Cloudbleed and AWS – Cautionary Tales
Recently, there have been two major events in the online world that have impacted the way people work – Cloudbleed and the Amazon Web Services outage. While neither of these ended up being an attack, they have certainly brought questions of security to the foreground. We’re going to take a look at the two events and see what we can do to prepare for a disaster and protect our websites and our online services from similar events.
Cloudbleed
The Cloudbleed incident began in September of 2016 and was identified by Google in early February 2017. Cloudflare is a company that offers security and content delivery network services to its clients. Their service experienced a buffer overflow error that was leaking encrypted data at intervals onto pages served via Cloudflare. Once the vulnerability was reported, Cloudflare quickly acted and had a patch up within four days stopping the leak. The concerns here are what encrypted data was shared and was anyone collecting this data to exploit it. So far signs are good that this was not the case and that the data was limited. Cloudflare posted a great article detailing Cloudbleed from causes to fixes and continues to be forthcoming with their ongoing research into it.
The AWS outage
On February 28, 2017 Amazon Web Sevices’ S3 experienced an approximately four hour outage that played havoc with the internet. Even if the outage didn’t impact your site directly many associated services and SaaS services were impacted including, Quora, Slack, Giphy and even Amazon’s own S3 status board were impacted. Interestingly, the services of Cloudflare kept sites impacted by the event displaying pages that might otherwise have been offline. Eventually it was found to be human error and a simple typo but the impact online was significant.
What Can You Do
In both of these cases there wasn’t too much that you could have done to stop the events from impacting you. As a site owner, if you weren’t using Cloudflare or Amazon’s S3 services then you may have been spared any issues. However, some of the services that you have integrated into your website might have been affected. As internet users the impacts could have been greater. At Pixel Jar, we currently use no less than six major online SaaS services in our day to day operations, so when one of those goes down it can impact our ability to get things done. So what can we do to protect ourselves and our websites?
Know Your Site and Services
Dustin Meza from WP Engine gave a presentation at WordCamp Orange County last year. In the presentation he talks about steps required to prepare for an upgrade. One of his key points is to make sure that you have a list of of all of the components (plugins/themes) of your website broken down in a list. The list should have the name of the plugin, the rank for each in terms of how critical it is to the site, a description of the functionality used, and instructions for how to reproduce the functionality. This is great advice not just for upgrading but for when you’re having any kind of emergency.
I would expand this list into your services used as well. Knowing what you’re using and why is key to dealing with a quick replacement or understanding what features/services may be impacted. Now, with the S3 outage you may not have known which services were dependent on Amazon but now that you know, add that to the list as a dependency so you’re not surprised if it goes out again. And don’t stop there, you can add as many additional categories to this list as needed. We like to keep track of the costs involved with plugins and services and this is great place to do that as well.
Backups
This one is a no-brainer, make sure that you have backups of your site being performed on a regular interval. If you’re hosting with a larger host like WP Engine then backups are part of your daily life. There are a ton of solutions for making backups if you’re not using a larger host. Everything from Backup Buddy to Jetpack can add this feature.
Passwords for Services
When the Cloudbleed event happened the advice given to the average internet user was to change all of their passwords. The very thought makes anyone cringe. However, using a password manager like LastPass or 1Password makes this onerous task a much more manageable. The tools allow you to create strong passwords and make changing them as easy as updating the existing entries. One other comment about online services – if you’re not using it, take the time to shut it down. You probably gave some personal information when you created a new online account, even if it’s just your email.
Distributed email
This one wouldn’t have protected from either Cloudbleed or the Amazon outage but it is something we recommend. Keep your email servers separated from you website hosting. It was very fashionable for hosts to provide these services packaged as a convenience and an upsell for their customers. However, in the case of your web host having a service outage you’ll be glad that your email is hosted elsewhere. It’s also a good idea to have a non-branded email address as a backup in case your email service goes down.
Security
Finally, if your website is anything more than just a hobby for you, invest in some extra security features. Even if you just pop for the paid version of Wordfence you’re doing more than many users. If you’re making money with your website we strongly suggest protecting your site with a Sucuri account. We previously interviewed Tony Perez who spoke at length about their services. While it may not have stopped either of the events, Sucuri would have your back for restorations.
Take Away
We like to think that we’re in control of our websites and the accounts that we create for online services. The reality is that we have little control over the servers, services, and hosting that make up the internet. Taking stock to prepare for a disaster may just protect these intangible assets from the next unplanned event. If you need help with security, backups, or understanding how your site functions, feel free to reach out for a consultation.
Please note: Links to external companies may be affiliate links. If you use our links, we may earn a small commission.