August 2014 Archives
The data center perimeter is dead - web assets cannot be protected by a fortress wall - but a historical view of web protection lives on in the way many IT departments continue to defend their infrastructures. Websites and web applications increasingly live outside the data center. Cloud-based applications and websites are at constant risk from web threats that are becoming more damaging and sophisticated by the day.
As previously noted, Akamai InfoSec has been working to make its most sought after compliance documents publicly available. The goal is to make it easier for customers to access the answers they regularly seek, and also to show potential new customers how we operate.
We're building the foundation in the form of a compliance page on the Akamai Security microsite, and hope to publish up to two fresh public docs a month. What follows is a list of what we've done so far.
Microsoft released its August 2014 Security Update Tuesday. The company's OneNote note-taking software, Internet Explorer browser, Server software, and .NET Framework were most affected this time.
- Listen to the full episode HERE.
My friend Adrian Crenshaw of Irongeek.com has pulled off quite a feat -- posting all of BSidesLV's video-recorded presentations. Pretty impressive, since it's barely been a week since the event opened. Go here to watch the full roster of videos. For this post, I want to share the presentation by Akamai's own Patrice Coles, "Third-Party Service Provider Diligence: Why are we doing it all wrong?"
Akamai Security Storyteller Bill Brenner and Akamai Security Advocates Martin McKeay and Dave Lewis report from Las Vegas during Black Hat, BSidesLV and DEF CON. They are joined by special guests Steve Ragan and Gillis Jones.
They touch on antivirus pioneer John McAfee's appearances at BSidesLV and DEF CON, security luminary Dan Geer's Black Hat keynote, and try to answer the age-old question: Why go to these events?
About our guests:
Steve Ragan is a reporter for CSOonline and CSO Magazine. Gillis Jones is a security consultant at Accuvant.
- Listen to the full episode HERE.
On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published here.
These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.
We currently believe our services are not impacted by CVE-2014-3508, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, and CVE-2014-3512.
We are in the process of rolling out a fix to address vulnerabilities CVE-2014-3511 and CVE-2014-5139 for each of our relevant services.
Akamai is investigating the vulnerabilities further, and will provide additional communication if needed.
Some of the vulnerabilities, as outlined in the advisory, include:
- An information leak in pretty printing functions
- A crash condition with SRP ciphersuite in Server Hello message
- A race condition in ssl_parse_serverhello_tlsext
- Double Free when processing DTLS packets
- A DTLS memory exhaustion condition
- DTLS memory leak from zero-length fragments
- An OpenSSL DTLS anonymous EC(DH) denial of service
- An OpenSSL TLS protocol downgrade attack
- An SRP buffer overrun
In July the New York Department of Financial Services (DFS) proposed comprehensive regulations for virtual currencies including Bitcoin. Under this 40-page proposal, DFS would issue BitLicenses to companies that meet certain criteria. Although most merchants and consumers would not need a BitLicense, most other participants would need one for any virtual currency business activity.
How will these regulations impact the Bitcoin industry, and can the industry adapt to these new requirements?
Let's take a look at the major elements of the regulation.
I was browsing the tables this morning at BSidesLV and came across some books published by No Starch Press, which will also have books on display at DEF CON this weekend.
This is a follow-up post to my recent article entitled "Let's watch the game first and attack later." We received a lot of interest in learning how Akamai's Professional Services could help support a major global online event like the World Cup, and in the details of the attack trends that we observed during the World Cup.
In general, a successful readiness and support approach can be divided into three stages:
- Event Preparation
- Event Execution
- Post Event Wrap-up
A look at security stories in the news that are relevant to Akamai customers and beyond.
Android vulnerability still a threat to many devices nearly two years later (CSOonline)
Microsoft ordered to turn over customer data stored in the cloud (Computerworld)
Federal court says warrant for info stored in Ireland is not an extra-territorial application of U.S. law; decision has privacy implications.
The World's Most Hackable Cars (Dark Reading)
Researchers find 2014 models of Dodge Viper, Audi A8, Honda Accord are the least likely to be hit by hackers.
U.S. government warns of point-of-sale malware campaign (SearchSecurity)
The U.S. government has divulged details on the 'Backoff' point-of-sale malware campaign, which purportedly targets remote access software for entry.
Sandwich Chain Jimmy John's Investigating Breach Claims (KrebsonSecurity)
Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John's may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.