Global Executive Search Recruiting Firm

Up In The Cloud: Stopping The Bleeding
- Executive Leadership Articles


They’re calling it “Cloudbleed,” a recent data leak by a major cloud service provider that could have been disastrous for its victims. Between September 2016 and February 2017, websites using the service randomly attached personal browser data to the ends of webpages. In this case, “personal” means specific information about specific users, although luckily it appears that no passwords or credit card numbers were among the data. Still, we’re talking about 1.2 million detected leaks in that time, more than ample opportunity for someone to create destructive mischief if the wrong person had discovered it.

This data leak is worth examining for two very specific actions: what caused it and how the provider responded when it was discovered.

The service provider introduced a new HTML parser to a small number of its clients’ websites. A parser basically examines the language that powers the website, looking to make sure the language is tight; that is, grammatically correct and practically efficient. Websites can look fine with sloppy code, but they can run inefficiently, thus wasting valuable processing resources, or they can leave vulnerabilities, resulting in crashed websites or open doorways into stored data. The new parser allowed data to fill memory buffers and then overflow them, pushing the extra data out to the website itself. When the parser was rolled out to 6,000 more sites, the number of random data leaks skyrocketed.

When you access a website, especially one with cookies, the computer that generates the website sends your computer all kinds of data, such as the name of the website, the text that appears on it, the colors of the fonts, and all the graphics. Meanwhile, your computer sends data back: what browser you’re using, what operating system your browser is running on, where your computer is located, and sometimes your name, password, and any other info you’ve asked the website to remember about you when you accepted its cookies. The bad parser was randomly spitting some of that info out to users of the sites.

This problem was worsened because search engines visit sites all the time (that’s how they know where to send you when you search for something), caching whatever data the website has. In the old days of the web, this cache was pretty valuable to everyday users, because if a website containing information you were searching for happened to be down (that happened a lot once upon a time; you may have forgotten!), the search engines could show you what the website looked like when they last accessed it. They still do that, but we seldom have need anymore to see the cached site right from the list of search results the way we once did. But since cached search results are still accessible, someone aware of the data leak could search through the caches for any of that leaked data.

When the cloud service provider realized the problem, it immediately closed the leak, then worked with the search engines to search the caches for leaks (and then delete them). This let the provider get a look at roughly how many leaks there were, and whether there were any patterns in the way leaked data was sent to users. Multiple website accesses from a tiny number of IP addresses, for example, might indicate that someone had discovered the leak and was either trying to replicate it or milk it for as much data as they could get. Thankfully, there are no signs that anyone realized what the websites were doing.
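The access-pattern check described above, sketched as an added example that is not part of the original article or the provider's own tooling: it counts requests to pages known to have leaked during the leak period and reports any address responsible for an outsized share of them. The log format, the exact window dates, the thresholds, and the `/account` path are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timezone

# Common-log-format prefix: client IP, timestamp, request path.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<path>\S+) [^"]*"')

# The article gives only months (September 2016 to February 2017);
# the exact boundary days used here are an assumption.
WINDOW = (datetime(2016, 9, 1, tzinfo=timezone.utc),
          datetime(2017, 2, 28, 23, 59, 59, tzinfo=timezone.utc))


def concentrated_sources(log_text, leaky_paths, min_hits=5, min_share=0.25):
    """Return (ip, hits, share) for addresses that made at least min_hits
    requests to leaking pages inside the window and account for at least
    min_share of all such requests."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m["path"] not in leaky_paths:
            continue  # unparseable line, or a page that never leaked
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        if WINDOW[0] <= ts <= WINDOW[1]:
            hits[m["ip"]] += 1
    total = sum(hits.values())
    return sorted((ip, n, round(n / total, 2)) for ip, n in hits.items()
                  if n >= min_hits and n / total >= min_share)


def _line(ip, ts, path):
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" 200 5120'


# Constructed sample log; addresses come from the documentation IP ranges.
SAMPLE_LOG = "\n".join(
    [_line("203.0.113.9", f"14/Feb/2017:10:00:{s:02d}", "/account") for s in range(8)]
    + [_line(f"198.51.100.{i}", f"15/Feb/2017:09:{i:02d}:00", "/account") for i in range(1, 11)]
    + [_line("192.0.2.50", "01/Mar/2017:00:00:01", "/account")] * 9  # after the window
    + [_line("192.0.2.77", "10/Jan/2017:12:00:00", "/about")] * 20   # busy, but not a leaking page
    + ["garbled line that does not parse"]
)

if __name__ == "__main__":
    for ip, n, share in concentrated_sources(SAMPLE_LOG, {"/account"}):
        print(f"{ip}: {n} requests to leaking pages ({share:.0%} of total)")
```

Search-engine crawlers also revisit pages constantly, so a real review would separate verified crawler addresses from the flagged set before drawing conclusions.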

The service provider contacted its clients and any customers whose data might have been leaked, informing everyone of what the problem was, what the potential damage might be, and what it was doing to prevent this problem in the future. Unlike recent Internet of Things service providers which tried to cover up their data collection and security breaches, this provider understood that its survival in cloud service depends on trust, and that it could best maintain trust by being as transparent as possible.

So our two takeaways in this week’s adventure in cloud data insecurities are these. First, everything has security ramifications. There’s little reason to suspect that an HTML parser could send user data randomly throughout the web. It would be like checking your home’s smoke alarms for working batteries before leaving the house every night, just to be sure they don’t unlock your garage door. There’s seemingly very little connection between the two functions, and yet one thing led to another.

Second, we’re still learning about all this cloud stuff. There are still a whole bunch of other ways data can spill out into the world, and we’re discovering them daily. Accidents will happen even to the best of us, but since we’re all in this together, the best way to deal with problems is to share them, to be out in front of any possible disasters, to take ownership of our mistakes, and to lead the way in solving the problem. Cover-ups in these cases never stay covered up for long, while transparency lets our allies come more quickly to our aid. Cloudbleed could have been a catastrophe, but transparency seems to have stopped the bleeding quickly while hopefully making the community safer in preventing similar issues later.

 
