Akamai Diversity

January 2014 Archives

Top Tweets of the Week: 1/24 - 1/31

It's Friday - so it's time for our next installment of "Top Tweets of the Week"! This week we launched our latest Akamai State of the Internet Report (along with a brand new iOS app), helped stream the Grammys, and found out that you'll lose viewers if your webpage takes more than 3 seconds to load. Have a great weekend, and don't forget to keep on tweeting!

A Preview of #BSidesSF

For those planning the trip to San Francisco next month for RSA Conference and BSidesSF, there are a lot of good talks to choose from. Here's a look at the BSidesSF agenda. I apologize in advance to those I missed. These are the items that piqued my interest at first glance.

As the mother of an athlete who grew up aspiring to the London 2012 Olympics, when I saw this story about Olympic athletes requesting that their families stay home, it broke my heart.

A Drop in DDoS Attacks for Q3 2013

For the first time in nearly a year, Akamai researchers saw a drop in the number of DDoS attacks targeting customers. The details are outlined in the newly-released State of the Internet Report for the third quarter of 2013.


China Again the Top Producer of Attack Traffic

Akamai released its Third Quarter 2013 State of the Internet Report yesterday. On the security side, we saw a return of sorts to the status quo.

Live Streaming from Mercedes-Benz Fashion Week

More than a century ago, clothing designer Tiger of Sweden was founded with the radical idea of sending its tailors to customers rather than waiting for customers to visit the shop. During this week's Mercedes-Benz Fashion Week Stockholm, the cutting-edge designer is again bringing its fashions to the people, this time by way of live streaming the showcase of its 2014 Fall and Winter clothing lines.

With no margin for error, production company Studio Bon has selected Akamai's digital media solutions to deliver the live event online, ensuring it has the scale, reach and reliability to enable a global audience of press, purchasers and consumers to experience the look and spirit of the new collections across geographies and devices.

Over the last six years, Akamai's State of the Internet Report has primarily been available as a PDF download or a printed report. We've also made related data available through map- and graph-based visualizations on the State of the Internet page on www.akamai.com, as well as posting related news and information on the @akamai_soti Twitter feed.

Today, we're bringing that all together in a new mobile app for iOS users. Available for download from the iOS App Store, this new app brings it all together through an easy-to-use interface.

Podcast: James Arlen at #ShmooCon 2014

At the recent ShmooCon conference, industry leader James Arlen discussed the need for better business etiquette among security practitioners.


Next Akamai Meet-Ups in February

UPDATE: Due to a scheduling conflict, the Reston Meetup has been moved to Wednesday, March 19th, 2014. Our sincere apologies for any inconvenience.

Akamai's Professional Services team is hosting two new security-focused meet-ups in February. These interactive technical sessions cover key trends and tips for Akamai customers. To learn more about our upcoming events, read below.

Punish Users for Security Mistakes?

In the world of information security, complaining about the user is a sport as old as the profession itself. Users falling for phishing attacks. Users failing to install patches. The list of complaints goes on.


Top Tweets of the Week: 1/17 - 1/24

It's that time of the week again! This week, CEO Tom Leighton went to Davos for the World Economic Forum and chatted with Bloomberg News about innovative technology, while Bill Brenner starts looking forward to RSA and we all learn about the "Business Value of a Fast Website." I hope you enjoy this week's edition of "Top Tweets of the Week"

The Business Value of a Fast Website

While everybody agrees a fast site is better than a slow one, mobilizing business to invest in making their site faster often requires showing how this preference translates to dollars. In this video Ravi Maira, VP Web Experience Products at Akamai, explains how performance ties to the top and bottom lines, and backs it up with public data.


In the past several weeks, Akamai was in a unique position to witness a massively orchestrated attack, designed to map Internet facing web servers that are susceptible to certain specific vulnerabilities.

ISO 30111 Vulnerability Handling Processes Published

One of the big news items from ShmooCon 2014 was that ISO 30111, Vulnerability Handling Processes, is now published. The document, edited by Microsoft Senior Security Strategist Lead Katie Moussouris, has been a long time coming. Specifically, it outlines how vendors should investigate, triage, and resolve all potential vulnerabilities, whether reported by external finders or found through the vendor's internal testing.


#ShmooCon, Day 2: For the Love of LobbyCon

I've said it about other conferences: The most important activity -- even more so than attending talks -- is the networking that goes on in the lobby, something that's become popularly known as LobbyCon. It's especially true for those attending ShmooCon here in the nation's capital.

#ShmooCon, Day 2: Instant Messaging Insecurity

At Akamai, one of our security policies goes something like this: If you want to do instant messaging for personal matters, use whatever you want. If you want to discuss company business on IM, however, you have to use a specialized instant messaging program we've set up specifically for communication between colleagues.


#ShmooCon, Day 2: Security Tools You Can Use

As the second day of ShmooCon 2014 dawns over Washington DC, I'm reflecting on the talks that kicked off the weekend yesterday. Particularly useful was a presentation by security practitioner Rob Fuller called "Attacker Ghost Stories: Mostly Free Defenses That Give Attackers Nightmares."


Top Tweets of the Week: 1/10 - 1/17

It's been another busy week here at Akamai! We published the next installment of our web technology video series, a security blogger's take on why he is attending ShmooCon, and a few other interesting things happened this week. Hope you enjoy this installment of "Top Tweets of the Week!" Happy Friday!

#ShmooCon, Day 1: Schwag for the Security Messaging Win

After getting my badge for this weekend's ShmooCon conference in Washington DC, I excitedly emptied the contents of my bag on the table. Schwag. Lots of it. There was a wooden airplane kit. A harmonica. Stickers aplenty. All branded with the names of various security vendors and organizations. 

Responsive Web Design & its Performance Pitfalls

Responsive Web Design (RWD) is a powerful new approach to tackling the challenge of mobile browsing, which advocates having a single website for all devices, but one that adapts to the device width & capabilities on the client itself. While powerful, RWD brings with it a set of performance concerns. This video explains what RWD is and - more importantly - how to understand and avoid the performance concerns it entails.



Your January 2014 Patch Tuesday Update

Patch Tuesday is an important calendar item for Akamai customers, given how dominant Windows machines are in many companies. What follows is Microsoft's January 2014 Security Update. 

A New Resource for Training Kids in Internet Safety

I got a message this morning from an Akamai colleague who read yesterday's blog post on the HacKids security conference for children. He wanted me to know that he is doing something similar. Stefano Buttiglione, one of our senior solutions architects, says a school in his home town in Italy asked him to do a training course on the risks of social media to kids and their parents. It started as a one-day Danny Lewin Community Care event and blossomed from there.


HacKid Conference: Security Training for Kids

As I've written before, we in Akamai InfoSec take our security training very seriously. We also know that our success as a security operation depends on the skills and talents of the future. So when I see great examples of training for younger generations, I'm compelled to mention it here. For this post, the subject is the HacKid Conference scheduled for April 19 and 20 at the San Jose Tech Museum of Innovation.

Top Tweets of the Week: 1/3 - 1/10

Happy 2014! 

The first full work week of the year has brought us tons of great news. We attended CES, made an announcement regarding our role in the streaming of the 2014 Winter Olympics, added a new member to our Board of Directors and even put up some great window decorations. Check out what happened this week in this edition of "Top Tweets of the Week".

Overall, we can look back on 2013 and feel very good about the results for the industry as a whole. Earlier in the year I recall a survey stating that over 40% of bankers expected another financial crisis in the near future. Thankfully that didn't happen. Other good news for 2013: no European country defaulted; the Euro held together; home prices in the U.S. are up; the S&P 500 went up an incredible 30%; the U.S. job market was the best since 2008; and last but not least, my youngest son is graduating from college and the job market for new grads is the best it has been in years!

Like Skipfish, Vega is Used to Target Financial Sites

Yesterday, we told you about how attackers were using the Skipfish Web application vulnerability scanner to target financial sites. Since then, Akamai's CSIRT team has discovered that another scanner, Vega, is being used in the same manner.

Skipfish and Vega are automated web application vulnerability scanners available as free downloads. Skipfish is hosted on Google's code website and Vega is available from Subgraph. Both are intended for security professionals evaluating the security profile of their own web sites. Skipfish was built and is maintained by independent developers and not Google; in addition to the code being hosted on Google's downloads site, Google's information security engineering team is mentioned in the Skipfish project's acknowledgements. Vega is a Java application that runs on Linux, OS X and Windows. The most recent releases were Skipfish in December 2012 and Vega in August 2013.


Overview

According to Wikipedia, WordPress is a free and open source blogging tool and a content management system (CMS) based on PHP and MySQL, which runs on a web hosting service. Features include a plug-in architecture and a template system. WordPress is used by more than 18.9% of the top 10 million websites as of August 2013. WordPress is the most popular blogging system in use on the Web, at more than 60 million websites.

Attackers Use Skipfish to Target Financial Sites

Akamai's CSIRT team has discovered a series of attacks against the financial services industry. In this instance, the bad guys are using the Skipfish Web application vulnerability scanner to probe company defenses.

Skipfish is available for free download at Google's code website. Security practitioners use it to scan their own sites for vulnerabilities. The tool was built and is maintained by independent developers and not Google, though Google's information security engineering team is mentioned in the project's acknowledgements.

In recent weeks, our CSIRT researchers have watched attackers using Skipfish for sinister purposes. CSIRT's Patrick Laverty explains it this way in an advisory available to customers through their services contacts:

Specifically, we have seen an increase in the number of attempts at Remote File Inclusion (RFI). An RFI vulnerability is created when a site accepts a URL from another domain and loads its contents within the site. This can happen when a site owner wants content from one site to be displayed in their own site, but doesn't validate which URL is allowed to load. If a malicious URL can be loaded into a site, an attacker can trick a user into believing they are using a valid and trusted site. The site visitor may then inadvertently give sensitive and personal information to the attacker. For more information on RFI, please see the Web Application Security Consortium and OWASP websites.

Akamai has seen Skipfish probes primarily targeting the financial industry. Requests appear to be coming from multiple, seemingly unrelated IP addresses. All of these IP addresses appear to be open proxies, used to mask the attacker's true IP address. 

Skipfish will test for an RFI injection point by sending the string www.google.com/humans.txt or www.google.com/humans.txt%00 to the site's pages. It is a normal practice for sites to contain a humans.txt file, telling visitors about the people who created the site.

If an RFI attempt is successful, the content of the included page (in this instance, the quoted Google text above) will be displayed in the targeted website. The included string and the user-agent are both configurable by the attacker running Skipfish. 

While the default user-agent for Skipfish version 2.10b is "Mozilla/5.0 SF/2.10b", we cannot depend on that value being set. It is easily editable to any value the Skipfish operator chooses.

Companies can see if they're vulnerable by using Kona Site Defender's Security Monitor to sort the stats by ARL and look for the presence of the aforementioned humans.txt file being included in the ARL to the site. Additionally, log entries will show the included string in the URL.

"We have seen three behaviors by Skipfish that can trigger WAF rule alerts," Laverty wrote. "The documentation for Skipfish claims it can submit up to 2,000 requests per second to a site."

Laverty said companies can blunt the threat by adjusting Summary and Burst rate control settings to detect this level of traffic and deny further requests. Also, a WAF rule can be created that would be triggered if the request were to contain the string "google.com/humans.txt". 

There is no situation (other than on google.com) where this would be a valid request for a site, he said. 
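As an added example (not from the original post or from Akamai's advisory), the following Python script applies the two detections described above to a handful of constructed Apache access-log lines: it flags any request whose URL, once decoded, contains google.com/humans.txt (including the %00 and double-encoded variants), records whether the default Skipfish User-Agent is present as corroboration only, and counts per-IP requests per second to catch burst behavior. The log lines, the IP addresses and the burst threshold are assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Skipfish's RFI probe asks the target to include a known remote file.
# Outside google.com itself this string has no legitimate use in a request,
# so its presence (in any encoding) is a reliable probe signature.
RFI_MARKER = "google.com/humans.txt"
# Default User-Agent of Skipfish 2.10b. The operator can change it freely,
# so it corroborates a hit but must not be the detection itself.
SKIPFISH_UA = "SF/2.10b"

# Apache combined log format; timestamps have one-second resolution,
# which is enough to count requests per second per source.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def decode_url(url, rounds=2):
    # Decode twice so that double-encoded URLs (%253A) and %00 null-byte
    # truncation attempts still reveal the marker.
    for _ in range(rounds):
        url = unquote(url)
    return url


def is_rfi_probe(url):
    return RFI_MARKER in decode_url(url).lower()


def analyze(log_text, burst_threshold=10):
    """Return RFI probes and sources exceeding burst_threshold requests/second."""
    probes = []
    per_second = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        per_second[(rec["ip"], rec["ts"])] += 1
        if is_rfi_probe(rec["url"]):
            probes.append({
                "ip": rec["ip"],
                "url": rec["url"],
                "skipfish_ua": SKIPFISH_UA in rec["ua"],
            })
    bursts = sorted({ip for (ip, _), n in per_second.items() if n > burst_threshold})
    return {"probes": probes, "bursts": bursts}


def make_line(ip, ts, url, ua, status=200):
    return f'{ip} - - [{ts}] "GET {url} HTTP/1.1" {status} 512 "-" "{ua}"'


# Constructed sample log (documentation IP ranges, not real traffic).
TS = "08/Jan/2014:10:15:01 +0000"
SAMPLE_LOG = "\n".join(
    [
        make_line("203.0.113.10", TS, "/page.php?inc=http://www.google.com/humans.txt", "Mozilla/5.0 SF/2.10b"),
        make_line("203.0.113.10", TS, "/page.php?inc=http://www.google.com/humans.txt%00", "Mozilla/5.0 SF/2.10b"),
        # the same probe through an open proxy, URL-encoded, with a browser User-Agent
        make_line("198.51.100.7", TS, "/view.php?tpl=http%3A%2F%2Fwww.google.com%2Fhumans.txt", "Mozilla/5.0 (Windows NT 6.1)"),
        make_line("192.0.2.44", TS, "/index.php", "Mozilla/5.0 (X11; Linux)"),
    ]
    # a burst of ordinary requests from the proxy inside the same second
    + [make_line("198.51.100.7", TS, f"/item.php?id={i}", "Mozilla/5.0 (Windows NT 6.1)") for i in range(15)]
)

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for p in result["probes"]:
        print("RFI probe", p)
    print("burst sources", result["bursts"])
```

The marker match is done on the decoded URL rather than on the raw request line, which is the same reason a WAF rule on the literal string "google.com/humans.txt" should be applied after the WAF's own URL normalization; the User-Agent is reported but never used to decide, since the advisory notes it is trivially changed.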


SPDY & HTTP 2

HTTP is one of the powering forces of the Internet today. However, HTTP has barely changed in over a decade, and carries with it many limitations that cripple our everyday user experience. SPDY, and subsequently HTTP/2, aim to address those limitations and offer a new and improved way to access content on the web. This video explains these new techniques, along with their limitations and status.

Why I'm Attending ShmooCon 2014

Here at Akamai, we're busy preparing for RSA Conference 2014. It's the biggest security conference of the year, and we send a platoon of employees every time. Given our role in securing the Internet, it's a no-brainer.

But there are many other conferences we attend each year, because:

  1. We have a lot of information to share about attacks against Akamai customers and how the security team continues to successfully defend against them.
  2. We have to stay on top of all the latest threats and attack techniques so we can continue to be successful. Conferences are an important place to do that.

Next week, I'm attending one of the lesser-known conferences: ShmooCon 2014 in Washington DC. In recent years, I've found some of the best content at this event, and I've learned a lot. It's also an excellent place to meet other security practitioners who can become important allies. Some of the most important contacts I've made were at ShmooCon.

The unfamiliar usually chuckle or cock their heads in puzzlement when I tell them about ShmooCon. The name throws them off, and it's not a traditional business conference. ShmooCon is organized by the Shmoo Group, a security think tank started by Bruce Potter in the late 1990s. Attendees represent the full cross section of the security industry. There are hackers, CSOs, government security types and everything in between. More than a few people have compared it to the Black Hat conferences of old or a smaller version of Defcon.

The event has inspired a lot of thinking outside the box -- not just in terms of the talks, but in how attendees travel and network. In recent years people have carpooled to ShmooCon. For three years in a row I traveled to and from the event in what we called the Shmoobus -- An RV crammed with hackers making the journey from Boston to Washington DC. Those 12-hour drives made for a lot of bonding. With such a long trek, there's time to delve into deep discussions about the challenges of our jobs.

The Shmoobus is no more, unfortunately. But what I learned about security on those journeys will last a lifetime.

For more information about ShmooCon, visit the website. The full agenda is posted, including one of my favorite parts of the event, Friday-night "fire talks" -- 15-minute presentations where speakers are challenged to dive right into the core of their content.

I'll write about the talks and other ShmooCon events from this blog.

Two of the most prominent evolutions in the web application attack landscape are scale and volume. Nowadays, attackers use tremendous amounts of computing resources, such as those provided by cloud computing and botnets, to mount distributed large-scale attack campaigns over the Internet while keeping their identity hidden. From a defender's point of view such attacks are a nightmare: they are much harder to detect and mitigate, because their origins are scattered and change rapidly. Analyzing only a limited slice of the malicious traffic usually results in an incomplete understanding of the campaign, its nature and its scale.

In this article we will show how the analysis of large-scale, global multi-site traffic may reveal interesting trends and malicious behavior patterns, and as a result can help improve protections against the next round of attacks.

Before launching such distributed, massive-scale attacks, attackers try to compile a long list of vulnerable targets. In most cases they target exploits in commonly used web application platforms such as Joomla, WordPress or Drupal.

In recent research conducted by Akamai's threat research team using Akamai's security big data platform (Cloud Security Intelligence), the team came across a malicious campaign focused on web applications running outdated modules of Joomla, one of the most commonly deployed content management systems. In this campaign the attackers were trying to inject backdoors into the vulnerable web applications.

Deeper analysis of the campaign's traffic revealed that the attackers were trying to exploit a Joomla content editor component that allowed web users to upload files. That capability made the sites susceptible to malicious file upload and, in turn, to remote code execution. What the deep "single-event" analysis of the exploit did not reveal was the sheer volume and distribution of the attack. When the threat research team zoomed out and looked for similar attack patterns across Akamai's customer base, they uncovered an entire botnet working exclusively on attacks of this kind, slowly mining the Internet for more and more vulnerable applications. Here are the key findings from one month of security events analyzed on Akamai's security big data platform:

Increase in Malicious Transactions Over Time

Looking at 43,000 malicious HTTP transactions over a period of one month, we saw a steady increase in the amount of malicious traffic:


Botnet Distribution by Country

Looking at the distribution of botnet machines by country, United States-based bots were the most prominent:



Botnet Distribution by Continent

Looking at the distribution by continent of botnet machines - Europe was the top continent from which bots were used:


Increase in Number of Targets Per Day

Over the period of one month, 2,008 different web applications were targeted. The chart shows a clear upward trend in the number of web applications targeted each day:


Analysis of Bot Machines 

Looking at the malicious bot machines used to send the attacks, we noticed that most of them were themselves Internet-facing web applications, and it was clear that the attackers had compromised those applications.


Further analysis of the botnet machines running web servers showed that the prevalent server software was Apache.

Further Evidence on the Attacker's Identity 

While analyzing the botnet machines that participated in the attack, we found that some of them were completely compromised and had backdoor and remote control software installed. Other machines had also been defaced and left with hacktivist-style messages. One of the compromised web servers carried a backdoor that gave the attackers full control over the machine.

Summary

  • Looking at the behavior of web attack botnets over time, there is a clear upward trend in both the number of applications attacked per day and the number of HTTP transactions per day. These botnets are not static in size; they grow as attackers add more machines to the malicious network.
  • Most of the bot machines in this attack came from the US and Europe, which makes geographic-based protections ineffective. On the other hand, the majority of malicious bots were Internet-facing web servers, so their IP addresses are static, which makes it easier to block them specifically.
  • The ability to identify globally distributed malicious botnets through behavioral analysis of multi-site security data can become a game changer in the battle for web application security.
  • Correlating cross-domain attack information can help predict the next targets and therefore reduce the risk to applications that are not yet under attack.
  • Akamai's threat research team sees an increase in botnet-based attacks that use application-layer vulnerabilities as their primary weapon (as opposed to DDoS botnets).
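To make the "zoom out" concrete, here is an added Python example (not the research team's own code or tooling) that runs the correlation described in the summary over a handful of constructed WAF events. The event fields, rule names, hostnames and IP addresses are assumptions. The point it shows is that each attacking IP looks like a single low-volume source to any one site, that only grouping by attack signature across sites exposes the campaign, and that the resulting list can then be pushed to sites the bots have not reached yet.

```python
from collections import defaultdict
from typing import NamedTuple


class Event(NamedTuple):
    day: str    # ISO date on which the WAF logged the transaction
    src: str    # attacking IP address
    dst: str    # customer hostname that was targeted
    rule: str   # WAF rule that fired (hypothetical rule names)


# Constructed events (documentation IP ranges, invented hostnames).
EVENTS = [
    Event("2014-01-01", "198.51.100.1", "shop.example", "JOOMLA_UPLOAD"),
    Event("2014-01-01", "198.51.100.1", "news.example", "JOOMLA_UPLOAD"),
    Event("2014-01-01", "198.51.100.2", "shop.example", "JOOMLA_UPLOAD"),
    Event("2014-01-01", "203.0.113.9", "shop.example", "SQLI"),  # unrelated noise
    Event("2014-01-02", "198.51.100.2", "blog.example", "JOOMLA_UPLOAD"),
    Event("2014-01-02", "198.51.100.3", "shop.example", "JOOMLA_UPLOAD"),
    Event("2014-01-02", "198.51.100.3", "news.example", "JOOMLA_UPLOAD"),
    Event("2014-01-02", "198.51.100.3", "blog.example", "JOOMLA_UPLOAD"),
    Event("2014-01-02", "198.51.100.1", "blog.example", "JOOMLA_UPLOAD"),
]


def daily_trend(events):
    """(day, transactions, distinct targets) per day: the two curves the post charts."""
    per_day = defaultdict(list)
    for e in events:
        per_day[e.day].append(e.dst)
    return [(day, len(dsts), len(set(dsts))) for day, dsts in sorted(per_day.items())]


def cross_site_sources(events, rule, min_sites=2):
    """Sources that fired the same rule against at least min_sites distinct hosts.

    From any single site each of these is one low-volume IP; only the
    multi-site view shows them acting as one campaign.
    """
    sites = defaultdict(set)
    for e in events:
        if e.rule == rule:
            sites[e.src].add(e.dst)
    return {src for src, dsts in sites.items() if len(dsts) >= min_sites}


def proactive_blocklist(events, botnet, host):
    """Botnet members that have not yet reached `host`: block them there first."""
    seen_here = {e.src for e in events if e.dst == host}
    return sorted(botnet - seen_here)


if __name__ == "__main__":
    for row in daily_trend(EVENTS):
        print("day %s: %d transactions against %d targets" % row)
    bots = cross_site_sources(EVENTS, "JOOMLA_UPLOAD")
    print("campaign sources:", sorted(bots))
    print("pre-emptive blocklist for news.example:", proactive_blocklist(EVENTS, bots, "news.example"))
```

Because the bots in the campaign were compromised web servers with static addresses, a blocklist built this way stays useful for longer than one built from dial-up or proxy IPs; the min_sites threshold trades false positives (shared scanners, security researchers) against how early a new bot is caught.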

This post was written by Or Katz, Principal Security Researcher & Ory Segal, Principal Product Architect


On the eve of this week's International CES in Las Vegas, Qualcomm issued this news release highlighting an interesting demonstration at their booth (#8252 in the Las Vegas Convention Center's central hall), of which Akamai is a part. As a proof of concept, we've worked with Qualcomm's Atheros subsidiary to show how Akamai Intelligent Software can run on an Atheros IPQ smart gateway to make consumer experiences markedly faster and more reliable in the home. 

The last estimates from the NPD Group suggest that there's an average of 5.7 Internet-connected devices in every home. Thanks to the glut of these connected devices being used to watch video, access dynamic websites, download software and play games online - particularly during prime times - the strain on household Internet connectivity is leading to inconsistent and even frustrating experiences for consumers. In fact, it's fairly common to find devices requesting more bandwidth than is available over the last mile. 

Our demonstration at CES with Qualcomm shows how Akamai's Intelligent Software can run on the Atheros smart gateway to help optimize delivery and prepositioning of content, thereby improving the efficiency of existing last-mile resources as well as the use of resources from the gateway to connected devices in the home. In a real-world use case, partnerships like this could allow service providers to improve quality of service and enable family members to enjoy far better all-around Internet experiences.

The demo also offers a glimpse into the future of the Akamai platform as we explore ways to move beyond the edge and onto devices of many types: not only gateways, but game consoles, set-top boxes, Blu-ray players, connected TVs and more. It's this type of evolution that we feel can help address the bandwidth issues described above and also pave the way to deliver the massive amounts of video and other content at scale, including 4K, that is expected to traverse the Internet over the coming years.

Also, I would like to re-iterate that this proof-of-concept is designed to show the potential benefits that can be realized by placing Akamai's Intelligent Software onto in-home technology such as the Qualcomm Atheros IPQ smart gateway. We're not announcing business models or any information on availability at this time.

If you're interested in checking out the demo or want to set up some time to meet with Akamai at CES this week, please feel free to email kalexand@akamai.com.

Kris Alexander is Chief Strategist, Connected Devices & Gaming, at Akamai.

Security Predictions? Here Are Some Facts About 2014

I've said it before and will repeat it here: I absolutely loathe security predictions.

I have nothing against those who make them. It's just that most predictions are always so much duh. The rest are marketing creations that have no attachment to reality. 

Examples of the self evident:

  • Mobile malware is gonna be a big deal.
  • Social networking will continue to be riddled with security holes and phishing attacks.
  • Microsoft will release a lot of security patches.
  • Data security breaches will continue to get more expensive.

Examples of predictions that never had a hope of becoming true:

I'm going to offer you something different: Some facts for 2014. That's right, things that are really going to happen -- things that are not obvious to those outside of Akamai. Let's begin:

  1. In February, we will officially launch the first-ever Akamai.com security section, and it'll be packed with everything you need to understand the threats your organization faces and how Akamai keeps its own security shop in order.
  2. Several of us from Akamai InfoSec will travel the globe, visiting customers and speaking at many a security conference. Those who attend will walk away enlightened and inspired.
  3. Akamai will continue to protect customers from DDoS and other attacks.
  4. You will see many new security videos and hear many new podcasts from us.
  5. If you visit the soon-to-be-launched Akamai security section, you will walk away with a better understanding of our compliance efforts than ever before.
Happy New Year! May you have a healthy, prosperous and secure 2014.


Addressing the 4K Challenge at CES

Big screens, bigger screens and little, tiny screens ... the 2014 International CES is sure to be all about screens - and the gadgets they're attached to - again this year.

I, for one, will have my eyes fixed on the Ultra High Definition, or 4K, screens at this year's show. Unlike the 3-D fad in recent years, this technology is here to stay. Tech cycles have quickly evolved and there's no physical "box" needed to deploy 4K (except the enormous one the display comes in, of course), which means it's rapidly moved from "interesting" to "awesome" over the last year.

In fact, Akamai has been working with our friends from Elemental Technologies and Qualcomm Technologies, Inc. on a 4K demonstration, which can be experienced in Qualcomm's CES booth #8252. We are showing attendees how content owners can make the jump from demonstration to deployment at a scale that is achievable and can help satisfy the groundswell of consumer demand in the year ahead.

Here's what it will look like:

  • Qualcomm Technologies, Inc. will be demonstrating a development tablet, powered by the Snapdragon™ 805 processor, with the ability to decode H.265 High Efficiency Video Coding (HEVC) and play back 4K content on an Ultra High Definition television.
  • Elemental Technologies will encode the content using HEVC, compressing the video to require about half of the bandwidth of today's commonly used AVC/H.264 compression standard. Elemental will also apply Moving Picture Expert Group - Dynamic Adaptive Streaming over HTTP (MPEG-DASH) formatting to the content. MPEG-DASH has been designed to serve as a single, open streaming format for all devices and players.
  • That 4K/HEVC/DASH content will be hosted in Akamai's cloud-based NetStorage and streamed in real time over the Akamai Intelligent Platform's high-performance network at bitrates ranging from 10 to 20 megabits per second. 

So, what's cool about this joint demonstration at CES? It's a great example of innovative companies combining their technologies to showcase a practical implementation for online 4K viewing. Sure, you can find a few examples of 4K content online now, and you can also download massive 4K files; but delivering that level of content at scale is a real hurdle for content owners and service providers - one that Akamai is working with other innovators to solve.

This demonstration from Akamai, Qualcomm Technologies, Inc. and Elemental shows those enabling technologies all in one place and demonstrates how 4K can become commercially viable in terms of managing the storage, bandwidth and costs associated with this higher level of content delivery.

If you're interested in seeing this demonstration in person, stop by Qualcomm's booth, #8252, or email Kurt Michel to make an appointment.

Kurt Michel is director of product marketing for Akamai's digital media solutions.