
Recently by Bill Brenner

This month, I've been hosting a three-part webinar series on the challenges smaller companies face when it comes to Web security. This week and next, I'm presenting the recordings here.

WellStar Health System Security Director Martin Fisher joined me for part 1: "What Web Security Means for Small & Medium Businesses."

Video: What's a Zero-Day Vulnerability?

Akamai Chief Security Officer Andy Ellis gives a whiteboard lesson on zero-day vulnerabilities. 

Class is in session:


Web Shells, Backdoor Trojans and RATs

Akamai's CSIRT team advises companies to check their systems for Web shells, executable code running on a server that gives attackers remote access to a variety of critical functions.

Online adversaries can install Web shells by compromising legitimate Web applications on a server, using such tried-and-true techniques as SQL injection, Remote File Inclusion, an unvalidated file upload feature or through a valid user's stolen credentials.

Here are the basics of the CSIRT advisory, as written by Akamai Security Response Engineer Patrick Laverty:

A Web shell can also be seen as a type of Remote Access Tool (RAT) or backdoor Trojan file. The shell may be a full-featured administrative GUI or as simple as a single line of code that simply takes commands through a browser's URL field and passes them on to the back-end server.

Web shells can be written in any language that a server supports, and some of the most common are PHP and .NET languages. These shells can be extremely small, needing only a single line of code, or can be full-featured with thousands of lines. Some are self-sufficient and contain all needed functionality, while others require external actions or a "Command and Control" (C&C) client for interaction. When the shell is installed, it will have the same permissions and abilities as the user who put it on the server.

One of the most common PHP Web shells seen is the c99madshell. It is approximately 1,500 lines long and some of its features include displaying security measures the server may have in place, a file viewer that includes the files' permissions, an area where the user can run custom PHP code on the server, and the contents of phpinfo(). Phpinfo() is a core PHP function that creates a Web page and outputs valuable information about the OS, Web server and PHP configurations. It also has the ability to search the server for configuration files, password files and other writeable files and directories. It also has tools built in to encode/decode strings from various formats as well as a brute-force password cracker. It has a GUI to directly connect to a database server and if the attacker is concerned about detection, it has a function to self-delete the shell.

The big question we always try to answer is how those affected can fix the problem. Guidance in the advisory includes the following:

The main goal is to prevent a shell from getting on a server in the first place. The methods of infection include SQL injection and remote file inclusion through a vulnerable Web application. With frequent testing and monitoring, these vectors can be minimized.

For all types of shells, a search engine can be extremely helpful. Often, the shells will be used to spread malware onto a server and the search engines are able to see it. But some check the User-Agent and will display differently for a search engine spider than for a regular user. To find a shell, you may need to change your User-Agent to one of the search engine bots. Some browsers have plugins that allow you to easily switch a User-Agent. 

Once the shell is detected, simply delete the file from the server.
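The advisory above describes two detection angles: the shape of the shell itself (request data handed straight to a dangerous PHP call, often wrapped in a decoder) and User-Agent cloaking, where a spider sees content a browser does not. The script below is an added example of both checks; it is not Akamai CSIRT code. The sample PHP files, the HTML bodies and the scoring weights are constructed for the demonstration, and the `fetch_as_both` helper is a hypothetical convenience that does the two-User-Agent fetch the advisory suggests.

```python
"""Defensive web-shell triage: score PHP sources for shell-like patterns and
spot User-Agent cloaking. Added example, not code from the Akamai advisory."""
import re
import urllib.request
from typing import Dict, List, Tuple

# Functions that hand a string to the OS or back to the PHP interpreter.
DANGEROUS_CALLS = re.compile(
    r"\b(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open|create_function)\s*\(")
# Attacker-controlled request data (the "commands through the URL field" case).
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# Decoders commonly wrapped around an encoded payload to dodge plain string matching.
OBFUSCATION = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13|strrev)\s*\(")
# c99madshell is the family the advisory names; match on path or contents.
KNOWN_SHELL_NAMES = ("c99", "madshell")


def score_php(source: str, path: str = "") -> Tuple[int, List[str]]:
    """Return (score, findings). Weights are constructed for this example:
    a score of 3 or more means request data reaches a dangerous call on one line."""
    score, findings = 0, []
    for lineno, line in enumerate(source.splitlines(), 1):
        call = DANGEROUS_CALLS.search(line)
        if not call:
            continue
        name = call.group(0).rstrip("( \t")
        if REQUEST_INPUT.search(line):
            score += 3
            findings.append(f"line {lineno}: request data flows into {name}()")
        else:
            score += 1
            findings.append(f"line {lineno}: {name}() present")
        if OBFUSCATION.search(line):
            score += 2
            findings.append(f"line {lineno}: decoder wrapped inside {name}()")
    haystack = (path + "\n" + source).lower()
    if any(n in haystack for n in KNOWN_SHELL_NAMES):
        score += 2
        findings.append("known shell family name in path or source")
    return score, findings


def scan(files: Dict[str, str], threshold: int = 3) -> Dict[str, Tuple[int, List[str]]]:
    """Scan a {path: source} mapping and keep only entries at or above threshold."""
    results = {}
    for path, src in files.items():
        score, findings = score_php(src, path)
        if score >= threshold:
            results[path] = (score, findings)
    return results


HREF = re.compile(r"""href=["']([^"']+)["']""", re.I)


def cloaked_links(body_for_bot: str, body_for_user: str) -> List[str]:
    """Links served to a search-engine User-Agent but hidden from a browser."""
    return sorted(set(HREF.findall(body_for_bot)) - set(HREF.findall(body_for_user)))


GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0 Safari/537.36"


def fetch_as_both(url: str, timeout: float = 10.0) -> Tuple[str, str]:
    """Hypothetical helper: fetch url once as a crawler and once as a browser.
    Needs network, so the demo below uses constructed bodies instead."""
    bodies = []
    for ua in (GOOGLEBOT_UA, BROWSER_UA):
        req = urllib.request.Request(url, headers={"User-Agent": ua})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            bodies.append(resp.read().decode("utf-8", "replace"))
    return bodies[0], bodies[1]


# Constructed sample files: one benign page and two shell-shaped fragments.
SAMPLE_FILES = {
    "index.php": "<?php\n$title = 'Home';\necho htmlspecialchars($_GET['q'] ?? '');\n",
    "uploads/img.php": "<?php @eval(base64_decode($_POST['p'])); ?>",
    "cache/c99.php": "<?php\n// constructed fragment standing in for the ~1,500-line c99madshell\n"
                     "if (isset($_REQUEST['cmd'])) { passthru($_REQUEST['cmd']); }\n",
}
# Constructed responses: the spider is served an extra spam link the user never sees.
BOT_BODY = '<html><body><a href="/about">About</a><a href="http://example.invalid/pharma">cheap pills</a></body></html>'
USER_BODY = '<html><body><a href="/about">About</a></body></html>'

if __name__ == "__main__":
    for path, (score, findings) in scan(SAMPLE_FILES).items():
        print(f"{path}: score {score}")
        for f in findings:
            print("   ", f)
    print("cloaked links:", cloaked_links(BOT_BODY, USER_BODY))
```

The scoring is deliberately line-local: a one-line shell puts the superglobal and the dangerous call on the same line, while legitimate code that uses `exec()` rarely feeds it raw request data. Treat hits as triage candidates, not verdicts, and remember that deleting a flagged file does nothing about the injection, file-inclusion or upload weakness that let it in.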

A Twitter Chat on Cybercrime Defense

Yesterday, Akamai participated in a Twitter forum on cybercrime as part of National Cyber Security Awareness Month. Participants supplied a ton of great resources, which I think is worth sharing here. 

What follows are some of the tweets from the conversation. If you want to stay out of the attackers' crosshairs -- or if you're a victim looking for help -- you'll find what follows useful.

• If you're a victim, DOJ has a great site at where you can report a or identity theft.

• Check a site is using https:// *before* you login. Learn about the dangers of not doing so:

• You can also report phishing scams to the Internet Crime Complaint Center

• Cybercrime victims, file complaints: . victims, take 3 steps immediately:

• Guide for what to do if victim of cybercrime, including forms & what if it's your kid:

• FTC has detailed steps, checklists, & videos 2 help u prevent & resolve damage from :

• The "Victims of " resources sheet is good to have on hand before you need it.

• owners can also check out our whitepaper w/ plenty of tips:

• RT : Stay educated! Here are top 10 email of 2013 & expert tips to protect yourself

• Teach kids re: w/Fordham's great program:

• Final thought - subscribe to OnGuardOnline blog posts 2 learn about latest online scams & how to avoid them:

• Are u ready to protect yourself online? Test your skills on our game - The Case of the Cyber Criminal:

• RT : Seriously good advice. People are afraid to be blacklisted for one mistake, but it happens to the best of us.

• Check out our infographic on cybercrime & how small businesses can lose big

• Our blog at is a great resource for the latest info in security trends, tips and info.

• Oversharing info online & using unsecured public wi-fi makes it easier for criminals. Learn 2 use w/care:

• A lot of the training gives new employees on how to behave securely applies to what we're discussing here...

• If people suspect fraudulent activity, they should report it to their bank, local police, etc. Here's a list

• A lot of PII is shared (intentional or b/c we have many user accts). Helps bad guys social engineer. Advice:

• We provide pics of a few common Visa phishing scams on our security blog

• Guessable passwords played a role in 29% of 2011 breach investigations

• Weak passwords! We see "123456" and "password" used way too often. More fun stats we found:

• For newbies, social engineering is when the bad guys try to phish you with messages that look like legit business, news, etc.

• As a journalist, one of the things I covered a lot -- and still do at Akamai, is social engineering...


Akamai CSO Andy Ellis gives an overview of tokenization and why it exists, as well as a brief history of the credit card industry.

Video: Josh Corman on Different Adversary Classes

Akamai Director of Security Intelligence Josh Corman gives an overview of different adversary classes and their motivations.

IBM, Akamai Team Up in DDoS Fight

As part of a new partnership, IBM will integrate Akamai's Kona Site Defender with IBM's Cloud Security Services portfolio.

IBM Security Services General Manager Kris Lovejoy said her company decided to join forces with Akamai because of its track record in protecting customers from DDoS attacks.

"Our clients tell us there is a need to strengthen cloud security," Lovejoy said in a statement. "The partnership with Akamai combines a world-class security team and an intelligent network platform to strengthen cloud security. Together with Akamai, IBM can provide both proactive and reactive DDoS protection from the increasing frequency, scale and sophistication of these attacks."

Based on daily monitoring of security for more than 4,000 thousand clients, IBM sees DDoS attacks as an escalating problem. The average large company must filter through 1,400 cyber attacks weekly, according to the IBM Cyber Security Intelligence Index.

In its most recent State of the Internet report, Akamai documented a second-quarter rise in DDoS attacks. Akamai customers reported 318 attacks -- a 54 percent increase over the 208 reported in the first quarter. At 134 reported attacks, the Enterprise sector continued to be the leading target of DDoS attacks, followed by Commerce (91), Media and Entertainment (53), High Tech (23) and Public Sector (17).

The companies will also share security intelligence to better detect threats, identify security risks and areas of noncompliance, and set priorities for remediation. IBM's X-Force research and development will contribute global analytics capabilities and use its QRadar security solution, which gathers information from multiple sources and uses analytics to identify potential threats and breaches.

The result for clients is managed DDoS protection that covers a full spectrum of services, including:

• Preparation - development of readiness plans and response protocols
• Mitigation - proactively stop attacks before they affect clients' networks
• Monitoring - monitor network traffic, DDoS alerts, and the real-time health of IT resources
• Response - trained response experts on standby to assist with attacks; to contain, eradicate, recover and identify primary and secondary attacks
• Intelligence - deliver insights on internet threat conditions and provide real-time DDoS metrics


The latest Akamai State of the Internet report analyzes recent DDoS trends and includes a section on something I've written about a lot in recent months -- attacks from the so-called Syrian Electronic Army.

DDoS attacks spiked in the second quarter of 2013, with Akamai customers reporting 318 attacks -- a 54 percent increase over the 208 reported in the first quarter. At 134 reported attacks, the Enterprise sector continued to be the leading target of DDoS attacks, followed by Commerce (91), Media and Entertainment (53), High Tech (23) and Public Sector (17).

Also during the second quarter, the Syrian Electronic Army (SEA) claimed responsibility for several attacks against news and media companies. The attacks all exploited tried-and-true spear-phishing tactics where internal email accounts were compromised and used to collect credentials and gain access to Twitter feeds, RSS feeds and other sensitive information. The attacks were designed to spread propaganda about the regime of Syrian President Bashar al-Assad, and they have indeed attracted plenty of media attention in recent months.

The quarter covered in the latest report ended June 30, but the SEA's antics have continued. In late August, for example, users couldn't access many high-profile websites one day after SEA launched a targeted phishing attack against a reseller for Melbourne IT, an Australian domain registrar and IT services company. At the time, the IDG News Service reported that the attack allowed hackers to change the DNS records for several domain names including nytimes.com, sharethis.com, huffingtonpost.co.uk, twitter.co.uk and twimg.com -- a domain owned by Twitter.

"This resulted in traffic to those websites being temporarily redirected to a server under the attackers' control," the news service reported. "Hackers also made changes to the registration information for some of the targeted domains, including Twitter.com. However, Twitter.com itself was not impacted by the DNS hijacking attack."

There was some concern that the SEA would use the anniversary of 9-11 and news of potential military action in Syria as an excuse to unleash a fresh wave of DDoS attacks in September, but that spike never materialized.

Additional reading:



Are You a Future Akamai Security Professional?

It's week three of Cyber Security Awareness Month at the U.S. Department of Homeland Security, and the focus is on the future security workforce. Here's what DHS says on its website:

As technology continues to evolve and improve, the need to protect against evolving cyber threats also requires improvement and expansion. To meet the growing technological needs of government and industry, the Department of Homeland Security (DHS) is building strong cybersecurity career paths within the Department and in partnership with other government agencies. In order to ensure that the next generation of cyber leaders is prepared to protect against cyber threats, it is crucial that we help to prepare them. To accomplish this critical task, we have created a number of very competitive scholarship, fellowship, and internship programs to attract top talent. As the agency responsible for securing federal civilian networks, DHS works closely with its partners in the private sector and federal, state and local governments to educate and engage the next generation of cyber professionals.

It's a cause we support at Akamai, given our role in protecting many of the biggest entities on the Internet. We work hard to instill strong security scruples in all employees, who get about an hour of security training as part of their first-day orientation. Meanwhile, our InfoSec department has grown dramatically this past year. Without a doubt, we'll always need fresh security talent.

One thing I'm learning is that we have to cast a wider net for security talent. We can't limit our search to the usual places, like the halls of academia. It's a point Mark Weatherford, former undersecretary of cybersecurity for DHS, made during an event last year put on by CSO Magazine.

He spelled it out this way: If you're a so-called computer geek who likes to break things and put them back together again, the Department of Homeland Security's cybersecurity division wants you. Nobody would expect you to stick around forever, and lack of a college degree wouldn't necessarily be a deal-breaker.

"We need to make it so people want to do this for a career," he said at the time. The goal isn't necessarily to create DHS lifers, but to make the agency's cybersecurity division a step on the career ladder. For the most part, he said, "people don't work in government forever. But having DHS experience on your resume will mean a lot when you go back out to the private sector."

And despite all that's been said about the importance of a college education for those hoping to succeed in the workforce, Weatherford said those without a degree are welcome to come forward.

"There are people out there who didn't go to college, but they spent much of their time breaking things and putting them back together," and DHS needs their help, too, he said.

After a stint with DHS, who knows what could be next? As I said, Akamai always has its eyes open in the never-ending search for security talent.

This week Akamai released its State of the Internet report for the second quarter of 2013, and the security section includes some changes since the last go-around.

Based on data gathered from the Akamai Intelligent Platform, the report provides insight into key global statistics such as network connectivity and connection speeds, attack traffic, and broadband adoption and availability. One of the things we track is the origin of attack traffic around the world, and that will be the focus of this post.

What's new this time is that Indonesia replaced China as the top producer of attack traffic. Indonesia nearly doubled its first-quarter share, from 21 to 38 percent, while China moved to second at 33 percent -- down one percentage point from last time. The United States remained in third even after dropping to 6.9 percent in the second quarter from 8.3 percent in the first quarter.

The top 10 countries and regions generated 89 percent of observed attacks, up from 82 percent in the previous quarter. Like the first quarter, Indonesia and China again originated more than half of the total observed attack traffic.

The choice of ports used to launch attacks shifted this time around. For the first time since the inaugural State of the Internet Report (first quarter of 2008), Port 445 (Microsoft-DS) was not the most targeted port for attacks, dropping to third place at 15 percent, behind Port 443 (SSL [HTTPS], 17 percent) and Port 80 (WWW [HTTP], 24 percent).

Indonesia originated the vast majority (90 percent) of attacks targeting Ports 80 and 443, up from 80 percent last quarter.

My next State of the Internet post will focus on the DDoS trends captured in the latest report, as well as the attacks we've been tracking from the Syrian Electronic Army.

Additional reading: