On February 23, 2017, Cloudflare released information on a bug in its content delivery network that was disclosed by Google security researcher Tavis Ormandy. The bug potentially exposed sensitive customer data to the Internet. Approximately 1 in every 3,300,000 HTTP requests may have contained potentially sensitive information. This information would normally be stored and cached by users and search engines as part of normal website sessions. This bug is similar to Heartbleed in that uninitialized memory was accidentally being sent along with regular data. Unlike Heartbleed, which required malicious requests, this bug was in Cloudflare's HTML parser code, which means that sensitive data could be sent as part of normal client requests.
February 2017 Archives
Rock, meet hard place.
On the one side, sophisticated audiences are watching more video online and demand ever-higher quality. On the other, your challenge is simply to deliver, while keeping scalability, workflow complexity, and cost in mind.
The numbers are impressive.
By 2020, Digital TV Research predicts the Over-the-Top (OTT) video market will be worth $55 billion in consumer spending. In the U.S., the average OTT-enabled household already has 1.4 subscriptions to providers such as Netflix and Amazon, and that number is rapidly increasing. In China, eMarketer expects subscription video on demand to increase by a stunning 1,400 percent in the next five years.
Three key questions to ask yourself before your next Day 1:
- Do I have the right infrastructure to support my game?
- How well am I protecting my product and players?
- Do I have the capacity to expand and adapt?
Most companies ask themselves these questions... after their game server's gone offline or while they're fending off a DDoS attack.
It's a fact: if you can't give your viewers the quality they expect, they'll take their eyeballs elsewhere.
Usually in less than two seconds.
That's why you'll want to pay particular attention to your network architecture. All those servers, connections, and delivery mechanisms can make the crucial difference between optimal quality and a lousy stream.
So, how do you get it right?
You have years to bring your game from vision to reality.
And just 30 days to make it a success.
Successful games see higher revenue through add-ons and downloadable content. They help you secure funding and resources for your next big idea. But a staggering 95 percent of players leave a game within its first 30 days.
With cyberthreats increasing in size and scope, businesses are scrambling to find new ways to protect their financial and human capital assets. Many enterprise solutions offer endpoint protection and network security, but the SMB sector doesn't have the budget to deploy enterprise security solutions and typically lacks the in-house expertise to keep their networks and users adequately protected. In particular, as employees bring mobile devices onto corporate networks, and with new attack variants being introduced almost daily, small and mid-sized businesses have no way of keeping up. This is where communications service providers (CSPs) can step in to provide a broad layer of protection, visibility, and control from within their own networks.
You've probably seen a long list of complaints from players, and it might even drive you to say, "If I can't keep them all happy, what's the point?" But some concerns deserve your attention, and most of those fall into a single theme.
In a word: friction.
Over the last two years, Akamai has seen an increase in the number of customers who wish to run their own review of Akamai, either to satisfy their own information security or risk management program, or to gain the expertise to explain Akamai to their regulators and consumers. This increase is due to a confluence of factors, from Akamai's increased global sales presence, to heightened regulation of certain verticals by governments and other organizations. We expect to see demand for custom assessments continue to grow in 2017 and beyond, and we expect the breadth and depth of questions from customers to increase as well.
The fourth quarter of 2016 was relatively quiet for web application attacks. The biggest sales season of the year usually signals a marked increase in the number of attacks for all customers - especially retailers. Many merchants breathed a sigh of relief at not being attacked during their most important shopping days.
The other half asks "May I please have some more (application security)."
Another lifetime ago, way back in 2014, I wrote that "updating WAF rules is like flossing, everybody knows they should be doing it but it can be an easy step to forget and difficult to find the time to do it." At the time my conclusion was something along the lines of "so if you don't have time to do it, you should pay someone to do it for you". In hindsight that conclusion was flawed for two reasons. First, my analogy at that point got a little bit weird: who in their right mind would let someone else floss their teeth for them? By the same token, what if you don't trust a third party to update your rules for you? Some security professionals, quite rightfully, probably take better care of their apps than they take care of their own teeth, and they are perfectly able, thank you very much, of taking care of their apps and their WAF rules themselves. Some of the larger eCommerce companies and banks, for instance, have teams of 4, 5 or even 6 full-time employees studying WAF rules, tuning configurations, and generally making sure that the bad guys are kept out while the good guys get through to their websites unmolested. Second, even if you are comfortable with someone else flossing your teeth or updating your rules, what if you can't afford to pay someone else to do it for you?
I recently spent time with Joe DeFelice. Joe is a Sr. Director of Enterprise Security & Infrastructure Engineering here at Akamai. He is responsible for IT risk and security, Akamai infrastructure architecture and engineering (network, voice, video, platform, messaging, etc.), as well as our Akamai On Akamai initiative, a program built around sipping our own champagne, that is, how we can best utilize Akamai products in the enterprise.
On Tuesday, February 1, 2017, security vendor Sucuri disclosed a severe vulnerability in the WordPress REST API in versions prior to 4.7.2. The vulnerability allows for remote, unauthenticated and easily automated modification of blog post and page content by manipulating a parameter payload. Sucuri, Inc. notified Akamai of this vulnerability in advance of the public disclosure, which allowed the Threat Research team to internally confirm exploitability and to develop a new rule for Kona Site Defender designed to protect customers from this vulnerability. It's important to understand the new WordPress REST API before we discuss the technical details of the vulnerability.