Cloudflare Attack Proves Hackers Are Relentless

Last week's attack on Cloudflare hack resulted from four unrelated vulnerabilities and proved just how relentless hackers can be.

Cloudflare is a web security and performance service. It’s whole purpose is to make your site safer, faster and operate more efficiently using a web master-crowd sourcing methodology. That’s why it was so ironic that it got hacked last week.

In the interest of transparency, and in the spirit of the service itself, Cloudflare explained exactly what happened and how a series of rather unrelated services were exploited resulting in the attack.

And it was a crazy set of circumstances, as Cloudflare explained on the company blog, that came together for a hack. Just to show anything can happen, read the entire episode: It started with a phone company network vulnerability, continued with a GMail account recovery PIN problem, moved onto a Google Apps flaw that let the hacker bypass two-factor identification and finally with all those defenses down, the hacker relied on Cloudflare’s ability to send out transactional emails using BCC.

And there you have it folks. Just that easy. Just that quick. Just a few simple steps and the hacker was waltzing around inside Cloudflare’s systems.

It’s a bit mind boggling actually that anyone would go to all this trouble just to disrupt what is a very useful service. As the Cloudflare introductory video points out, its service provides smaller businesses with the kinds of functionality that is typically only available to big companies with deep pockets.

What could possibly motivate someone to go to all this trouble to take down a valuable service? Apparently because we have a lot of bored hackers out there whose talents could probably be put to better use than mucking about in other people’s systems. Unfortunately, solving puzzles like finding a series of unrelated exploits seems more fun, I guess.

All that aside though, it shows just how vulnerable every site is to attack (as the Cloudflare introductory video clearly points out). Just yesterday came news that LinkedIn had been attacked and passwords stolen. LinkedIn does not appear to have been quite as forthcoming as Cloudflare.

At first, it wouldn’t confirm the attack, then later admitted that it had been attacked and that some passwords had been stolen. Something clearly happened, and unlike Cloudflare, LinkedIn isn’t be completely open about what it was (although they might not know yet).

That’s the typical response to a hack; to circle the wagons, but it’s much better to be upfront with your users and let them know what went wrong. As we’ve seen, this can happen to anyone at any time.

These hackers are clearly relentless, clever and resourceful and they find ways into systems most of us couldn’t even dream of. Until the hackers back off–and that doesn’t seem to be happening anytime soon–secure your sites as best you can and hold on.

And when an attack happens, fess up, clean up and move on.

2 Comments

  1. Varinder says:

    The intent of hack-attack varies from fun, self-promotion, money-making to subduing competition. What is really worrying is that most of the hacks are successful due to either lack of social-engineering awareness or poor configuration setup.

  2. Mark says:

    I can understand why CloudFlare would be hacked. They are actually very malicious individuals themselves.

Trackbacks/Pingbacks

  1. LinkedIn’s Sloppy Security Should be a Lesson to All | Real User Monitoring - [...] I wrote in a post last week, Cloudflare Attack Proves Hackers are Relentless, hackers are surprisingly creative when it …

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>