Akamai Diversity

March 2015 Archives

Mobile Browser Usage in Q4 2014

In June 2012, Akamai launched the Akamai Internet Observatory (IO), which highlights browser usage across desktop and other connected devices. The data presented in the Fourth Quarter, 2014 State of the Internet Report and this post are derived from the Akamai IO site.

We, The Mobile People...

In my last blog, I wrote about the mobile market trends, where companies are investing when it comes to mobile technology. In other words, it was about the 'supply' side of the equation. In this post, I will take a closer look at the 'demand' side of the equation: consumer behavior trends in mobile solutions.

State of the Internet Security Podcast, Episode 1

Welcome to the inaugural episode of Akamai's State of the Internet Security Podcast. This will be an ongoing podcast series where I talk to Akamai security researchers about the threats they are tracking and the defenses they identify.

Episode 1 takes us to a fairly new attack technique that exploits Microsoft's SQL Server Resolution Protocol.

Our research team recently discovered that the bad guys are using a reflection-based tactic to tamper with the Microsoft SQL Server Resolution Protocol and launch DDoS attacks.

Akamai first spotted attackers using the technique in October. But last month an independent researcher studied another such attack and we were able to replicate it by creating a script based on Scapy, an open-source packet manipulation tool.

Joining me to talk about this is Akamai PLXSert Principal Researcher Rod Soto.

Full episode here.
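The reflection described above comes down to a size mismatch: the SQL Server Resolution Protocol (SSRP, UDP/1434) enumeration request is a single byte, while the reply lists every instance on the host. The following is an added example, not code from the podcast and not the Scapy script mentioned above: it builds that one-byte probe, parses a constructed SVR_RESP reply, measures the amplification, and tags datagrams the way a detection rule for outbound probes and inbound replies would. The instance names, version and ports in the sample reply are constructed.

```python
# Added example, not code from the podcast or from Akamai's Scapy script:
# the SSRP (MS SQL Server Resolution Protocol, UDP/1434) request an attacker
# spoofs is a single byte, while the SVR_RESP reply carries every instance
# on the host, which is where the reflection amplification comes from.
import struct

SSRP_PORT = 1434
CLNT_BCAST_EX = 0x02   # "list all instances", normally sent to a broadcast address
CLNT_UCAST_EX = 0x03   # same request, unicast
SVR_RESP = 0x05        # reply: 0x05, 16-bit little-endian length, ASCII key;value text

# Constructed sample reply for a host with two instances (not a real capture).
SAMPLE_BODY = (
    "ServerName;DBHOST01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;11.0.5058.0;tcp;1433;;"
    "ServerName;DBHOST01;InstanceName;REPORTING;IsClustered;No;"
    "Version;11.0.5058.0;tcp;49170;;"
)
SAMPLE_RESPONSE = struct.pack("<BH", SVR_RESP, len(SAMPLE_BODY)) + SAMPLE_BODY.encode("ascii")


def build_request(unicast=True):
    """Whole request datagram: one byte, no authentication, no handshake."""
    return bytes([CLNT_UCAST_EX if unicast else CLNT_BCAST_EX])


def parse_svr_resp(payload):
    """Return the list of instances advertised in a SVR_RESP datagram."""
    if len(payload) < 3 or payload[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (length,) = struct.unpack_from("<H", payload, 1)
    body = payload[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):             # instances are separated by ";;"
        fields = chunk.split(";")               # within an instance: key;value;key;value
        if len(fields) < 2:
            continue
        instances.append({fields[i]: fields[i + 1] for i in range(0, len(fields) - 1, 2)})
    return instances


def amplification_factor(request, response):
    """Bytes reflected toward the victim per byte the attacker spends."""
    return len(response) / len(request)


def classify_udp_payload(src_port, dst_port, payload):
    """Tag datagrams for a detection rule: probes going out, replies coming back."""
    if dst_port == SSRP_PORT and len(payload) == 1 and payload[0] in (CLNT_BCAST_EX, CLNT_UCAST_EX):
        return "ssrp-enumeration-probe"
    if src_port == SSRP_PORT and payload[:1] == bytes([SVR_RESP]):
        return "ssrp-response"
    return None


if __name__ == "__main__":
    probe = build_request()
    for inst in parse_svr_resp(SAMPLE_RESPONSE):
        print(inst["InstanceName"], "tcp", inst.get("tcp"))
    print("amplification x%.0f" % amplification_factor(probe, SAMPLE_RESPONSE))
```

The classifier only looks at port and payload shape, so it works on sampled flow data as well as full packets; a single host answering many one-byte probes from many different "source" addresses is the reflector, and the spoofed source is the victim.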

We've all been there. Traffic is bumper to bumper, and it looks like you're going to miss your meeting. But you've got access to cloud applications, so you search and find a coffeehouse two blocks ahead. You drop in, order the dark roast, punch in the password (javalover), and scour your email for the meeting link. You finally get your presentation open from a cloud storage app, fire up your smartphone and Bluetooth earpiece, and take a breath. You made the meeting after all (and the coffee is better than the stuff in the conference room to boot).

In 2014, we hit the mobile tipping point - total global users of mobile phones outpaced those on desktop. In 2015, discussions on mobile are most often centered around how to best take advantage of mobile's growth in eCommerce, rather than on mobile's growth alone. Below, I've compiled a few of my favorite statistics that really put this into perspective:

MIT's Fourth STAMP Workshop This Week

This week, MIT holds its 2015 STAMP Conference. Staff from Akamai InfoSec will participate in this event, which makes perfect sense given our close ties and history with MIT.


The Q4 2014 State of the Internet Report will be available for download on March 25. In the meantime, here are some of the highlights from the report.

Security
Across the fourth quarter, Akamai observed attack traffic originating from nearly 200 unique countries/regions. Of these, China and the United States remained the top two sources. Port 23 (Telnet) remained the most targeted port for attacks during the fourth quarter -- continuing the trend of the previous two quarters. Additionally, Akamai recorded a rise in DDoS attacks.

One billion Red Envelopes Delivered!

I was born in Beijing and when I was a kid, I always looked forward to the Spring Festival, because I'd receive red envelopes from my parents as a celebration of the new year. In the envelope, there would be a significant amount of pocket money - not much for adults, but a fortune for a small kid.

OpenSSL Vulnerability Details Released

Akamai is aware that details are now available for the OpenSSL vulnerabilities we first told you about on Tuesday. The full OpenSSL Security Advisory is available here and outlines 14 different issues.

At this time, most of the issues don't appear to affect Akamai, though we continue to investigate.

One of the high-severity vulnerabilities affects only OpenSSL v1.0.2, which Akamai does not yet use.

Another issue, outlined in CVE-2015-0204, was previously addressed when we turned off export ciphers. More details on that are available here and here.

If our investigation uncovers additional risks, we will use additional blog posts and Luna advisories to update customers on how we are affected and what we're doing about it.

More Akamai perspective on patching and vulnerability management:

The experience your customers have while interacting with your company's online presence says so much about your business, its priorities, and your brand. Whether your company conducts online transactions or not, performance optimization has become more of a "need" than a "want". A slow-performing web site is bound to have less engagement among critical audiences, lower transaction volume, degraded brand fidelity, and higher bounce rates. In this post, we will talk about some of the key considerations when evaluating web performance technologies and vendors.

Akamai's new Emerging Mobile Business Unit, alongside our partner Saguna Networks, won the top honors for "Best Innovation based on Network Intelligence" at the Network Intelligence Awards, which took place at Mobile World Congress in Barcelona on March 3, 2015. The Network Intelligence Awards honor telecom platform and solution suppliers providing performance and innovative products that leverage network intelligence for Software Defined Networking (SDN) and Network Functions Virtualization (NFV).

Third Quarter Internet Disruptions

Internet disruptions are still a frustrating reality in many regions across the globe. The most common types of disruptions generally fall into three categories: accidental (backhoes or ship anchors severing buried fiber), natural (hurricanes, earthquakes, etc.) or political (government-driven shutdowns in response to protests). Akamai is in a unique position to monitor each country or region's traffic levels for the consumption of content from Akamai customers. The following events are highlights of global disruptions that affected traffic levels in the third quarter of 2014.

Third Quarter Situational Performance

In June 2013, Akamai announced the latest release of Ion. Ion is a solution that's designed to meet the unique challenges of optimizing the desktop and mobile web experiences. One feature of Ion is a capability known as Real User Monitoring (RUM). RUM takes performance measurements from real web users to provide developers with insights into performance across a multitude of devices and networks. Ideally, RUM is used in tandem with synthetic testing to generate a comprehensive picture of a user's web experience to help developers best calibrate their applications.

New Vulnerabilities in OpenSSL

Akamai is aware of an announcement from OpenSSL revealing vulnerabilities in the OpenSSL stack.

Based on information provided by the OpenSSL team, the high-severity vulnerability only affects OpenSSL v1.0.2. Akamai does not use this version of OpenSSL and is therefore not susceptible to that vulnerability. We continue to investigate, however.

The full advisory will be available on March 19. Akamai will have further details about our response plans at that time.

Have you seen those auto insurance commercials with that guy in the suit that always looks a little beat up portraying the personification of "mayhem"?

One of my favorites from that ad series is the one where "Mayhem" is your car's GPS system - he seems to be recalculating at every other turn! Don't you hate that moment when you're traveling along on a road trip, following the pleasant voice prompts from your car or your smartphone's GPS, and then all of a sudden you realize the road you are supposed to take is closed? You're now being redirected to a new route? What's worse is when you get to a point where you have to make a decision, "do I go left?" or "do I go right?", you look at the GPS and it's "Recalculating!"

Market's Pulse Beats Mobile

Some people still speak about mobile technology in our lives in the future tense. If you are one of those few people remaining, then I think it is time to realize mobile is now.

Update on Akamai's CVE 2015-0204 Response

Here's an update on Akamai's efforts to address the security vulnerabilities outlined in CVE 2015-0204: As of today -- Wednesday, March 11, 2015 -- we have completed all the necessary change activities. Export Grade Ciphers are now disabled by default on our network.

From February 17-20, I left the frigid east coast to visit Palm Springs for eTail West, the premier online retail conference attended by many eCommerce innovators. I have been attending this event for many years and I was glad that it was once again in Palm Springs - not just because of the great weather and palm trees, but because that is where my mind has associated the event with the venue since I first attended eTail West years ago.

Microsoft Fixes FREAK Flaw and More

Microsoft yesterday released its most significant patch update in a long while, fixing the so-called FREAK vulnerability, among other things.

In all, 14 security issues were addressed, five of which are tagged as critical. Affected systems include the consumer and server editions of Windows, Internet Explorer, Office, Exchange Server and SharePoint.

Akamai addressed the CVE 2015-0204 vulnerability -- which FREAK exploits -- two weeks ago. You can read about our response here.

Here's the full patch matrix for Microsoft's March 2015 Security Update:

AppSec USA 2015 Call For Papers

Fellow security practitioners: OWASP AppSec USA 2015 will take place in San Francisco Sept 22-25.  The call for papers closes March 14.  It's probably the biggest application security conference of the year, so it's a great speaking opportunity.

From the OWASP website:
 
OWASP encourages and prioritizes submissions around the three focus areas of AppSec USA 2015: 

  • Web Application security
  • DevOps
  • Cloud Security
In addition to these focus areas, OWASP is interested in all topics related to information security.

Deadlines:

Submission of proposal closes:  March 14, 2015 - 11:59 Pacific

Notification of acceptance:  April 15 - May 15, 2015

Conference Date:  September 22-25, 2015
 
To submit a proposal, send an abstract of your intended presentation (500 - 4000 characters), a brief biography (150 - 800 characters), a headshot, and a signed copy of the speaker agreement.  Talks without all required information probably won't be considered.

CSIRT Advisory: Mass Website Defacements

The following was written by Akamai CSIRT researcher Patrick Laverty:

Akamai has seen multiple media reports where a group will claim to have hacked hundreds or thousands of sites in a single night. The intent is to instill a sense of widespread unease to the casual observer.

When we look a little closer, we see that there may be more to it. One can rightly assume that many of these have been done through a type of automation. But if we look even closer, we see something else interesting about the attacks.

If we look at the IP address for the hundreds of web sites affected, we notice that many and sometimes all of them have the same IP address.

When we see this, it leads us to believe the sites are running on the same server.
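The check described above is easy to automate: resolve every hostname in the claimed list and group by address, and the "hundreds of sites" usually collapse onto a handful of shared-hosting servers. The following is an added example, not part of the CSIRT advisory. The resolver is a parameter so the sample runs offline; the hostnames and the addresses (from the TEST-NET documentation ranges) are constructed, not real defacement data.

```python
# Added example, not from the CSIRT advisory: resolve each site in a claimed
# mass-defacement list and group by IP address, to see how many servers were
# really involved. The resolver is injectable so the sample runs offline;
# the hostnames and the addresses (TEST-NET ranges) below are constructed.
from collections import defaultdict
import socket

CLAIMED_SITES = [f"site{n}.example" for n in range(1, 11)] + [
    "shop.example", "blog.example", "gone.example",
]

# Constructed answers standing in for DNS: ten names on one shared host,
# two on a second host, one that no longer resolves.
FAKE_DNS = {f"site{n}.example": "203.0.113.10" for n in range(1, 11)}
FAKE_DNS.update({"shop.example": "198.51.100.7", "blog.example": "198.51.100.7"})


def fake_resolver(hostname):
    """Offline stand-in for socket.gethostbyname with the same failure mode."""
    try:
        return FAKE_DNS[hostname]
    except KeyError:
        raise socket.gaierror(f"no such host: {hostname}")


def group_by_server(hostnames, resolver=socket.gethostbyname):
    """Map each resolved IP to the claimed sites living on it."""
    by_ip = defaultdict(list)
    unresolved = []
    for host in hostnames:
        try:
            ip = resolver(host)
        except OSError:            # socket.gaierror is an OSError subclass
            unresolved.append(host)
            continue
        by_ip[ip].append(host)
    return dict(by_ip), unresolved


def summarize(hostnames, resolver=socket.gethostbyname):
    """Headline numbers: claimed sites versus distinct servers actually involved."""
    by_ip, unresolved = group_by_server(hostnames, resolver)
    biggest_ip, biggest = max(by_ip.items(), key=lambda kv: len(kv[1]), default=(None, []))
    return {
        "claimed": len(hostnames),
        "distinct_servers": len(by_ip),
        "unresolved": len(unresolved),
        "largest_server": biggest_ip,
        "sites_on_largest_server": len(biggest),
    }


if __name__ == "__main__":
    # Pass the real resolver (the default) to run this against a live list.
    print(summarize(CLAIMED_SITES, fake_resolver))
```

Run against a live list, the default resolver is used; keep in mind that a CDN or load balancer in front of the sites can also make distinct servers share an address, so a shared IP is a strong hint of shared hosting rather than proof.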

The smartphone market is a two-horse race between two of the biggest names in technology - Apple (iOS) and Google (Android). One way to track their relative operating system market penetration is via mobile browser usage.

Despite Android's tremendous operating system market share (81.5 percent in 2014, according to IDC), Apple cemented its leadership in mobile browser usage in the third quarter of 2014. To measure browser usage, Akamai tracked the number of cellular specific and total network connections from Apple's default iOS web browser, mobile Safari, and Android's stock Webkit browser.

A Run on 4K at NAB

If the industry had stuck with "Ultra High Definition" as the generic label for 4K video resolution, chances are pretty good that we wouldn't be doing road races during major tradeshows. But with 4K becoming a generally accepted term, it was practically an obligation that somebody came up with a way to tie it into a run.

Security Kahuna Podcast, 3-3-15

Newly disclosed data breaches. A constant stream of fresh security vulnerabilities. Dangerous network configurations. Bad passwords. Old lessons unheeded.

Bill Brenner, Dave Lewis and Martin McKeay discuss the latest incidents in the never-ending fight against evil.

Global Map of DDoS Attacks

Among the security content on Akamai's new State of the Internet website is a very cool map where you can view DDoS attack activity worldwide in near real-time, including global sources, types, volume and targets.

The most recent 5000 DDoS attacks blocked by Akamai appear on the map. Each DDoS attack source can command hundreds or thousands of DDoS bots. Viewers can customize their view by zooming in or out. There's also a section that ranks bot activity by country.

Security content on the site focuses on:

  • Network and DNS security
  • Web application security
  • DDoS protection and DDoS mitigation
  • Threat advisories and attack trends

It pairs well with the security section on Akamai's main website. Check in on both sites daily for the full security picture around the world.


Akamai Addresses CVE 2015-0204 Vulnerability

The following, written by Rich Salz, deals with Akamai's response to CVE 2015-0204, the vulnerability exploited by the so-called FREAK attack.

Back in the last century, the United States tried to control the export of strong cryptography. This policy made its way into the SSL/TLS standards in two ways.

The first part was to add several cipher suites that used small, easily breakable keys. In OpenSSL's cipher names these are all identified by EXP at the beginning.

For example, EXP-DES-CBC-SHA. DES normally uses a 56-bit key (which is considered laughably weak these days), and EXP-DES is a variant that uses a 40-bit key -- 2^16, roughly sixty-five thousand, times fewer keys to try than "laughably weak". (We're using the common OpenSSL names; the official name of this suite in the TLS RFC is TLS_RSA_EXPORT_WITH_DES40_CBC_SHA.)
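A practical way to see whether export-grade suites are still in play is to watch the server's handshake flight. The following is an added example, not Akamai's code: it walks TLS handshake records and flags two things, an export-grade suite being negotiated, and a ServerKeyExchange message arriving after a static-RSA suite was selected. The second check goes beyond what this post has covered so far: it is the on-the-wire shape of the FREAK downgrade, in which the client believes a normal RSA suite was chosen (where the certificate's key does the key exchange and no ServerKeyExchange is ever sent) yet is handed a temporary export RSA key. The suite IDs are the IANA values; the three flights are constructed by the helpers in the block, not real captures, and the certificate and key-exchange bodies are placeholders.

```python
# Added example, not Akamai's code: walk a server's TLS handshake flight and
# flag (a) an export-grade suite being negotiated and (b) a ServerKeyExchange
# following a static-RSA suite, the on-the-wire shape of the CVE-2015-0204
# (FREAK) downgrade. Suite IDs are IANA values; the flights below are
# constructed by the helpers, not real captures.
import struct

HANDSHAKE = 0x16
SERVER_HELLO, CERTIFICATE, SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 2, 11, 12, 14

# 40-bit export suites (OpenSSL spells them EXP-...; 0x0008 is EXP-DES-CBC-SHA).
EXPORT_SUITES = {
    0x0003: "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
    0x0006: "TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5",
    0x0008: "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x000B: "TLS_DH_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x000E: "TLS_DH_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0011: "TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA",
    0x0014: "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    0x0017: "TLS_DH_anon_EXPORT_WITH_RC4_40_MD5",
    0x0019: "TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA",
}
# Static-RSA suites: the certificate's key does the key exchange, so a
# ServerKeyExchange message must never appear after one of these is chosen.
STATIC_RSA_SUITES = {0x0004, 0x0005, 0x000A, 0x002F, 0x0035, 0x003C, 0x003D, 0x009C, 0x009D}


def iter_handshake_messages(flight):
    """Yield (type, body) per handshake message; assumes no message spans two records."""
    off = 0
    while off + 5 <= len(flight):
        ctype, _version, rlen = struct.unpack_from("!BHH", flight, off)
        off += 5
        payload, off = flight[off:off + rlen], off + rlen
        if ctype != HANDSHAKE:
            continue
        p = 0
        while p + 4 <= len(payload):
            mlen = int.from_bytes(payload[p + 1:p + 4], "big")
            yield payload[p], payload[p + 4:p + 4 + mlen]
            p += 4 + mlen


def server_hello_suite(body):
    """ServerHello: version(2) random(32) session_id_len(1) session_id cipher_suite(2) ..."""
    sid_len = body[34]
    return struct.unpack_from("!H", body, 35 + sid_len)[0]


def audit_server_flight(flight):
    """Return human-readable findings for one server handshake flight."""
    findings, suite = [], None
    for mtype, body in iter_handshake_messages(flight):
        if mtype == SERVER_HELLO:
            suite = server_hello_suite(body)
            if suite in EXPORT_SUITES:
                findings.append("export suite negotiated: " + EXPORT_SUITES[suite])
        elif mtype == SERVER_KEY_EXCHANGE and suite in STATIC_RSA_SUITES:
            findings.append("ServerKeyExchange after static-RSA suite 0x%04x: FREAK downgrade pattern" % suite)
    return findings


# --- constructed sample flights (TLS 1.0 record version, zeroed random) ---
def record(mtype, body):
    hs = bytes([mtype]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(hs)) + hs


def server_hello(suite):
    return record(SERVER_HELLO, b"\x03\x01" + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00")


FAKE_CERT = record(CERTIFICATE, bytes(16))             # placeholder, not a real certificate
FAKE_RSA_SKE = record(SERVER_KEY_EXCHANGE, bytes(72))  # stands in for a 512-bit temp RSA key
DONE = record(SERVER_HELLO_DONE, b"")

EXPORT_FLIGHT = server_hello(0x0008) + FAKE_CERT + FAKE_RSA_SKE + DONE  # export suite: SKE is expected
FREAK_FLIGHT = server_hello(0x002F) + FAKE_CERT + FAKE_RSA_SKE + DONE   # what the downgraded client sees
CLEAN_FLIGHT = server_hello(0x002F) + FAKE_CERT + DONE

if __name__ == "__main__":
    for name, flight in (("export", EXPORT_FLIGHT), ("freak", FREAK_FLIGHT), ("clean", CLEAN_FLIGHT)):
        print(name, audit_server_flight(flight) or ["ok"])
```

The first finding is what a server-side audit cares about (the server still accepts an EXP suite, which is what disabling export ciphers removes); the second is what an unpatched client would accept and a network sensor between the two could spot.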

The second change is more problematic and, for technical purists, very "ugly."