Akamai Diversity
Home > Bill Brenner

Recently by Bill Brenner

An Overview of the OSI Model with Akamai CSO Andy Ellis

In this video, Akamai CSO Andy Ellis gives an overview of the OSI model, abstraction layers, HTTP, TCP/IP and how together these things make the Internet work.

Schneier and Corman: A Conversation in Tweets

What does one do when he has to get on a plane right before one of the more anticipated keynotes at Akamai Edge? In my case, follow the tweets and retweet what I found most interesting.

Below are tweets from those attending the keynote discussion between security luminary Bruce Schneier and Akamai InfoSec's Josh Corman. I followed from the taxi, through the TSA line and from the gate, and it was worth it.


  1. I have to give both and Bruce Schneier props for rocking the stage here at Akamai Edge!

  2. Economics of classifying information on it's head. Incentives must shift to charging for classifying info.

  3. at : one of the problems with secrets: "There is no cost to classification." At least to those classifying things

  4. at The NSA is turning into a huge surveillance platform and we don't know how to fix it.

  5. is demonstrating why he is one of the foremost authorities on .

  6. Oh,   is asking Bruce Schneier the chaos vs control question. Will this result in the Balkanization of the internet?

  7. at : we are moving to a world of less secrecy. Stunned that NSA had no contingency plan for big leaks.

  8. : at : on computer security: Offense is easier and won't change anytime soon.

  9. "The onus is not on the breaker, it is on the maker" Bruce Schneier (only in a perfect world)

  10. at : one click is too many for security in most cases.

  11. Check out the orange shoes on  Bruce says "I like them on YOU"

Dissecting Operation Ababil at Akamai Edge

Operation Ababil has been a thorn in the side of financial institutions this past year, costing victims both business and sleep. At Akamai Edge, we've been talking a lot about the attacks -- particularly the lessons we've learned and the fresh security measures companies have put in place.

Thursday, Akamai CSO Andy Ellis led a panel discussion on the lessons learned, and earlier in the day John Summers -- VP of Akamai's security business -- shared some slides on the subject.

I was on the plane home by the time Andy got onstage, but I did attend Summers' talk and photographed his slides. Meanwhile, artist Natalia Talkowska -- who has been doing some fabulous live sketching at Edge -- captured Andy's panel discussion as it happened. What follows are the Summers slides and Natalia's sketch. Together, I think they present a pretty solid picture of the discussion.

Related reading:





Thumbnail image for BWPnzD9IMAAl3FK.jpg

George Delivers Security Message at Akamai Edge

At Akamai Edge I've been hanging out a lot with Dan Abraham, my InfoSec department colleague. I have yet to see him without George, the stuffed penguin who serves as our mascot and symbol of security awesomeness.

We've shown George a good time, taking him on a stroll around Washington DC Sunday. (He visited the Spy Museum and was not amused to discover that Ford's Theater was closed because of the government shutdown.) But he's earned it. This week, he's working overtime to deliver our security message.

Whenever someone catches sight of George, they ask Dan what the deal is. Dan then tells them about our internal efforts to be secure, and how George visits those who "do something awesome for security."

Since Dan can't talk to every single person who sees George and wonders about him, I thought a post was in order. What follows is my own personal history with George, and the education he's given me so far.

I met George long before starting this job, and I admit that I've had a little fun at his expense. During the RSA conference in San Francisco last February, I acquired a stuffed mini version of George and stuck him in the side pocket of an unsuspecting colleague, who spent the night bouncing from one vendor party to the next with no clue that a penguin's head was bouncing up and down on the side of his leg.

As this department's storyteller, I can't do that sort of thing anymore. I have to play nice with George and keep him happy. Akamai CSO Andy Ellis absolutely adores George, and failing to get on the flightless waterfowl's good side could prove career limiting.

The first time I met George, he looked familiar. Duh, you're probably thinking. Everyone knows what a penguin looks like. But the fluffiness of this guy was something distinctive that stuck in my mind like a thorn. So I did some digging and remembered: I had run into his likeness dozens of times during family trips to the New England Aquarium. He was always in the gift shop, sold in stuffed animal form and in a smaller, rubber version. My youngest son Duncan had one of the latter. His name was Bucky, and he brought the child tremendous joy until he got old and worn out, at which point his rubber butt fell off.

It turns out one of the stuffed penguins was purchased by an Akamai employee during a team outing, and she was allowed to make the purchase as a business expense. That meant he had to be put to work.

And so Akamai's InfoSec emissary was born.

The little dude even has his own Twitter account (@SecurityPenguin), LinkedIn page and website.

Here's how he describes himself on LinkedIn:

"I am a highly motivated information security professional, looking to promote awareness of security practices. In my role as the Penguin of Awesome, I promote and recognize practices that promote and raise awareness of Information Security. I am assigned in 1-week rotations to shadow staff who have helped make Akamai a more Security-aware place to work, so that I may learn from them and make sure that their peers know how awesome they are."

He even has some LinkedIn recommendations. Akamai InfoSec CSIRT Director Michael Smith wrote, "GTP is hands-down the most awesome dictator that I have ever had the opportunity to work for. Just the other day I asked him 'George, I'm having a problem getting the sales reps to say no to customer audits, would it help if I showed up at meetings with a crowbar and threatened them physically?' He nibbled on his herring lunch and nodded. Such genius, such drive, such vision!"

There are pictures on the wall of team members with George. The photo op is something that comes your way in recognition of a job done well. My mug isn't up there yet, but it's something I covet. 

Still, as popular as he is around here, there's something mysterious about George. There's a lot we don't know about him. There are rumors that he has a nemesis out there, someone dedicated to trouncing on the InfoSec principals we hold most dear.

I do have 20 years of reporting experience under my belt, and I intend to use those skills to peel back the layers of mystery.

Stay tuned.


Bots, Crawlers Not Created Equally

A few months ago, Akamai Senior Enterprise Architect David Senecal wrote a post about ways to identify and mitigate unwanted bot traffic. Here at the Akamai Edge conference in Washington D.C., discussions around that continue -- specifically, how to squeeze the maximum usefulness out of bots and other Web crawlers.

Yesterday, I continued a discussion I've been having about that with Matt Ringel (@ringel on Twitter), an enterprise architect in Akamai's Professional Services team. (Check out Matt's recent post, "You Must Try, and Then You Must Ask.")

The first order of business was to throw cold water on the notion that all bots are the work of bad guys. 

"People think of bot armies descending on your site like locusts, killing your performance and wrecking your infrastructure," Matt said. "But in terms of commerce and the ability to do things like making price comparisons, some bots will give people faster access to your information, which is worthwhile in certain contexts."

To start down that road, let's break bots down to two categories:

  • The nasties that do nothing but weigh down your infrastructure (low usefulness, high load on resources).
  • Those that can be useful to your business if properly directed. (These fall into the category of high usefulness, but with lower or higher loads.)
Let's say you have a site that sells LED flashlights and you want potential customers to find you within seconds of a Google search. Price-comparison bots can help Google's own crawlers find you more quickly. Then Google can tell the user to "buy LED flashlights from these sites," including yours, and -- if you're lucky -- starting with yours.

For businesses, the question is how to get to "high usefulness, low load" as often as possible. That's where using an application programming interface (API) comes in handy. 

APIs are good for, among other things, setting up online partnerships with resource sharing. A business solution to mitigating the effect of high-load, high-usefulness crawlers is to offer an API to the entity if the opportunity arises. This is typically a much more efficient way to receive pricing data than crawling your website.

If there's no way to make a partnership, periodically creating static versions of your sites and directing bots to those sites will lighten the load on your infrastructure. A bot will not interact with a dynamic website the way a user would, so there is no need to show them one.

An alternate technical solution is to set up network rate limits for aggressive bots, especially if they're not very useful to you. 

Another way to slow down bots is through browser testing -- planting a javascript "puzzle" the crawler needs to solve in order to proceed. If a bot isn't running a javascript engine, it won't be able to get through. Even if it has such an engine -- some do -- it effectively rate limits the bot by causing it to spend more CPU resources per request.

A more subtle way to foil web crawlers is to use a spider trap. Here's how it works: Since bots read pages and follow links for data, one way to get them hopelessly lost is by putting in a link that's invisible to the user -- white-on-white text, for example -- that the bot will most certainly see. That link, in turn, leads to dozens of pages with randomly generated data, all having dozens of their own links.

With variations of these techniques in place, the business is now in a much-improved position to sell products online, even in the presence of bots and other crawlers.

Catch the rest of my discussion with Matt next week in the next episode of the Akamai Security Podcast.

Akamai Edge 2013 and Patch Tuesday

I'm in Washington D.C. for the Akamai Edge customer conference, and while it's easy to lose sight of the daily chores of security when you're spending the day listening to talks, there's still always work to be done. An example of that: Tuesday is Microsoft's regularly-scheduled security patch release.

We'll be talking to Akamai customers at Edge about how our efforts play into their vulnerability management needs. We'll also talk about our own efforts to keep our patches up to date. So it's fitting that Patch Tuesday coincides with our event. 

Microsoft has released an advance notification bulletin on what to expect tomorrow. Here's a breakdown:

Bulletin 1: Critical 
Remote Code Execution, affects Microsoft Windows, Internet Explorer

Bulletin 2: Critical 
Remote Code Execution, affects Microsoft Windows

Bulletin 3: Critical 
Remote Code Execution, affects Microsoft Windows, Microsoft .NET Framework

Bulletin 4: Critical 
Remote Code Execution, affects Microsoft Windows

Bulletin 5: Important 
Remote Code Execution, affects Microsoft Office, Microsoft Server Software

Bulletin 6: Important 
Remote Code Execution, affects Microsoft Office

Bulletin 7: Important 
Remote Code Execution, affects Microsoft Office

Bulletin 8: Important 
Information Disclosure, affects Microsoft Silverlight

There's been a lot of debate in the InfoSec community about the effectiveness (or lack thereof) of security awareness programs. More such discussion is likely this month as the Department of Homeland Security (DHS) promotes National Cyber Security Awareness Month.

Rather than repeat my own position on the matter, I'll direct you to the post "Security Awareness Programs: Better Than Nothing." For now, I'm thinking about how DHS's initiative fits in with the Akamai Edge customer conference taking place, appropriately, in Washington DC next week. As I noted a couple weeks ago, security will be a major part of the proceedings

There will be the Financial Services Roundtable Lunch on Security Information Sharing: Lessons Learned from Financial Services, and Former NSA Senior Counsel Joel Brenner will share his insider perspectives on the implications of our global reliance on the inter-connected and Internet-dependent way of life and how to address "the new faces of espionage and warfare on the digital battleground."

There will also be a keynote discussion with Bruce Schneier, founder and CTO of BT Managed Security Solutions, and Akamai CSO Andy Ellis will lead a panel discussion on the lessons of Operation Abibal.

As I cover these discussions, I'll tie them in with the themes of National Cyber Security Awareness Month. Beyond that, I'll write one post per week focusing on the individual themes, captured below. The exception will be week 2, as I'll be traveling. The following week's post will cover Oct. 7-18.

Stop Think Connect logo

Week One (October 1-4):
Launch of 10th Annual National Cybersecurity Awareness Month. Cybersecurity is Our Shared Responsibility

The next ten years in cybersecurity are critical to ensure a safe, secure, resilient cyberspace where the American way of life can thrive. Given the stakes we must remain focused on meeting the challenges of the next ten years.

keyboard keys

Week Two (October 7-11): 
Being Mobile: Online Safety and Security

Emphasizes the importance of cybersecurity no matter where you are or what device you are using.
Group of people

Week Three (October 15-18): 
Cyber Workforce and the Next Generation of Cyber Leaders

Highlights the importance of fostering the next generation cyber workforce through education and training.

keyboard keys

Week Four (October 21-25): 
Cyber Crime

Focuses on national and local efforts to prevent traditional crimes like theft, fraud, and abuse that can also take place online.

Man with a headset Week Five (October 28-31):
Critical Infrastructure and Cybersecurity
Highlights the growing intersection between cyber and physical security when protecting the Nation's critical infrastructure.

Silk Road, Tor and the Threat of DDoS

Whenever authorities bust somebody for alleged use of popular software for illegal purposes, there's always the chance digital miscreants will protest with DDoS and other attacks.

That's certainly a possibility after the FBI's arrest of Ross William Ulbricht, known as "Dread Pirate Roberts," alleged operator of Silk Road, a marketplace for illegal drugs. 

According to the Reuters news service, federal prosecutors charged Ulbricht with one count each of narcotics trafficking conspiracy, computer hacking conspiracy and money laundering conspiracy.

In a Forbes article, writer Andy Greenberg added that authorities seized the Silk Road website along with between $3.5 to 4 million in bitcoins, the cryptographic currency people use to buy drugs on Silk Road. In addition to the use of bitcoins, Ulbricht allegedly used Tor to conduct business.

Tor is free software used for online, anonymous communications. It moves Internet traffic along through a free, global volunteer network using thousands of relays to hide a user's location from those who might try to spy on them via traffic analysis and other methods.

Silk Road and Tor have many loyal users who will no doubt be unhappy with this latest turn of events. Don't be surprised if some of them express their feelings by launching fresh waves of DDoS attacks. The FBI's online resources are an obvious target, but when rage ensues everyone becomes fair game.

Of course, there's always the possibility nothing will happen and I'll be happy if proven wrong. But it's best to be prepared. As always, Akamai will monitor activity for its customers and protect them from what may come.


Was This Really One of the Internet's Biggest Attacks?

There was an interesting story in eWeek yesterday about "one of the largest attacks in the history of the Internet" taking place last week. It describes a 9-hour barrage against an unnamed entity that swelled to 100 Gigabits of traffic at its peak.

But does it really qualify as one of the biggest in Internet history? It's an impressive barrage, to be sure. 

Reading the article reminded me of a post Akamai CSO Andy Ellis wrote back in March about a 300 Gbps attack against SpamHaus.

(For additional perspective, check out Andy's blog post on "DNS reflection defense" and our page on Akamai's DNS security offerings)

He wrote at the time:

When we think about an attack an Akamai, we think about three things: the attacker's capacity, their leverage, and the target's capacity. And when we think about leverage, it's really comprised of two smaller pieces: how much cost efficiency the attacker expects to get, and how the target's resilience mitigates it. 300 Gbps isn't that bad when it's restricted to reflected DNS traffic -- if you have enough capacity to ingest the packets, they're pretty trivial to drop, and, until your network cards fill up, are less effective than a SYN flood. 

So why bother? Andy continued:

The attacker likely doesn't have 300 Gbps in their botnet - they probably have somewhere in the range of 3 to 60 Gbps. Attacks through DNS resolvers are amplified - so the attacker can create a larger attack than they might have otherwise, at the cost of reducing their leverage. In comparison the BroBot botnets are routinely tossing around 30 Gbps attacks, with peaks upwards of 80 Gbps.   Because they're willing to sacrifice their hosts, they have a wider range of attacks available to them. Commonly, they send HTTPS request floods - requiring their targets to negotiate full SSL connections, parse an HTTP request, and determine whether they'll deliver a reply or not. BroBot could certainly throw around a bit more bandwidth with DNS reflection - but against most of their targets, it would have less effect than some of their current tactics.

I write this with the admission that I'm not an expert in the metrics of data transfers and the size of Internet traffic in general. As a still-fairly-new Akamai employee, I'm learning quickly. But I'm not ready to shoot down the claims others make.

But as a long-time journalist, I also know how easy it it to make too much or too little of attack traffic patterns. In the hurry to cover breaking news, I've been the sucker of more than one claim over the years. So whenever I see "biggest" or "largest" in a headline, I'm an instant skeptic.

Having said that, I welcome your thoughts. Is this really that big, or is it hyperbole?


Security Webinars for SMBs

I'm pleased to announce a trilogy of webinars set for next month on web app security for SMBs: small-to-medium-sized businesses. 

We'll discuss the basic ingredients of web security for SMBs and eCommerce, common problems found at the mom-and-pop level, and ways to better prepare for security audits. Common hacking techniques and ways to defend your networks against them will also be covered. And, with the holiday shopping season coming up, we'll examine common holiday-related phishing tactics and how to avoid becoming a victim.

Joining us are Martin Fisher, director of information security at WellStar Health System, Steve Ragan, a trained hacker and staff writer at CSO Online, and Paul Roberts, editor-in-chief of The Security Ledger and former analyst with the 451 Group. 

We hope you can join us!

Thumbnail image for Security - Mailer1.jpg