Akamai Diversity

September 2014 Archives

In two weeks, I'll be at the Akamai Edge customer conference. It's a terrific opportunity to meet face-to-face with a lot of our customers and get their feedback on what's working for them and what we can improve upon. A robust Web Security track of talks is planned, and I'll be blogging about it. 

The security track will run each day of Edge. Here's a partial list of what's planned:

Response Rate Limiting Bites Back?

A new kind of DDoS attack is currently stressing DNS infrastructure everywhere. Attackers gain access to DNS resolvers through home gateways with open DNS proxies. Proxies forward large bursts of queries with spoofed IP addresses to whatever resolver they are configured to use, usually an ISP resolver. With these attacks, the overwhelming majority of queries require recursion so resolvers in turn query authoritative servers to get answers.

Setting the Stage for Akamai Edge 2014

If you create the stage setting and it's grand, everyone who enters will play their part.

That was the motto of Morris Lapidus, architect of the Fontainebleau Miami Beach, which will play host to Akamai Edge 2014 in October.

Environment Bashing

[UPDATE: 9/25/2014 11:30AM]

Akamai is aware that the fix to CVE-2014-6271 did not completely address the critical vulnerability in the Bourne Again Shell (bash). This deficiency is documented in CVE-2014-7169. The new vulnerability presents an unusually complex threat landscape as it is an industry-wide risk.

Akamai systems and internal Akamai control systems have been or are being urgently patched or otherwise mitigated in prioritized order of criticality.

Akamai has developed an emergency patch for today's vulnerability which makes function forwarding conditional on the compile-time switch "FUNCTION_EXPORT". We're using it for systems that can't be switched to the Almquist Shell. In the hope that it's useful to others, and for public review, we've posted that patch at https://bit.ly/ShellShockPatch.

_____________

 

About CVE-2014-6271
Today, CVE-2014-6271 was made public after its discovery last week by Stephane Chazelas. This vulnerability in bash allows an adversary who can pass commands to bash to execute arbitrary code. As bash is a common shell for evaluating and executing commands from other programs, this vulnerability may affect many applications that evaluate user input and call other applications via a shell. This is not an Akamai-specific issue; it impacts any system that uses a vulnerable bash.
Akamai has validated the existence of the vulnerability in bash, and confirmed that it has been present in bash for an extended period of time. We have also verified that this vulnerability is exposed in ssh, but only to authenticated sessions. Web applications such as CGI scripts may be vulnerable depending on a number of factors, including whether they call other applications through a shell or evaluate sections of code through a shell.
There are several functional mitigations for this vulnerability: upgrading to a new version of bash, replacing bash with an alternate shell, limiting access to vulnerable services, or filtering inputs to vulnerable services. Akamai has created a WAF rule to filter this exploit; see "For Web Applications" below for details.
Customer Mitigations
Systems under our customers' control which might be impacted include not only vulnerable web applications, but also servers which expose bash in various ways. System owners should apply an updated bash with a fix for this vulnerability as expeditiously as possible. In the meantime, there are several workarounds that may assist.
For SSH servers: Evaluate the users who have access to critical systems, removing non-administrative users until the systems are patched.
For Web Applications: CGI functionality which makes calls to a shell can be disabled entirely as a short-term measure; alternatively, WAF mitigations can be deployed. The following Akamai WAF protections will assist customers who have purchased the Kona Web Application Firewall or Kona Site Defender services:
  • All customers of Akamai's web acceleration services (Ion, Dynamic Site Acceleration, EdgeSuite, Object Delivery, and similar) are protected against some attacks using this vulnerability by Akamai's HTTP normalization. Attack text in Host headers, HTTP version numbers, and similar fields will be silently discarded by the Akamai Platform.
  • Use of the "Site Shield" feature can further enhance the HTTP normalization protection by removing attackers' ability to connect directly to a customer web server.
  • Customers who use the new Kona Rule Set are protected against some attacks using this vulnerability if they enable the Command Injection risk scoring group. This scoring group is being extended today to provide more comprehensive coverage by incorporating specific rule triggers for this vulnerability.
  • We also have a custom WAF rule which provides a targeted defense against this specific vulnerability. This WAF rule operates by filtering on the four-byte attack string '() {' in the request header or body. It can be implemented to cover both headers and query strings (for maximum safety), or headers only (in the event that query strings generate too many false positives). The custom rule is available to customers by contacting their account team. It will be available for self-service today.
  • This custom WAF rule will shortly be available for self-service provisioning for non-KRS customers.
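As an added example (not Akamai's WAF rule and not code from this post), the following Python sketch shows the two matching modes described above for the four-byte '() {' string: headers only, or headers plus query string and body, with URL-decoding applied before matching so an encoded marker is not missed. The sample requests are constructed for the demonstration.

```python
# Added example, not Akamai's rule: flag the '() {' marker in HTTP requests.
from urllib.parse import unquote, urlsplit

MARKER = "() {"  # the four-byte attack string named in the post


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body.decode("latin-1")}


def shellshock_hits(raw: bytes, headers_only: bool = True) -> list:
    """Return the request fields that contain MARKER after URL-decoding.

    headers_only=True mirrors the lower-false-positive mode; False also
    inspects the query string and body (the 'maximum safety' mode).
    """
    req = parse_request(raw)
    hits = []
    for name, value in req["headers"].items():
        if MARKER in unquote(value):
            hits.append("header:" + name)
    if not headers_only:
        if MARKER in unquote(urlsplit(req["target"]).query):
            hits.append("query")
        if MARKER in unquote(req["body"]):
            hits.append("body")
    return hits


# Constructed sample requests for demonstration; not captured traffic.
BENIGN = (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
          b"User-Agent: Mozilla/5.0\r\n\r\n")
HEADER_HIT = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: () { :; }; constructed-test-marker\r\n\r\n")
# Same marker URL-encoded in the query string: %28%29%20%7B decodes to '() {'
QUERY_HIT = (b"GET /search?q=%28%29%20%7B%20test%20%7D HTTP/1.1\r\n"
             b"Host: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("benign", BENIGN), ("header", HEADER_HIT), ("query", QUERY_HIT)]:
        print(label, shellshock_hits(raw), shellshock_hits(raw, headers_only=False))
```

Running it shows the headers-only mode missing the URL-encoded query-string case that the headers-plus-query mode catches, which is the trade-off the post describes.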
Akamai Mitigations
Public-facing Akamai systems and internal Akamai control systems have been or are being urgently patched or otherwise mitigated in prioritized order of criticality. 
For many of our critical systems, Akamai first switched away from using bash to another shell, to protect those systems.  We did not make a universal switch, as the alternate shell was not completely feature-compatible with bash (not all of our systems would continue to operate with this change).
For other systems which could tolerate the downtime, we disabled those systems pending receiving an updated bash. For Akamai web applications which couldn't take an alternate shell and couldn't be disabled, we blocked many Akamai-owned CGI scripts at the Akamai Edge, until we developed and deployed the WAF rules above.

Do you have any evidence of system compromises?

No. And unfortunately, this isn't "No, we have evidence that there were no compromises;" rather, "we don't have evidence that spans the lifetime of this vulnerability." We doubt many people do - and this leaves system owners in the uncomfortable position of not knowing what, if any, compromises might have happened.

PLXsert warns of Spike DDoS Toolkit

Akamai's Prolexic Security Engineering and Research Team (PLXsert) is tracking the spread of Spike, a new malware toolkit that poses a threat to embedded devices, as well as Linux and Windows systems.

Several versions of Spike can communicate and execute commands to infected Windows, desktop Linux and ARM-based devices running the Linux operating system (OS), PLXsert said in an advisory Wednesday morning.

Good Recognition for Akamai's Real-Time Web Monitor

Analyst Daniel Humphries has written a review of several threat monitoring tools for the "Software Advice" website, including a positive assessment of Akamai's Real-Time Web Monitor.

Ours was among five tools Humphries looked at in his report, "Spotlight: Threat Visualizations." The others were Kaspersky's Cyberthreat Real-Time Map, Digital Attack Map -- a joint project between Google and security vendor Arbor Networks -- the Deutsche Telekom Attack Meter, and Trend Micro's Global Spam Map. 

Humphries noted that threat visualization maps are becoming increasingly popular because of the "unique way in which they can illustrate cyber attacks," which are normally unseen to the human eye. "Both the educational and design value of these maps are crucial factors when it comes to successfully enlightening the public about the specific and global nature of security threats, so we wanted to find the best of the best, and highlight what it was that we liked most about each map," he said.

Akamai's Real-Time Web Monitor became a quick front-runner because it has the best of both worlds, he said: It shows a "very large and comprehensive range of threat data, while also having one of the simplest and cleanest interfaces of the maps we featured."

Read the full review here.


We are so excited about Akamai Edge this year that we simply can't wait to share some details.

The 2014 Digital Entertainment lineup at Akamai Edge boasts world-class speakers ready to share their knowledge and expertise starting Wednesday October 8. The program will cover live events, monetization, devices and much more.

Coming Soon: New Security Whiteboard Videos

Last year, we released a bunch of videos containing security whiteboard lessons on a variety of topics. This Thursday we shoot four new episodes. 

Below is a preview of each episode.

  • To see previous security whiteboard videos, go here and here.

Security Topics at Akamai Edge 2014: A Primer

Each year at Akamai Edge we update customers on some of the more persistent threats we've dealt with in the 12 months prior. Slides detailing the 2013 threat picture are available here. For an idea of what we'll be sharing at Edge 2014 in a couple weeks, I've assembled this primer. 

The following blog posts capture the main threats that have kept us busy in recent months:

Akamai Reaches The Beach

Twelve co-workers crammed into vans all weekend? No sleep? No showers? Camping out under the stars? Running in the woods at night? This is not everyone's idea of a good time, but for Team Faster Forward - Akamai it was an amazing experience we will never forget.

Over the last five months, the services and support management teams from Akamai have been working hard on integrating the Akamai and Prolexic Security Operations Center (SOC). Given the progress that we've made along the way, we think it is timely to talk about how this effort from both companies could help our customers against the ever-changing threat landscape.

Public Compliance Docs: The List So Far (Updated Sept. 18)

As previously noted, Akamai InfoSec has been working to make its most sought after compliance documents publicly available. The goal is to make it easier for customers to access the answers they regularly seek, and also to show potential new customers how we operate. 

We're building the foundation in the form of a compliance page on the Akamai Security microsite, and hope to publish up to two fresh public docs a month. What follows is a list of what we've done so far.

Edge-stravaganze

It's that time of year, and again I have the pleasure of participating in two Edge conferences: The panel-based EdgeConf conference in San Francisco this Saturday (Sep 20th) and the Akamai customer conference, Akamai Edge, in Miami on Oct 8-10.

Both conferences are going to be a blast, and I'm looking forward to both.

Web Vulnerabilities: Low-Hanging Fruit for DDoSers

A new Akamai PLXsert whitepaper was released this morning: "Web Vulnerabilities: The foundation of the most sophisticated DDoS campaigns." The paper can be downloaded here.

Security practitioners know this much from long experience: 

Attackers who successfully build botnets and launch DDoS campaigns start by exploiting web vulnerabilities. It is the low-hanging fruit. In the white paper, PLXsert explores specific examples of the exploitation of popular web content management systems and web management suites and how these compromises have led to the development of some of the most advanced and difficult-to-stop DDoS campaigns.


Akamai Security Podcast: Inside the PLXsert

This week, Akamai PLXsert Manager David Fernandez and I discuss the latest attack research from his team. David reviews the fallout from a recent advisory about threats to Linux systems, and offers a preview of upcoming research reports.

  • Listen to the full episode HERE 
You can subscribe to the Akamai Security Podcast and the Security Kahuna podcast from the iTunes store. Hear interviews with Akamai security specialists as well as security luminaries from the larger industry. Preview the podcast here and, to subscribe, click "view in iTunes." Once iTunes launches, you can hit the subscribe button. Thanks for listening!


It's fitting that the Akamai Edge customer conference is in October. It's the same month as National Cyber Security Awareness Month, and we'll have a robust security track at Edge.

2014 World Cup's Digital Fútprint

FIFA World Cup 2014 was one of the largest multimedia sporting events in history. In-person attendance was estimated at more than three and a half million, while hundreds of millions of viewers tuned in via TV, Internet, and radio. Akamai's online traffic statistics estimate this year's event to be ten times larger than the 2010 World Cup in South Africa, and two and a half times larger than the Sochi Winter Olympics. In my role as Akamai's Senior Director of Environmental Sustainability, I was curious about the carbon footprint of such a large event, and how digital and analog attendance compared.

Security Kahuna Podcast, Episode 3

Akamai's Bill Brenner, Dave Lewis and Martin McKeay discuss the pros and cons of Google Glass Detector, software designed to detect Google Glass and boot it from any local Wi-Fi network. They also discuss the iCloud/4Chan controversy and look ahead to upcoming security conferences.

  • Listen to the full episode HERE.
You can subscribe to Security Kahuna and the Akamai Security Podcast from the iTunes store. Hear interviews with Akamai security specialists as well as security luminaries from the larger industry. Preview the podcast here and, to subscribe, click "view in iTunes." Once iTunes launches, you can hit the subscribe button. Thanks for listening!


How to evaluate a DDoS mitigation solution

How fast could your IT team stop a DDoS attack? IDG Research found that it takes an average of 10 hours before a company can even begin to resolve an attack. On average, an attack isn't detected until 4.5 hours after its commencement and typically an additional 4.9 hours passes before mitigation can commence. With outage costs averaging $100,000 per hour, it means that a DDoS attack can cost an Internet-reliant company $1 million before the company even starts to mitigate the attack.

Last year I launched the Akamai Security Podcast. Episode 1 was an interview with Akamai CEO Tom Leighton, who discussed the legacy of Co-Founder Danny Lewin, Akamai's role on 9-11-01, and his vision of Akamai as a major player in the security industry. This week being the anniversary of 9-11, it seems appropriate to re-share.

Listen HERE.

Related content:

9-11 Anniversary: Danny Lewin's Life and Legacy
Internet Security Central To Danny Lewin's Legacy

Akamai Offers Further Guidance to Blunt Linux DDoS Threat

Yesterday's advisory about attackers exploiting Linux vulnerabilities for DDoS assaults got a lot of attention. After hearing the feedback, we decided a follow-up post was necessary to help admins mount a better defense.

I spoke with David Fernandez, head of our Prolexic Security Engineering Research Team (PLXsert), and he offered additional details on the countermeasures.

First, for the basic details of the threat, check out yesterday's post.

Now for the next steps...

Linux Systems Exploited for DDoS Attacks

Linux users have a new threat to worry about.

According to Akamai's Prolexic Security Engineering Research Team (PLXsert), the bad guys have discovered a weakness in Linux systems they can exploit to expand their botnets and launch DDoS attacks. PLXsert released an advisory outlining the danger this morning.

  • The full advisory is available HERE.
  • Also read Akamai Security Advocate Dave Lewis' CSOonline blog post about the threat.

Let's make one thing absolutely clear at the outset: the time to think about the best options for cyber-threat mitigation is NOT when your network is being attacked. In the best-case scenario you will already have a mitigation strategy in place for defending against both network-layer and application-layer attacks. The most important thing to know when you are building a multi-layered approach to securing web applications is that security solutions aren't one-size-fits-all. You have several options to mix and match. Akamai's free eBook, "Threats and Mitigations: A Guide to Multi-Layered Web Security", gives you options for making the choices that best fit both your business and IT infrastructure requirements.

Reminder: Social Engineering Isn't Just An Online Threat

Shortly after DEF CON last month, friend and journalist Steve Ragan made an observation in his Salted Hash blog: People standing in the many long lines at the event were forgetting a basic social engineering risk.