Cloudbleed is the latest internet bug that puts users' private information in jeopardy. News of the bug broke late on Thursday, but there is already a lot of confusion about it and the actual impact it has on people's information.

We compiled this as a guide to Cloudbleed and how you should respond. News of Cloudbleed is ongoing, and we'll update this article as new issues arise. Check back for new information.

What is Cloudbleed?

Cloudbleed is the name of a major security breach from the internet company Cloudflare that leaked user passwords and other potentially sensitive information to thousands of websites over six months. The Register describes it as "sitting down at a restaurant, supposedly at a clean table, and in addition to being handed a menu, you're also handed the contents of the previous diner's wallet or purse."

The name comes from Tavis Ormandy of Google's Project Zero, who reported the bug to Cloudflare and joked about calling it Cloudbleed after the 2014 security bug Heartbleed.

Is Cloudbleed worse than Heartbleed?

At this point, no. As scary as any internet security breach seems, these were pretty different. Heartbleed affected half a million websites, whereas at this time only 3,400 websites are believed to have had the Cloudbleed bug.

But here's the potentially scary part. Those 3,400 websites leaked private data that came from other Cloudflare clients. So the number of websites actually affected could be much higher.

The highly acclaimed book, "Spy Sites of Washington DC", written by our own Bob Wallace and H. Keith Melton, was released by Georgetown Press on February 3. Since that release, the book has been received with wonderful reviews and substantial praise. NBC4 Washington was the first to bring the book and some of its background to the airwaves:


Link to videos: Spy Sites of Washington DC


100 Percent Chance There Is a Spy Site in Your DC-Area Neighborhood: Author

Robert Wallace, who spent 40 years in the CIA, wrote the book “Spy Sites of Washington, D.C., A Guide to the Capital Region's Secret History”, by Mark Segraves 

The chances you live within walking distance to a spy site are 100 percent for those living in the D.C. area, according to a former CIA official.  Robert Wallace, who spent 40 years in the CIA, wrote the book “Spy Sites of Washington, D.C., A Guide to the Capital Region's Secret History,” which details hundreds of locations in D.C., Maryland and Virginia with connections to espionage.  Walking the streets of D.C., Wallace said locations where spies lived, worked, held secret meetings and conducted dead drops are all around.

“I think it's about 100 percent certain that there is a spy site in your neighborhood, somewhere in your neighborhood,” he said. “I assure you, you can walk to it.”


How an Ex-CIA Employee Got Caught Spying

According to former CIA official Robert Wallace's new book, a former CIA employee from Bethesda tried to sell secrets to the Soviet Union in the 1970s. Mark Segraves reports.

(Published Friday, Feb. 24, 2017)

In December 1976, retired CIA employee Edwin Moore lived in a home on Fort Sumner Drive in Bethesda, Maryland.

“He decided to go to the other side,” Wallace said.

Moore stole enough classified documents to fill several boxes and tried to sell them to the Soviet Union. He wrapped up a sample of the secret documents with a note and threw the bundle over the fence of the Soviet Embassy, which is now the Russian ambassador’s home. A security guard at the embassy found the package and called D.C. police, fearing it was a bomb.

“They come, retrieve the package, determine it isn't a bomb,” Wallace said. “They open the package, and some very alert police officer in Washington says, ‘Hmm, I think the FBI might be interested in this,’ and in fact, they were.”

Moore’s note instructed the Soviets to deliver $3,000 in cash to a dead drop location by a fire hydrant right across the street from his house, which undercover FBI agents did.


From the Soviet Union to the United States and Back

A rising KGB official who defected to the United States in the 1980s soon returned to the Soviet Union after disappearing from Georgetown. Mark Segraves reports.

(Published Friday, Feb. 24, 2017)

“He's arrested, he's tried, he's convicted, he's sentenced to 15 years in prison and then subsequently paroled after about three years,” Wallace said.


The security guard who found the package at the embassy was KGB.

Eight years after turning over Moore’s package of secrets to police, Vitaly Yurchenko returned to the Soviet Union. “He was a fast-rising officer of the KGB,” Wallace said. In 1985, after being diagnosed with cancer, Yurchenko returned to the United States as a defector.

“He had knowledge of a lot of KGB operations in the United States, so of course we were interested, from a counterintelligence perspective, to debrief him thoroughly, and we did,” Wallace said.  Yurchenko’s defection didn’t last long. One night while having dinner at a Georgetown restaurant that is now the location of an &pizza restaurant, Yurchenko told his CIA security officer he was stepping outside for some fresh air.

“When he walked down the street maybe a block or so he was likely picked up by the KGB at that point,” Wallace said. “We saw him a day or so later on TV announcing that he had been drugged by the CIA for the last three months and he was very happy to be back in friendly hands.”


Spy Tactics Used for a Political Purpose
In his book, Wallace recounts hundreds of spy stories from locations across the area, including the famous garage in Rosslyn where Washington Post reporter Bob Woodward held secret meetings with his Watergate source Deep Throat.  “The Watergate story is in fact an adaptation of espionage techniques for a political purpose,” Wallace said.

Source: 100 Percent Chance There Is a Spy Site in Your DC-Area Neighborhood: Author | NBC4 Washington



New Spy History Reveals Real "James Bond"

Professor Keith Jeffery’s book, “MI6, the History of the Secret Intelligence Service,” reveals that a Commander Wilfred Dunderdale is the most likely model for Ian Fleming’s super spy. While a photo of a fake I.D. shows that he lacked the dashing good looks associated with the big screen incarnations of Bond, Dunderdale befriended Fleming and later claimed to have seen traces of his exploits in the books.

“A man of great charm and savoir-faire, in old age he became an incorrigible raconteur,” Jeffery said of Dunderdale.
The love of cars and beautiful ladies are characteristics attributed to the MI6 man.
“When head of the Secret Intelligence Service Paris station in the 1930s, he had a penchant for pretty women and fast cars,” said Jeffery.
The book says that an iconic scene from the Sean Connery-era Bond movie “Goldfinger” was grounded in reality. In the movie, Bond emerges from the water and takes off his wetsuit, revealing a dinner suit underneath. In real life, an MI6 agent wearing a special rubber suit came ashore near a casino in Nazi-occupied Holland. He was met by another agent who sprayed him with brandy to finish off the disguise as a party attendee, and the tuxedoed man slipped into the crowd unnoticed.
Another interesting tidbit is that the spy agency admitted for the first time that several famous English authors, such as Graham Greene, Arthur Ransome and W. Somerset Maugham, were staff members for MI6 during World War II.

Source: New Spy History Reveals Real "James Bond" | NBC4 Washington



Vulnerabilities in popular printer models made by HP, Dell and Lexmark expose the devices to attackers who can steal passwords, shut down printers and even steal print jobs.

Academic researchers at the University Alliance Ruhr on Monday published a series of advisories and an informational wiki regarding their findings that said nearly 20 printer models have vulnerabilities tied to common printing languages, PostScript and PJL, used in most laser printers.

“The attack can be performed by anyone who can print, for example through USB or network,” researcher Jens Müller wrote in an advisory. In other cases, an attack “can even be carried out by a malicious website, using advanced cross-site printing techniques in combination with a novel technique we call ‘CORS spoofing.’”

The vulnerabilities are based on a tool the researchers developed called the Printer Exploitation Toolkit (PRET). The tool connects to a printer via network or USB and exploits the weaknesses in the targeted printer’s PostScript or PJL language. “This (tool) allows stuff like capturing or manipulating print jobs, accessing the printer’s file system and memory or even causing physical damage to the device,” according to the GitHub description of PRET.

The researchers verified the vulnerabilities in printer models manufactured by HP, Lexmark, Dell, Brother, Konica and Samsung. Researchers say the PostScript and PJL flaws have existed for decades as part of known shortcomings in the aging PostScript language.

In total, researchers published six separate advisories tied to PostScript and PJL that range from password disclosure and print job capture to buffer overflow vulnerabilities.

One of the attack methods described by researchers allows attackers to access a printer’s file system. This type of attack takes advantage of the web mechanism called Cross-Origin Resource Sharing (CORS) that allows a third-party domain to read web page data such as fonts when performing tasks such as printing.

Researchers explain that CORS spoofing and Cross-Site Printing (XSP) together can be used to access a printer via a web-based attack using “a hidden Iframe to send HTTP POST requests to port 9100/tcp of a printer within the victim’s internal network.”


There’s a lot going on in the world, but the slow march of cybersecurity research and incidents plods on no matter what else is happening. This week research showed that many mobile VPNs fall short on delivering security and privacy benefits. International law may be the best mechanism for addressing large-scale ransomware attacks on Internet of Things devices (like hotel door locks). Attacks using a stealthy type of “fileless” malware that hides in computer RAM are on the rise. And it’s time to get real about strategies for keeping smart TV manufacturers from spying.

In the political sphere, the Email Privacy Act, which would reform dated and problematic aspects of the Electronic Communications Privacy Act, took a step in Congress toward becoming law. Trump’s Homeland Security Advisor Tom Bossert seems promising—he’s known as an effective and even-keeled dude. And links between Silicon Valley and the Pentagon remain strong in spite of recent political turmoil in the US. Oh, and there’s no easy fix for a clever and effective slot machine cheat developed by Russian criminals that has been plaguing casinos around the world for years. So have fun with that one.

But wait! There’s more. Each Saturday we round up the news stories that we didn’t break or cover in depth but that still deserve your attention. As always, click on the headlines to read the full story in each link posted. And stay safe out there.

Dozens of iOS Apps Are Vulnerable to Man-in-the-Middle Data Attacks

Seventy-six iOS apps are vulnerable to man-in-the-middle data interception attacks, thanks to sloppy configuration that could allow a forged certificate to be authenticated and decrypt data protected by the Transport Layer Security (TLS) protocol, thus exposing it. Will Strafach, CEO of mobile security company Sudo Security Group, found the compromised apps while the company was developing its mobile app analysis product. Problems with TLS validation have been around for a long time, and they’re particularly problematic for apps that handle sensitive data like health or financial information. Nineteen of the 76 apps Strafach found handle this type of “high risk” data. Apple has advocated that iOS developers use its App Transport Security protocol to ensure that every iOS app implements TLS, but ATS alone still doesn’t resolve certificate verification issues. Apple also indefinitely pushed back the deadline to implement ATS—the cutoff was originally supposed to be the end of 2016. Strafach says that hundreds of other apps he analyzed seemed to have the same flaw, but he only pursued analysis of those that he could confirm were jeopardized.

Arby’s Breach Affected Payment Systems at Hundreds of Corporate Locations

Arby’s has been working to address a breach of customer credit and debit card information since it learned of the situation in mid-January. Malware on payment systems at hundreds of restaurant locations around the US captured hundreds of thousands of card numbers throughout the fall. Arby’s says that only a portion of its 1,000 corporate-owned locations were impacted, and that franchise locations were not affected. It says that the malware has been eradicated from its networks. Arby’s Restaurant Group “immediately notified law enforcement and enlisted the expertise of leading security experts, including Mandiant,” the company told Krebs on Security. The investigation is ongoing.