October 2014 Archives
We start with the most recent case, Poodle, and move on to Shellshock and Heartbleed. A full list of resources for all of these incidents can be found here.
We also look ahead to potential security trends in 2015.
Akamai's Prolexic Security Engineering & Research Team (PLXsert) issued a new advisory Monday that provides a full analysis of the Poodle vulnerability, including actions companies can take to blunt the impact.
It's the latest in a series of postings Akamai has done to keep the public informed of its Poodle response. In addition to reviewing this new advisory, please refer to the following posts as well:
This is the latest in a string of severe vulnerabilities this year, including Shellshock and Heartbleed. A full list of resources for all of these incidents can be found here.
While the holiday season may seem far off to consumers, retailers know all too well that it has already begun. But just as the hot toy changes from year to year, so do the issues that retailers face. It's never too early to prepare for the holiday rush, so over the next few weeks we'll be sharing what you should know when it comes to mobile and security trends and how you can prepare accordingly. So first up: mobile trends.
CAMBRIDGE, Mass. - October 23, 2014 - Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today announced availability of the Q3 2014 State of the Internet - Security Report. Akamai's Prolexic Security Engineering and Research Team (PLXsert) is a recognized leader in Distributed Denial of Service (DDoS) protection services and strategies. This quarter's report, which provides analysis and insight into the global attack threat landscape including DDoS attacks, can be downloaded at www.stateoftheinternet.com/security-report.
"DDoS attack size and volume have gone through the roof this year," said John Summers, vice president, Security Business Unit at Akamai Technologies. "In the third quarter alone, Akamai mitigated 17 attacks greater than 100 gigabits-per-second, with the largest at 321 Gbps. Interestingly, we witnessed none of that size in the same quarter a year ago and only six last quarter. These mega-attacks each used multiple DDoS vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed."
Today we've launched the first all-security edition of the State of the Internet report. State of the Internet also has its own website now, where readers can delve into Akamai's threat intelligence, threat advisories, data visualizations and more.
Highlights of the security edition for Q3 2014 include a four-fold year-over-year increase in DDoS attack size and volume, new attacks targeting hand-held devices, and the proliferation of easy-to-use attack tools.
In the latest episode of the Akamai Security Podcast, I talk to CSIRT Manager Mike Kun about what he calls an "interesting new attack vector" where bad actors forgo direct attacks against websites in favor of targeting third-party services the site is using.
"Rather than go against a target directly, bad actors are looking at what other services that website is using," Kun explains. "A simple one is DNS. If the attacker can compromise the registrar a site is hosted with, they can easily change the IP address mapping and point that at some other site."
Those who go for such attacks include hacktivist groups looking to deface sites, or someone looking to steal information or drop malware for myriad purposes.
Widget providers are among the targeted. Kun notes that the chat function now available on many e-commerce sites is usually supplied by third parties.
"Sites are linking to code from third-party sites instead of running local code," Kun says. "So if an attacker can compromise that widget, they can attack your site."
- Listen to the full episode here.
It's been a year of major security vulnerabilities. Last week we worked to mitigate the Poodle vulnerability. Two weeks before that was Shellshock and in April we had Heartbleed. All have shaken the security industry to the core, and Akamai staff have spent countless hours working to protect customers against these threats.
To get a wider perspective of our actions in the face of such incidents, here's a collection of resources -- essentially everything we've had to say about Poodle, Shellshock and Heartbleed.
May you find it useful and insightful.
The Boston Application Security Conference (BASC) was this past weekend, and Patrick Laverty from Akamai InfoSec's CSIRT team gave a talk called "How Hackers View Your Web Site."
Patrick recorded the talk and posted it on his YouTube channel. Like everything he does, it's quite good. So I'm sharing it here.
Laverty described his talk this way:
"As defenders, we have to be right 100% of the time where an attacker only needs to be right once. The attack surface of a modern web site is incredibly large and we need to be aware of all of it. Additionally, individual attacks may not always be effective but sometimes using them together can gain the desired effect. In this talk, we'll take a look at the whole attack surface for a typical web site and the various ways that an attacker will use to compromise a site."
The Poodle attack (CVE-2014-3566) raised many questions from our customers, peers, auditors, and prospects. This post addresses some of the most frequently asked questions, and provides an update on how Akamai is handling its operations during this industry-wide event. For a basic background on Poodle, please read Akamai CSO Andy Ellis's overview blog post, or Akamai Security Researcher Daniel Franke's in-depth analysis.
Attackers are using Universal Plug and Play (UPnP) devices to launch massive DDoS assaults, Akamai's Prolexic Security Engineering & Research Team (PLXsert) warned this morning in an advisory.
PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That's about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices with members of the security community in an effort to collaborate on cleanup and mitigation efforts.
An attack affectionately known as "POODLE" (Padding Oracle On Downgraded Legacy Encryption) should put a stake in the heart of SSL, and move the world forward to TLS. There are two interesting vulnerabilities: POODLE, and the SSL/TLS versioning fallback mechanism. Both of these vulnerabilities are discussed in detail in the initial disclosure.
POODLE is a chosen-plaintext attack similar in effect to BREACH; an adversary who can trigger requests from an end user can extract secrets from the sessions (in this case, encrypted cookie values). This happens because the padding on SSLv3 block ciphers (to fill out a request to a full block size) is not verifiable - it isn't covered by the message authentication code. This allows an adversary to alter the final block in ways that will slowly leak information (based on whether their alteration survives verification or not, leaking information about *which* bytes are interesting). Thomas Pornin independently discovered this, and published at StackExchange.
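To make the root cause concrete, here is an added illustration (not code from the original post or from Akamai) of the receiver-side padding check that SSLv3 and TLS 1.0+ perform on a decrypted CBC record laid out as plaintext || MAC || filler || length byte. It assumes a 16-byte block, HMAC-SHA1 as a stand-in for the record MAC (SSLv3's real MAC differs, but it likewise never covers the padding), and a constructed key and cookie string; the point it shows is that SSLv3 can only check the length byte, so altered filler bytes pass verification, whereas TLS rejects them.

```python
import hashlib
import hmac
import os

BLOCK = 16      # CBC block size (AES)
MAC_LEN = 20    # SHA-1 output length
MAC_KEY = b"constructed-demo-mac-key"  # constructed sample key, not a real secret

def record_mac(plaintext: bytes) -> bytes:
    # Both protocols MAC only the plaintext; the padding is never covered.
    return hmac.new(MAC_KEY, plaintext, hashlib.sha1).digest()

def pad(body: bytes, tls_padding: bool) -> bytes:
    # Pad to a block boundary; the last byte n is the count of filler bytes before it.
    # TLS 1.0+: every filler byte equals n. SSLv3: filler bytes are undefined (random here).
    n = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    filler = bytes([n]) * n if tls_padding else os.urandom(n)
    return body + filler + bytes([n])

def verify(record: bytes, tls_padding: bool) -> bool:
    # Receiver-side check on the decrypted record: plaintext || MAC || filler || n.
    n = record[-1]
    if n + 1 > len(record) - MAC_LEN:
        return False
    if tls_padding:
        if record[-(n + 1):] != bytes([n]) * (n + 1):   # every padding byte is checked
            return False
    elif n >= BLOCK:        # SSLv3: the only checkable property of the padding
        return False
    body = record[:len(record) - n - 1]
    return hmac.compare_digest(body[-MAC_LEN:], record_mac(body[:-MAC_LEN]))

def corrupt_filler(record: bytes) -> bytes:
    # Flip every filler byte but leave the length byte alone: models a decrypted
    # final block whose filler was altered in transit while n still reads the same.
    n = record[-1]
    start = len(record) - n - 1
    return record[:start] + bytes(b ^ 0xFF for b in record[start:-1]) + record[-1:]

def demo(plaintext: bytes = b"Cookie: session=abcd") -> dict:
    # Constructed 20-byte cookie value; with a 20-byte MAC this leaves 7 filler bytes.
    body = plaintext + record_mac(plaintext)
    out = {"pad_len": (BLOCK - (len(body) + 1) % BLOCK) % BLOCK}
    for name, tls in (("sslv3", False), ("tls", True)):
        rec = pad(body, tls)
        out[name + "_intact"] = verify(rec, tls)
        out[name + "_corrupted_filler"] = verify(corrupt_filler(rec), tls)
    return out
```

Because SSLv3 acceptance depends only on the value of that last byte, whether a record passes tells an observer exactly one thing about the final decrypted block, which is the one-byte-at-a-time leak the post describes.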
The following is an excerpt from Akamai Security Researcher Daniel Franke's blog post on the POODLE vulnerability.
Bodo Möller, Thai Duong, and Krzysztof Kotowicz have just broken the internet again with POODLE, a new and devastating attack against SSL. POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption, permits a man-in-the-middle attacker to rapidly decrypt any browser session which utilizes SSL v3.0 -- or, as is generally the case, any session which can be coerced into utilizing it. POODLE is a death blow to this version of the protocol; it can only reasonably be fixed by disabling SSL v3.0 altogether.
This post is meant to be a "simple as possible, but no simpler" explanation of POODLE. I've tried to make it accessible to as many readers as possible and yet still go into full and accurate technical detail and provide complete citations. However, as the title implies, I have a second goal, which is to explain not merely how POODLE works, but the historical mistakes which allow it to work: mistakes that are still with us even though we've known better for over a decade.
When you consider security solutions, there is no catchall Internet security solution that addresses every web application security challenge. A multi-layered approach to Internet security is the most effective way to guard against all types of cyber-attacks, including DDoS, application-layer attacks and data breaches. But this is much more than security technology and tools. You need to add what we call "Internet hygiene" to your defenses - taking internal measures to identify and minimize vulnerabilities in your websites and web applications.
Articles I'm reading include such topics as the mounting cost of social engineering, the Mayhem Botnet's exploitation of Shellshock, and some tips for better security in the healthcare industry.
- First installment: Vulnerability Management vs. Penetration Testing
Akamai Edge 2014 begins today and tomorrow with two days of Akamai University and API Boot camp. To coincide with this, I'm running two security lessons that are part of an upcoming video series. This is the first installment, written by Akamai CSIRT researcher Patrick Laverty.
The ongoing protests in Hong Kong are attracting worldwide attention. Less visible is a connection to the ongoing DNS-based DDoS attacks that started early this year. On Sunday, Sept 28 attackers used DNS based DDoS to target Passion Times, a local Hong Kong newspaper (http://www.passiontimes.hk/). The site was brought down for most of the day and had to resort to Facebook (https://www.facebook.com/passiontimes) in order to get the news out.
"What is art? Are we art? Is art, art?"
Yesterday, we released an article on Akamai's security site detailing all of the CVE advisories now in circulation for Shellshock, and how they relate to Akamai's mitigation strategies. At the time we published, details had not yet been released for two of the six advisories -- CVE-2014-6277 and CVE-2014-6278.
Late yesterday, those details were finally released.
- Verify that the system/application is not using bash (if so, we disabled the vulnerable feature in bash or switched shells);
- Test that the disabled feature/new shell operates seamlessly with the application (if not, we repeated with alternate shells);
- Accept upstream patches for all software/applications where available (this is an ongoing process, as vendors provide updates to their patches); and
- Review/Audit system/application performance to update non-administrative access and disable non-critical functions.