Akamai Diversity
Home > January 2015

January 2015 Archives

Behind the Live Stream of Super Bowl XLIX

For content distribution of its live stream of Super Bowl XLIX, NBC Sports Digital has again turned to Akamai to help deliver the online experience through its NBC Sports Live Extra streaming service. Live events and live sports are not unfamiliar to us at Akamai. We just wrapped up 2014 with record traffic and viewership for multi-day events including the Winter Olympics and the World Cup.

Update on CVE-2015-0235

On Tuesday, Akamai learned about and published a blog post highlighting a public vulnerability in the GNU C Library that could be exploited and used to take remote control of vulnerable Linux systems. Today, following our internal investigation, we have some additional information to share.

How Is Akamai protected?

Akamai's engineers have examined the primary software components that power the Akamai platform and to date have found they are not exposed to this flaw. Regardless, we are exercising caution and are patching older deployments of glibc. We recommend that other members of the Akamai community follow suit.

How can Akamai help protect my business?

Akamai Cloud Security products can provide partial protection against the glibc GHOST vulnerability, for example, by inspecting and filtering parameters sent in URL, header fields, or POST body to your application.

Today, we have defined and deployed protections for some customers to check and limit the length of HTTP headers like X-Forwarded-For, Referer, and Via in order to deliver this protection.

Finally, providing this protection requires deep knowledge of your application and its input space, including which portions of the HTTP request might eventually make their way into a gethostbyname call.

Please work directly with your Akamai Professional Services representative to define an appropriate Kona custom rule or other mitigation.

The Q4 2014 State of the Internet - Security report is out today. We've previewed sections this past week (see sidebar below), but now we can share some numbers.

PREVIEW POSTS:


DNS Hijacking: Dangers and Defenses

By Patrick Laverty, Clark Shishido, Dave Lewis, Mike Kun, Larry Cashdollar and Bill Brenner

We're always concerned about where the next attack is coming from. We worry about DDoS, SQL injection, defacements and a host of other attack techniques. One attack in particular can bypass even the best security protections and give attackers the keys to the kingdom.

That attack is called DNS Hijacking. This happens when attackers gain access to a domain registrar account and change the DNS resource recordsto point to server(s) under the attacker's control.

Update on IPv6 Adoption

In the third quarter of 2013, the State of the Internet Report started to include insight into IPv6 adoption based on data gathered from across the Akamai Intelligent Platform™. Throughout the last year, we've seen impressive growth rates across the top countries and network providers on both a quarterly and yearly basis as native IPv6 connectivity is made available to more end users.

Latest Security Whiteboard Videos

Last month, we released three new security whiteboard videos. Here's the whole package, for your viewing pleasure and ongoing security education.


At Akamai, incidents happen daily. Despite strong controls, it's inevitable that problems will arise when so much content is being handled, processed and distributed within Akamai and on behalf of customers. To deal with that reality, the company has a set of procedures to manage incidents as they materialize. Most incidents are resolved by small interventions in the network. In this whiteboard presentation, Bill Brenner gives an overview.


Vulnerability assessment and pen testing both deal with finding and fixing security holes. But they are not the same thing. In this whiteboard presentation, Akamai security researcher Patrick Laverty explains the differences between the two, and how both are critical to the vulnerability management process at Akamai.


In this whiteboard presentation, Akamai InfoSec Program Manager James Salerno explains what FedRAMP is, why it was created and why it's become an important part of Akamai's security compliance process.



A public vulnerability in the GNU C Library that could be exploited to take remote control of vulnerable Linux systems was recently disclosed. Akamai is aware of this disclosure and is currently evaluating its exposure to this vulnerability, if any.

Specifically, the problem is a heap-based buffer overflow in the glibc's __nss_hostname_digits_dots() function used in gethostbyname() and gethostbyname2() glibc function calls. The vulnerability, commonly known as "Ghost" in the media, affects Linux systems.

Here are some excerpts from information that is publicly available:

  • According to the Red Hat Bugzilla advisory, an attacker could remotely exploit this condition to make an application call either of these functions. In the process, the attacker could launch malicious code with the permissions of the user running the application.
  • Threatpost published a report on the vulnerability this morning, having this to say:  "The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2 in Linux systems published in November 2000."
  • The issue was first reported Tuesday by security vendor Qualys. In a separate advisory, Qualys researchers said they stumbled upon the vlnerability during an internal code audit. "We discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc)," Qualys said in the advisory. "This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it -- and its impact -- thoroughly, and named this vulnerability GHOST."


    The issue has so far been addressed in several popular Linux distributions.

Blizzard 2015: The Power Of Redundancy

A blizzard rages outside as I write this, and the governor of Massachusetts has banned travel on the roads. Many of us from Akamai's Cambridge headquarters will spend today at home, and possibly tomorrow.

But Akamai will continue to run. Being spread across the globe makes that a given. It illustrates the power of redundancy.

Luna Authentication and Authorization

Yesterday, my colleague Michael Smith shared a write-up on Akamai's Luna Authentication and Authorization services, telling his Twitter followers: "This will save your life if you are an Akamai customer. Set it up now."

It is an important part of what we offer, and a refresher course is appropriate here as well. So here we go:

We continue to preview sections of the Q4 State of the Internet - Security Report due out next week. Last week we told you about a DDoS attack from a group claiming to be Lizard Squad and the unintended consequences of many bots, spiders and scrapers. Tuesday, we shared a history of malware evolution.

Today, we preview the Attack Metrics/Trends section of the report, and what we see for the future.

Yesterday in Tel Aviv, investors, VCs, and entrepreneurial supporters watched as six cybersecurity startups presented their businesses. These companies have just completed the Microsoft Ventures Accelerator Akamai was proud to partner with Microsoft in this exciting program through business and technical/engineering mentoring as well as financial support. You can read my colleague's post detailing his experience as a technical mentor here.

Cybersecurity Mentorship Experiences: My 4 Insights

Through the Akamai-Microsoft cybersecurity accelerator program, I had the privilege to act as a mentor to six cyber-security startups. The accelerator ran through Fall 2014, now coming to an end with the demo-day planned for January 21st, 2015.
The Internet is a far more complex entity than the "series of tubes" image that is often invoked. Similarly, keeping up with the current solutions for your IT infrastructure and modern application delivery, such as the Application Delivery Controller (ADC), may seem equally daunting if you're not staying current with the key terminology; fortunately, Akamai is here to help you navigate the current atmosphere:

Malware Evolution: A History

With the Q4 State of the Internet - Security Report due out later this month, we continue to preview sections of it. 

Last week we told you about a DDoS attack from a group claiming to be Lizard Squad and the unintended consequences of many bots, spiders and scrapers. Today, we preview the evolution of malware -- including the way security researchers label it.

The Trouble With Bots, Spiders and Scrapers

With the Q4 State of the Internet - Security Report due out later this month, we continue to preview sections of it.

Earlier this week we told you about a DDoS attack from a group claiming to be Lizard Squad. Today we look at how third-party content bots and scrapers are becoming more prevalent as developers seek to gather, store, sort and present a wealth of information available from other websites.

These meta searches typically use APIs to access data, but many now use screen-scraping to collect information.

As the use of bots and scrapers continues to surge, there's an increased burden on webservers. While bot behavior is mainly harmless, poorly-coded bots can hurt site performance and resemble DDoS attacks. Or, they may be part of a rival's competitive intelligence program.

Understanding the different categories of third-party content bots, how they affect a website, and how to mitigate their impact is an important part of building a secure web presence.

Security Kahuna Podcast, 1-13-15

Microsoft's announcement that it will no longer offer advance patch notification to the masses has rekindled the debate over how best to handle vulnerability disclosure. Bill Brenner, Dave Lewis and Martin McKeay discuss this and other issues.



Open Redirect, XSS and SEO Attacks

A couple of months ago, my colleague Or Katz published an article about an interesting trend that he uncovered, in which Black Hat SEO marketers where abusing Open Redirect vulnerabilities on popular websites to increase the popularity of advertisement sites.

By PLXsert
January 12, 2015

'Twas the season for a not-so-jolly DDoS attack from a group claiming to be Lizard Squad - flinging Christmas tree packets as they are commonly known. Details of the DDoS attack indicate the ongoing development of DDoS attack tools. And while not the largest DDoS attack to date, this TCP flag DDoS attack would hinder or completely clog most corporate infrastructures. One packet exhibited the most flags set of all the packets - only an ACK flag was missing.

Our series of posts over the past few weeks covered a number of topics regarding the new world of application delivery, from discussions about the challenges posed by globalization to summaries of the benefits of a Cloud-based application delivery solution. We concluded on how you can move your business forward in terms of application delivery, and now it's important to lay out a number of best-practice techniques for getting the most out of your chosen solution.

ShmooCon Security Conference This Weekend

ShmooCon has always been one of my favorite security conferences. Unfortunately, I can't be there this year. But for those who are going this weekend, here's what to expect.

Mobile Networks - Performance Testing

There has been a huge surge in the demand to access a variety of popular applications via mobile devices. The demand for access to business information and websites through mobile technologies has caused the business managers to drive mobility as part of their business technology. It is becoming imperative for companies to have their content effectively available on the mobile devices.

Akamai Security Advocate Dave Lewis and I made Tripwire's list of "Top Influencers in Security You Should Follow in 2015."

For each security practitioner selected, Tripwire included Twitter handles, blog URLs and reasons for selecting the individuals. Tripwire also asked us what infosec-related superpower we wished to have, in keeping with this year's theme of "InfoSec Avengers."

Thanks to Tripwire for including us on the list!

Accelerating Single Page Apps and Mobile Apps

Single page apps and hybrid mobile apps share something in common: a rich semi-static wrapper that makes API calls for small objects, normally JSON. It is a performance oriented design pattern where large content is cached as close as possible to the client (Edge server, client cache, etc.) and non-cacheable content is small and can be compressed and minified.

This morning Akamai released its State of the Internet Report for the third quarter of 2014. Here are the security highlights:

Recently, the Akamai Threat Research Team unveiled a unique distributed brute force attack campaign targeting nearly five hundred WordPress applications. What's interesting about this campaign? It clearly demonstrates how Web attackers are becoming more sophisticated, attempting to evade security controls - specifically Web Application Firewalls (WAFs) and rate control protections.

Continue reading on "The Security Ledger": https://securityledger.com/2014/12/cat-and-mouse-web-attacks-increasingly-sidestep-waf-protections/

Data Breaches Fuel Login Attacks

The following PLXsert advisory came out last week, but I'm just back from vacation and catching up on what I missed. This one is high-risk and worth mentioning here.

Public dumps of compromised data from several high-profile attacks have fueled an increase in automated and systematic attempts to reuse stolen credentials at multiple websites.

The requests show user agents are systematically randomized. One of the most targeted sectors is online financial services. Other industries targeted by these brute force attacks are online entertainment, high tech consulting and Software-as-aService(SaaS).

Although our goal was to publish it in mid-December, unexpectedly busy schedules and holiday time off derailed those plans. Fear not, though, as the Q3 2014 State of the Internet Report will be published just after the start of the New Year. As a belated holiday present for our readers, we will also be launching an updated connectivity visualization on the State of the Internet website, a new State of the Internet subspace on the Akamai Community, and an updated mobile application for iOS devices.

What type of device are you using to read this post right now?

No sixth sense is necessary to determine that the answer would range from "laptop," to "smartphone." Nor would it be required to guess that you already have several work-related emails in your inbox that are stamped with "Sent from my iPhone." It's also likely that this has caused controversy amongst the Android users in your life at least once.

January OWASP Boston Meeting at Akamai

The January meeting of OWASP Boston is Wednesday, 6:30 p.m., at Akamai Headquarters -- 150 Broadway, on the 2nd floor.

Akamai CSIRT's Patrick Laverty will give a talk called "How a Hacker Views Your Web Site."

Laverty offered these details of the talk:

As defenders, we have to be right 100 percent of the time where an attacker only needs to be right once. The attack surface of a modern web site is incredibly large and we need to be aware of all of it. Additionally, individual attacks may not always be effective but sometimes using them together can gain the desired effect. In this talk, we'll take a look at the whole attack surface for a typical web site and the various ways that an attacker will use to compromise a site.

Laverty gave this presentation at the Boston Application Security Conference (BASC) in October, and it was well received.

Boston OWASP (The Open Web Application Security Project) meetings happen the first Wednesday of each month, usually at Akamai headquarters.

You can also watch Laverty deliver a talk on the differences between vulnerability management and penetration testing here.

Although our goal was to publish it in mid-December, unexpectedly busy schedules and holiday time off derailed those plans. Fear not, though, as the Third Quarter, 2014 State of the Internet Report will be published just after the start of the New Year. As a belated holiday present for our readers, we will also be launching an updated connectivity visualization on the State of the Internet Web site, a new State of the Internet subspace on the Akamai Community, and an updated mobile application for iOS devices.
2nd of a 2-part blog post. Read the first one now! It's all about the user experience

At Akamai, our observation through in-depth discussions with our 150+ SaaS Provider customers, and ongoing engagements with analysts and press, is that the best way for SaaS Providers to increase customer retention and minimize churn is to have a maniacal focus on the end-user experience.

2015 Security Conferences: A Comprehensive List

Compiling a full list of security conferences for a 12-month period is hard. There are the obvious ones, like RSA, Black Hat and Defcon. But there are countless more with content and networking opportunities security practitioners can benefit from.

To that end, I want to direct you to this excellent list from Henry Dalziel, a security blogger with Concise Courses. It's the most comprehensive list I've ever seen.

2015 Security Predictions: Sort Of

I've never been a fan of security predictions, though I've written about them too many times to count.

I guess that makes me a hypocrite. I could take the high road and tell you my bosses always make me write about it, but why pass the buck? In the world of tech media, we ALL write about predictions.

Call it a case of doing one of those tasks you hate because, like changing diapers or taking out the trash, it has to be done.