Late last Thursday Google's Project Zero disclosed that Cloudflare (a major provider of a content delivery network, Internet security services, and distributed domain name server services) was leaking sensitive information online. The company has patched the memory leak bug responsible (the flaw is being called "Cloudbleed") and stresses that the problem with its caching infrastructure affected a relatively small set of the websites that use its DNS service.
Bitsight explains on its blog that Cloudflare's problems arose from an error in parsing logic that could lead to a buffer overrun, which would output uninitialized memory content onto affected web pages. The websites potentially affected by Cloudbleed were those that had email obfuscation, server-side excludes, or automatic HTTPS rewrites enabled.
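An added example, not code from Cloudflare, Bitsight or the original article: a toy C scanner showing how a parsing error of the kind described above can run past the end of a page and copy adjacent memory into the output. The scanner, the `ARENA` layout and the constructed `SECRET` bytes are assumptions made for illustration; the overread is simulated inside a single array so the program stays well-defined.

```c
#include <stdio.h>
#include <string.h>

/* Constructed layout: the first DOC_LEN bytes are the page being parsed;
   the rest stands in for unrelated data sitting next to it in memory. */
static const char ARENA[] = "<img src=" "\"SECRET-constructed";
enum { DOC_LEN = 9 };   /* the page is just the truncated tag `<img src=` */

/* Toy scanner (hypothetical): copies the page to out, dropping each '='
   and the quote expected after it. Returns the number of bytes written.
   hardened == 0 keeps the flawed equality test for end of input. */
size_t rewrite(const char *arena, size_t arena_len, size_t doc_len,
               char *out, size_t out_cap, int hardened)
{
    size_t p = 0, n = 0;
    /* Loop condition is a demo guard: never leave the arena or out. */
    while (p < arena_len && n + 1 < out_cap) {
        /* End-of-input check. With ==, a step of 2 can jump over doc_len. */
        if (hardened ? (p >= doc_len) : (p == doc_len))
            break;
        if (arena[p] == '=') {
            p += 2;             /* skip '=' and the quote assumed to follow */
            continue;
        }
        out[n++] = arena[p++];
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char out[64];
    size_t n = rewrite(ARENA, strlen(ARENA), DOC_LEN, out, sizeof out, 0);
    printf("equality check : %zu bytes: %s\n", n, out);
    n = rewrite(ARENA, strlen(ARENA), DOC_LEN, out, sizeof out, 1);
    printf("ordered check  : %zu bytes: %s\n", n, out);
    return 0;
}
```

With the equality check, the truncated tag makes the index step over the end of the page and the neighbouring bytes land in the output; the ordered comparison stops at the boundary.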
Since popular services (said to include Uber, Fitbit, OkCupid, and Patreon) use Cloudflare and since data have been leaking for some time, many researchers are advising users to assume their credentials have been exposed, and, of course, to change them.
Ransomware and DDoS remain fixtures of the threat landscape. F-Secure describes the "ruthlessness" of Spora ransomware's controllers. New "TrumpLocker" ransomware turns out to be VenusLocker in disguise.
In the ongoing Moscow cyber-treason trial, it emerges that one of the defendants, Ruslan Stoyanov, is accused of passing state secrets to US companies, notably to Verisign's iDefense cybercrime unit. The accusations date back to 2010, and were leveled by the Russian online payment company ChronoPay.
The FBI is being asked, again, how it gained access to the San Bernardino jihadist's iPhone.