February 2015 Archives
On Tuesday, February 24th, Akamai had the honor of being a sponsor at the inaugural Lead On: Silicon Valley Conference For Women. 5,000 women attended the event, which featured big-name keynote speakers including Diane Von Furstenberg, Candy Chang, Kara Swisher, Brene Brown and Hillary Clinton, along with two speakers from Akamai - Susan LaPointe (Vice President of Human Resource Operations), and myself!
A new attack threatens enterprises and Software-as-a-Service (SaaS) providers: chaotic actors using Joomla servers with a vulnerable Google Maps plugin installed as a platform to launch DDoS assaults.
The attack technique was discovered by researchers from Akamai's Prolexic Security Engineering & Research Team (PLXsert), working alongside PhishLabs' Research, Analysis, and Intelligence Division (R.A.I.D).
You can download the full advisory from Akamai's State of the Internet website for free.
Akamai security staff will be at RSA Conference 2015 in force, and some of us will be giving talks. A preview:
Last week I told you about my speaking appearances at SecureWorld Boston March 4. There's one schedule change to tell you about:
Instead of participating in a panel on emerging threats, I'll be on this panel instead:
Protecting Your Data as it Roams, March 4 from 1:15-2:15 p.m.
Today your data moves fast and across platforms. Security professionals are charged with protecting valuable information as it moves from data centers to employee devices and into third party networks. Join this discussion on the technologies and policies that can help you manage these risks while still allowing business productivity. Ask our experts at this educational panel discussion.
I wrote about this topic a lot as an infosec journalist, so I think I'll have something to say about it.
The other appearance is a solo talk: Attack Techniques and Defense, March 4 from 8:30-9:15 a.m.
I'll explain how the bad guys are targeting companies and how to fight back based on threat research and remediation techniques used by Akamai on behalf of customers. We've done a lot of blogging about attack techniques and defenses, and my examples will come from that material.
It should be a great conference with loads of useful content for information security professionals. I hope to see you there.
That a CDN can help you deliver content is well established. However, resolving in-region performance issues (where the origin server is located in close proximity to most end users) can still be a challenge.
BSides Boston 2015 takes place Saturday, May 9 at Microsoft, and organizers have issued their call for papers.
WHAT: Security BSides Boston 2015 Call for Presentations/Papers
WHO: Your awesome 45 minute presentation on a security/tech/hacking topic.
Marketing/advertising presentations will be rejected.
WHEN: Deadline for submissions: March 1st midnight EST
WHERE: 1 Cambridge Center, Cambridge, Massachusetts
- Talk Title (under 10 words)
- 200ish words abstract with links to any pertinent backup information
- Your Bio (under one paragraph, or submit your CV)
- Contact information: Your name, website, phone number, email, twitter
- Where/when presented previously, if applicable
- English language only presentations
If you think you have a valuable story to tell, please send organizers your pitch here.
In two weeks I'll give a presentation and participate in a panel discussion at SecureWorld Boston 2015. The event takes place March 4-5 at the Hynes Convention Center. Akamai is a gold sponsor.
My talk, March 4 from 8:30-9:15 a.m., is called "Attack Techniques and Defenses." I'll explain how the bad guys are targeting companies and how to fight back based on threat research and remediation techniques used by Akamai on behalf of customers. We've done a lot of blogging about attack techniques and defenses, and my examples will come from that material.
From 1:15-2:15 p.m. that day, I'll participate in a panel discussion on emerging threats. From the agenda description: "The number of cybersecurity threats is growing every day forcing the need for thorough security assessment and analysis. Join industry leaders discussing emerging threats in the industry for the opportunity to learn what is next in the future of cybersecurity."
Here is the full agenda for both days of the event:
A look at security news from around the Web.
The Great Bank Heist, or Death by 1,000 Cuts? (KrebsonSecurity)
A look at the Carbanak gang, which deployed malware via phishing scams to get inside of computers at more than 100 banks and steal upwards of USD $300 million -- possibly as high as USD $1 billion.
Google Adds Grace Period for Software Developer to Fix Security Flaws (eWeek)
In what appears to be a response to recent criticism, Google has added a 14-day grace period to its 90-day deadline for software vendors to patch security vulnerabilities reported to them under the search giant's controversial Project Zero vulnerability research and disclosure program.
Raduege: Why New Cyber Agency Matters (BankInfoSecurity)
A new federal cyberthreat intelligence center could help the government build more resilient networks and better identify cyber-attackers, leading to arrests and punishments, a former top Defense Department IT executive says. "Those three areas could really go a long way in providing much-needed deterrence to bad cyber-activity on the networks today," says Harry Raduege, a retired Air Force lieutenant general who was the longest serving director of the Defense Information Systems Agency.
Cybercriminals Target Bank Employees, Steal $1 Billion From Financial Institutions Worldwide (Dark Reading)
An international cybercrime ring based out of Eastern Europe has pilfered some $1 billion in two years from 100 different banks in nearly 30 countries using spearphishing emails targeting bank employees.
Equation cyberspies use unrivaled, NSA-style techniques to hit Iran, Russia (CSOonline)
A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia. Kaspersky Lab released a report Monday that said the tools were created by the "Equation" group, which it stopped short of linking to the U.S. National Security Agency.
The bad guys are using a fairly new technique to tamper with the Microsoft SQL Server Resolution Protocol (MC-SQLR) and launch DDoS attacks.
In an advisory released this morning, Akamai's Prolexic Security Engineering & Response Team (PLXsert) described it as a new type of reflection-based distributed denial of service (DDoS) attack.
PLXsert first spotted attackers using the technique in October. Last month, researcher Kurt Aubuchon studied another such attack and offered an analysis here. PLXsert replicated this attack by creating a script based on Scapy, an open-source packet manipulation tool.
More Akamai perspective on patching and vulnerability management:
A while back, after we ran a post about SEA's phishing activities and DNS attacks, my old friend Dave Marcus -- director and chief architect of McAfee's Federal Advanced Program Group -- took issue with our advice that companies continue to push for better security awareness among employees and customers.
Nearly two years ago, we published a blog post titled "Clarifying State of the Internet Report Metrics", and it has served as a great reference for those interested in finding out more about the metrics published within the State of the Internet Report. However, as the report has evolved over the last several years, we thought it would be worth publishing an update to clarify existing metrics and review new ones, with the goal of minimizing confusion about, or misinterpretation of, terms and/or data within the report.
Five security articles worth your time...
US top developer of risky mobile applications (CSOonline)
A new report identifies the U.S. as the top developer of malicious and privacy-intruding applications, a finding that contrasts with conventional wisdom that often places the problem squarely in Asia.
2014 cyberattack to cost Sony $35M in IT repairs (Computerworld)
Sony has put an estimate to the damage caused by the massive cyberattack against Sony Pictures Entertainment last year -- $35 million.
BMW's software security patch a sign of things to come (Dark Reading)
BMW's "over-the-air" update transmitted to its ConnectedDrive software running on 2.2 million of its vehicles worldwide this past week to fix security flaws offered a rare glimpse of how the generation of smarter and more network-connected vehicles could get patched when bugs are discovered.
Adobe Flash patch promised this week for new zero-day bug (SearchSecurity)
Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.
New-style ransomware locks out your customers - demands money to let them log back in (Naked Security)
A boutique Swiss security outfit recently wrote about a sneaky new sort of ransomware. It's an intriguing story. The crooks, it seems, decided to take it out on company X by means of extortion: encrypt customer data, and then offer the decryption key for a price.
My friend Jennifer Minella is doing a series where she asks folks from the security community about three books that changed their lives. She kicks it off with me.
Here's what she has to say about the series:
My goals for the year mean some drastic changes to the type of content you're used to seeing from me. One of these goals is to highlight the human aspect of professionals in information security -- to demonstrate the depth of personality, the breadth of interest and accomplishment, and to explore the forces which make us who we are.
In this first series, I asked my infosec colleagues to share 3 books that changed their lives. The results were astounding and the responses very heartfelt. This topic evoked passion and an openness that led me to change the format from a single article to a multi-post piece, highlighting each security professional's picks in his/her own feature.
The idea is to share what makes us who we are, not for the purposes of emulation, but to open our eyes and minds to the bigger picture by thinking outside the infosec box in which we're so often enclosed. For this piece, I tried to select a cross-section of the industry and people I thought would be comfortable stepping outside of the normal boundaries of technology content.
The only guidance I offered was that they were to pick three books which changed their life, and explain why/how they were impacted. It was made clear the book content could be on any topic. I wasn't disappointed, and I hope you'll feel the same.