Akamai Diversity

March 2017 Archives

No matter what else she does in her day, Judy Piper is, first and foremost, a people manager. Her role as a senior engineering manager in the Enterprise business unit is all about empowering others, and her curiosity and fearlessness help her succeed. Judy recently answered a few questions about her cool new project, her advice to others and her favorite extreme sport.

Update: Vulnerability found in Apache Struts

Akamai has created two new WAF rules in response to new information about the Apache Struts2 vulnerability. The first rule, the most recent version of KRS Rule 3000014, is a standard part of the Kona Ruleset and protects against the many common attacks leveraging this vulnerability. This rule is designed to allow organizations that have complex environments to continue operating without risk of the WAF rule interfering with their environments. However, this rule was intentionally designed to have as few false positives as possible, and may not capture future attacks against the Struts vulnerability. This rule will provide superior protection to rule 960010 for most customers.

From an IT management perspective, remote access management can be complex. Deployment, administration, testing and compliance are often multifaceted and time-consuming, and security is an ongoing concern.

Granted, I have talked with IT professionals who tell me VPNs - being the primary remote access technology deployed by enterprises - are not difficult to deploy and maintain. They tell me VPNs are a 'set it and forget it' technology, and they serve their organizations well because they have just a few remote workers.

Managing risk is a key aspect of any business. This becomes more complicated when additional parties, such as vendors, are brought into the mix. One of the strongest pieces of guidance on managing vendors that customers have brought to Akamai comes from the US Office of the Comptroller of the Currency (OCC) Bulletin 2013-29, wherein the OCC recommended that financial institutions strengthen their preparedness around third-party risk management, particularly in the field of cybersecurity. Many other global regulations exist with similar requirements.

DDoS of Past, Present and Future

The pervasiveness of technology has meant automation of tasks, allowing better productivity, with more time to do more. However, the dark side of technology is that enterprises and individuals alike are vulnerable to cybercrime, compromise of identities, loss of data and malicious attacks.

In our recent 'State of the Internet / Security Q4 2016 report', we reported that Akamai mitigated 3,826 distributed denial of service (DDoS) attack events on our Prolexic network, a 4% increase in attacks since Q4 2015.

Reaching toward universal TLS SNI

The past few years have seen a dramatic increase in client support for TLS SNI (a technology standard that makes HTTPS much more scalable). While early 2014 saw fewer than 85% of HTTPS requests being sent by clients supporting TLS SNI, many Akamai customers now see client TLS SNI usage exceeding 99%. This shift means that deploying SNI-only Web sites is now increasingly viable, with 31% of the Alexa top-100k hostnames with valid certificates for HTTPS only presenting those certificates when TLS SNI is sent by clients.

HTTP/2 Server Push: The What, How and Why

What is HTTP/2 Server Push? How does it work? Why is it valuable? If you are looking for the answers to these questions, you've come to the right place.

Online audiences are growing and so are their expectations for the quality of experience. You know exactly what I mean if you've ever been frustrated with the rate at which a game is downloading or if your video stalls at the most inopportune time.

Online streaming is no longer novel, it's the norm. The days of being enamored by streaming your favorite TV show online are over. Viewers now expect instant access to uninterrupted video streams on whichever device they're using, anywhere they might be, at any time of day or night. The same goes for online gaming, where mobile downloads and updates are expected to complete in just a matter of seconds and large software files are expected to download faster than ever.

Nine Years of Better Broadband

One of the questions I am frequently asked about the State of the Internet is how things are changing - what are the trends we see in the data? As we've just closed out the ninth year of publication of the Connectivity report, I thought that it would be a good time to take a look back and see just how much better things have gotten since the initial report, which covered the first quarter of 2008.

The graphs below cover the key connection speeds and broadband adoption metrics currently covered within the report, along with a look at connections under 256 kbps - some folks out there are still stuck on dial-up quality connections. For ease of review, we've aggregated the data at a continental level - obviously, that means that the changes seen in a specific country will be lost in the averaging. For more granular insight, similar country-level trending graphs can be built and exported (as can the underlying data) using the State of the Internet graph visualization tool. (And you can always contact us at stateoftheinternet@akamai.com with questions as well.)

The Akamai WAF - Now Protecting APIs

Kona Site Defender is our flagship Web Application Firewall and DDoS Mitigation solution at Akamai. Back in the days of the Al-Qassam Cyber Fighters, Brobot ("It's not OK, bro"), and the "holy 100 Gbps attack!", we had a saying around Akamai: "Kona Site Defender customers come for the DDoS, but they stay for the WAF". The general idea was that it took a headline-grabbing DDoS attack to make customers and prospects aware that Akamai had a security offering. That was the end of 2012 and the beginning of 2013. In those days, analysts told us and our prospects that we had WAF customers *only* because we were good at mitigating DDoS attacks. We were only mildly offended, and we toiled on. Our work seems to have paid off: In 2017, cloud-based WAFs are more or less an industry standard, Kona is a perennial fixture in the Gartner WAF Magic Quadrant and analysts tell us that "Kona is on the short list of all Security buyers".

When Matt Soares was offered a role at Akamai, it was the flexibility that sold him. "It allowed me to make it my own and I thought that was pretty cool!" he said. Today, Matt is the lifeline of the Akamai Americas campuses as the manager of facilities operations. If an employee's office isn't below freezing, they can probably thank him. During his days at Akamai, he's involved in office functionality and in the planning of the new Cambridge headquarters building. He's also a chronic cereal wolfer and a big fan of his newest cooking accessory. Matt recently shared a little about his professional and personal experiences, his biggest challenge, favorite mistake and go-to winter pastime.

Vulnerability found in Apache Struts

On Monday, March 6th, the Apache team patched a vulnerability in the Apache Struts2 framework. Apache Struts is an open-source web application framework for developing Java web applications. The vulnerability exists in the Jakarta Multipart parser, which can be tricked into executing attacker-provided OGNL code. The impacted versions are 2.3.5 through 2.3.31, and 2.5 through 2.5.10 of the Apache Struts framework. If you are currently running an affected version of the software, malicious users could execute code on the system remotely by using a maliciously crafted Content-Type header. Successful exploitation does not require the user to be authenticated. Apache has classified the vulnerability as a "possible remote code execution"; however, the vulnerability is easy to exploit and allows code to be executed using the user context of the account running the Tomcat server. At least two working exploits have been seen in the wild already.

With the acquisition of Soha Systems, Akamai's vision of bringing a simpler, more secure access approach to the enterprise is now available. We have blogged about this, most notably an excellent piece penned by Lorenz Jakober titled "Secure Enterprise Access Needs to Evolve".

If this is a new topic for you, the case for enterprises needing a new access model is:

  • VPNs, a staple of IT Networking for more than twenty years, have failed to evolve to meet today's remote access requirements.
  • Today, employees are mobile, and need to access applications hosted in different clouds and physical datacenters.
  • In increasing numbers, enterprise contractors, partners and customers - the global partner ecosystem - are also accessing "behind-the-firewall" applications. 
  • Using traditional VPNs to support these requirements brings increased complexity and support overhead to both IT and InfoSec teams. 

Today, we published the Fourth Quarter, 2016 State of the Internet / Connectivity Report. This issue of the report concludes its ninth year of publication. Over that time, everyone involved with the report at Akamai has worked hard to make it one of Akamai's most successful thought leadership programs. And of course, our readers have made the report a success through their ongoing interest in, and use of, its data, effectively making it a de facto reference within the broadband industry.

Mobile App Users: The Next Generation

What does the morning of a typical mobile user look like? It's probably something like this:

  • 6:00 a.m. - Your alarm wakes you up and automatically starts increasing the brightness to your bedroom lamps. The snooze button is not an option today!
  • 7:00 a.m. - On your morning run, you track your total mileage and pace, and then share your workout details and scoreboard on Facebook.
  • 8:00 a.m. - You check your phone to make sure your train is on time, you can't be late to work!
  • 8:15 a.m. - You catch your train and check Facebook, LinkedIn, Snapchat, and your standard news apps to get up to speed.
  • 8:30 a.m. - As you get off your stop, you choose your coffee order and pay for it, so it's ready and waiting for you - no more waiting in line at Starbucks!
  • 8:45 a.m. - With coffee in hand, you walk to the office and check your office Slack, Skype, and WhatsApp groups to prepare for the day ahead.
  • 9:00 a.m. - You enter the office and get your day started.

So...what do all of the activities above have in common? Mobile apps. And in the first three hours of a day, it's totally normal to have interacted with 10+ apps to accomplish a variety of tasks. This is the reality of today's mobile user.

Fighting Cybercrime with DNS

I recently sat down with Steve Saunders of Light Reading to talk about the role DNS plays in understanding and fighting emerging cyberthreats. In the interview, we went through the highlights of the recent Data Science report from Nominum, now part of Akamai, in which our Data Science team studied more than 15 trillion queries over a three-month period and reported on the world of cybersecurity through the lens of DNS, uncovering trends in phishing attacks, DDoS, the Mirai botnet, Locky ransomware, IoT-based threats and more.

On Web Cache Deception Attacks

Summary

On Monday, February 27, 2017, security researcher Omer Gil published a blog post laying out a data exfiltration method called a "Web Cache Deception Attack." The attack leverages web caching functionality to potentially expose sensitive information or allow for account takeover (ATO) attacks. Caching is often used to reduce load and time-to-delivery for a web server receiving requests for content, but this attack shows ways in which, given certain web configurations, the caching feature can be misused to serve content not intended for caching. Both the caching proxy and the origin site can have individually valid configurations, but in concert lead to unexpected behavior in light of this new attack method. This attack affects all forms of web caching and is not limited to proxies or Content Delivery Networks (CDNs). Akamai is actively working with customers to identify configurations which may be affected and assist them in protecting their sites against this attack.