January 2015 Archives
On Tuesday, Akamai learned about and published a blog post highlighting a public vulnerability in the GNU C Library that could be exploited and used to take remote control of vulnerable Linux systems. Today, following our internal investigation, we have some additional information to share.
How Is Akamai protected?
Akamai's engineers have examined the primary software components that power the Akamai platform and to date have found they are not exposed to this flaw. Regardless, we are exercising caution and are patching older deployments of glibc. We recommend that other members of the Akamai community follow suit.
How can Akamai help protect my business?
Akamai Cloud Security products can provide partial protection against the glibc GHOST vulnerability, for example, by inspecting and filtering parameters sent in URL, header fields, or POST body to your application.
Today, we have defined and deployed protections for some customers to check and limit the length of HTTP headers like X-Forwarded-For, Referer, and Via in order to deliver this protection.
Finally, providing this protection requires deep knowledge of your application and its input space, including which portions of the HTTP request might eventually make their way into a gethostbyname call.
Please work directly with your Akamai Professional Services representative to define an appropriate Kona custom rule or other mitigation.
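The header-length check described above, as an added illustration (not Akamai's Kona rule or any Akamai code): it parses a raw HTTP request and reports any X-Forwarded-For, Referer or Via value longer than a per-header limit. The limits and the sample requests are constructed assumptions; real limits must be tuned to the application's legitimate traffic.

```python
# Assumed per-header byte limits for the headers named in the post.
# These numbers are illustrative, not recommended values.
HEADER_LIMITS = {
    "x-forwarded-for": 256,
    "referer": 2048,
    "via": 256,
}


def parse_headers(raw):
    """Split the header block of a raw HTTP/1.1 request into (name, value) pairs.

    Names are lower-cased so matching is case-insensitive; duplicate headers
    are kept as separate entries so every value gets checked.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line, header_lines = lines[0], lines[1:]
    headers = []
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line: %r" % line)
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def check_request(raw, limits=HEADER_LIMITS):
    """Return [(header, actual_length, limit)] for every header over its limit.

    An empty list means the request passes the length check.
    """
    _, headers = parse_headers(raw)
    violations = []
    for name, value in headers:
        limit = limits.get(name)
        if limit is not None and len(value) > limit:
            violations.append((name, len(value), limit))
    return violations


# Constructed sample requests: one within limits, one with an oversized
# X-Forwarded-For value of the kind the rule is meant to stop.
OK_REQUEST = ("GET / HTTP/1.1\r\nHost: example.com\r\n"
              "X-Forwarded-For: 198.51.100.7\r\nVia: 1.1 proxy\r\n\r\n")
BAD_REQUEST = ("GET / HTTP/1.1\r\nHost: example.com\r\n"
               "X-Forwarded-For: " + "1" * 1024 + "\r\n\r\n")

if __name__ == "__main__":
    print(check_request(OK_REQUEST))   # []
    print(check_request(BAD_REQUEST))  # [('x-forwarded-for', 1024, 256)]
```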
The Q4 2014 State of the Internet - Security report is out today. We've previewed sections this past week (see sidebar below), but now we can share some numbers.
By Patrick Laverty, Clark Shishido, Dave Lewis, Mike Kun, Larry Cashdollar and Bill Brenner
We're always concerned about where the next attack is coming from. We worry about DDoS, SQL injection, defacements and a host of other attack techniques. One attack in particular can bypass even the best security protections and give attackers the keys to the kingdom.
That attack is called DNS Hijacking. It happens when attackers gain access to a domain registrar account and change the DNS resource records to point to server(s) under the attacker's control.
In the third quarter of 2013, the State of the Internet Report started to include insight into IPv6 adoption based on data gathered from across the Akamai Intelligent Platform™. Throughout the last year, we've seen impressive growth rates across the top countries and network providers on both a quarterly and yearly basis as native IPv6 connectivity is made available to more end users.
Last month, we released three new security whiteboard videos. Here's the whole package, for your viewing pleasure and ongoing security education.
At Akamai, incidents happen daily. Despite strong controls, it's inevitable that problems will arise when so much content is being handled, processed and distributed within Akamai and on behalf of customers. To deal with that reality, the company has a set of procedures to manage incidents as they materialize. Most incidents are resolved by small interventions in the network. In this whiteboard presentation, Bill Brenner gives an overview.
Vulnerability assessment and pen testing both deal with finding and fixing security holes. But they are not the same thing. In this whiteboard presentation, Akamai security researcher Patrick Laverty explains the differences between the two, and how both are critical to the vulnerability management process at Akamai.
In this whiteboard presentation, Akamai InfoSec Program Manager James Salerno explains what FedRAMP is, why it was created and why it's become an important part of Akamai's security compliance process.
A public vulnerability in the GNU C Library that could be exploited to take remote control of vulnerable Linux systems was recently disclosed. Akamai is aware of this disclosure and is currently evaluating its exposure to this vulnerability, if any.
Specifically, the problem is a heap-based buffer overflow in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. The vulnerability, commonly known as "Ghost" in the media, affects Linux systems.
Here are some excerpts from information that is publicly available:
- According to the Red Hat Bugzilla advisory, an attacker could remotely exploit this condition to make an application call either of these functions. In the process, the attacker could launch malicious code with the permissions of the user running the application.
- Threatpost published a report on the vulnerability this morning, having this to say: "The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2 in Linux systems published in November 2000."
- The issue was first reported Tuesday by security vendor Qualys. In a separate advisory, Qualys researchers said they stumbled upon the vulnerability during an internal code audit. "We discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc)," Qualys said in the advisory. "This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it -- and its impact -- thoroughly, and named this vulnerability GHOST."
The issue has so far been addressed in several popular Linux distributions.
A blizzard rages outside as I write this, and the governor of Massachusetts has banned travel on the roads. Many of us from Akamai's Cambridge headquarters will spend today at home, and possibly tomorrow.
But Akamai will continue to run. Being spread across the globe makes that a given. It illustrates the power of redundancy.
Yesterday, my colleague Michael Smith shared a write-up on Akamai's Luna Authentication and Authorization services, telling his Twitter followers: "This will save your life if you are an Akamai customer. Set it up now."
It is an important part of what we offer, and a refresher course is appropriate here as well. So here we go:
We continue to preview sections of the Q4 State of the Internet - Security Report due out next week. Last week we told you about a DDoS attack from a group claiming to be Lizard Squad and the unintended consequences of many bots, spiders and scrapers. Tuesday, we shared a history of malware evolution.
Today, we preview the Attack Metrics/Trends section of the report, and what we see for the future.
Yesterday in Tel Aviv, investors, VCs, and entrepreneurial supporters watched as six cybersecurity startups presented their businesses. These companies have just completed the Microsoft Ventures Accelerator. Akamai was proud to partner with Microsoft in this exciting program through business and technical/engineering mentoring as well as financial support. You can read my colleague's post detailing his experience as a technical mentor here.
With the Q4 State of the Internet - Security Report due out later this month, we continue to preview sections of it.
Last week we told you about a DDoS attack from a group claiming to be Lizard Squad and the unintended consequences of many bots, spiders and scrapers. Today, we preview the evolution of malware -- including the way security researchers label it.
Earlier this week we told you about a DDoS attack from a group claiming to be Lizard Squad. Today we look at how third-party content bots and scrapers are becoming more prevalent as developers seek to gather, store, sort and present a wealth of information available from other websites.
These meta searches typically use APIs to access data, but many now use screen-scraping to collect information.
As the use of bots and scrapers continues to surge, there's an increased burden on webservers. While bot behavior is mainly harmless, poorly-coded bots can hurt site performance and resemble DDoS attacks. Or, they may be part of a rival's competitive intelligence program.
Understanding the different categories of third-party content bots, how they affect a website, and how to mitigate their impact is an important part of building a secure web presence.
A couple of months ago, my colleague Or Katz published an article about an interesting trend that he uncovered, in which Black Hat SEO marketers were abusing Open Redirect vulnerabilities on popular websites to increase the popularity of advertisement sites.
January 12, 2015
'Twas the season for a not-so-jolly DDoS attack from a group claiming to be Lizard Squad, flinging what are commonly known as Christmas tree packets. Details of the DDoS attack indicate the ongoing development of DDoS attack tools. And while not the largest DDoS attack to date, this TCP flag DDoS attack would hinder or completely clog most corporate infrastructures. One packet exhibited the most flags set of all the packets observed; only the ACK flag was missing.
Our series of posts over the past few weeks covered a number of topics regarding the new world of application delivery, from discussions about the challenges posed by globalization to summaries of the benefits of a Cloud-based application delivery solution. We concluded on how you can move your business forward in terms of application delivery, and now it's important to lay out a number of best-practice techniques for getting the most out of your chosen solution.
ShmooCon has always been one of my favorite security conferences. Unfortunately, I can't be there this year. But for those who are going this weekend, here's what to expect.
Akamai Security Advocate Dave Lewis and I made Tripwire's list of "Top Influencers in Security You Should Follow in 2015."
For each security practitioner selected, Tripwire included Twitter handles, blog URLs and reasons for selecting the individuals. Tripwire also asked us what infosec-related superpower we wished to have, in keeping with this year's theme of "InfoSec Avengers."
Thanks to Tripwire for including us on the list!
This morning Akamai released its State of the Internet Report for the third quarter of 2014. Here are the security highlights:
Continue reading on "The Security Ledger": https://securityledger.com/2014/12/cat-and-mouse-web-attacks-increasingly-sidestep-waf-protections/
The following PLXsert advisory came out last week, but I'm just back from vacation and catching up on what I missed. This one is high-risk and worth mentioning here.
Public dumps of compromised data from several high-profile attacks have fueled an increase in automated and systematic attempts to reuse stolen credentials at multiple websites.
The requests show that user agents are systematically randomized. One of the most targeted sectors is online financial services. Other industries targeted by these brute force attacks are online entertainment, high tech consulting and Software-as-a-Service (SaaS).
No sixth sense is necessary to determine that the answer would range from "laptop," to "smartphone." Nor would it be required to guess that you already have several work-related emails in your inbox that are stamped with "Sent from my iPhone." It's also likely that this has caused controversy amongst the Android users in your life at least once.
The January meeting of OWASP Boston is Wednesday, 6:30 p.m., at Akamai Headquarters -- 150 Broadway, on the 2nd floor.
Akamai CSIRT's Patrick Laverty will give a talk called "How a Hacker Views Your Web Site."
Laverty offered these details of the talk:
As defenders, we have to be right 100 percent of the time where an attacker only needs to be right once. The attack surface of a modern web site is incredibly large and we need to be aware of all of it. Additionally, individual attacks may not always be effective but sometimes using them together can gain the desired effect. In this talk, we'll take a look at the whole attack surface for a typical web site and the various ways that an attacker will use to compromise a site.
Laverty gave this presentation at the Boston Application Security Conference (BASC) in October, and it was well received.
Boston OWASP (The Open Web Application Security Project) meetings happen the first Wednesday of each month, usually at Akamai headquarters.
You can also watch Laverty deliver a talk on the differences between vulnerability management and penetration testing here.
At Akamai, our observation through in-depth discussions with our 150+ SaaS Provider customers, and ongoing engagements with analysts and press, is that the best way for SaaS Providers to increase customer retention and minimize churn is to have a maniacal focus on the end-user experience.
Compiling a full list of security conferences for a 12-month period is hard. There are the obvious ones, like RSA, Black Hat and Defcon. But there are countless more with content and networking opportunities security practitioners can benefit from.
To that end, I want to direct you to this excellent list from Henry Dalziel, a security blogger with Concise Courses. It's the most comprehensive list I've ever seen.
I've never been a fan of security predictions, though I've written about them too many times to count.
I guess that makes me a hypocrite. I could take the high road and tell you my bosses always make me write about it, but why pass the buck? In the world of tech media, we ALL write about predictions.
Call it a case of doing one of those tasks you hate because, like changing diapers or taking out the trash, it has to be done.