Akamai researchers have released fresh details regarding the Wordpress XML-RPC pingback exploits used in a series of DDoS attacks earlier this month. The details are in an advisory written by CSIRT's Larry Cashdollar.
Get In Touch
March 2014 Archives
Getting the most accurate mapping to date has been a mixture of science and art. But just as Google maps improved in accuracy with crowd-sourced user provided corrections, it seems plausible that a similar technique could be achieved through a data handshake as has been described in the most recent Technology Service Industry Association (TSIA) publication called B4B. B4B details among other things, new outcome based sales operating trends and organizational capabilities like what is described as a data handshake.
We piloted this concept recently with a US-based delivery service where the IP mapping data was highly reliable and the data handshake introduced a new data stream to improve the overall accuracy of the database. The results were improved accuracy at the city and state level. By improving the accuracy at finer grained locality, the country accuracy improves as well. The more accurate the database, the more accurate our ability to map end users to Akamai machines nearer to them for improved performance which is of mutual benefit to Akamai and the data stream supplier that wants their end users to have an improved ordering experience--i.e. the full lifecycle of the ordering to fulfillment process is much improved.
Additionally, improved accuracy of the database can be used by derivative services such as IP Intelligence including reputation, country level geo-blocking, and geo-targeting which is continuing to get much more attention both for Software Downloads in relation to ITAR as well as Broadcast Media rights distribution for live events and Video On Demand. As we continue exploring this further, we wanted to expand the pilot to other companies willing and interested to contribute at this level. Existing Akamai customers can broach the topic through their assigned account teams, and others that are interested, feel free to tweet me at @AkamaiRob and I can help get you in touch with the right folks to explore the feasibility and Business Development opportunity.
The final speaker list and agenda have yet to be finalized, but plenty of details are now available regarding BSides Boston 2014. Those details are below. As for the final agenda, stay tuned for that after the call for papers period closes March 31.
The full schedule has been released for next month's SOURCE Boston security conference. This year's keynote speakers are:
- Internationally renowned security technologist and author Bruce Schneier;
- Justine Aitel, who manages cyber security and identity programs at Dow Jones; and
- Dr. Andrea M. Matwyshyn, an academic studying technology innovation and its legal implications, particularly corporate information security regulation and commercial and consumer privacy.
International Data Group (IDG) announced yesterday that its Founder and Chairman, Patrick J. McGovern, died March 19 at Stanford Hospital in Palo Alto, California. Having worked at IDG for five years before coming to Akamai, the news made me profoundly sad. But this post is a celebration of a life well lived and the huge legacy he left in the world of tech media and beyond.
There's a lot of valuable perspective out there regarding the shutdown of Full Disclosure, a mailing list where researchers posted details of exploits and software security holes. I'll share that perspective below. But first, here are my thoughts as an ex-journalist who often relied on it for news.
The great videos David Spark produced during RSA Conference 2014 keep rolling in. In this latest episode, security professionals are asked what they would want if they could be granted one wish. The answers are amusing and, in most cases, unattainable.
Visit the site of our partner Tripwire for a related article.
Learn more about becoming an Akamai Partner: http://www.akamai.com/html/partners/index.html
Learn more about Akamai's solutions for the Commerce industry: http://www.akamai.com/html/industry/retail_consumer.html
One of the big topics at last month's RSA Conference was DevOps, the process by which developers and IT operations work together to speed up development and production at unprecedented levels, pushing sometimes thousands of updates to production in a single day.
Gene Kim (@RealGeneKim), author of "The Phoenix Project" and a huge proponent of DevOps production environments, and Josh Corman (@JoshCorman), CTO of Sonatype, explain the benefits in this Tripwire video:
The Tripwire site includes an article on DevOps. Check it out here.
Following last week's cyber-attacks on Meetup's infrastructure, Antone Gonsalves, a reporter from CSO Online, asked me, for an article he was writing, what steps I would recommend CISOs to take "if they came under a similar attack". I hesitated before giving a softball answer, "don't wait for the attack, prepare for it." I could sense the reporter's frustration immediately. He wanted to give his readers step-by-step instructions, to what I have observed to potentially be a very complex problem.
Our researchers spent much of yesterday tracking a massive DDoS exploiting weaknesses in the Wordpress blogging platform. Most of the news reports are consistent with what we saw, so let's take a look at some of the more comprehensive pieces, starting with a CSOonline blog post from Akamai Security Advocate Dave Lewis. The overall message: This latest attack is just another example of an old and unaddressed problem.
This week's episode of the Akamai Security Podcast is a recap of RSA Conference 2014, and my guests are Stuart Scholly, SVP and General Manager of Akamai's Security Business Unit, Akamai CSO Andy Ellis, and Program Manager Meg Grady-Troia.
Akamai InfoSec personnel will be on hand this weekend to help run the seventh Annual Northeast Collegiate Cyber Defense Competition, in which students are divided into teams to carry out simulated cyber-defense scenarios.
There's an interesting article in Computerworld today about the dangers surrounding Microsoft's plan to finally pull the plug on Windows XP. The argument goes something like this: Many people still use XP, and depriving them of future security patches could lead to devastating malware infections and, by extension, myriad forms of mayhem.
Patch Tuesday is an important calendar item for Akamai customers, given how dominant Windows machines are in many companies. What follows is a preview of Microsoft's March 2014 Security Update.
I've been thinking a lot about the culture of security since RSA Conference 2014, and find myself returning to a topic that got me in trouble three years ago.
Another RSA Conference and BSidesSF is in the books. Here's a look back at our coverage for the week.