Shostack + Friends Blog Archive


CloudFlare's Post Mortem

In our continuing series on how disclosure doesn’t hurt, I wanted to point out CloudFlare’s “Post Mortem: Today’s Attack; Apparent Google Apps/Gmail Vulnerability; and How to Protect Yourself.”

Go take a look, it’s worth reading, especially the updates.

I take three lessons from this:

  1. Disclosing an attack lets you control the story, and is better than hiding it.
  2. Multi-factor authentication is hard and expensive. There’s a lot of cruft masquerading as “multi-factor” authentication. It’s hard to move an account system from low-value to high-value, and even harder to operate a mixed system with low-value accounts (Gmail) and higher-value ones (for example, Google Apps for domains) behind the same login and recovery machinery.
  3. Disclosing quickly has both risks and rewards. The initial assessments may have been inaccurate, but CloudFlare was still able to get on top of the story, and the updates to the post corrected the record as the facts came in.

So some takeaway actions:

  1. First, go secure your accounts. If you depend on them, make sure the recovery data (backup email addresses, phone numbers, and the like) is up to date and at least as well protected as the account itself, since an attacker who controls your recovery path controls the account.
  2. Second, consider using a password manager to help you manage a different password for each site you use.
  3. Lastly, make sure you have a security response PR plan, and that it includes being, or getting, ahead of a story.

Thanks to CloudFlare for sharing what happened, and giving us the opportunity to learn from their pain.