Akamai Diversity

July 2013 Archives

BSidesLV 2013: A Place For Security Newbies

One of the things I've always loved about Security B-Sides is that it offers a nurturing environment for people who are young in their InfoSec careers. An example of that is playing out this week in Las Vegas.

Among the tracks of talks being offered is one devoted entirely to newbies and the more seasoned veterans who have been guiding them along in a successful mentoring program. 

The track -- called "Proving Ground" -- includes talks on everything from learning to do effective public speaking and writing to getting a grip on the challenges of such things as executive management.

This B-Sides tradition goes back to the beginning of the movement. I remember BSides Boston 2010, when a young pup named Joseph Sokoly gave a talk about breaking into the industry and learning to succeed, something he has since done with distinction.

Back then, Sokoly said breaking into the security community wasn't as hard as it first seemed. In fact, his career got a big boost simply because he had the guts to stand up in front of people and give his first talk at an event in Austin. "Giving the talk in Austin helped me tremendously," Sokoly said at the time. "It has opened doors. My being here (at BSides Boston 2010) is a result of that. First, the positive reaction from the community encouraged me not just to listen but to speak again."

His Austin talk also inspired security heavyweights like Chris Hoff and James Arlen to look at establishing a mentor program to coincide with that summer's B-Sides Las Vegas event. The rest is history.

"Being proactive works. Put yourself out there and things will open up, but speaking doesn't have to be it. Use Twitter. Start blogging," Sokoly said. 

He's absolutely right. And this week, we're getting to hear from more people who are just getting started. Talks on the schedule include:

--Keli Hay (mentor is Brian Martin), "Never Mind Your Diet, Cut the Crap From Your Vocabulary"

--Franklin Tallah (mentor is Wendy Nather), "The 7 habits of highly effective CISOs"

--Alex Pinto (mentor is Joel Wilbanks), "Using Machine Learning to Support Information Security"

--Wolf Flight (mentor is Terry Gold), "The Truth, You Thought We Wouldn't Know?"

--Doug Moore (mentor is Brendan O'Connor), "Sixteen Colors: Archiving the Evolution of ANSI and ASCII Art"

Black Hat 2013: What's New In Security? Nothing.

I get the question a lot at conferences like Black Hat: What do I see as the next big thing in security? I usually respond with a blank stare. The reason is that I see absolutely nothing new, and haven't for some time.

Some might say that's a cynical, jaded response. I don't think so. Security doesn't need a constant torrent of new trends to be interesting and important.

A decade ago, when I first started writing about the security industry, it seemed as though I was chasing a new trend every year, then every six months. In the beginning the big news always involved worm outbreaks like Sasser and Mytob. First a big vulnerability would be revealed on Patch Tuesday and then someone would exploit it with the malware. Then the trend shifted from covering that to chasing the latest data breach. From early 2005 onward, every time a company announced it had suffered a breach, reporters like me would have to drop everything and chase it. Eventually, breaches were announced so often that it ceased to qualify as breaking news. Then the trend shifted to such things as hacktivism and the rise of cloud insecurity. The one constant along the way has been the challenge of regulatory compliance, from HIPAA to Sarbanes-Oxley and PCI DSS.

But in more recent years, especially the last two or three, I've seen nothing new. It's the same old threats and the same old technological and cultural challenges. 

Gone are the days when I attended security conferences in hopes of catching a new trend. As I see it, we keep coming to these events in hopes of finding some new morsel of information on how to deal a little more effectively with the same old stuff. 

Sometimes fresh insight comes our way. Sometimes we walk away with more questions than we started with.

Will some major shift take place in the next couple of years? Perhaps.

For now, I'm more interested in how we deal with the older problems that continue to vex us.

Black Hat 2013: Remembering Barnaby Jack

A big topic of conversation in Las Vegas this week is the death of famed hacker Barnaby Jack, who was scheduled to give a presentation on how to hack into pacemakers and implanted defibrillators from 30 feet away. His speaking slot will instead be a celebration of his life and work.

"Black Hat will not be replacing Barnaby's talk on Thursday, Aug. 1," event organizers said in a statement. "No one could possibly replace him, nor would we want them to. The community needs time to process this loss. The hour will be left vacant as a time to commemorate his life and work, and we welcome our attendees to come and share in what we hope to be a celebration of his life. Barnaby Jack meant so much to so many people, and we hope this forum will offer an opportunity for us all to recognize the legacy that he leaves behind."

Barnaby was director of embedded security research at IOActive. In a statement, CEO Jennifer Steffens expressed the company's sorrow but also its determination to celebrate his legacy:

"This is an extremely sad time for us all at IOActive, and the many people in our industry that Barnaby touched in so many ways with both his work and vibrant personality. But as a personal friend of Barnaby's for many years I know he'd want sadness to quickly turn to celebration of his life, work and the tremendous contributions he's made spanning well beyond his widely acclaimed professional accomplishments."

His death has hit the security community hard. He is known for his hacking prowess, particularly the 2010 presentation in which he hacked into an ATM machine and got it to spit out money. But in the security community he was family, the guy who always had a smile and could make us laugh. He lived life to the full and his sunny attitude rubbed off on everyone around him.

The week is young, but many glasses have already been raised in his honor.

I had a few conversations with him over the years that I'll always be grateful for. The importance of his work can't be overstated, particularly his focus on hacking implanted medical devices. I suspect his work on that front will lead to advancements that will someday save lives. Some might call that statement hyperbole. But I believe it.

My friend Dave Marcus of McAfee summed it up best in an interview he gave for an article in The Washington Post: "He was a hacker's hacker. He had the kind of skills the rest of us wish we had."

But he was never full of himself, and he never took himself too seriously.

I came here half expecting to see a lot of long faces, which would certainly be understandable. But instead I'm seeing a lot of laughter as people remember his antics.

I think that's how he would have wanted it.

Barnaby Jack

Black Hat 2013: The Benefits of 'Lobby Con'

It's the end of my first day in Las Vegas, where I'm spending the week at Black Hat and BSidesLV. Along with DEF CON, which begins later in the week, these events are important for those of us in Akamai's InfoSec department. It's a place for vital networking and discussion on the threats and defensive measures for which we're responsible.

Also see: "A Black Hat, BSidesLV and DEF CON Survival Guide"

Attending talks is a central part of these conferences. But for me, the most important part is what a lot of us in the security community call "Lobby Con." Essentially, it's hanging out in the lobbies and bars of the conference venues. We relax, enjoy beverages and discuss a wide range of topics. 

Today, I met up with several security professionals I usually only get to talk to on Twitter, LinkedIn, Facebook and Google+, and the topics were, among other things:

--How to keep from burning out in the job and industry;
--The latest DDoS attack activity, where it's coming from and what enterprise security shops are trying to do to blunt the impact;
--The fine art of travel to and from conferences; and
--The never-ending challenge of getting upper management to understand the security issues they face and why they need to invest in defenses.

I had dinner with several people from the security and risk management department of a major financial services company, most of whom I met for the first time. There will be plenty more of that in the days to come.

I've said it before: If you find yourself stressing over how many sessions to attend and there's an opportunity to do some networking in the lobby, go for the networking. 

The talks are important. But while the presentations will help you understand and deal with the challenges of the day, week, month or year, the relationships you forge outside the session rooms will be of critical value for the rest of your career. 

One of the most interesting highlights of our latest "State of the Internet" report -- in my opinion -- involves something called account checker attacks. The big victim here: e-commerce websites.

--Please join us on Sept 26th at 11 AM ET for our next "Crush the Rush" holiday readiness webinar to learn more about how to protect your site and holiday season revenue. Mike Smith, director of our CSIRT Team, and Daniel Shugrue will be detailing the types of attack trends that Akamai is seeing and ways in which other customers have mitigated the latest threats. Click here for more details.

From the report:

In the first and second quarters of 2013, Akamai observed attempted account takeover behavior for a number of merchants resulting from reuse of credentials obtained from other sites. Lists of username and password combinations are available in carder forums or on pastebin, or acquired from compromised merchants. Because users often use the same username and password across multiple merchants and other non-commerce sites, this allows attackers to use the compromised credentials on a number of target merchants. 

It turns out attackers are using automated tools called "account checkers" to quickly fish out valid user ID/password combinations across a large number of e-commerce sites. The bad guys use these tools to quickly identify valid accounts that they then proceed to hijack. Victims reported the following red flags:

• User complained that their account mailing address has been altered
• Multiple other users' information was altered in a similar time frame
• Many failed logins were detected in a short period of time from a small number of IP addresses
• Accounts were reported to be locked
• All this is followed by an uptick in fraud
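
The red flags above translate directly into detection rules that a fraud or SOC team can run over its own authentication and account-change events. What follows is an added example, not Akamai's code or tooling: it parses a constructed sample log (the format, field names, thresholds and every event in it are assumptions made for illustration), flags source IPs that fail logins against many distinct accounts inside a short window, flags accounts whose mailing address changed in the same time frame as several others, and lists accounts that were locked.

```python
"""Detection logic for the account-checker red flags listed above, run over
constructed sample events. Added example, not Akamai's code or tooling; the
log format, field names, thresholds and every event below are constructed
for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields: timestamp event user source_ip [outcome]
SAMPLE_LOG = """\
2013-07-01T10:00:01 login alice 198.51.100.7 fail
2013-07-01T10:00:03 login bob 198.51.100.7 fail
2013-07-01T10:00:05 login carol 198.51.100.7 fail
2013-07-01T10:00:07 login dave 198.51.100.7 fail
2013-07-01T10:00:09 login erin 198.51.100.7 fail
2013-07-01T10:00:11 login frank 198.51.100.7 fail
2013-07-01T10:00:13 login grace 198.51.100.7 fail
2013-07-01T10:00:15 login heidi 198.51.100.7 fail
2013-07-01T10:00:17 login ivan 198.51.100.7 fail
2013-07-01T10:00:19 login judy 198.51.100.7 fail
2013-07-01T10:00:21 login carol 198.51.100.7 success
2013-07-01T10:00:23 login dave 198.51.100.7 success
2013-07-01T10:05:00 login alice 203.0.113.9 fail
2013-07-01T10:05:10 login alice 203.0.113.9 fail
2013-07-01T10:05:20 login alice 203.0.113.9 success
2013-07-01T10:30:00 address_change carol 198.51.100.7
2013-07-01T10:35:00 address_change dave 198.51.100.7
2013-07-01T10:41:00 address_change erin 198.51.100.7
2013-07-01T10:50:00 lockout heidi 198.51.100.7
2013-07-01T15:00:00 address_change mallory 192.0.2.44
"""


def parse(log_text):
    """Turn the constructed log into event dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        events.append({
            "ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S"),
            "event": parts[1],
            "user": parts[2],
            "ip": parts[3],
            "outcome": parts[4] if len(parts) > 4 else "",
        })
    return events


def _sliding_windows(items, window):
    """Yield (start, end) index pairs bounding the time-sorted items that fall
    within `window` of items[end]."""
    start = 0
    for end in range(len(items)):
        while items[end]["ts"] - items[start]["ts"] > window:
            start += 1
        yield start, end


def failed_login_bursts(events, window=timedelta(minutes=5),
                        min_failures=10, min_users=5):
    """Source IPs with many failed logins against many distinct accounts in
    one window. A user mistyping a password fails against one account; an
    account checker fails against many, and that is the distinguishing signal."""
    by_ip = defaultdict(list)
    for e in events:
        if e["event"] == "login" and e["outcome"] == "fail":
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        for start, end in _sliding_windows(fails, window):
            chunk = fails[start:end + 1]
            users = {e["user"] for e in chunk}
            if len(chunk) >= min_failures and len(users) >= min_users:
                flagged[ip] = {"failures": len(chunk), "distinct_users": len(users)}
                break
    return flagged


def clustered_address_changes(events, window=timedelta(hours=1), min_accounts=3):
    """Accounts whose mailing address changed inside the same window as at
    least `min_accounts` distinct accounts in total."""
    changes = sorted((e for e in events if e["event"] == "address_change"),
                     key=lambda e: e["ts"])
    suspects = set()
    for start, end in _sliding_windows(changes, window):
        users = {e["user"] for e in changes[start:end + 1]}
        if len(users) >= min_accounts:
            suspects |= users
    return sorted(suspects)


def locked_accounts(events):
    """Accounts that hit a lockout, the third red flag in the list."""
    return sorted({e["user"] for e in events if e["event"] == "lockout"})


def summarize(log_text):
    """Run all three checks over a log and return the findings as one dict."""
    events = parse(log_text)
    return {
        "suspect_ips": failed_login_bursts(events),
        "clustered_address_changes": clustered_address_changes(events),
        "locked_accounts": locked_accounts(events),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The distinguishing signal in the first check is the number of distinct accounts per source, not the failure count alone: the 203.0.113.9 events in the sample are one user mistyping a password and are left alone, while 198.51.100.7 is flagged for ten failures against ten accounts in under twenty seconds. The thresholds are illustrative and belong in tuned configuration rather than in code.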

There are many more details of what we found in the full report, which you can download here.


Akamai State of the Internet Report: DDoS Trends

Yesterday, I shared details from the latest Akamai "State of the Internet" report regarding attack traffic and where it's coming from. Today, we look at what the report has to say about DDoS attacks.

The full report can be downloaded here.

We have quite a vantage point here at Akamai. Our globally-distributed Intelligent Platform helps us gather huge piles of data on everything from connection speeds, attack traffic, network connectivity/availability/latency problems, and IPv6 growth/transition progress, as well as traffic patterns across leading Web sites and digital media providers. It also gives us a look at DDoS attacks as they happen.

Here's an excerpt from the report:

The fourth quarter of 2012 saw 200 reported attacks, while 208 attacks were reported in the first quarter of 2013, representing a slight (4%) increase in the number of attacks reported. In the third and fourth quarters of 2012, a significant number (72) of DDoS attacks were attributed to the Izz ad-Din al-Qassam Cyber Fighters (aka QCF) and Operation Ababil.

In the first quarter of 2013, the tactics of these attacks changed, with the QCF no longer announcing their targets prior to the attacks. Additionally, the attacks ceased as of March 5, in theory to support a planned operation known as "OpUSA" originating from members of the group "Anonymous". However, it is unknown if this was truly the case, or if the forces behind the QCF were merely pausing to regroup for future attacks.

Figure 3

As illustrated in Figure 3, enterprise clients received a substantially greater percentage of attacks in the first quarter of 2013, accounting for 34% of all attacks (67 total), up 14% quarter over quarter.  

The commerce and media verticals stayed relatively close to their 2012 percentages, at 32% vs. 34% for commerce and 21% versus 22% for media.  At the same time, high tech and public sector customers were targeted by substantially fewer attacks as a percentage, at 7% and 4% of total attacks respectively.  

Figure 4

As a percentage, first quarter attacks targeting the commerce sector remained relatively stable in comparison to the attacks reported in 2012.   While the distribution of the attacks remained nearly the same, the actual targets were more varied, again following the overall trend of spreading the targets of attacks across multiple sites. 

As highlighted in Figure 4, retail organizations continue to be tempting targets, primarily because they rely so heavily on the Internet for sales and marketing and can be severely impacted if their customers cannot reach their sites.

Figure 5

As shown in Figure 5, at the beginning of 2013, financial services customers continued to bear the brunt of the attacks against the enterprise vertical, suffering from 50% of all attacks in this vertical. This is directly related to the attacks performed by the QCF, as it was in 2012.  What is not apparent from the number of attacks is the fact that a number of shorter, less impactful attacks were performed in the first quarter, comprised of probes, rather than full-on DDoS attacks.  

Due to poor Internet hygiene by many ISPs and the lack of enforcement of BCP 38, forged DNS requests are allowed to continue to the name servers, rather than being filtered by the attacker's ISP as they should be.  
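
What BCP 38 asks an ISP to do at its customer-facing edge is a source-address check: a packet may leave only if its source address belongs to a prefix that edge delegated to a customer, so a query carrying someone else's address never reaches the name server in the first place. The block below is an added example, not Akamai's code or any router's configuration; the customer prefixes, the addresses and the packet records are constructed, and the two forwarding functions contrast the unfiltered behaviour the report describes with the filtered one.

```python
"""Source-address validation at an ISP's customer-facing edge, the ingress
filtering BCP 38 (RFC 2827) asks for, run over a constructed batch of
packets. Added example, not Akamai's code; the prefixes, addresses and
packet records are all constructed for illustration."""
import ipaddress
from collections import Counter

# Constructed: address blocks this edge router has delegated to its own customers.
CUSTOMER_PREFIXES = [ipaddress.ip_network(p)
                     for p in ("198.51.100.0/24", "2001:db8:1::/48")]

# Constructed packets arriving from the customer side. 203.0.113.10 and
# 2001:db8:2::1 are not customers of this ISP, so packets claiming them as
# source are forged; any reply the name server sends goes to those addresses.
PACKETS = [
    {"src": "198.51.100.7",   "dst": "192.0.2.53",        "proto": "udp", "dport": 53},   # genuine
    {"src": "203.0.113.10",   "dst": "192.0.2.53",        "proto": "udp", "dport": 53},   # forged
    {"src": "203.0.113.10",   "dst": "192.0.2.54",        "proto": "udp", "dport": 53},   # forged
    {"src": "2001:db8:1::25", "dst": "2001:db8:ffff::53", "proto": "udp", "dport": 53},   # genuine
    {"src": "2001:db8:2::1",  "dst": "2001:db8:ffff::53", "proto": "udp", "dport": 53},   # forged
    {"src": "198.51.100.200", "dst": "192.0.2.80",        "proto": "tcp", "dport": 443},  # genuine
]


def is_valid_source(src, prefixes):
    """True when src falls inside a prefix this edge delegated (same IP version)."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes if net.version == addr.version)


def forward_unfiltered(packets):
    """The weak setting the report describes: every packet is forwarded
    regardless of source, so forged queries reach the name server.
    Returns (forwarded, dropped)."""
    return list(packets), []


def forward_with_ingress_filter(packets, prefixes=CUSTOMER_PREFIXES):
    """The BCP 38 setting: packets whose source address was not delegated to
    a customer behind this edge are dropped before they leave the ISP.
    Returns (forwarded, dropped)."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if is_valid_source(pkt["src"], prefixes) else dropped).append(pkt)
    return forwarded, dropped


def forged_sources(dropped):
    """Dropped-packet count per claimed source address, the figure an operator
    would log and alert on to find a misbehaving customer port."""
    return dict(Counter(pkt["src"] for pkt in dropped))


if __name__ == "__main__":
    fwd, drop = forward_with_ingress_filter(PACKETS)
    print(f"forwarded {len(fwd)}, dropped {len(drop)}: {forged_sources(drop)}")
```

On the constructed batch the filtered edge forwards the three genuine packets and drops the three forged ones; the unfiltered edge forwards all six, which is the behaviour the report attributes to ISPs that do not enforce BCP 38. The check is keyed on the ISP's own delegated prefixes rather than on the destination, which is why it has to run at the attacker's ISP and cannot be done by the name server that receives the query.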

For more information on this topic, please refer to the DNS Reflection Defense blog post by Akamai's CSO, Andy Ellis at https://blogs.akamai.com/2013/06/dns-reflection-defense.html.

I'm pleased to invite you to our 6th Akamai Edge 2013 this October 7 - 11 in Washington, D.C. at the Gaylord National Harbor Resort and Conference Center. Join us and meet up with more than 1,000 of your industry peers and our best line-up yet of industry innovators, as we create the experiences that drive a Faster Forward World.

Our Biggest and Best Customer Conference Yet! 
More sessions, tracks and networking opportunities that have all been designed to provide a broader and more diverse perspective for conference attendees. 

What's New To Help Fuel Your Innovation! 
This Year we'll be offering a Developers' Track - dedicated to technical professionals seeking to develop new experiences leveraging our platform. We'll have sessions on how to bring applications to market more quickly and intimate developer labs giving you detailed insight on how to get the most out of new features in our platform. We're also pleased to introduce the Web Security Symposium, designed for security professionals. Security leaders and your peers will help you think about strategies for securing your organization's data, sites and applications against the ever-evolving threats of today's online environment. 

We're extremely excited about the agenda and the lineup of well-known industry luminaries and tech experts who will be presenting at Edge 2013. So much so that we're introducing new conference discounts to help make attending Edge as easy as possible for all Akamai customers. 

Three Ways to Save: 
  • New Customer Discount: If your company first purchased Akamai services after January 1, 2013, you're eligible to receive a $300 discount on the Full Conference pass. Enter code: 50NEW2013 
  • Edge Alumni Discount: If you've attended an Akamai conference before now you're eligible to receive US$300 off your conference seat. Enter code: ALUM2013 
  • Team Discount: Visit Akamai Edge 2012 With Your Team of 3 or more and save 50% per person. Enter code: GROUP2013 

From customer innovation stories, industry panels, technical labs, partner and government forums to Web security and developers' tracks, there's something for everyone at Edge 2013. Space is limited and by invitation only so we encourage you not to wait and REGISTER TODAY

Join us and be inspired. I look forward to seeing you there! 

Brad Rinklin 
Chief Marketing Officer, Akamai

In this video, Akamai CSO Andy Ellis explains why security means different things to different people.

Akamai's latest "State of the Internet" report is rich in detail about attack traffic and other areas of security. I'll be sharing all the security bits with you in the coming days. 

The full report can be downloaded here.

We have quite a vantage point here at Akamai. Our globally-distributed Intelligent Platform helps us gather huge piles of data on everything from connection speeds, attack traffic, network connectivity/availability/latency problems, and IPv6 growth/transition progress, as well as traffic patterns across leading Web sites and digital media providers.

For today, let's look at what the report has to say about attack traffic and where it's coming from. Tomorrow, we'll take a look at DDoS attack trends.

1.1 Attack Traffic, Top Originating Countries

During the first quarter of 2013, Akamai observed attack traffic originating from 177 unique countries/regions, consistent with the count in the prior quarter. As shown in Figure 1, China remained the top source of observed attack traffic, though its percentage declined by nearly a fifth from the prior quarter. This decline is likely related to Indonesia making a sudden appearance in the second place slot, after a 30x increase quarter-over-quarter. The vast majority (94%) of the attacks from Indonesia targeted Ports 80 (WWW/HTTP) and 443 (HTTPS/SSL), potentially indicating aggressive botnet activity. Hong Kong and India were the only two other countries/regions among the top 10 that also saw quarterly increases in observed attack traffic volume--the remaining countries/regions saw nominal declines, in general. Attack traffic concentration also increased in the first quarter, again owing to the significant volume of attack traffic observed from Indonesia. The makeup of the top 10 list remained largely consistent with the previous quarter, with Italy and Hungary dropping off, and Indonesia and Hong Kong joining. 

In examining the regional distribution of observed attack traffic in the first quarter, we find that nearly 68% originated in the Asia Pacific/Oceania region, up from 56% in the fourth quarter of 2012, likely due to the massive increase seen in Indonesia. Europe accounted for just under 19%, while North and South America originated just over 13% combined. Africa's contribution dropped as compared to prior quarters, as it was responsible for a mere half a percent.


Figure 1: Attack Traffic, Top Originating Countries (by source IP address, not attribution). Table columns: Country/Region, Q1 '13 % Traffic, Q4 '12 %.

1.2 Attack Traffic, Top Ports

As shown in Figure 2, the concentration of attack traffic among the top 10 targeted ports increased significantly during the first quarter of 2013, driven primarily by significant increases in attack volume targeting Ports 80 (WWW/HTTP) and 443 (SSL/HTTPS). In fact, nearly 80% of the attacks targeting these ports were observed to be originating in Indonesia, as referenced in Section 1.1. Despite these increases, Port 445 (Microsoft-DS) remained the most targeted port, though the percentage of attacks targeting it continued to decline, which is an encouraging trend. Of the top 10 targeted ports, Port 3389 (Microsoft Terminal Services) was the only other one to see a decline quarter-over-quarter. Within the list, Port 8080 (HTTP Alternate) was supplanted by Port 6882, used unofficially by BitTorrent. All of the observed attacks targeting Port 6882 were observed to be originating in China. Data from the Internet Storm Center shows a large spike in attacks targeting this port late in the quarter; unfortunately, however, there is no information provided on the source of the attacks.

Port 445 remained the most targeted port in six of the top 10 countries and accounted for 70 times as much traffic as the second most targeted port (135) in Romania--ratios in the other countries ranged between 2 to 10 times as much. In Turkey and Hong Kong, the largest number of attacks targeted Port 23 (Telnet)--in previous quarters, this was the case in Taiwan as well; however, in the first quarter, Port 445 was targeted by approximately 5x as many attacks from Taiwan as Port 23. (Interestingly, in the fourth quarter of 2012, Port 445 was not even among the top 10 ports targeted by attacks originating in Taiwan.) The distribution of second-most targeted ports was a bit broader in the first quarter, with Port 23 coming in second in Russia, Taiwan, and Brazil, and Port 1433 coming in second in India and Hong Kong. In the remaining countries, the second spot was held by Port 3389 (China), Port 443 (Indonesia), Port 80 (United States), Port 445 (Turkey), and Port 135 (Romania).


Figure 2: Attack Traffic, Top Ports. Table columns: Port Use, Q1 '13 % Traffic, Q4 '12 %.


Video: A Primer on Security Laws

In this video, Akamai CSIRT Director Michael Smith walks viewers through the regulatory minefield. It's a great primer, though we suggest, as always, that you consult your own attorneys to understand how the laws and standards discussed in this video apply to you.

The holiday season is already creeping up and will by far be the most vital online shopping period of the year for retailers. Thanksgiving week will no doubt once again be one of the largest online shopping weeks of the year. Now, more than ever, time is literally money when it comes to Web performance.

As online retailers face another big holiday shopping season, they have to make sure they are ready for everything and anything that will hit their site once the critical holiday season begins. Even a minute of downtime can cost thousands and thousands of dollars and can damage the bottom line and the brand for years to come.

Supporting the majority of today's leading global retailers, Akamai has the expertise and technology to help retailers simplify the process of preparing their e-commerce site for Black Friday as well as helping them to deliver on every big shopping day before and after with situational performance - so that any customer, anywhere can make a purchase as soon as inspiration strikes.

Starting this week, Akamai will be launching a series of "Crush The Rush" Holiday Readiness Webinars to help retailers understand how to properly prepare their site for the biggest shopping season to date. Participants will learn firsthand how leading retailers have deployed Akamai Solutions specially tuned for holiday traffic, ensuring their sites are scalable and reliable as customers flood their online store.

The "Crush the Rush" series consists of three Webinars focused on different topics relevant to preparing for the rush of the online holiday season. The first one will be held on July 24th on Situational Performance. Participants will come away with a clear understanding of why looking at performance from an end-user perspective is key for those who wish to "Crush the Rush" this holiday season. Our speaker, Lorenz Jakober, will discuss what Real-User Monitoring (RUM) is, synthetic vs. RUM testing and the pros and cons of each, why optimizing beyond average load times matters, and how performance optimization helps meet rising consumer expectations.

Following Situational Performance, the Webinar series will also cover how Akamai Services & Support engage with the industry's leading brands, as well as Web Security and Risk Mitigation. Our speakers will share recaps and best practices that retailers should be aware of for this holiday season. Follow us here to find out more details on the "Crush the Rush" Holiday Readiness Webinar Series. We want to help you beat the rush to the holiday rush.

Akamai InfoSec at Black Hat, DEF CON and BSidesLV

This time next week the security community will head to Las Vegas for Black Hat and BSidesLV. I won't be staying for DEF CON due to family obligations, but several Akamai InfoSec colleagues will be. What follows is a rough outline of where we'll be and what we'll be doing.

Let's start with me...

This will be the first conference I've attended without a press badge, since I'm now working for Akamai. But I'll be writing as much as I always have and posting to The Akamai Blog. Per usual, I'll develop posts out of the talks I attend and the conversations that happen in the hallways. I'll also spend a lot of time talking up our plans for a new Akamai Security page and helping newbies find their way around.

Security Evangelist Dave Lewis will be a speaker proctor at Black Hat, which means he'll be helping speakers get set up right before their talks, help them troubleshoot problems with slides and technology, and so on.

Security Evangelist Martin McKeay will do a lot of blogging and podcasting at all three events. Expect to see him in the hallways a lot, which is where his interviews will take place. 

Joshua Corman, director of security intelligence, will give talks at BSidesLV and DEF CON. Specifically:

--11:30 a.m. Thursday, Aug. 1 at BSidesLV: "The Cavalry Isn't Coming: Starting the revolution..." (@joshcorman and @c7five)

--11 a.m. Sunday, Aug. 4 at DEF CON 21: "The Cavalry Isn't Coming: Starting the revolution..." (@joshcorman and @c7five)

Corman will also moderate a panel on the weaponization of exploits at CodenomiCON 2013, which runs from 4-9 p.m. on Tuesday, July 30.

At least two other Akamai InfoSec staffers will be in Vegas and plan to blog about their experiences.

See you there!


The Effects of Video Failures on Your Audience

Last week we published the below high-level info-graphic showing how online video performance impacts viewer behavior. These stats are based on a scientific research paper released by Ramesh K. Sitaraman, an Akamai fellow and professor of computer science at UMass-Amherst, and S. Shunmuga Krishnan, a senior system software engineer at Akamai. One of my favorite key takeaways is what we're calling the 2-second rule, which shows that videos with a start-up time that exceeds 2 seconds tend to have higher abandonment rates. With each additional second another 6% of viewers abandon, and by the time you get to 10 seconds, half of your audience is gone! As you can imagine, this impacts not only that specific viewing experience, but also the general impression of that publisher's/website's reliability for disseminating information. In fact, according to the research paper, around 91.8% of viewers do not return within 24 hours of a video failure. 

What does this all mean? It means without monitoring the quality of your video streams and how your viewers are engaging with your content, you are literally streaming blind and have no ability to know what is working and what is not.

Check out the below info-graphic for more interesting stats that have a real impact on businesses who rely on video streaming.

Noreen Hafez is a senior product marketing manager at Akamai.

Live from Comic-Con with FUNimation Channel

The comics world is gathering in San Diego this week for Comic-Con® International and Akamai is excited to help FUNimation Channel stream live from the massive conference. Owned and operated by our partner, Olympusat Telecom, FUNimation Channel's originally produced entertainment news show, Random Pop: Live at Comic-Con, is live streaming July 18-20 from 12 PM-6:30 PM PST. The content is being delivered with Olympusat Telecom's OT Cloud and OT Connect services, which leverage Akamai's Sola Media Solutions suite of cloud-based content preparation, storage and delivery tools.

The live stream is available at www.funimation.tv.

In An "Akamai Minute"

As if serving on the order of two trillion content requests a day isn't enough, there's even more happening on the Akamai Intelligent Platform at any given time: video streaming, route optimization calculations, DNS lookups, and content purges, to name just a few. In the Akamai NOCC, we have both real-time and long-term (days, months, years) views of platform activity and key metrics, giving us a view of what's going on *right now* and what's happened over time. With so much taking place, we thought it'd be interesting to capture a snapshot of the broad range of activity across the Akamai Intelligent Platform over a nicely manageable timeframe, like a minute.

Talks Of Interest At DEF CON

I've been looking over the Black Hat 2013 schedule to see which talks best fit the issues Akamai's InfoSec team is dealing with daily.

It's always a roll of the dice when you try to determine which talks to attend, because some look like the right fit on the website but then the talk turns out to be something different. That's not necessarily a bad thing. I've gone to talks that didn't turn out as advertised but were useful all the same. I've also attended talks I hadn't planned for and walked away with something of value.

Here are some agenda items that look good to me thus far. See the full schedule -- with details of the talks listed below -- here.

Also see my earlier DEF CON posts here and here.

Thursday, Aug. 1
10 a.m.:
Hacker Law School: Jim Rennie & Marcia Hofmann
Pentesters Toolkit: Anch
5 p.m.:
DEF CON Documentary Premiere
8 p.m.:
DEF CON Welcome Party

Friday, Aug. 2
11 a.m.:
Torturing Open Government Systems for Fun, Profit and Time Travel: Tom Keenan
Backdoors, Government Hacking and The Next Crypto Wars: Christopher Soghoian
1 p.m.:
Prowling Peer-to-Peer Botnets After Dark: Tillmann Werner
Offensive Forensics: CSI for the Bad Guy: Benjamin Caudill
2 p.m.:
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust: Dan Griffin
Evil DoS Attacks and Strong Defenses: Sam Bowne & Matthew Prince
3 p.m.:
Kill 'em All - DDoS Protection Total Annihilation! Tony Miu & Wai-Leng Lee
The ACLU Presents: NSA Surveillance and More: Panel
4 p.m.:
A Password is Not Enough: Why Disk Encryption is Broken and How We Might Fix It: Daniel Selifonov
5 p.m.:
Unexpected Stories - From a Hacker Who Made It Inside the Government: Peiter "Mudge" Zatko
How my Botnet Purchased Millions of Dollars in Cars and Defeated the Russian Hackers: Michael Schrenk

Saturday, Aug. 3
10 a.m.:
Predicting Susceptibility to Social Bots on Twitter: Chris Sumner & Randall Wald
11 a.m.:
Fear the Evil FOCA: IPv6 attacks in Internet Connections: Chema Alonso
BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware: Josh 'Monk' Thomas
1 p.m.:
We are Legion: Pentesting with an Army of Low-power Low-cost Devices: Dr. Philip Polstra
3 p.m.:
An Open Letter - The White Hat's Dilemma: Professional Ethics in the Age of Swartz, PRISM and Stuxnet: Alex Stamos
5 p.m.:
DNS May Be Hazardous to Your Health: Robert Stucke

Sunday, Aug. 4
10 a.m.:
The Cavalry Isn't Coming: Nicholas J. Percoco and Joshua Corman
11 a.m.:
The Dawn of Web 3.0: Website Mapping and Vulnerability Scanning in 3D, Just Like You Saw in the Movies: Teal Rogers & Alejandro Caceres
HiveMind: Distributed File Storage Using JavaScript Botnets: Sean Malone
1 p.m.:
Utilizing Popular Websites for Malicious Purposes Using RDI: Daniel Chechick & Anat


Oracle Releases July 2013 CPU

Akamai customers and anyone else relying on Oracle infrastructure should know that the database giant has released its latest Critical Patch Update (CPU). 

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities and is usually cumulative, so applying the latest one brings in the earlier fixes as well. Each advisory, however, describes only the security fixes added since the previous CPU. Oracle delivers these updates every three months, in January, April, July and October.

The list of affected product releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy is as follows (where the affected version numbers are not reproduced here, consult the Oracle advisory):

Affected Products and Versions | Patch Availability
Oracle Database 11g Release 2 (versions per advisory) | Database
Oracle Database 11g Release 1 (version per advisory) | Database
Oracle Database 10g Release 2 (versions per advisory) | Database
Oracle Access Manager (versions per advisory) | Fusion Middleware
Oracle Endeca Server, version 7.4.0 and others per advisory | Fusion Middleware
Oracle HTTP Server (versions per advisory) | Fusion Middleware
Oracle JRockit, versions R27.7.5 and earlier, R28.2.7 and earlier | Fusion Middleware
Oracle Outside In Technology, versions 8.3.7, 8.4.0, 8.4.1 | Fusion Middleware
Oracle WebCenter Content (versions per advisory) | Fusion Middleware
Oracle Hyperion BI (versions per advisory, each "and earlier") | Hyperion
Enterprise Manager Plugin for Database 12c Release 1 (versions per advisory) | Enterprise Manager
Enterprise Manager Grid Control 11g Release 1 (version per advisory) | Enterprise Manager
Enterprise Manager Grid Control 10g Release 1 (version per advisory) | Enterprise Manager
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3 | E-Business Suite
Oracle E-Business Suite Release 11i (version per advisory) | E-Business Suite
Oracle Agile Collaboration Framework, version 9.3.1 | Oracle Supply Chain
Oracle Agile PLM Framework, version 9.3.1 | Oracle Supply Chain
Oracle Agile Product Framework, version 9.3.1 | Oracle Supply Chain
Oracle PeopleSoft Enterprise Portal, version 9.1 | PeopleSoft
Oracle PeopleSoft HRMS, version 9.1 | PeopleSoft
Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53 | PeopleSoft
Oracle iLearning, versions 5.2.1, 6.0 | iLearning
Oracle Policy Automation, versions 10.2.0, 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2 | Oracle Industry Applications Product Suite
Oracle and Sun Systems Product Suite | Oracle and Sun Systems Product Suite
Oracle Secure Global Desktop, versions 4.6 prior to 4.63, 4.7 prior to 4.71 | Oracle Linux and Virtualization
Oracle MySQL Server, versions 5.1, 5.5, 5.6 | Oracle MySQL Product Suite

More details on the vulnerabilities can be found on the Oracle website.

Feedback from Yesterday's DEF CON post

Yesterday, I wrote about the controversy surrounding DEF CON 21 and the organizers' suggestion that those working for such government agencies as the NSA sit this one out. I didn't offer an opinion on whether it was the right or wrong move, but captured both sides of the argument and asked readers for feedback. And, when tweeting the post, I argued that while some see this as drama, I saw it as an opportunity for the security community to do things better.

The most detailed feedback came from Chris Hoff. I've known him for a long time and value his opinions. He took issue with what he saw as me lumping the entire security community in with the DEF CON organizers. The decision to encourage NSA types to stay away wasn't something "we" made, he said. It was a decision they, the event planners, made.

Another respected voice in the industry, Robert David Graham, noted that there's a difference between "Feds" and those encouraged not to attend. He also noted that nobody had been banned as I suggested:

Um, I don't think you parsed correctly what the D. Tangent wrote. Nobody is being banned.

Also, anybody working for the government coming on their own dime is welcome.

On LinkedIn, Michael Guadagno, a national counterespionage specialist, offered this:

From what we read days ago, it was suggested by one of the event organizers the decision may have been made to evade trouble within the spectators. There are no taking sides here and we feel at this point it's a good decision, under the present circumstances. There are good people that attend these events and they all are not on the dark side. Please don't be fooled, no matter what profession or spectator groups attending, in real life there will be an overzealous element ever present. Just our open minded thoughts on this, thank you. 

A few responses from me:

--My goal with yesterday's post was to initiate more discussion, not opine on whether DEF CON's decision was right or wrong.

--I noted in the opening that the "Feds" were encouraged not to come. Further down, I let slip the word "banned." To be clear, no one has been banned.

--When I say "we" or "community" I'm talking about everyone in the security industry -- which, as Hoff noted, includes many communities.

--Though this year's move was made by DEF CON organizers and not the community at large, my suggestion was that all of us could learn something from the fallout. Many in the community are involved in the planning of other conferences, and a thorough analysis of DEF CON's decision and the resulting lessons could be applied when planning other events. That's what I meant when I said we could use this to do better going forward. 

It could be that we end up learning nothing and stumble along to the next drama. As Hoff also noted, "The 'community's' biggest problem (is that) we have immediate anger issues and long-term memory problems."

I certainly can't argue with that, Mr. Hoff.

Thanks to everyone for the feedback. Keep it coming.


DefCon's Fed Drama

With three big security conferences coming up in Las Vegas two weeks from now, much of the InfoSec community's attention is on who won't be at the third event: DefCon. Amidst revelations about the NSA's surveillance activities, DefCon organizers have advised feds to skip this year. It's a first in the 21-year history of this hacker gathering, and reaction has been sharply divided.

Those outraged by the depth of the NSA's activities applauded the move. Others dismissed it as a stunt by DefCon organizers to stir the drama pot and raise public interest in the event. Still others suggest that the Feds wanted to stay away until the dust settled, and that DefCon was giving them an easy out.

One could argue that it's counterproductive and shortsighted to ban the feds. After all, a continuing goal for the community is to foster stronger cooperation between the government and the grassroots level of the security world. Meanwhile, one could argue that all this shock and outrage is silly because we've known all along that the NSA has deep surveillance hooks -- spying on American citizens since the beginning.

In my opinion, the motives of DefCon organizers are beside the point. What's more important is how we go forward.

Is it better to cut people out of security events because they work for the NSA or FBI, for the sake of taking a stand against the government spying on citizens, or is it more productive to use these conferences as a way to debate the issues with the very people we're angry with, in the hope they'll go back to their agencies and work toward change?

Discuss amongst yourselves, and feel free to opine in the comments section. Please keep the tone respectful.


Major Areas of Technology within Security

In this Akamai InfoSec video tutorial, Security Intelligence Director Joshua Corman gives an overview of major areas of technology within security.

The Security Team's Role Within An Organization

In this Akamai InfoSec video tutorial, Akamai CSIRT Director Michael Smith gives an overview of the security team's role within an organization.

Cloud Security Made Simple

We in Akamai InfoSec are sitting on a mountain of educational videos, and I've spent the past month reviewing some 40 items. We'll eventually have a place on the Akamai website where you can easily access them all. But for now, I've decided to start making them available via my blog posts. In this episode, Akamai CSIRT Director Michael Smith gives an overview of the cloud, cloud infrastructure and cloud delivery models. 

A Short History Of Cryptography

We in Akamai InfoSec are sitting on a mountain of educational videos, and I've spent the past month reviewing some 40 items. We'll eventually have a place on the Akamai website where you can easily access them all. But for now, I've decided to start making them available via my blog posts. 

The first one is a favorite of mine: CSO Andy Ellis giving a brief history of cryptography. Enjoy!

Talks of Interest at #BlackHat2013

I've been looking over the Black Hat 2013 schedule to see which talks best fit the issues Akamai's InfoSec team is dealing with daily. 

It's always a roll of the dice when you try to determine which talks to attend, because some look like the right fit on the website but then the talk turns out to be something different. That's not necessarily a bad thing. I've gone to talks that didn't turn out as advertised but were useful all the same. I've also attended talks I hadn't planned for and walked away with something of value. 

Here are some agenda items that look good to me thus far. 

Tuesday, July 31:

9 a.m.:

11:45 a.m.:

MILLION BROWSER BOTNET: Jeremiah Grossman & Matt Johansen

Wednesday, Aug. 1:

10:15 a.m.:

2:15 p.m.:

Simplifying the Transcoding Conundrum

This is the third installment in a series of posts that discuss various challenges of online video and how Akamai's Sola Media Solutions can be used to address those challenges.

One of the most common challenges that we hear from customers - of any type - is the uphill battle they face when attempting to prepare content for delivery to multiple devices. Even dividing devices into categories seems daunting: mobile phones, smart phones, tablets, phablets, laptops, desktops, connected TVs, game consoles ... the list can go on and on. And it only gets worse when you introduce operating systems and brands into the mix.  

There are a lot of ways to go about getting content to multiple devices, but one way or another the content is more than likely going to require transcoding. And when you are talking about adaptive bitrate (ABR) streaming, transcoding is a necessity. To date, transcoding has been an arduous process. There is a myriad of input possibilities - video format, audio format, file container, source file quality - that make up yet another list that goes on and on (seeing a trend here?). Once you've got the file into the transcoding system, what outputs do you want? Or, maybe more appropriately asked, what outputs do you need? Considerations like bitrate, number of renditions and frame rate are all in play at this point.  

Talks Of Interest at #BSidesLV

I've been looking over the schedule for BSidesLV to see which talks best fit the issues Akamai's InfoSec team is dealing with daily. 

It's always a roll of the dice when you try to determine which talks to attend, because some look like the right fit on the website but then the talk turns out to be something different. That's not necessarily a bad thing. I've gone to talks that didn't turn out as advertised but were useful all the same. I've also attended talks I hadn't planned for and walked away with something of value. 

Here are some agenda items that look good to me thus far:

Wednesday, July 31:

Tom Kopchak (CG2): Attacking and Defending Full Disk Encryption

Ed Bellis, Michael Roytman: Vulnerability & Exploit Trends: A Deep Look Inside The Data

Michael "DrBearSec" Smith: Calling All Researchers: A Discussion on Building a Security Research Framework

Alex Hutton (CG2): Alex Dreams of Risk: How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout

Sean Malone: HiveMind: Distributed File Storage Using JavaScript Botnets

Thursday, Aug. 1:

Nicholas J. Percoco and Joshua Corman: The Cavalry Isn't Coming

Javvad Malik: How embracing social media helped me stop the hackers, save the world and get the girl!

Alex Pinto (Joel Wilbanks): Using Machine Learning to Support Information Security

Davi Ottenheimer, Raymond Umerley, Jack Daniel, Steve Werby, David Mortman & George V. Hulme: Breach Panel

Steve Werby: Crunching the Top 10,000 Websites' Password Policies and Controls

BSides Las Vegas 2013 will be held July 31 and Aug. 1 at Tuscany Suites & Casino on Flamingo Ave.

Microsoft's July Patch Load: Many Critical Fixes

Microsoft has released seven security bulletins addressing 34 CVEs. Since so many Akamai customers run Windows environments, we find it important to let you know whenever these are rolled out.

Jonathan Ness, an engineer for Microsoft's Security Response Center, says six bulletins have a maximum severity rating of Critical and one has a maximum severity rating of Important. Below is his breakdown, bulletin by bulletin, to help you prioritize patch deployments in your environment: most likely attack vector, maximum bulletin severity, maximum exploitability rating, likely impact in the first 30 days, and platform mitigations and key notes.

Internet Explorer
--Most likely attack vector: Victim browses to a malicious webpage.
--Severity: Critical. Exploitability rating: 1.
--Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
--Key notes: 17 CVEs being addressed.

win32k.sys and TTF font parsing
--Most likely attack vector: The attacker must already be running code on the machine and uses this vulnerability to elevate from a low-privileged account to SYSTEM. An additional vector has the victim browse to a malicious webpage that serves up a TTF font file, resulting in code execution as SYSTEM.
--Severity: Critical. Exploitability rating: 1.
--Likely first-30-days impact: Public proof-of-concept exploit code currently exists for CVE-2013-3660.
--Key notes: The public EPATHOBJ issue (CVE-2013-3660) is addressed by this update, as is the kernel-mode portion of the TTF font parsing issue (CVE-2013-3129).

.NET Framework and Silverlight
--Most likely attack vector: Victim browses to a malicious Silverlight application hosted on a website.
--Severity: Critical. Exploitability rating: 1.
--Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
--Key notes: .NET Framework and Silverlight exposure to the TTF font parsing issue (CVE-2013-3129) addressed by this update.

GDI+
--Most likely attack vector: Victim opens a malicious TTF file using an application that leverages GDI+ for font parsing.
--Severity: Critical. Exploitability rating: 1.
--Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
--Key notes: User-mode (gdiplus.dll) exposure to the TTF font parsing issue (CVE-2013-3129) addressed by this update.

DirectShow
--Most likely attack vector: Victim opens a malicious .GIF file using a third-party application that leverages the DirectShow library.
--Severity: Critical. Exploitability rating: 1.
--Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
--Key notes: No Microsoft end-user applications are known to be vulnerable to the single CVE being addressed by this update.

Windows Media
--Most likely attack vector: Victim browses to a malicious webpage or opens a malicious Windows Media file.
--Severity: Critical. Exploitability rating: 2.
--Likely first-30-days impact: Difficult to build a reliable exploit for this issue; less likely to see an exploit developed within the next 30 days.
--Key notes: One CVE being addressed.

Windows Defender
--Most likely attack vector: An attacker with write access to the root of the system drive (C:\) places a malicious file that Windows Defender runs as LocalSystem during its signature update process.
--Severity: Important. Exploitability rating: 1.
--Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days, but unlikely to see widespread infection, as low-privileged users do not have permission to write to the root of the system drive by default.
--Key notes: To exploit the vulnerability addressed by this update, the attacker must have permission to create a new file at the root of the system drive (C:\malicious.exe).

Note that the TTF font parsing issue (CVE-2013-3129) is fixed in three separate bulletins (the kernel-mode parser, .NET Framework and Silverlight, and user-mode GDI+); deploying one of them does not close the other two exposures.

The DDoS Paradox

According to the Department of Homeland Security, almost 50 U.S. financial institutions have suffered more than 200 distributed denial-of-service attacks since September 2012. Because we protect the majority of the world's biggest banks, asset management firms and online brokers, Akamai is in the unique position of having witnessed and actively defended against many of these attacks, and can describe the evolution of attack targets as well as attack techniques. 
Over the past few months, we've seen attackers migrate towards two broad techniques:

  1. Request large objects (PDFs, image files, etc.), so that every hit costs the target bandwidth.
  2. Attack non-cacheable pages (login pages, pages served by AdWords, etc.), so that every hit has to be served by the origin rather than a cache.

Security professionals will be neither surprised nor impressed by these findings. Nor will they question that unprotected sites typically suffer increased response times or downtime when they are victims of these attacks. What might surprise them, however, is how the common responses to these threats are leading, in some cases, to increased latency even when sites are not under attack, and in some cases are leaving sites more likely to crash or suffer data exfiltration than they were before "preparedness steps" were taken.
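As an added illustration, not code from the original post and not Akamai's tooling, here is a small Python detector that applies the two patterns above to an access log in Apache combined format: each request is tagged as a large-object fetch or a hit on a non-cacheable page, a 60-second sliding window is kept per client, and a client is flagged once it exceeds a threshold in either category. The thresholds, the list of non-cacheable path prefixes, the sample addresses and the log lines themselves are constructed assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Thresholds and path prefixes are assumptions for illustration, not Akamai's tuning.
WINDOW = timedelta(seconds=60)
LARGE_OBJECT_BYTES = 1_000_000        # a response of 1 MB or more is a "large object"
UNCACHEABLE_PREFIXES = ("/login", "/account", "/search")
MAX_UNCACHEABLE_HITS = 20             # per client, per window
MAX_LARGE_BYTES = 50_000_000          # per client, per window

# Apache combined-format line: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Return the fields this detector needs, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    nbytes = 0 if m.group("bytes") == "-" else int(m.group("bytes"))
    return {"ip": m.group("ip"), "ts": ts, "path": m.group("path"), "bytes": nbytes}


def classify(path, nbytes):
    """Tag a request as 'large', 'uncacheable', both, or neither."""
    tags = set()
    if nbytes >= LARGE_OBJECT_BYTES:
        tags.add("large")
    # Query strings and login/account/search URLs are treated as non-cacheable (assumption).
    if "?" in path or path.startswith(UNCACHEABLE_PREFIXES):
        tags.add("uncacheable")
    return tags


class ClientWindow:
    """Sliding window of the attack-relevant requests from one client."""

    def __init__(self):
        self.events = deque()  # (timestamp, large_object_bytes, is_uncacheable_hit)

    def add(self, ts, large_bytes, uncacheable):
        self.events.append((ts, large_bytes, uncacheable))
        cutoff = ts - WINDOW
        while self.events and self.events[0][0] < cutoff:
            self.events.popleft()

    def totals(self):
        hits = sum(1 for _, _, u in self.events if u)
        large = sum(b for _, b, _ in self.events)
        return hits, large


def find_attackers(lines):
    """Map client IP -> reason for every client that crosses a threshold."""
    windows = defaultdict(ClientWindow)
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["path"], rec["bytes"])
        if not tags:
            continue  # ordinary cacheable hits never enter the window: the cheap path
        w = windows[rec["ip"]]
        w.add(rec["ts"], rec["bytes"] if "large" in tags else 0, "uncacheable" in tags)
        if rec["ip"] in flagged:
            continue
        hits, large = w.totals()
        if hits >= MAX_UNCACHEABLE_HITS:
            flagged[rec["ip"]] = f"{hits} non-cacheable requests in {WINDOW.seconds}s"
        elif large >= MAX_LARGE_BYTES:
            flagged[rec["ip"]] = f"{large} bytes of large objects in {WINDOW.seconds}s"
    return flagged


def sample_log():
    """Constructed access-log lines (RFC 5737 test addresses), not real traffic."""
    t0 = datetime(2013, 7, 10, 14, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status, nbytes):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} {nbytes}'

    lines = []
    for i in range(60):  # ordinary visitor: one login, one PDF, otherwise cacheable assets
        path, size = f"/static/app{i}.js", 4_000
        if i == 0:
            path, size = "/login", 6_000
        elif i == 3:
            path, size = "/reports/q2.pdf", 8_000_000
        lines.append(line("192.0.2.10", i * 2, path, 200, size))
    for i in range(25):  # bot 1: 25 hits on the login page in 25 seconds
        lines.append(line("203.0.113.7", 10 + i, "/login?u=x", 200, 12_000))
    for i in range(8):   # bot 2: an 8 MB PDF pulled eight times in 40 seconds
        lines.append(line("198.51.100.9", 20 + i * 5, "/reports/annual.pdf", 200, 8_000_000))
    return lines


if __name__ == "__main__":
    for ip, reason in find_attackers(sample_log()).items():
        print(f"{ip}: {reason}")
```

The design point is that the expensive bookkeeping is only done for the two request classes attackers actually use; the cacheable bulk of the traffic is classified and dropped in a single string test, so the check itself does not become the bottleneck.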

The DDoS Paradox
The tendency to tighten rules and broaden inspections to the point of decreasing performance is what we have come to describe as the "DDoS Paradox". The logical thinking that leads to the paradox is as follows:

  1. CSO at Company ABC reads about attacks.
  2. CSO tightens and broadens rules on Web Application Firewall in order to better prepare for attacks.
  3. Tightened and broadened rules lead to increased inspection of incoming requests which slows down legitimate traffic and makes it easier for malicious traffic to flood and knock down the WAF.

The first outcome (slowing down legitimate traffic) is clearly bad for Company ABC, and good for the threat actors who are looking to cause widespread interruptions to economic activity. The second outcome (knocking down the WAF) is unfortunately good for threat actors who are trying to steal data. If they've launched an application layer DDoS attack that knocks down a firewall, they can then move in with a relatively simple SQLi or XSS attack in order to steal data or install malware on site visitors' PCs.  

For companies trying to protect their web assets, the DDoS Paradox presents a lose/lose situation. Fortunately, there are ways around the paradox. Interestingly, these options involve tightening and broadening WAF rules outside of the data center. In other words, tightening and broadening rules at the edge of the Internet is the best way to ensure that your tighter security measures do not inadvertently lead to degraded performance and/or an increased susceptibility to data theft.

Akamai's Kona Security Solutions do just that --- they provide inline, always on, and highly scalable DDoS and application layer defense at the edge of the internet, giving CSOs the ability to respond to attacks without suffering trade offs.


Dan Shugrue is a senior product marketing manager at Akamai.

Bracing For Fresh DDoS Attacks

This morning a story caught my attention regarding the potential for another wave of DDoS attacks. The article, by Tracy Kitten at Bank InfoSecurity, quotes researchers who see modifications being made to Brobot -- a favorite weapon in attacks against the banking sector. 

She wrote:

Experts say distributed-denial-of-service attacks against U.S. banks are not over, despite what's now been a two-month cease-fire by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. Security vendors tell me the group's botnet is growing. And when these attacks do resume, they won't be easy to fight. This next wave of DDoS attacks will be different from what we have seen in earlier waves of attacks, dating back to mid-September 2012, researchers believe. As a result, many of the mitigation strategies and defenses banks have in place could prove ineffective.

Fortunately, Kitten writes, information about new code added to Brobot is being shared behind the scenes among banking institutions. "Now," she says, "banks and DDoS-mitigation providers are just waiting for what will be the fourth phase of DDoS to strike."

Here in Akamai's InfoSec department, Brobot has taken up much time and attention. At SOURCE Boston in April, Senior Security Architect Eric Kobrin gave a detailed analysis of how Brobot operates and where the enabling vulnerabilities can be found.

He noted, among other things:

--The amount of bandwidth flooding websites was substantial. Akamai CSO Andy Ellis recently wrote that Brobot botnets are routinely tossing around 30 Gbps attacks, with peaks upwards of 80 Gbps. 

--The DDoS attacks are crude, exploiting large networks of compromised machines to overwhelm a website with requests. 

--The battle often comes down to the amount of bandwidth a banking site has and whether it is large enough to withstand traffic from the botnet and customers. 

Kobrin said the compromised machines often get that way because attackers were able to own them through security holes in the online content management systems (CMS) that content publishers take for granted. The WordPress interface you use to blog? It could have been used to make your computer part of the botnet, and it's something you would not notice. That vanity email domain you opened for yourself? That's an easy target, too.

One of the problems is that the hosted service providers build sites to be as accessible as possible and to make them easy for Google to index. As you've heard by now, accessibility and security are often at odds.

"There is no single cause," Kobrin said. "A half a dozen failures have to happen along the way." One such failure is a lack of routine patching. Another failure is that admin access is often easy to get.

What to do about all this? Kobrin offered this advice:

--Banks can build a more defensible online infrastructure, get a better handle on all the apps in their systems and build closer relationships with their hosting providers, since attacks usually come from trouble on the provider's side of the court.

--CMS users can be more diligent in adding patches as they're released, and remove unused plug-ins. The more customized your site is, the more plug-ins you probably have sitting there. Users can also add IDS and turn off unused sites.

--Hosting providers can set up safer defaults, offer automatic updates and offer a fully managed CMS.
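The two pieces of advice aimed at CMS users above (patch promptly, remove unused plug-ins) can be turned into a routine check. The following Python script is an added example, not Kobrin's or Akamai's tooling: it reads the comment header WordPress itself uses to identify a plug-in, compares each active plug-in's version against a table of known current versions, and reports inactive plug-ins for removal and active ones for update. The plug-in names, header contents, active list and version table are all constructed for the example.

```python
import re

# WordPress identifies a plug-in by a comment header in its main PHP file, e.g.
#   Plugin Name: Something
#   Version: 1.2.3
# This regex accepts both "/* ... */" and " * ..." comment styles.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(?P<key>Plugin Name|Version)\s*:\s*(?P<value>.+?)\s*$", re.MULTILINE
)


def parse_plugin_header(source):
    """Return {'name', 'version'} from a plug-in file, or None if it has no header."""
    fields = {m.group("key"): m.group("value") for m in HEADER_RE.finditer(source)}
    if "Plugin Name" not in fields:
        return None
    return {"name": fields["Plugin Name"], "version": fields.get("Version", "0")}


def version_key(version):
    """Sortable key: numeric components as a tuple, with a pre-release tag
    (e.g. '0.9-beta') ranking below the plain release of the same number."""
    parts = re.split(r"[.\-]", version)
    numeric = tuple(int(p) for p in parts if p.isdigit())
    prerelease = -1 if any(not p.isdigit() for p in parts) else 0
    return (numeric, prerelease)


def audit_plugins(plugin_files, active, latest_versions):
    """plugin_files: slug -> main PHP file contents; active: set of active slugs;
    latest_versions: slug -> current upstream version. Returns (slug, action, detail)."""
    findings = []
    for slug, source in sorted(plugin_files.items()):
        header = parse_plugin_header(source)
        if header is None:
            findings.append((slug, "investigate", "no plugin header found"))
            continue
        if slug not in active:
            findings.append((slug, "remove",
                             f"{header['name']} {header['version']} is installed but inactive"))
            continue
        latest = latest_versions.get(slug)
        if latest is None:
            findings.append((slug, "investigate",
                             f"no known current version for {header['name']}"))
        elif version_key(header["version"]) < version_key(latest):
            findings.append((slug, "update",
                             f"{header['name']} {header['version']} -> {latest}"))
    return findings


# Constructed sample data: fictional plug-ins, not real WordPress packages.
SAMPLE_PLUGINS = {
    "sample-comment-filter": "<?php\n/*\nPlugin Name: Sample Comment Filter\n"
                             "Plugin URI: http://example.com/\nVersion: 2.5.6\n*/\n",
    "hello-example": "<?php\n/**\n * Plugin Name: Hello Example\n * Version: 1.6\n */\n",
    "photo-wall-lite": "<?php\n/*\nPlugin Name: Photo Wall Lite\nVersion: 1.2.0\n*/\n",
    "custom-widgets": "<?php\n/*\nPlugin Name: Custom Widgets\nVersion: 0.9-beta\n*/\n",
    "stray-file": "<?php\n// leftover upload with no plugin header\n",
}
SAMPLE_ACTIVE = {"sample-comment-filter", "photo-wall-lite", "custom-widgets"}
SAMPLE_LATEST = {"sample-comment-filter": "2.5.9", "photo-wall-lite": "1.2.0", "hello-example": "1.6"}


if __name__ == "__main__":
    for slug, action, detail in audit_plugins(SAMPLE_PLUGINS, SAMPLE_ACTIVE, SAMPLE_LATEST):
        print(f"{action:12s} {slug}: {detail}")
```

On a real site the active list comes from the `active_plugins` option in the WordPress database and the current-version table from the plug-in directory's update feed; anything the script reports as "investigate" (no header, or no known upstream) is exactly the sort of forgotten code Kobrin describes and deserves a manual look.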

A Black Hat, DefCon and B-Sides survival guide

Many security professionals are making plans for a week in Las Vegas at the end of this month for three big InfoSec conferences: Black Hat, Defcon and BSidesLV. Several of us from Akamai InfoSec have been going for years and are familiar with what to expect and how to make the best use of our time there. 

If you're a first-time attendee, however, the experience can be overwhelming.

For that reason, each year I put together a survival guide of sorts. In the coming days I'll focus on presentations scheduled for the three events that fit in with trends we've been witnessing in Akamai InfoSec. For now, here's your primer:

Tip 1: Don't let the noise get to you

Black Hat in particular is a noisy event. The vendors, in an effort to really fit in with the attitude of the conference, come up with all kinds of theatrics. One year, a guy was dressed up as a "Mad Russian" hacker mastermind. His attire was a cross between Captain Caveman, Charles Manson and Rasputin. I don't remember the vendor he worked for. I also remember that between sessions, it's hard to move around as people mingle in the middle of crowds rushing from one talk to the next.

The talks themselves are often surrounded by drama, though that part has calmed down in the last couple of years. Sometimes a vendor will try to stop a talk about exploits for a vulnerability in their products. Lawyers are brought in and a mess ensues. This happened in 2005, when Cisco moved to quash a talk by then-ISS researcher Michael Lynn on an exploitable issue with Cisco's IOS router operating system. The move proved to be a waste of time for Cisco, since the story got out anyway. But what was worse, in my opinion, was that a lot of good talks went unreported in the media because everyone was too busy chasing the hype over this one talk.

And so my advice here is to remember what you do in your day-to-day job, find the talks that most closely address the challenges you want to overcome and don't let drama and noise divert you from the plan. 

Tip 2: Make time for B-Sides
At the same time Black Hat is going on, security practitioners will be giving talks at another event called Security B-Sides. This one is for those who maybe couldn't afford to attend Black Hat or DefCon or for those who wanted to speak at those events but were rejected for one reason or another.

It's a more low-key affair than the major conferences, and there are gems to be found on the agenda. The event has gotten considerably bigger in the last couple years but it's still something you'll want to make time for. The content is worth it.

Details for this year's event:

When: July 31-Aug. 1
Where: Tuscany Suites and Casino on Flamingo Ave.

Tip 3: It's more about the networking, anyway
To me, the most important part of the Las Vegas events is the networking. In some cases, you get to finally meet a bunch of people you only knew through Twitter up to that point. You'll also make many new contacts who will offer you a variety of helpful feedback in the years to come.

If there's an opportunity to have coffee with a fellow security practitioner at the same time a bunch of sessions are going on, go for the coffee. The talks may entertain, but it's the relationships you forge over coffee or a meal that will likely lead to useful collaborations and lines of support when you need it most.

Tip 4: Too much drink in public can hurt your career
This last piece of advice is along the same lines as the previous one. If you're hitting the parties at night, where the booze is almost always free flowing and paid for by the vendors, remember that opportunities abound to make fresh business contacts. A game of poker and a few drinks can be the stuff future partnerships are made of. I don't drink anymore, or play poker, but I've made valuable contacts just by hanging out and being an observer.

This can cut both ways, of course.

If you enjoy too many free drinks and get plastered, you run the risk of making a big fool of yourself. I've seen some well-regarded security professionals do this many times, and when they do it's all people talk about for the next week.

I wouldn't want to be that person.

I hope you found this helpful. Safe travels and enjoy the week!