Akamai Diversity

March 2014 Archives

Anatomy of Wordpress XML-RPC Pingback Attacks

Akamai researchers have released fresh details regarding the Wordpress XML-RPC pingback exploits used in a series of DDoS attacks earlier this month. The details are in an advisory written by CSIRT's Larry Cashdollar.

Top Tweets of the Week: 3/21 - 3/28

It's that time again - time for Top Tweets of the Week! We're gearing up for the NAB Show and Second Screen Summit next week, and we are also pretty excited about having helped NBC deliver record amounts of video content during the 2014 Sochi Winter Olympics. Want to know what else has happened at Akamai this week? Check out this week's installment of "Top Tweets of the Week".
Sometimes 99% just isn't good enough. That is the global country-level SLA Akamai's EdgeScape Pro service currently commits to. The reason this SLA lacks four nines or finer granularity is simple: Internet IP space is not static. On top of that, a lot of IPs move around in fractional blocks, including portable IP space, and ISPs are jockeying for every last IPv4 address that remains available or unused. Looking over a three-week period of a sample of EdgeScape data covering 10 million IP addresses, for instance, the week-over-week change in physical locality ranged from 0.24% all the way to 5.6%.

Getting the most accurate mapping to date has been a mixture of science and art. But just as Google Maps improved in accuracy with crowd-sourced, user-provided corrections, it seems plausible that a similar improvement could be achieved through a "data handshake" of the kind described in the most recent Technology Services Industry Association (TSIA) publication, B4B. Among other things, B4B details new outcome-based sales operating trends and organizational capabilities, one of which is the data handshake.

We piloted this concept recently with a US-based delivery service where the IP mapping data was highly reliable and the data handshake introduced a new data stream to improve the overall accuracy of the database.  The results were improved accuracy at the city and state level.  By improving the accuracy at finer grained locality, the country accuracy improves as well.  The more accurate the database, the more accurate our ability to map end users to Akamai machines nearer to them for improved performance which is of mutual benefit to Akamai and the data stream supplier that wants their end users to have an improved ordering experience--i.e. the full lifecycle of the ordering to fulfillment process is much improved. 

Additionally, improved accuracy of the database can be used by derivative services such as IP Intelligence, including reputation, country-level geo-blocking, and geo-targeting, which continues to get more attention both for software downloads subject to ITAR and for broadcast media rights distribution for live events and Video On Demand. As we continue exploring this, we want to expand the pilot to other companies willing and interested in contributing at this level. Existing Akamai customers can broach the topic through their assigned account teams; anyone else who is interested can tweet me at @AkamaiRob and I can put you in touch with the right folks to explore the feasibility and the business development opportunity.

Security Awareness for Senior Citizens

We hear a lot about the need to educate kids on Internet security threats. But Christopher Burgess, CEO of security consultancy Prevendra, thinks the danger is even greater for senior citizens who haven't had the advantages of growing up in a hyper-connected world. 

"We focus so much on protecting our kids. Nobody is watching the seniors," he told me in a phone conversation this week. "A lot of people are invested in separating seniors from their personal information and money." 

That being the case, his company set out to do something about it.

Full Disclosure's Second Chance

A week after the shutdown of Full Disclosure sent shockwaves through the security industry, we're getting word that it's getting a second chance. Nmap Project hacker Gordon Fyodor Lyon announced Tuesday that he's taking on management of the list.

In a market where innovation is the name of the game and competition is fierce, progressive high-tech organizations must deliver products and services quickly, efficiently and cost-effectively. The high-tech industry must ensure unmatched cloud computing security to prevent malicious attacks, data theft and downtime. Don't leave the quality of your content delivery to chance when the web is strategic to your business. Learn how IBM Edge Delivery Services powered by Akamai can help you derive maximum return on investment and business value from your online business.

Podcast: Humanity in Security

In this week's episode of the Akamai Security Podcast, I talk to Christian Ternus of our adversarial resilience team. He's been the driving force behind "Humanity in Security," an effort to address burnout, depression and stress in the security community.

A Very Exciting Day for Akamai and Telefonica

Here at Akamai, it is our goal to work with operators to build a more efficient network and a faster Internet service to meet the growing demands of their subscribers. We are thrilled to be announcing a strategic global alliance with one of the largest telecommunications companies in the world to deliver on that goal: Telefonica. And when we say "one of the largest", Telefonica has over 323 million customers!

Web Experience Overview with M.J. Johnson

Watch this overview of how Akamai helps our customers deliver reliable, fast and secure web experiences with Akamai Director of Web Experience Product Marketing, M.J. Johnson. M.J. also provides an overview of how websites have evolved into full-fledged dynamic applications and how the way users interact with these sites has changed with the proliferation of new devices and variable network conditions.

BsidesBoston Details

The final speaker list and agenda have not yet been settled, but plenty of details are now available regarding BSides Boston 2014. Those details are below. As for the final agenda, stay tuned for that after the call for papers closes March 31.

Full SOURCE Boston 2014 Schedule Released

The full schedule has been released for next month's SOURCE Boston security conference. This year's keynote speakers are:

  • Internationally renowned security technologist and author Bruce Schneier;
  • Justine Aitel, who manages cyber security and identity programs at Dow Jones; and 
  • Dr. Andrea M. Matwyshyn, an academic studying technology innovation and its legal implications, particularly corporate information security regulation and commercial and consumer privacy.
The SOURCE website includes podcast interviews with the keynoters as well as many other speakers.

Top Tweets of the Week: 3/14 - 3/21

It's Friday again! This week, we attended the Game Developers Conference in San Francisco, enjoyed Pi Day the way it's supposed to be enjoyed (with pie), and wondered what security professionals would ask for if they were granted one wish. It's been busy around here, but it's time to sit back and enjoy this week's edition of "Top Tweets of the Week"!
The job of security professionals is becoming tougher by the day. While we work hard to ensure that vulnerabilities are covered, an attacker simply needs to find the weakest link. Not a pleasing thought, but often attackers have the time and resources on their side while the "good guys" work under a whole different set of pressures.

Patrick J. McGovern Left a Huge Legacy in Tech Media

International Data Group (IDG) announced yesterday that its Founder and Chairman, Patrick J. McGovern, died March 19 at Stanford Hospital in Palo Alto, California. Having worked at IDG for five years before coming to Akamai, the news made me profoundly sad. But this post is a celebration of a life well lived and the huge legacy he left in the world of tech media and beyond.

Full Disclosure Shutdown: A Journalist's Perspective

There's a lot of valuable perspective out there regarding the shutdown of Full Disclosure, a mailing list where researchers posted details of exploits and software security holes. I'll share that perspective below. But first, here are my thoughts as an ex-journalist who often relied on it for news.

Measuring Web Performance: Synthetic vs RUM

How you measure a page can dramatically change your view of a website's performance. Synthetic testing tools on the one hand and Real User Monitoring (RUM) technology on the other are both useful, but only if you understand what each represents. In this video Mike McCall, Product Architect at Akamai, explains the different measuring tools and what purpose each one serves.

If Security Pros Could Be Granted One Wish...

The great videos David Spark produced during RSA Conference 2014 keep rolling in. In this latest episode, security professionals are asked what they would want if they could be granted one wish. The answers are amusing and, in most cases, unattainable.

Visit the site of our partner Tripwire for a related article.

The competition for wallet share has never been greater. A well designed application delivered over the internet is only as good as the client experience. You need a world class delivery platform! Learn how IBM Edge Delivery Services powered by Akamai transforms the Internet into an Enterprise class network to deliver mission critical Web applications to consumers quickly, reliably and securely.

Learn more about becoming an Akamai Partner: http://www.akamai.com/html/partners/index.html

Learn more about Akamai's solutions for the Commerce industry: http://www.akamai.com/html/industry/retail_consumer.html

An overview of the online video landscape, consumer expectations and the importance of video quality with Akamai Director of Media Product Marketing, Kurt Michel. Kurt also provides an overview of the quality chain that must be considered when delivering exceptional media experiences: delivery, storage, preparation, protection and analytics.

Learn more about Akamai's Media & Delivery Solutions:http://www.akamai.com/html/solutions/sola-solutions.html

Why Security Pros Should Embrace DevOps

One of the big topics at last month's RSA Conference was DevOps, the process by which developers and IT operations work together to speed up development and production at unprecedented levels, pushing sometimes thousands of updates to production in a single day. 

Gene Kim (@RealGeneKim), author of "The Phoenix Project" and a huge proponent of DevOps production environments, and Josh Corman (@JoshCorman), CTO of Sonatype, explain the benefits in this Tripwire video:

The Tripwire site includes an article on DevOps. Check it out here.

A DDoS Checklist?

Following last week's cyber-attacks on Meetup's infrastructure, Antone Gonsalves, a reporter from CSO Online, asked me, for an article he was writing, what steps I would recommend CISOs take "if they came under a similar attack". I hesitated before giving a softball answer: "don't wait for the attack, prepare for it." I could sense the reporter's frustration immediately. He wanted to give his readers step-by-step instructions for what I have observed to be a potentially very complex problem.

Wordpress DDoS: New Attack, Old Problems

Our researchers spent much of yesterday tracking a massive DDoS exploiting weaknesses in the Wordpress blogging platform. Most of the news reports are consistent with what we saw, so let's take a look at some of the more comprehensive pieces, starting with a CSOonline blog post from Akamai Security Advocate Dave Lewis. The overall message: This latest attack is just another example of an old and unaddressed problem.
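The pingback attack summarized here and in the "Anatomy of Wordpress XML-RPC Pingback Attacks" item above has two observable sides: the WordPress sites being abused see XML-RPC `pingback.ping` calls whose `sourceURI` points at the victim, and the victim sees GET requests from many unrelated blogs carrying a `WordPress/<version>; <blog URL>` User-Agent and a random cache-busting query string. The detector below is an added example, not code from the original post or from the Akamai advisory; the log format (combined access log), the traffic shape, the sample log lines and the sample XML-RPC bodies are all constructed assumptions for illustration.

```python
"""Detect WordPress pingback reflection on either side of the attack.

Added example; not from the original post or Akamai's advisory. Assumes:
  - reflector side: POST bodies to /xmlrpc.php are available as strings
  - victim side: combined-format access log lines
All sample data below is constructed.
"""
import re
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production
from collections import Counter
from typing import Dict, Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# --- reflector side: pick out pingback.ping calls and count their sourceURI hosts ---

def parse_pingback_call(body: str) -> Optional[Tuple[str, str]]:
    """Return (sourceURI, targetURI) if `body` is an XML-RPC pingback.ping call, else None."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall" or root.findtext("methodName") != "pingback.ping":
        return None
    vals = []
    for v in root.findall("./params/param/value"):
        s = v.find("string")                      # XML-RPC allows <value>text</value> too
        vals.append(((s.text if s is not None else v.text) or "").strip())
    return (vals[0], vals[1]) if len(vals) == 2 else None


def source_hosts(bodies: Iterable[str]) -> Counter:
    """Count how often each sourceURI host appears across pingback calls."""
    c: Counter = Counter()
    for b in bodies:
        pair = parse_pingback_call(b)
        if pair:
            c[urlsplit(pair[0]).hostname or ""] += 1
    return c


def suspect_sources(bodies: Iterable[str], min_calls: int = 2) -> List[str]:
    """Hosts named as sourceURI at least `min_calls` times: a real blog rarely pings one site repeatedly."""
    return sorted(h for h, n in source_hosts(bodies).items() if n >= min_calls)


# --- victim side: reflected GETs from many distinct WordPress installs ---

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
UA_RE = re.compile(r"^WordPress/(?P<ver>[\d.]+); (?P<blog>https?://\S+)$")
CACHEBUSTER_RE = re.compile(r"^/[^?]*\?\d+=\d+$")  # e.g. /?4137049=643182 (assumed shape)


def reflected_requests(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Log records that look like pingback-driven fetches of our site."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        ua = UA_RE.match(rec["ua"])
        if rec["method"] == "GET" and ua and CACHEBUSTER_RE.match(rec["path"]):
            rec["blog"] = ua.group("blog")
            out.append(rec)
    return out


def reflector_blogs(lines: Iterable[str], min_blogs: int = 3) -> List[str]:
    """Distinct WordPress origins used against us; empty unless at least `min_blogs` are seen."""
    blogs = sorted({r["blog"] for r in reflected_requests(lines)})
    return blogs if len(blogs) >= min_blogs else []


# --- constructed sample data ---

PINGBACK_TEMPLATE = (
    '<?xml version="1.0"?><methodCall><methodName>pingback.ping</methodName>'
    "<params><param><value><string>{src}</string></value></param>"
    "<param><value><string>{tgt}</string></value></param></params></methodCall>"
)
SAMPLE_XMLRPC = [
    PINGBACK_TEMPLATE.format(src="http://victim.example/?1001=2002", tgt="http://blog-a.example/2014/03/hello/"),
    PINGBACK_TEMPLATE.format(src="http://victim.example/?3003=4004", tgt="http://blog-a.example/2014/03/world/"),
    PINGBACK_TEMPLATE.format(src="http://friend.example/post/", tgt="http://blog-a.example/2014/03/hello/"),
]
SAMPLE_LOG = [
    '203.0.113.10 - - [11/Mar/2014:14:02:11 +0000] "GET /?4137049=643182 HTTP/1.0" 200 4521 "-" "WordPress/3.8; http://blog-a.example"',
    '203.0.113.11 - - [11/Mar/2014:14:02:11 +0000] "GET /?7712304=118835 HTTP/1.0" 200 4521 "-" "WordPress/3.7.1; http://blog-b.example/"',
    '203.0.113.12 - - [11/Mar/2014:14:02:12 +0000] "GET /?0021993=991002 HTTP/1.0" 200 4521 "-" "WordPress/3.8.1; https://blog-c.example"',
    '198.51.100.5 - - [11/Mar/2014:14:02:12 +0000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '198.51.100.6 - - [11/Mar/2014:14:02:13 +0000] "GET /?s=foo HTTP/1.1" 200 8120 "-" "WordPress/3.8; http://blog-d.example"',
]

if __name__ == "__main__":
    print("sourceURI hosts abused on the reflector:", suspect_sources(SAMPLE_XMLRPC))
    print("WordPress installs hitting the victim:", reflector_blogs(SAMPLE_LOG))
```

On the reflector side the useful signal is a single `sourceURI` host repeated across many calls with differing `targetURI`s; on the victim side it is the number of distinct blog URLs, not the request rate from any one IP, since each reflector sends only a handful of requests. The last sample line shows why the query-string check matters: a legitimate WordPress fetch with a normal search query is not flagged.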

Podcast: RSAC in Review

This week's episode of the Akamai Security Podcast is a recap of RSA Conference 2014, and my guests are Stuart Scholly, SVP and General Manager of Akamai's Security Business Unit, Akamai CSO Andy Ellis, and Program Manager Meg Grady-Troia.


Akamai Participating in Cyber-Defense Competition

Akamai InfoSec personnel will be on hand this weekend to help run the seventh annual Northeast Collegiate Cyber Defense Competition, in which students are divided into teams to carry out simulated cyber-defense scenarios.

eTail West: Post Show Report

Another eTail West in the Books 

I look forward to the eTail West Conference every year as a chance to spend time with our industry peers, stay up to date with best practices, and learn about emerging opportunities and technologies in the online retail community. I was inspired by the conference as a whole and impressed with the caliber of attendees and valuable information shared by over 200 retailer speakers. The event's focus on quality was clear both in terms of attendance and speaker representation.

Is Microsoft Wrong to Retire Windows XP?

There's an interesting article in Computerworld today about the dangers surrounding Microsoft's plan to finally pull the plug on Windows XP. The argument goes something like this: Many people still use XP, and depriving them of future security patches could lead to devastating malware infections and, by extension, myriad forms of mayhem.

Neil shares how Akamai's services transform the cloud from a chaotic place with unpredictable performance and scale to a secure, reliable and cost-effective environment to do business. Neil also gives an overview of how Akamai transforms the cloud to make the Internet fast, reliable and secure and why that matters for your business.

Learn more about Akamai's Solutions and how they can move your business faster forward: http://www.akamai.com/html/solutions/index.html

Partner Solution: IBM Edge Delivery Services

The difference between success and failure comes down to user perception of response time, reliability and safety. Sophisticated online users expect a high quality experience regardless of location and device type. IBM Edge Delivery Services powered by Akamai overcomes the complexities so the Internet works as a trusted, reliable and secure platform. Learn how your company can benefit from IBM Edge Delivery Services.

Akamai InfoSec Program Manager Benjamin Brown will give a talk at two upcoming events called "Meta Cognition and Critical Thinking in Open Source Intelligence (OSINT)."

Top Tweets of the Week: 2/28 - 3/7

It's been a busy week here at Akamai. From heading out to #eTailWest to ending the week by celebrating International Women's Day, we have rounded up this week's "Top Tweets of the Week"! Enjoy!

Patch Tuesday Preview for March 2014

Patch Tuesday is an important calendar item for Akamai customers, given how dominant Windows machines are in many companies. What follows is a preview of Microsoft's March 2014 Security Update. 

The surge in Microsoft IIS install-base gains reported in the Netcraft February 2014 Web Server Survey makes this an opportune time to write about a lesser-known behavioral interaction between IIS and caching web proxies, as well as other layer 7 network intermediaries that operate similarly. The interaction in question is that IIS disables HTTP compression whenever an HTTP Via header is present in an inbound request to the server. According to a Microsoft TechNet article, the intent is to "minimize the chance of inappropriately returning a compressed file to a client that cannot decompress it because not all caching proxy servers handle the caching of compressed objects correctly". However, for intermediaries like the Akamai Intelligent IP Platform that have highly advanced caching and other network optimization capabilities, the origin not sending compressed content can have a negative effect on the total achievable performance: every object has to cross the origin-to-edge path uncompressed, or be compressed again at the edge, so the safeguard costs bytes and CPU on exactly the path where the proxy is known to handle compressed objects correctly.
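A quick way to check whether a given origin shows this behaviour, as an added example (not code from the original post): the script below issues two GET requests that differ only by a Via header, as a caching proxy would add one, and compares the Content-Encoding of the two responses. The host, path and Via value are assumptions; `classify()` is a pure function so it can also be run over headers captured some other way. On IIS 7 and later, the origin-side setting behind this behaviour is, to the best of my knowledge, the `noCompressionForProxies` attribute of `<httpCompression>` in `system.webServer`; setting it to `false` re-enables compression for Via-bearing requests, which is appropriate only when the intermediary in front of the origin is known to cache compressed objects correctly and honour `Vary: Accept-Encoding`.

```python
"""Probe whether an origin turns off HTTP compression when a Via header is present.

Added example, not from the original post. Sends two otherwise identical GET
requests, one carrying a Via header, and compares Content-Encoding.
Host, path and the Via value are assumptions.
"""
import http.client
import ssl
import sys
from typing import Dict, Optional

PROBE_VIA = "1.1 compression-probe"  # assumed value; any syntactically valid Via will do


def fetch_headers(host: str, path: str = "/", via: Optional[str] = None,
                  use_tls: bool = True, timeout: float = 10.0) -> Dict[str, str]:
    """GET `path` from `host` and return the response headers with lower-cased names."""
    headers = {
        "Host": host,
        "Accept-Encoding": "gzip, deflate",
        "User-Agent": "compression-probe/1.0",
        "Cache-Control": "no-cache",  # ask any intermediary on the way for a fresh copy
    }
    if via is not None:
        headers["Via"] = via
    if use_tls:
        conn = http.client.HTTPSConnection(host, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(host, timeout=timeout)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()  # drain the body so the connection closes cleanly
        return {k.lower(): v for k, v in resp.getheaders()}
    finally:
        conn.close()


def _compressed(h: Dict[str, str]) -> bool:
    enc = h.get("content-encoding", "").lower()
    return any(tok.strip() in ("gzip", "deflate", "br") for tok in enc.split(","))


def classify(without_via: Dict[str, str], with_via: Dict[str, str]) -> str:
    """Name the origin's behaviour from the two responses' Content-Encoding headers.

    'compressed-both'      compresses regardless of Via
    'disabled-for-via'     compresses only when no Via header is present (the IIS default)
    'never-compressed'     did not compress either response
    'compressed-via-only'  compressed only with Via: unusual, check for a cache in the path
    """
    a, b = _compressed(without_via), _compressed(with_via)
    if a and b:
        return "compressed-both"
    if a and not b:
        return "disabled-for-via"
    if not a and not b:
        return "never-compressed"
    return "compressed-via-only"


def probe(host: str, path: str = "/", use_tls: bool = True) -> str:
    """Run both requests against a live origin and classify the result."""
    return classify(fetch_headers(host, path, None, use_tls),
                    fetch_headers(host, path, PROBE_VIA, use_tls))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # assumed host
    print(target, "->", probe(target))
```

Run it against the origin hostname directly (not the CDN-fronted hostname), since the point is what the origin returns to the intermediary; a `disabled-for-via` result on a dynamic page is the case the paragraph describes, and a `compressed-via-only` result usually means a cache between the probe and the origin served one of the two responses.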


More Great RSAC Videos

My friend David Spark, founder of Spark Media Solutions, does some outstanding videos each year during RSA. They are educational, humorous and brilliantly edited. His work appears on the site of one of our partners, security vendor Tripwire. Per an agreement, I'm sharing them here as well. Enjoy!


I've been thinking a lot about the culture of security since RSA Conference 2014, and find myself returning to a topic that got me in trouble three years ago.

DNS 101 - From a Web Browsing Perspective

DNS (Domain Name System) queries are a hidden component of practically everything we do on the web - and specifically, they make up an important part of web browsing. This video explains the core principles of DNS, as they relate to web browsing, and why a fast DNS matters.


No longer is IPv6 "just around the corner". It's here. In the half year since I last wrote about our measurements of IPv6 adoption, many of the metrics we were tracking have doubled. This is in large part due to increased adoption of IPv6 by residential broadband networks in the U.S.A. and Germany. As of December 2013, we were serving over 20 billion IPv6 requests per day, double the 10 billion per day delivered just six months prior.
Dr. Michael Wu, chief scientist at Lithium, presented a workshop in the (very cold) Boston area this past week called "The Science + ROI of Social Media Influence". I stress "very cold" because when we discussed the topic of credibility he pointed out that he is not credible when it comes to clothing. His wife, however, is very credible, as she picks out his clothes. He was extremely happy that she had selected six layers of clothing for him on that cold, snowy day.

Missed #RSAC? We've Got You Covered!

As you might have already read, we were at RSA Conference in San Francisco last week. For the first time, I had the opportunity to live-tweet the entire conference: from William Shatner's musical opening, to Andy Ellis', Or Katz's and Tsvika Klein's talks, to Stephen Colbert's closing keynote. Did you miss RSA Conference this year? Read our Twitter stream to follow the various talks and events from each day. Enjoy!

RSAC and BSidesSF: Week in Review

Another RSA Conference and BSidesSF is in the books. Here's a look back at our coverage for the week.