As has been widely reported, a new ransomware known as "Petya" (also referred to as "NotPetya" or "Petwrap" in the research community) started circulating on the internet earlier this week. It appears the attacks started in Eastern Europe and caused widespread damage around the globe.
June 2017 Archives
As I work with Operators all over the world, I'm amazed at two worrying trends. First, Operators are still treating DNS as an afterthought. Everyone knows that if DNS is down, the network is down. Too many people are taking DNS's resiliency for granted. DNS "just works" is assumed to be the norm until it does not work. Operators (Carriers, ISPs, Cloud Operators, Mobile Operators, etc.) really need to put the robustness of their DNS architectures (in plural) into focus. Simple attacks against DNS are one of the easiest forms of Denial of Service (DoS) attack.
The term latency is used a lot in networking and most commonly refers to how long it takes a packet to reach a destination and come back again. The most common tools for measuring network latency are ping and traceroute, but there are more. When I speak to operators around Asia Pacific about DNS though, it's interesting to hear that latency is not often used when benchmarking or measuring their DNS service quality.
Akamai is aware of and is tracking the malware threat known as "Petya". Petya is ransomware spread using several methods, including PsExec, Windows Management Instrumentation Command-line (WMIC), and the EternalBlue exploit used by the WannaCry family of ransomware. The malware spreads via ports 139 and 445; it probes IP addresses on the local subnet for vulnerable systems.
Today, we are proud to introduce Akamai Enterprise Threat Protector (ETP). ETP is designed to provide customers quick-to-deploy and easy-to-manage cloud-based protection against the impact of complex, targeted threats such as malware, ransomware, phishing, and DNS-based data exfiltration.
One organization already seeing the benefit of using Enterprise Threat Protector is cruise-travel innovator Norwegian Cruise Line. According to Fidel Perez, the company's Director of Enterprise Architecture and Performance, "An important element of our commitment to our guests is doing everything in our power to safeguard their personal information. Our use of Enterprise Threat Protector adds a powerful layer of intelligent security, across all our shoreside office locations and cruise ships, to ensure we're doing all we can to protect the company, our employees and our guests from complex, targeted attacks."
In my last blog post, part 1 of this series, I discussed the important role DNS plays in protecting service provider networks from DNS amplification attacks, and the necessity of not only blocking malicious queries but also of not blocking good queries. In this post, I'll look at Pseudo-Random Subdomain (PRSD) attacks and other malware (like phishing and ransomware), showing why DNS is perfectly suited to protect both networks and subscribers.
I sat down again with John Payne, Akamai's Chief Architect of Infrastructure and Security, as well as Keith Hillis, Director of IT Risk & Security. We spoke about enterprise security compliance, and how Enterprise Application Access (EAA) exceeds Akamai's requirements and simplifies the process for auditors.
Gaining new customers and retaining existing ones is at the core of every business. In the past few years, two major trends have emerged in this drive towards customer centricity:
- To meet the ever increasing customer demands, most modern digital applications leverage microservice architecture to achieve scalability, agility and reduce time to market. These are ideal for DevOps teams that need continuous deployment workflows. But all this comes at a price, as it increases the complexity of these applications.
- Many companies are adopting public cloud platforms for their growing infrastructure needs for cost efficiency, agility, scalability and global distribution to serve their customers more easily. But cloud adoption has its own challenges. As you move applications and workloads to the cloud, there must be thoughtful consideration for what supporting services to keep on-premises, what to take with you, and what to replace entirely with a cloud service.
The Telegraph Media Group (TMG) is a multi-media news publisher and its titles include The Daily Telegraph, The Sunday Telegraph and The Telegraph website. Today, its site serves more than 380 million pages to over 84 million unique visitors every month across the globe, featuring on average about 15,000 stories and 900 videos.
While The Telegraph is a true digital pioneer - its website launched four years before Google and ten years before Facebook - it too is forging a new path. Like other online publishers, The Telegraph is looking for data and new ways to help drive greater engagement and improve customer experience.
In an earlier blog, "Remote Access no longer needs to be Complex and Cumbersome", I wrote about the new game-changing remote access solution available from Akamai called Enterprise Application Access (EAA). My thesis was that in our cloud-first, mobile-dominated world, providing access to behind-the-firewall applications need not be as complex as it is with today's traditional DMZ/VPN infrastructure.
The importance of DNS security in general is widely understood, particularly in today's overall security landscape. Anyone who currently manages (or has managed) caching/recursive or authoritative DNS servers knows the pain it causes when they go down. It's bad. Without available DNS there is no internet, at least no usable internet. Most, if not all, applications today rely on DNS to locate resources somewhere on the internet in order to function, and those apps are becoming more and more reliant on the DNS.
Online viewers of former FBI Director James Comey's live testimony last week generated a massive peak of 2.5 Tbps of live streaming video traffic on the Akamai platform, despite the hearing occurring in the middle of the work week, in the middle of the work day.
Too often, we are so focused on our day-to-day that we neglect to consider the bigger picture. I have been writing about recursive DNS and threat intelligence, Domain Generation Algorithms (DGAs), and DNS-based data exfiltration assuming that the vast majority of readers are familiar with the business impact of malware, ransomware, and phishing. Turns out, that isn't necessarily the case.
HTTP/2 is the second major version of the HTTP protocol. It changes the way HTTP is transferred "on the wire" by introducing a fully binary protocol, made up of TCP connections, streams and frames, rather than a plain-text protocol. Such a fundamental change from HTTP/1.x to HTTP/2 meant that client-side and server-side implementations had to incorporate completely new code to support the new HTTP/2 features. This introduces nuances in protocol implementations, which in turn might be used to passively fingerprint web clients.
In the last few posts, I talked about why recursive DNS (rDNS) combined with threat intelligence makes for such a simple-to-deploy security solution that effectively mitigates and prevents advanced, targeted threats. Not to belabor the point, but the recent punycode phishing news makes the effectiveness of rDNS plus threat intel even more evident. Identifying punycode domains lexically through a combination of rDNS and threat intel is quite straightforward, either by detecting phishing attempts to popular domains or by just identifying abnormal usage of different language variants.