Akamai Diversity
Home > May 2014

May 2014 Archives

Cloud-based Media Workflows: A Business Proposition

The following post is part one of a two-part series exploring cloud-based media workflows. Stay tuned for a more technically oriented blog post from Akamai's Professional Services guru Frank Paolino.

When you hear people talking about "the cloud," they're typically discussing its various technical benefits. Elastic scalability, flexibility, availability and other features that end in -bility are often hot topics of conversation. In general, this can be very engaging, worthwhile dialog.

What's Your Favorite Security Conference?

I've been participating in an ongoing, online panel hosted by the Information Security Buzz website. The latest question is, "Based on your experience and knowledge, what would you say is the BEST Information Security event to attend and why?"


6 More Great Security Podcasts

Tuesday, I wrote a post about five security podcasts worth your time. This is a sequel post, directing you toward six more great podcasts that'll make you smarter and better informed about all things InfoSec.

Always a rich source of real-time security monitoring, the Sans Internet Storm Center's podcasts offer quick status checks on threats around the Internet. There's the longer ISC Podcast and the shorter, more frequent Stormcast.
Risk Science is a community-driven podcast to promote the greater understanding and applicability of risk management strategy and practices through active research, discussions, and interviews. Along the way we hope that, with our listeners, we can discover the tools and approaches that we can use to tackle the many issues and challenges we will be facing as an industry.
Features Sophos experts and Naked Security writers Chester Wisniewski and Paul Ducklin. It's produced weekly in a quarter-hour format, and gives you an informative and entertaining take on the latest security news.
 
Hosted by two former federal agents who investigated computer crime, this is a technology podcast covering computer security, crime and forensics topics.
The Hacker News Network Podcast takes a weekly look at the news and views that shape the information security industry and the internet underground. It's hosted by Space Rogue.
A great podcast series that coincides with the annual FIRST conference.
Thumbnail image for Podcast-RSS.jpg

Online Extortion and World Cup Risks

In the latest episode of the Akamai Security Podcast, I talk to CSIRT researcher Mike Kun about the latest threats his team is monitoring, including online extortion attempts and possible disruptions during the World Cup. 


1274644_10202017815313383_1687459603_o.jpg

DDoS, as simple as your ABC's

DDoS tool kits, and DDoS-for-hire along with some bitcoins, anonymous email, a TOR connection and a sense of purpose, has made it trivial for individuals, hacktivist collectives and cyber criminals to launch an effective DDoS attack.

6 Security Podcasts Worth Your Time

Though we have our own show called the Akamai Security Podcast and spend a lot of time promoting it in this blog, there are many other security podcasts worth your time. What follows are six favorites.

1.) Liquidmatrix Podcast

Akamai Security Advocate Dave Lewis hosts this podcast with James Arlen, Matt Johansen and Ben Sapiro.

2.) Network Security Podcast

London-based Akamai Security Advocate Martin McKeay hosts one of the longest-running and most popular podcasts in the industry.

3.) Southern Fried Security Podcast

Join Andy Willingham, Martin Fisher, and Steve Ragan as they discuss information security, news, and interview interesting folks. They focus on the operational and leadership aspects of information security using a distinctly southern viewpoint.

4.) Exotic Liability

Chris Nickerson and Ryan Jones tackle a wide range of security topics in this podcast. Here's how they describe it: Exotic Liability will push you into the new generation of Security. On your own or by force, Chris Nickerson and Ryan Jones will be bringing you the best content from the TOP/ middle and Sewers of the Security industry. No more firewall admins speculating about how attacks happen, these are the pros or even the bad guys. These are the people that make Security tick. If you are tired of the old solutions and rhetoric, join in.

5.) PaulDotCom's Security Weekly

Arguably one of the most popular podcasts on the Internet, Paul Asadoorian and crew live stream the show for video as well as audio. Regular guests include Tenable Security's Jack Daniel.

6.) Risky Business Podcast

Patrick Gray takes a "lighthearted" look at information security news and features.

Podcast-RSS.jpg

PLXsert Eyes Spike in SNMP Reflection DDoS Attacks

Akamai's Prolexic Security Engineering Response Team (PLXsert) has seen a significant resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks this past month.

In an advisory, PLXsert said these DDoS attacks abuse the SNMP protocol, which is commonly supported by network devices such as printers, switches, firewalls and routers.

More Bricks of Security Enlightenment

Akamai Security Advocate Dave Lewis (@gattaca on Twitter) continues his prolific blogging on CSOonline. He has also begun writing for Forbes. What follows are his posts so far for May 2014. We begin with his inaugural Forbes column.

Public Research Docs: The List So Far

Akamai InfoSec has slowly been making its security advisories public. What follows is a list of what has been released so far. 

These can be found in the security research section of the Akamai Security microsite.
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy. (As an historical example, in the wake of CA certificate misissuances, the industry looked at one set of flaws: how any one of the many trusted CAs can issue certificates for any site, even if the owner of that site hasn't requested them to do so; that link is also a quick primer on the certificate hierarchy.)
Three years later, one outcome of the uncertainty around Heartbleed - that any certificate on an OpenSSL server *might* have been compromised - is the mass revocation of thousands of otherwise valid certificates.  But, as Adam Langley has pointed out, the revocation process hasn't really worked well for years, and it isn't about to start working any better now.
Revocation is Hard
The core of the problem is that revocation wasn't designed for an epochal event like this; it's never really had the scalability to deal with more than a small number of actively revoked certificates.  The original revocation model was organized around each CA publishing a certificate revocation list (CRL): the list of all non-expired certs the CA would like to revoke.  In theory, a user's browser should download the CRL before trusting the certificate presented to it, and check that the presented certificate isn't on the CRL.  In practice, most don't.  Partly because HTTPS isn't really a standalone protocol: it is the HTTP protocol tunneled over the TLS protocol.  The signaling between these two protocols is limited, and so the revocation check must happen inside the TLS startup, making it a performance challenge for the web, as a browser waits for a CA response before it continues communicating with a web server.
CRLs are a problem not only for the browser, which has to pull the entire CRL when it visits a website, but also for the CA, which has to deliver the entire CRL when a user visits one site.  This led to the development of the online certificate status protocol (OCSP).  OCSP allows a browser to ask a CA "Is this specific cert still good?" and get an answer "That certificate is still good (and you may cache this message for 60 minutes)."  Unfortunately, while OCSP is a huge step forward from CRLs, it still leaves in place the need to not only trust *all* of the possible CAs, but also make a real-time call to one during the initial HTTPS connection.  As Adam notes, the closest thing we have in the near term to operationally "revocable" certs might be OCSP-Must-Staple, in which the OCSP response (signed by the CA) is actually sent to the browser from the HTTPS server alongside the server's certificate.
One Possible Future
A different option entirely might be to move to DANE (DNSSEC Assertion of Named Entities).  In DANE, an enterprise places a record which specifies the exact certificate (or set of certificates, or CA which can issue certificates) which is valid for a  given hostname into its DNS zone file.  This record is then signed with DNSSEC, and a client would then only trust that specific certificate for that hostname. (This is similar to, but slightly more scalable than, Google's certificate pinning initiative.)
DANE puts more trust into the DNSSEC hierarchy, but removes all trust from the CA hierarchy.  That might be the right tradeoff.  Either way, the current system doesn't work and, as Heartbleed has made evident, doesn't meet the web's current or future needs.
(Footnote:  No conversation made herein around Certificate Transparency, or HSTS, both of which are somewhat orthogonal to this problem.)
This entry crossposted at www.csoandy.com.

Web Security Buzz

Each week, we compile a list of headlines trending on social media and distribute it internally via a newsletter called "Web Security Buzz." We recently decided to start running a public version via this blog.

What follows are some of the stories we've been keeping an eye on for the past couple of weeks.

Big Data 101

Big Data is one of the hottest technology buzzwords today. More and more organizations look to understand and utilize their data better. This video explains what does the term Big Data actually mean, what are the primary tools used for it, and how can Akamai help organizations deal with Big Data.


Microsoft's May 2014 Patch Load

Microsoft released it's May 2014 Security Update Tuesday. The latest vulnerabilities to be addressed affect everything from Windows, Internet Explorer and Office to Microsoft Server Software, Productivity Software and the .NET Framework.

Internet Disruptions Possible During World Cup 2014

Researchers from Akamai's CSIRT team warn of potential Internet disruptions during the upcoming World Cup event. FIFA's World Cup will be held in Brazil starting June 12.

At the 2010 World Cup hosted in South Africa, some 3,170,856 spectators attended 64 matches. FIFA is again distributing a total of over 3,000,000 tickets for the tournament, where Brazilian and international visitors will attend football (soccer) matches in 12 cities across Brazil. Akamai anticipates increased Internet traffic to and from Brazil throughout the tournament.

Podcast: CSO Andy Ellis on Heartbleed

By now, most of you are aware of the Heartbleed vulnerability that sent shockwaves through the tech industry. Like many of you, Akamai had to work overtime to ensure our customers were protected.

We did that, but as is the case with any large security threat, we continue to be vigilant and, while letting everyone know what we did to keep them secure, we're looking back at the lessons learned and how to turn it into even better security going forward.

The details in this episode are not new, as CSO Andy Ellis has blogged at length about it. I've included those links below. But with so many of us working overtime to address Heartbleed, this was my first opportunity to sit down with Andy and discuss it.

imgres.jpg

Related posts:


Microsoft has released advance notification regarding the security updates it plans to release Tuesday. It looks like a busy month of patching ahead. The breakdown is below.

BSides Boston 2014: HallwayCon

As I noted in previous posts, LobbyCon is an important part of any security conference experience. At BSides Boston Saturday, attendees will enjoy the ritual with a special twist.

Organizers call it HallwayCon. A description from the BSides Boston website:

First come, first served! (Sign-up and put your name and topic on the board!) These lightning talks are 15-minute each and will go throughout the entire day.

A variation of this happened during one of the SOURCE Boston after-events last month. That time, folks were encouraged to speak on a topic at a table in one of the local pubs. I enjoyed it, though it was a bit hard to hear everyone from the other side of a packed table. The BSides Boston version will surely take it to the next level.

talks.jpg

BSides Boston 2014: Dan Geer and Heartbleed

I first met Dan Geer 10 years ago, after he debated Microsoft's Scott Charney on the "Microsoft Monoculture" at a USENIX event in Boston. I was just starting to write about security and the man intimidated me. His intellect and speaking style were light years beyond anything I had comprehended before. As a news reporter, you talk to a lot of police officers, firefighters and politicians who speak in plain, familiar terms. Dan Geer was something else entirely.

Over the years, I got to interview him several more times, and he became a personal favorite among all the security luminaries out there. 

Now CISO of In-Q-Tel, the strategic investment partner of the U.S. intelligence community, Geer will be speak at BSides Boston Saturday. He'll focus on Heartbleed.

BSides Boston Keynote Profile: Jack Daniel

An old friend will deliver the first keynote of BSides Boston Friday: Jack Daniel, technical product manager at Tenable Network Security. His talk is called "Doomed to Repeat: InfoSec's Failure to Learn from the Past."


The Flash Crash 4 Years Later: Ready for the Next One?

May 6, 2010 started like most days in the stock market. A few minutes before the U.S. equities markets opened at 9:30 AM, leading brokerage firms opened their internal "market open" conference calls. This is a common practice in the industry: get internal representatives from IT operations, networking, market data systems, software development, etc. on the phone together. Run through checklists making sure all systems are ready for the opening bell at 9:30 AM. Discuss the expected opening rush. What happened in the Asia and European markets overnight? How are the S&P futures looking? Do we have all our web servers up? Are we green? Anyone reporting yellow? OK everyone, continue monitoring your systems as the market opens at 9:30.

BSides Boston 2014: Full Agenda

Bsides Boston 2014 -- scheduled for Friday and Saturday at the Microsoft New England Research & Development (NERD) Center -- promises to be another enlightening event. Akamai is a gold sponsor, and I'll be there both days. If you're thinking of going, here's the full agenda to consider:

bsidesbos_est1.jpg

Microsoft Releases Emergency IE Fix

Internet Explorer users take note: Microsoft issued an emergency security update yesterday to address a serious, widely-publicized vulnerability. Dustin C. Childs of Microsoft's Security Response Center announced the fix in a blog post yesterday.

And you thought your page could not be cached ...

As we carry out performance evaluations for our customers, we often come across very popular pages that are made 'non-cacheable' at the edge. On top of incurring additional latency and therefore a degraded user experience, it generates heavy loads on our customers' origin infrastructure.

Akamai released its Fourth Quarter 2013 State of the Internet Report last week. Security highlights include the following:

  • DDoS traffic increased 23 percent quarter-over-quarter, up by 75 percent from fourth quarter 2012.
  • Enterprise and commerce continued to be the industries targeted most frequently.
  • China remained the top producer of attack traffic, growing to 43 percent of observed attack traffic.
  • The United States also saw significant growth in observed attack traffic, while Indonesia's contribution continued to decline after spiking earlier in the year.
  • Port 445 remained the most targeted port, growing once again and reaching 30 percent of observed attacks. The volume of attacks targeting Port 80 remained steady at 14 percent.