Akamai Diversity

December 2014 Archives

In our last blog post, we discussed aesthetics and the responsiveness of online and mobile merchant sites. Here is the second and final part of the series:

Did the site make as much revenue as it could have?
Part 1 of a 2-Part Blog Series

The peak holiday online shopping season is in full force now. Most eCommerce merchants spent months preparing their sites for an onslaught of web traffic that they both hope for and fear, depending on their role in the organization. If you are in business management (e.g., CIO, CMO or VP of eCommerce) you'll want to encourage as much traffic as possible to your online store while avoiding performance or security problems.

The genre of science fiction and its contributors have given us plenty of glimpses into what the future of mobile devices might look like, from the hand-held communicators of "Star Trek" that inspired the first cellular flip phones to both cinema- and comic-inspired wearable devices. However, compared to the smartphones and other devices that are currently on the market, these formerly advanced devices of the past now look and feel far more antiquated than cutting-edge, becoming more and more obsolete with each new upgrade.

While eCommerce certainly continued to grow year-over-year this holiday season, reports about growth numbers are a mixed bag, depending on who you ask. One thing is for certain, though: mobile commerce hit its stride this year.

The Advantages of Enterprise Cloud Applications

Beyond all the hype, industry reorientations and analyst projections, the emergence of cloud computing as a common internal business tool (whether authorized CRM and data management applications or unauthorized note-taking and organizational tools) is an interesting example of companies following where their employees have led.

Akamai's Prolexic Security Engineering & Response Team (PLXsert) has issued a new advisory about the Xsser mobile remote access Trojan (mRAT), which attackers are using to target iOS and Android devices.

The Xsser mRAT is spread through man-in-the-middle and phishing attacks and may involve cellphone tower eavesdropping for location-specific attacks.

Video: Vulnerability Management vs. Pen Testing

Vulnerability assessment and pen testing both deal with finding and fixing security holes. But they are not the same thing. In this whiteboard presentation, Akamai security researcher Patrick Laverty explains the differences between the two, and how both are critical to the vulnerability management process at Akamai.

Video: Incident Management at Akamai

At Akamai, incidents happen daily. Despite strong controls, it's inevitable that problems will arise when so much content is being handled, processed and distributed within Akamai and on behalf of customers. To deal with that reality, the company has a set of procedures to manage incidents as they materialize. Most incidents are resolved by small interventions in the network. In this whiteboard presentation, Bill Brenner gives an overview.

Video: FedRAMP 101

In this whiteboard presentation, Akamai InfoSec Program Manager James Salerno explains what FedRAMP is, why it was created and why it's become an important part of Akamai's security compliance process.

Video growth is overwhelming the enterprise network.

We have all been there. At work trying to watch the live company all-hands video, or the latest training, or perhaps even the latest YouTube video. But all we end up with are pixelated videos that take forever to start and constantly re-buffer. The workplace video experience can be abysmal if the WAN is not ready. Most of us will avoid a painful experience like that. Or, if we need to watch the content, suffer through it and spend extra time re-playing it until we can get the message. Talk about engaging employees and improving productivity! In all likelihood, at the same time, the IT team has been watching their network choke on all the additional video traffic. And as we all know we are just at the beginning of the video growth curve with HD everywhere, 4K, "engaging video training", etc. Cisco, for example, forecasts that by 2018 IP video will represent 79 percent of all traffic globally.

CSIRT Warns of More Account Checker Fraud

The following was written by CSIRT Manager Mike Kun:

While investigating an attack against an Akamai customer, Akamai's CSIRT discovered a server hosting a web-based attack tool -- a variant of the account checker tool first discovered in 2012.

Dynamic Content: A Short TTL as an Alternative to Purge?

Purging URLs at the Edge when their underlying content changes at the origin infrastructure may seem to be the best way to manage a website's dynamic content. Or is it?

In this post, we'll explore the pros and cons of purging, and offer an alternative when appropriate.

Microsoft's Final Patch Tally for December 2014

Microsoft released its security bulletin for December 2014 this week, fixing security holes in Windows, Exchange, Office and Internet Explorer. The full patch matrix is below.

More Akamai perspective on patching and vulnerability management:

FAQ: Vulnerability in the TLS 1.x protocol

The following advisory was written by CSIRT Manager Mike Kun:

We are aware of a newly-announced vulnerability found by Adam Langley and Brian Smith in some implementations of the TLS 1.x protocol that allows for a man-in-the-middle attack. This can result in insecure compromised transactions over TLS 1.x. For more details, read the original article.

As enterprises further embrace cloud environments for both business- and mission-critical applications, it is important to have easier ways to connect with other cloud-based services. Akamai recognizes this need, which is why we are excited to announce our participation as a Silver sponsor of the Cloud Foundry Foundation. Cloud Foundry is an open source Platform as a Service (PaaS) that provides capabilities to distribute applications to one or more cloud environments. Cloud Foundry is exciting because anyone can download and run it in conjunction with their own private cloud environments, or take advantage of it through service providers who have adopted it, such as IBM Bluemix, HP Helion, and CenturyLink Cloud.

Security Kahuna Podcast: Data Breach Lessons

In the latest episode of the Security Kahuna Podcast, Dave Lewis, Martin McKeay and I discuss the security breach at Sony, lawsuits between the banks and Target, and much more.

Rather than give the latest victims a lashing over mistakes that allowed the breach to happen, we focus on the lessons learned and how companies can better protect themselves going forward.

Microsoft's December 2014 Security Bulletin

Microsoft has released a preview of the security bulletin it plans to release Tuesday, Dec. 9, 2014. If the plan holds, the software giant will release seven bulletins -- three of them for critical vulnerabilities in Windows, Office and Internet Explorer. The full preview is below.

More Akamai perspective on patching and vulnerability management:

1st of a 2-part blog post

SaaS is growing like crazy.

We have all observed the fact that the SaaS market has experienced tremendous growth over the course of the past few years, and that rapid growth is forecasted to continue for the next several years.

Because Akamai is trusted by thousands of online retailers, and in fact all of the top 20 global eCommerce sites, we see and analyze enormous amounts of attack data during events such as Black Friday. This year we tracked requests coming into dozens of online retailers over 24-hour periods for each of the 5 Fridays leading up to Black Friday. During that period we analyzed 4.2 billion HTTP requests directed at dynamic application pages (not including requests for media files, JavaScript or other static objects). For those 4.2 billion requests, we saw 574 million WAF rule triggers. We analyzed which rules were triggered more on Black Friday in order to answer a few questions. Our main goal was to figure out: were the bad guys busy trying to wreak havoc, or were they looking out for some good "deals" of their own?

My Turn on the "Security Influencer" Podcast

I recently sat down for a discussion with Contrast Security CTO Jeff Williams, host of the Security Influencer Podcast. We covered a lot of ground, including the most recent data breaches making news and the recent uptick in attacks against third-party web services.

#GivingTuesday

We are committed to investing in the education of our future innovators. In the spirit of the holiday season, we are proud to contribute to: With a charitable donation in our customers' names!

DD4BC: PLXsert warns of Bitcoin extortion attempts

A Bitcoin extortion campaign is underway, launched by a group of bad actors calling themselves DD4BC. The group repeatedly tried to blackmail Bitcoin exchanges and gaming sites -- threatening victims with DDoS attacks in order to extort bitcoins. Akamai's Prolexic Security Engineering and Response Team (PLXsert) reports the following:

Boston OWASP meeting Dec. 3 at Akamai Headquarters

The Boston chapter of OWASP (Open Web Application Security Project) will have its next meeting at Akamai headquarters the evening of Wednesday, Dec. 3. Details are available on the OWASP Boston website, but here's a summary of the agenda:

Fresh Wave of DNS Record Hijacking Attacks Reported

Akamai has observed a fresh wave of DNS poisoning attacks, where web sites are hijacked and placed under the control of malicious actors.

It's a tactic Akamai has seen before, and there are ways for companies to defend themselves.

Anatomy of attacks
The Domain Name System (DNS) converts the text of a domain name (e.g., akamai.com) to the server's IP address. Using DNS hijacking, a malicious user is able to update DNS records so that the domain resolves to an IP address that they control.

In most organizations, a limited number of people can make updates to their site's information with their DNS registrar. With most registrars, updating records is as simple as logging in to a site with a username and password and changing the values of the DNS servers.

If an attacker is able to use social engineering or phishing to extract those account details, the attacker can then redirect the domain to a different server. In some of the recent cases, this is exactly what happened.

Defensive measures
Companies should make employees aware of the threat and tactics used. Many times in these attacks, the username and password were successfully phished away from someone with the right credentials.

Companies can also lock their domains.

Domains can have locks at both the registry and registrar levels. The site owner can set and control registrar locks. These will prevent any other registrar from being able to successfully request a change to DNS for a domain. The locks that can be set at the registrar level by the site owner are:

  • clientDeleteProhibited
  • clientUpdateProhibited
  • clientTransferProhibited

The clientDeleteProhibited lock will prevent a registrar from deleting the domain records without the owner first unlocking the domain. With the clientUpdateProhibited lock set, the registrar may not make updates to the domain, and with clientTransferProhibited set, the registrar may not allow the domain to be transferred to another registrar. The only exception to these is when the domain registration period has expired. These locks can be set and unset by the site owner, and many registrars will allow these locks at no cost.

A second level of locks can also be put in place and these are set at the registry level. These are controlled by the registry and setting these can incur a cost to the domain owner. These locks are:

  • serverDeleteProhibited
  • serverUpdateProhibited
  • serverTransferProhibited

These locks operate similarly to the registrar locks in what they prevent; however, they offer increased security in that they require a phone call from the registry to the person who issued the change request at the domain's registrar.

The requester will need to give a predetermined pass phrase to get the change made. This lessens the chance of the registrar making accidental or unwanted changes to the DNS records for the domain. Registry-level locks offer a higher degree of security for the domain and may also incur a charge to implement.
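A practical way to act on the advice above is to periodically check which of the six lock statuses a domain actually carries. The following script is an added example, not Akamai's or any registrar's code: it parses `Domain Status:` lines in the WHOIS format (and the spaced status strings RDAP returns) and reports which registrar-level and registry-level locks from the post are missing. The WHOIS text and RDAP list below are constructed samples for a fictitious domain, not live lookups.

```python
"""Audit a domain's EPP status codes for the registrar and registry locks
described in the post. Added example; the sample WHOIS/RDAP data is constructed."""
import re
from typing import Dict, Iterable, List, Optional, Set

# The registrar-level (client*) and registry-level (server*) locks from the post.
REGISTRAR_LOCKS = ("clientDeleteProhibited", "clientUpdateProhibited", "clientTransferProhibited")
REGISTRY_LOCKS = ("serverDeleteProhibited", "serverUpdateProhibited", "serverTransferProhibited")

# Lookup keyed by the lowercase letters-only form, so the EPP camelCase spelling
# used in WHOIS and the spaced spelling used in RDAP map to one canonical name.
_CANONICAL = {name.lower(): name for name in REGISTRAR_LOCKS + REGISTRY_LOCKS}

# WHOIS lines look like "Domain Status: clientDeleteProhibited https://icann.org/epp#..."
_STATUS_LINE = re.compile(r"^\s*Domain Status:\s*(\S+)", re.IGNORECASE)


def normalize_status(raw: str) -> Optional[str]:
    """Map a WHOIS or RDAP status string to its canonical EPP lock name, or None
    if it is not one of the six locks (e.g. "ok", "autoRenewPeriod")."""
    key = re.sub(r"[^a-z]", "", raw.lower())
    return _CANONICAL.get(key)


def parse_statuses(whois_text: str) -> Set[str]:
    """Collect the lock statuses present in a block of WHOIS output."""
    found: Set[str] = set()
    for line in whois_text.splitlines():
        match = _STATUS_LINE.match(line)
        if match:
            canon = normalize_status(match.group(1))
            if canon:
                found.add(canon)
    return found


def statuses_from_rdap(status_values: Iterable[str]) -> Set[str]:
    """Same as parse_statuses, but for the "status" array of an RDAP response."""
    return {canon for canon in map(normalize_status, status_values) if canon}


def audit_locks(present: Set[str]) -> Dict[str, object]:
    """Report which locks are missing at each level, in the order the post lists them."""
    registrar_missing: List[str] = [s for s in REGISTRAR_LOCKS if s not in present]
    registry_missing: List[str] = [s for s in REGISTRY_LOCKS if s not in present]
    return {
        "registrar_missing": registrar_missing,
        "registry_missing": registry_missing,
        "registrar_locked": not registrar_missing,
        "registry_locked": not registry_missing,
    }


# Constructed sample: a domain with two registrar locks and one registry lock set.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-LOCKED.TEST
Registrar: Example Registrar, Inc. (constructed sample)
Domain Status: clientDeleteProhibited https://icann.org/epp#clientDeleteProhibited
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
Name Server: NS1.EXAMPLE-LOCKED.TEST
"""

# Constructed sample of the spaced status strings an RDAP response would carry.
SAMPLE_RDAP_STATUS = ["client delete prohibited", "client update prohibited",
                      "client transfer prohibited", "active"]


def main() -> None:
    for label, present in (("WHOIS sample", parse_statuses(SAMPLE_WHOIS)),
                           ("RDAP sample", statuses_from_rdap(SAMPLE_RDAP_STATUS))):
        report = audit_locks(present)
        print(f"{label}: registrar locks complete={report['registrar_locked']}, "
              f"missing {report['registrar_missing']}")
        print(f"{label}: registry locks complete={report['registry_locked']}, "
              f"missing {report['registry_missing']}")


if __name__ == "__main__":
    main()
```

Feeding real WHOIS output or an RDAP `status` array into `parse_statuses` or `statuses_from_rdap` turns this into a simple recurring check; an alert on any lock that silently disappears is a cheap early warning that someone with registrar credentials has started changing the domain.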