Akamai Diversity
Home > Bill Brenner

Recently by Bill Brenner

Akamai InfoSec at BASC 2014

The Boston Application Security Conference (BASC) was this past weekend, and Patrick Laverty from Akamai InfoSec's CSIRT team gave a talk called "How Hackers View Your Web Site."

Patrick recorded the talk and posted it on his YouTube channel. Like everything he does, it's quite good. So I'm sharing it here.

Laverty described his talk this way:

"As defenders, we have to be right 100% of the time where an attacker only needs to be right once. The attack surface of a modern web site is incredibly large and we need to be aware of all of it. Additionally, individual attacks may not always be effective but sometimes using them together can gain the desired effect. In this talk, we'll take a look at the whole attack surface for a typical web site and the various ways that an attacker will use to compromise a site."

Poodle FAQ: What Akamai Customers Need to Know

The Poodle attack (CVE-2014-3566) raised many questions from our customers, peers, auditors, and prospects. This post addresses some of the most frequently asked questions, and provides an update on how Akamai is handling its operations during this industry-wide event. For a basic background on Poodle, please read Akamai CSO Andy Ellis's overview blog post, or Akamai Security Researcher Daniel Franke's in-depth analysis.

UPnP Devices Used in DDoS Attacks

Attackers are using Universal Plug and Play (UPnP) devices to launch massive DDoS assaults, Akamai's Prolexic Security Engineering & Research Team (PLXsert) warned this morning in an advisory.

PLXsert estimates that 4.1 million UPnP devices are potentially vulnerable to exploits used for reflection DDoS attacks. That's about 38 percent of the 11 million devices in use around the world. PLXsert plans to share the list of potentially exploitable devices to members of the security community in an effort to collaborate with cleanup and mitigation efforts.

Excerpt: How POODLE Happened

The following is an excerpt from Akamai Security Researcher Daniel Franke's blog post on the POODLE vulnerability.  

Bodo Möller, Thai Duong, and Krzysztof Kotowicz have just broken the internet again with POODLE, a new and devastating attack against SSL. POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption, permits a man-in-the-middle attacker to rapidly decrypt any browser session which utilizes SSL v3.0 -- or, as is generally the case, any session which can be coerced into utilizing it. POODLE is a death blow to this version of the protocol; it can only reasonably be fixed by disabling SSL v3.0 altogether.

This post is meant to be a "simple as possible, but no simpler" explanation of POODLE. I've tried to make it accessible to as many readers as possible and yet still go into full and accurate technical detail and provide complete citations. However, as the title implies, I have a second goal, which is to explain not merely how POODLE works, but the historical mistakes which allow it to work: mistakes that are still with us even though we've known better for over a decade.

For the full post, please visit Franke's blog

Your Microsoft Patch Update for October 2014

Microsoft released its October 2014 Security Update Tuesday. Windows, Internet Explorer, Office, Developer Tools and .NET Framework are among the items affected.

Here is the full patch matrix:

Five Good Security Articles

Articles I'm reading include such topics as the mounting cost of social engineering, the Mayhem Botnet's exploitation of Shellshock, and some tips for better security in the healthcare industry.

Akamai University: FedRAMP 101

Akamai Edge 2014 continues today with the second day of Akamai University and API Boot camp. To coincide with this, I'm running two security lessons that are part of an upcoming video series. This is the final installment, and was written by Akamai program managers James Salerno and Dan Philpott.

Akamai Edge 2014 begins today and tomorrow with two days of Akamai University and API Boot camp. To coincide with this, I'm running two security lessons that are part of an upcoming video series. This is the first installment, written by Akamai CSIRT researcher Patrick Laverty.

Akamai Edge 2014: Shellshock and Heartbleed Resources

Akamai Edge attendees will hear the names of two security vulnerabilities a lot this week: Shellshock and Heartbleed. Both shook the security industry to the core this year, and Akamai security staff spent countless hours working to protect customers against these threats.

Before Edge gets underway, here are some resources to get familiar with what we've done to address the threats.

More on the Web Security Track at Akamai Edge 2014:
In two weeks, I'll be at the Akamai Edge customer conference. It's a terrific opportunity to meet face-to-face with a lot of our customers and get their feedback on what's working for them and what we can improve upon. A robust Web Security track of talks is planned, and I'll be blogging about it. 

The security track will run each day of Edge. Here's a partial list of what's planned: