Akamai Diversity

March 2016 Archives

Life Lessons at NAB

Less than a year out of college and getting ready to cover my first NAB Show as a wet-behind-the-ears trade journalist in the mid 90s, I remember receiving a fascinating (especially at the time) piece of advice. It came from a veteran of many shows, not to mention many trips to Las Vegas, shortly after I was assigned an ambitious list of conference sessions to report on during the week.

3 Recommendations for a Successful Social Media Strategy

The highly regulated environment of the financial services industry has likely contributed to the fact that many banks and financial institutions have been relatively slow to embrace social media engagement. However, with a deep understanding of the landscape and the compliance issues that govern the industry, financial institutions can have great success within the social media landscape.

Play Games Like a Player

Do you remember what it was like to play a game? Not as a games industry insider, studying a competitor's game, or keenly critiquing your own work. Just playing a game because it was fun, and because you had nothing at stake, and because there was a ninja on the box.

Securing the future of mobile video

By Lu Bolden, Vice President, Business Development, Verimatrix

The coming of age for mobile video and TV was perhaps one of the most tangible takeaways from the recent Mobile World Congress (MWC) at Barcelona, amid some of the more futuristic demonstrations around, say, the Internet of Things and virtual reality.

On Trust and Video Games

I was about to hop on the Caltrain to San Francisco when I got the call. Over the metal on metal screech of the locomotive pulling into the station I could only make out the last few words, "to verify a few recent transactions". After boarding the train, I stood in the vestibule whispering for 20 minutes. It was my bank. Someone had gotten access to my debit card information and was making purchases in a country I'd never visited.

In this article we'll review how to handle known bot traffic.

As discussed in the first part, you may not be comfortable serving content to all legitimate bots for various reasons. But even when you're willing to serve content to known bots, several options are available. Just like for unknown bots, you'll have to decide on the response strategy that works best for you.

With the release of the Fourth Quarter, 2015 State of the Internet Report, we've also made a small but important update to the associated data visualization tools on www.stateoftheinternet.com.

While the report itself generally covers either the top ten countries or states, or a selected set of countries/regions, we often get requests for full data sets.  Researchers, journalists, folks involved in broadband initiatives, and others have asked for data on all 50 states, or the full complement of countries in a given region, either for the current quarter, or going back several years.

In part 1 of this series we discussed the difficult problem of differentiating the good vs. the bad. In this article we'll review how to go about defining a response strategy to manage bots that you think are bad for your business. The first thing you'll have to decide is whether you want to serve any content at all to these bots. We recommend you do, to keep the bot at bay, but of course it depends on your context and what infrastructure you have available.

Eight years ago, Akamai CMO Brad Rinklin called me into his office to talk about an idea he had - sharing some of Akamai's unique Internet insights with the broader community and establishing thought leadership along the way.  (I even have the PowerPoint deck around somewhere, although it's buried in 17 years of Aka-files and Aka-mail.)  Out of that conversation came the State of the Internet Report - we published the first issue in May 2008, covering the first quarter of 2008.  The report itself covered security (attack traffic, DDoS attacks, and publicized Web site hacks), networks (outages, de-peering events, routing issues, and significant new connectivity), Internet penetration (unique IPv4 addresses seen by Akamai and unique IP addresses per capita), and broadband (% above 5 Mbps, % above 2 Mbps, and % below 256 kbps).

As you may have heard, Akamai recently introduced a new product, Bot Manager. I've been working at Akamai for close to 10 years and, in my past roles here (Technical Support Engineer, Enterprise Architect), I've had the opportunity to work closely with many customers who had issues with bots. Generally, this was about protecting the site against "bad bots" but also making sure that "good bots" were not impacted by any of the mitigation techniques. 

Hackers vs. Media

We're used to hearing about cyber attacks against financial institutions and retailers. But another industry faces a growing threat: Media.

Digital media publishers strive to provide meaningful content and a user experience that will grow a dedicated base of content consumers. This allows the publisher to partner with and provide services to marketing and advertising concerns to build cash flow that can be used to further enhance the experience for content consumers.

4 Critical Focus Areas

During a recent business trip, I had the opportunity to finally see Adam McKay's wonderful portrayal of the horror that was the 2008 financial crisis - "The Big Short." Christian Bale, Ryan Gosling and Steve Carell brought me right back to that time, not so long ago, when we all witnessed the fall of major Wall Street firms and the destruction caused by the sub-prime mortgage boom.

GDC is here, and Akamai is... there.

Now is the time to stop by the Akamai booth at GDC. We've got an interactive demo that will surprise you. We've also got several games experts at the booth who can discuss what we've done to help some of the biggest games on the planet.

The Akamai Media team is hard at work putting together a completely new experience for you at NAB this year - you'll actually be able to walk through an OTT workflow and see firsthand what Akamai is doing to help you get your content and media files online faster, for delivery to bigger audiences at the highest quality. Stay tuned for more exciting details as the show approaches.

One of the important, and more interesting, use cases of Network Function Virtualization (NFV) and Software Defined Networking (SDN) is CORD.

CORD stands for Central Office Re-architected as Datacenter.  It "combines NFV, SDN, and the elasticity of commodity clouds to bring datacenter economics and cloud agility to the Telco Central Office" according to the CORD website.  It is an initiative that was started by AT&T and Open Networking Lab (ON.Lab) almost two years ago now.  

Scraper and Bot Series - When Good Bots Go Bad

By Bill Brenner, Akamai SIRT Senior Tech Writer

Akamai this week launches the first in a series about bots and scrapers, based on continued research by Akamai's Security Intelligence Research Team (SIRT). In the first installment, we discuss the various types of bots and scrapers that we have encountered, and how you may want to react to each. This paper will mainly focus on the known "good bots" -- traffic that is encouraged because it can be helpful to a business.

Games Industry Leaders Speak About Player Experience

Whenever I'm at a games event, I try to start debates. My go-to firestarter is the topic of whether or not we're doing everything we can to make the player experience better. Some people insist that players don't care, and will put up with anything. Others argue that gameplay is king. Still others (close to my heart) suggest that there are many places where the player experience could be made better.

We've always known that you never get a second chance to make a first impression and it couldn't be truer than it is with mobile financial services. It takes less than two-tenths of a second for an online visitor to form a first opinion of your brand, and as noted in Akamai's recent whitepaper "Digital Transformation, Millennials and the Future of Financial Services", 52% of mobile financial services customers expect pages to load in two seconds or less, while 23% expect instant page load. Consumers' high expectations for mobile financial services, coupled with the rise of digitally native competition, mean the stakes have never been higher for banks and insurers looking to acquire new customers. When banks and insurers get this right and delight customers with exceptional digital experiences, it becomes much easier to sell additional products, prove value, and create loyal customers. Loyal customers are the ultimate nirvana for financial institutions because the added cost of selling another product to an existing customer is often only about ten percent of the cost of selling that same product to a new customer.

Here are a few things to keep in mind to ensure that your customer remains central to your mobile strategy.

3/8/16 UPDATE:  Akamai continues to harden systems against the DROWN vulnerability (CVE-2016-0800), which exploits legacy encryption protocols in order to compromise keys that secure modern protocols, like TLSv1.2. (It does not leak the SSL/TLS keys themselves.) 

We have taken the necessary steps to protect both our customer-facing and critical internal systems from this vulnerability as of March 1, 2016.  We will continue to identify and patch non-critical systems on an as-needed basis.

The Decrypting RSA with Obsolete and Weakened eNcryption attack, described here, allows an adversary to compromise secrets from modern-TLS connections if any machine will accept SSLv2 connections using the same key & certificate.

Our secure delivery services are not vulnerable to DROWN. Individual customers have the option to enable SSLv2 for their own sites. Doing so would expose that customer's connections to DROWN.

While Akamai secure delivery provides protection, customers are still advised to verify that the origin servers they operate themselves do not use SSLv2. If they do have to use SSLv2, they should not do so using the same key & certificate as would be used for more secure connections.

The vulnerability is getting attention from such media outlets as The Register and Ars Technica.

The official DROWN web page calls this "a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security." Attackers can exploit it to break the encryption and read or steal sensitive communications such as passwords, credit card numbers, trade secrets, or financial data. The researchers estimate that 33% of all HTTPS servers are vulnerable to the attack.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject, or contact your Akamai Representative or Customer Care.

If our investigation uncovers additional risks, we will provide follow-up blog posts, Akamai Community posts, and Luna Portal advisories to update customers on how we are affected and what we're doing about it.

I recently spoke at the 7th annual BankTech Summit in Hong Kong, and had a chance to meet with many of our customers who attended.  Meeting with customers has always been the best part of my job, and in particular, hearing first hand war stories about their challenges.  The stories that I've recently heard involve a common problem: mainframe and back end systems becoming overloaded due to the success of digital transformation.

Join me over the next few posts as I talk about how to provide fast, reliable, and secure applications in the branch while protecting end-users and promoting a transparent and open Internet. In Enterprise Security - SSL/TLS Primer Part 1 - Data Encryption I covered the fundamentals of data encryption. For part two we will cover certificates. Let's start with the basics.

CDN-based WAF + Big Data Intelligence is a Gold Mine for This Security Researcher

I am frequently asked by friends and colleagues why I joined Akamai's Threat Research Team.  I can boil it down to three main reasons: People, Technology and Data.

Akamai Response To "Forwarding-Loop" Issue

Akamai is aware of the research paper titled "Forwarding-Loop Attacks in Content Delivery Networks" published by Jianjun Chen et al. on Feb. 29.  We have reviewed the researchers' findings, and are confident that we already have adequate counter-measures in place to thwart any attempt to use Akamai as an attack vector in the manner described by the paper.

The paper describes four types of forwarding-loop attacks against CDNs: self-loop, intra-CDN loop, inter-CDN loop and dam flooding. The paper acknowledges that Akamai is not vulnerable to the first two. The third attack (the "inter-CDN loop attack") is described as a looping between multiple CDNs.  Finally, the fourth -- "dam flooding" -- is described as coupling "forwarding-loop attacks with timely controlled HTTP responses to significantly increase damage."

While Akamai does not publicly disclose or discuss our security countermeasures, we would like to reiterate that we have sufficient countermeasures in place to detect and defend against all these attacks, as well as substantial capacity to absorb traffic spikes. If you have any additional questions/concerns, please reach out to your Akamai representative.

Going Big with eSports

Electronic Arts recently announced the launch of their new division, focused entirely on esports. Within weeks, Activision, who had already launched its own esports department, announced they were acquiring MLG, one of the key brands in competitive gaming.

Monday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I've been writing posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at Web application attacks by industry.


This quarter, the retail sector suffered the vast majority of web application attacks: 59%. Media and entertainment suffered 10% of attacks, as did the hotel and travel industry. Financial services suffered 7% of attacks, followed by high technology (4%), consumer goods (3%), manufacturing (2%), the public sector (1%), and gaming (1%).

Join me over the next few posts as I talk about how to provide fast, reliable, and secure applications in the branch while protecting end-users and promoting a transparent and open Internet. Let's start with the basics.

So what is SSL/TLS & how does it work?

Yesterday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I'll write posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at mega-DDoS attacks from last quarter.


In Q4, five DDoS attacks registered more than 100 Gbps. This number was down from the eight we saw in Q3 2015, and still more of a drop from the record-setting 17 mega attacks of Q3 2014.