergency Response Team, SingCERT, has issued an advisory on the breach along with recommendations on how to mitigate risks arising from these types of coding error data leaks. SingCERT also issued a call - not for the first time - for local organizations to report any such incidents to it in future.
Shoen Yih Yum, deputy director-critical infrastructure division at the Cybersecurity Agency of Singapore, says SingCERT will be updating the advisory as it gets more updates from Cloudflare.
But SingCERT's Cloudbleed advisory begs this question: Do organizations take these types of government-promulgated alerts and advisories seriously, and do they help drive organizations to not just respond, but to improve the state of their risk mitigation plans and practices?
Some practitioners say SingCERT needs to not just issue alerts, but be given the legal power to ensure that organizations comply with the guidelines it lays down.
Singapore-based Tom Wills, director of payments consulting firm Ontrack Advisory, notes that the Cloudbleed flaw and related leaks were accidental. To date, there appears to have been no malicious activity involved, although some sensitive data was exposed on the public internet, in particular via search engine caches. That's good news, obviously. But Wills says SingCERT needs to do more to ensure enterprises improve their cybersecurity.
Cloudflare, in a postmortem analysis, says Cloudbleed was caused by the company's decision to use a new HTML parser called cf-html. An HTML parser is an application that scans code to pull out relevant information such as start tags and end tags, making it easier to modify the code.
Cloudflare accidentally introduced the bug into an HTML parser, John Graham-Cumming, the company's CTO, says in a blog post. The HTML parser modifies web pages that come through Cloudflare's edge servers for security reasons, such as obscuring email addresses from known scraping bots (see: Cloudflare Coding Error Spills Sensitive Data).
SingCERT issued a related warning on Feb. 17, warning of a critical system vulnerability caused by a parser bug that had been reported to Cloudflare. On Feb. 23, Cloudflare determined the root cause and turned off three Cloudflare features - email obfuscation, server-side excludes and automatic HTTPS rewrites - that were using the same HTML parser chain involved in the leak.
SingCERT officials note that many of Cloudflare's services rely on parsing and modifying HTML pages as they pass through edge servers. As a result, Cloudflare's edge servers ran past the end of a buffer, and returned memory that contained private information within HTTP cookies, authentication tokens, HTTP POST bodies, and other sensitive data. Some data was cached by search engines as part of their crawling processes, which made the leaks hard to contain.
Rather than rely only on Cloudflare's analysis, Dan Yock Hau, director of National Cyber Incident Response Centre, urged website administrators using Cloudflare services to perform their own assessment of what the related risks might be.
Yum cites related warnings from SingCERT, noting that search engines such as Google, Yahoo and Bing may have cached some of the leaked data through their normal crawling and caching processes. Any users' personal information might therefore be at risk.
According to SingCERT, Cloudflare has identified a total of 770 unique URLs of such cached content and secured the cooperation of search engine providers to purge them. Cloudflare has also undertaken other search expeditions to look for potentially leaked information on sites like Pastebin and did not find anything.
Risk Mitigation: How Much is Enough?
But is it enough for a CERT to issue an alert and urge organizations to conduct their own risk assessment? That's what SingCERT recommends - that any website administrators at organizations that use Cloudflare's services refer to the Cloudflare advisory, and perform their own risk assessment. Arguably, however, organizations should expect more from their national CERT than a link to a vendor's security alert.
On the other hand, one of the primary requirements for any security incident is for affected organizations to share related information with the relevant authority, and in Singapore - and elsewhere in the region - I believe is not happening. Singapore's CSA and Personal Data Protection Commission continue to reiterate the need to report breaches to authorities and to seek immediate support to execute a breach response plan. But to date, these entreaties appear to have had little effect. Simply put, organizations avoid reporting breaches, worrying that it will damage their reputation.
In the region, many practitioners also say too many organisations lack the technical expertise required to deploy the latest breach-prevention and detection tech, and continue to rely on legacy systems that have long required need major upgrades. In such an environment, advisories from the likes of SingCERT and CERT-In - India - arguably have very little impact.
In terms of what organizations should be doing, that's well known. OnTrack's Wills says all organizations should be applying rigorous testing and code reviews - at all stages of the software development lifecycle - for anything they build in house, and securing all applications regardless.
Some organizations overlook threat intelligence because they don't think it's relevant, many security experts say. Other organizations don't adhere to information security best practices, meanwhile, because they seem them as being too expensive. And all organizations need to increase their use of two-factor authentication and strong passwords and move away from outdated thinking about forcing password expiration. Above all, however, organizations need to put the right defenses in place, so that they don't have to react to every new bug report.
Veloo says, while changing the password periodically is critical, having a multi-factor authentication (MFA) mechanism as a means to maintain visibility to counter a potential identity compromise is very important.
At the very least, he expects users to turn on notifications of logins outside their usual devices so they aren't caught unaware.
Authorities will help. Going forward, Wills expects SingCERT to more aggressively track breaches and coordinate organizations' response to any new, significant threats that emerge.
To make that happen, however, SingCERT must go beyond issuing guidance, and gain the ability to force organizations to comply.