Akamai Diversity

Recently by Bill Brenner

5 Noteworthy Security Headlines

Every morning I scan the news headlines for stories that may have an impact on Akamai customers and the wider security community. Today I direct you toward five items worth keeping an eye on.

Data Broker Giants Hacked by ID Theft Service
By Brian Krebs, Krebs on Security
An identity theft service that sells Social Security numbers, birth records, credit and background reports on millions of Americans has infiltrated computers at some of America's largest consumer and business data aggregators, according to a seven-month investigation by KrebsOnSecurity.

Recycled Yahoo Email Addresses Still Receiving Messages for Previous Owners -- Passwords Included
By Lee Munson, Sophos Naked Security blog
Yahoo announced in June 2013 that it was going to recycle inactive email addresses by giving them to other users who wanted them. Security experts and other critics raised concerns about Yahoo's plan at the time, and sure enough, some new owners of recycled accounts have received messages of a sensitive nature.

Researcher: Exploit kits revolutionize automated malware production
By Brandan Blevins, SearchSecurity
In the past, producing a unique malware sample was a time-consuming process that required knowledge of both programming and security systems. Now, a researcher has shown how automation has revolutionized malware production, turning it into a trivial pursuit for even novice attackers.

Social media, mobile phones top attack targets
By John P. Mello, Jr., CSOonline
Social media has become a top target of hackers and mobile devices are expanding that target, IBM reported on Tuesday in its X-Force 2013 Mid-Year Trend and Risk Report.

Banks Plan National Cyber-Attack Drill
By Tracy Kitten, Bankinfosecurity
More than 1,000 banks will test their incident response strategies by participating in a simulated cyber-attack exercise. SWACHA's Dennis Simmons says the drill, which is open to more participants, will help bolster defenses.

Akamai InfoSec at Several Security Cons This Week

There are several important security conferences this week and this coming weekend, and Akamai InfoSec will participate in all of them. 

Security Advocate Dave Lewis is at two events in Chicago: ASIS 2013 and the (ISC)2 Congress.

London-based Security Advocate Martin McKeay is attending BruCON 2013 in Ghent, Belgium.

Meanwhile, Akamai CSO Andy Ellis and Security Intelligence Director Joshua Corman are headed to DerbyCon 3.0 in Louisville, Kentucky.

Andy will give a talk Friday called, "Cognitive Injection: Reprogramming the Situation-Oriented Human OS" and Josh is on deck for a Saturday talk called "The Cavalry Is Us: Protecting the public good and our profession."

Abstract for Andy's talk:

Cognitive Injection: Reprogramming the Situation-Oriented Human OS
Description: "It's a trope among security professionals that other humans - mere mundanes - don't 'get' security, and make foolish decisions. The human operating system has programmed itself over the last 50,000 years in ways that are understandable and manipulable. We can dynamically reconfigure human wetware to cause them to act and react in more desirable ways.

"Armed with these tools, the discerning organizational hacker can treat a group of humans as we would any other legacy distributed system; one which we can upgrade and modify to solve problems in more desirable ways! Beware, though, for these systems are Byzantine, complex, and are resistant to clumsy reprogramming efforts."

Abstract for Joshua's talk:

The Cavalry Is Us: Protecting the public good and our profession
Description: "The Cavalry Isn't Coming. Our fate falls to us or to no one. At BSidesLV and DEF CON 21, a call was made and many of you have answered. Here at DerbyCon, we begin the work of shaping our futures. We face a clear and present danger in the criminalization of research, to our liberties, and (with our increased dependence on indefensible IT) even to human safety and human life. What was once our hobby became our profession and (when we weren't looking) now permeates every aspect of our personal lives, our families, our safety... Now that security issues are mainstream, security illiteracy has led to very dangerous precedents as many of us are watching our own demise. We're here to help us all hit rock bottom in the pursuit of something better. At some point the pain of maintaining inertia will exceed the pain of making changes, so it is time for some uncomfortable experimentation.


"This session will both frame the plans to engage in Legislative, Judicial, Professional, and Media (hearts & minds) channels and to organize and initiate our "constitutional congress" working sessions for Saturday & Sunday downstairs in Bellmonte. The time is now. It will not be easy, but it is necessary, and we are up for the challenge. It's high time we make our dent in the universe. For background, please watch the video of the launch of @iamthecavalry : http://bit.ly/16YbpC1 > Join the conversations also at: google group: https://groups.google.com/d/forum/iamthecavalry"



Building a Security Page

Earlier this month, I told you about the second phase of efforts to raise Akamai's profile as a security company. This post is an update on the last goal I mentioned: creating a security page on the Akamai website.

The page will allow InfoSec practitioners to access all our security content in one place. There will be easier access to the security blog posts, podcasts and videos we already produce daily as well as such new content as slideshows, infographics, research papers and articles on topics that matter to customers and the security community as a whole.

Another goal is to make it a place where customers can get their questions answered more quickly. We constantly field questions. Sometimes it's a compliance question. Sometimes it's about how someone may or may not be affected by an attack making headlines. Along the way, we've written up a lot of answers, and want to make them available on the new page. If you can go to our page and find the answer to a question you have, it can save a lot of time.

We also have an army of thought leaders in Akamai InfoSec who frequently travel to security conferences to deliver talks about new threats and the best security practices. We think it would be valuable to show you who among us is traveling, where we're going and what we'll be presenting on. To that end, a calendar for the page is in the works.

We hope to have the page up and running sooner rather than later. It's coming together nicely, though we don't have a specific launch window just yet.

We welcome your comments and feedback as the project continues to take shape. 

Meantime, here's the concept I sketched out at the beginning. It's a rough drawing, but it conveys the idea well enough:


Defending Against Watering-Hole Attacks

A researcher at Cisco Systems published a blog post yesterday that Akamai customers and the larger security community should be aware of. The subject: "watering-hole" attacks.

It's something Cisco researchers -- and Akamai's CSIRT team -- have been tracking for some time. In May, Threat Research Engineer Jaeson Schultz wrote about the increasing popularity of the attack technique.

He wrote at the time, "Watering-hole attacks, as evidenced by the recent attack involving the U.S. Department of Labor, are becoming increasingly popular as alternatives to attacks such as Spear Phishing. In a Watering Hole attack, the attacker compromises a site likely to be visited by a particular target group, rather than attacking the target group directly. Eventually, someone from the targeted group visits the 'trusted' site (A.K.A. the 'Watering Hole') and becomes compromised."

Threat researcher Emmanuel Tacheau's post from yesterday provides updated data on who these attacks are targeting and the methods used.

Beginning in May, he wrote, Cisco TRAC started to see several malicious redirects targeting the Energy & Oil sector. The structure, he said, consisted of several compromised domains, of which some play the role of redirector and others the role of malware host. Watering-hole style domains infected with the malicious iframe included:

  • An oil and gas exploration firm with operations in Africa, Morocco, and Brazil;
  • A company that owns multiple hydro electric plants throughout the Czech Republic and Bulgaria;
  • A natural gas power station in the UK;
  • A gas distributor located in France;
  • An industrial supplier to the energy, nuclear and aerospace industries; and
  • Various investment and capital firms that specialize in the energy sector.

"Encounters with the iframe injected web pages resulted from either direct browsing to the compromised sites or via seemingly legitimate and innocuous searches," he wrote. "This is consistent with the premise of a watering-hole style attack that deliberately compromises websites likely to draw the intended targets, vs. spear phishing or other means to entice the intended targets through illicit means."

Akamai CSIRT Director Michael Smith said that in watering-hole attacks, the bad guys attack one's website to use it as a platform to attack the browser. 

"The interesting thing with energy-sector websites is that they usually service a particular geography, say the NE United States or France," he said. "Energy sector websites also sometimes are supplier portals for a particular vertical such as gas companies."

Since Akamai deals with the server side of the watering hole equation, we have a set of recommendations for our customers:

  • Use our Web Application Firewall with cross-site scripting (XSS), command injection, and SQL injection rules in deny mode.
  • Protect access to your Content Management System as a high-criticality system.
  • Restrict access to content and CMS to specific geographies.
  • Look at third-party content (such as advertising services) and have a plan to disable that content if the provider becomes compromised.
  • Secure your DNS registration and name servers to keep attackers from redirecting the entire domain to an arbitrary location.
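The injected-iframe pattern Cisco describes above is something the site owner can check for on the served pages themselves, which complements the WAF and third-party-content recommendations. The scanner below is an added example written for this post, not Akamai or Cisco code. It parses an HTML page and flags iframes, scripts and plugin objects that load from an origin outside an assumed allowlist of approved third-party providers (ALLOWED_ORIGINS, a hypothetical list), that are hidden or zero-sized, or that come from a provider the site has revoked after a compromise (the kill switch from the fourth recommendation). The sample page and all hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this site has signed off on for third-party content (hypothetical list).
ALLOWED_ORIGINS = {"cdn.example-energy.test", "ads.approved-partner.test"}

# Tags that pull and execute/render remote content; the usual carriers of a
# watering-hole payload.
LOADER_TAGS = {"iframe", "script", "object", "embed"}


class InjectedContentScanner(HTMLParser):
    """Collects loader tags whose source is off-site, revoked, or hidden."""

    def __init__(self, site_host, allowed_origins, revoked_origins=()):
        super().__init__()
        self.allowed = set(allowed_origins) | {site_host}
        self.revoked = set(revoked_origins)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in LOADER_TAGS:
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src") or a.get("data")       # <object data=...>
        if not src:
            return
        host = urlparse(src).hostname             # None for relative URLs (same origin)
        reasons = []
        if host is not None:
            if host in self.revoked:
                reasons.append(f"origin {host} revoked (provider compromised)")
            elif host not in self.allowed:
                reasons.append(f"off-site origin {host}")
        if tag == "iframe" and self._hidden(a):
            reasons.append("hidden or zero-sized iframe")
        if reasons:
            self.findings.append(
                {"line": self.getpos()[0], "tag": tag, "src": src, "reasons": reasons}
            )

    @staticmethod
    def _hidden(a):
        # Injected iframes are typically display:none or 0x0 so the visitor
        # never sees the redirector load.
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            return True
        for dim in ("width", "height"):
            value = a.get(dim, "").strip().lower().rstrip("px")
            if value.isdigit() and int(value) <= 1:
                return True
        return False


def scan_html(html, site_host, allowed_origins=ALLOWED_ORIGINS, revoked_origins=()):
    """Return the list of suspicious loader tags found in `html`."""
    scanner = InjectedContentScanner(site_host, allowed_origins, revoked_origins)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed page: two approved third-party loads, one same-origin script,
# one approved iframe and one injected, hidden, off-site iframe.
SAMPLE_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://ads.approved-partner.test/tag.js"></script>
<script src="//cdn.example-energy.test/lib.js"></script>
</head><body>
<h1>Supplier portal</h1>
<iframe src="https://cdn.example-energy.test/map"></iframe>
<iframe src="http://198.51.100.23/counter.php" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_PAGE, "www.example-energy.test"):
        print(finding)
    # Kill switch: the ad provider is treated as compromised, so its tag is flagged too.
    for finding in scan_html(SAMPLE_PAGE, "www.example-energy.test",
                             revoked_origins={"ads.approved-partner.test"}):
        print("revoked-run:", finding)
```

Run it against a crawl of your own published pages (or against the origin response before the CDN caches it) and diff the output against the previous run; a new off-site or hidden loader on a page that did not change in the CMS is exactly the signal a CMS compromise or a rogue ad tag produces.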

Akamai Edge 2013: The Deeper Security Dive

A few days ago I told you about all the security awesomeness planned for the Akamai Edge customer conference. Today, I'm delving deeper into the agenda for a look at the more technical talks.

For the overview, see the post "Security Front and Center at Akamai Edge 2013."

Now for that deeper dive...

Wednesday, Oct. 9:

Noon-1:30 p.m.: Financial Services Roundtable Lunch: Security Information Sharing - Lessons Learned from Financial Services: Join us for our annual financial services luncheon and roundtable discussion. This year's session will include speakers from the FS-ISAC (Financial Services Information Sharing and Analysis Center), USAA, and TD Bank. Come learn about the FS-ISAC, and hear how the financial services industry shares threat intelligence to protect critical systems and assets. Take part in the conversation, share your experiences, and network with your peers. The session is open to all conference attendees. Commerce, High Tech and other Akamai customers are encouraged to join and learn how the banks share cyber threat intelligence.

Discussion leaders:

Rich Bolstridge, Akamai, Chief Strategist, Financial Services

Denise Anderson, FS-ISAC, Vice President, Government and Cross-Sector Programs

Don Clemmons, USAA, Technical Fellow

Dave Grau, TD Bank, Head of Threat Response, Intelligence, and Defensive Technologies

2:20-3 p.m.: Developers' Lab II: Akamai Observed Attacks and Mitigation Techniques - A Real-time Demonstration

4:20-5 p.m.: Government Forum Keynote by Joel Brenner, NSA, Former Senior Counsel - Glass Houses: Privacy, Secrecy, and Cyber Insecurity in a Transparent World

5:15-5:45 p.m.: Main Stage Partner Keynote: Observations on Modern Cyber Crime and Espionage

Thursday, Oct. 10:

10:30-noon: Kona - Web Security Roadmap: Gimme Shelter - How Kona Site Defender, IP Defender, and Cloud Security Intelligence Will Help You Weather Cyber Storms in the Coming Year: Explore the latest attack trends, from the Russian Business Network and the Al Qassam Cyber Fighters to Vietnamese Carders and Account Checkers. Learn how to tune rules to avoid "noise" and capitalize on the latest rules created to help protect customers across the Akamai Intelligent Platform. Discover how to implement the newest Kona Site Defender features and what features are still to come in 2013. Learn how Kona IP Defender will extend protection to your entire data center. Hear how the User Validation Module has successfully defended against Account Checkers at some of the largest eCommerce sites in the world. Understand how Cloud Security Intelligence will lead to even greater sets of rules in the future.

1:30-2:10 p.m.: Security Keynote: A Conversation with Bruce Schneier

1:30-2:10 p.m.: Developers' Lab II: Leveraging Akamai's Kona Security APIs

2:20-3 p.m.: Security Panel: Operation Ababil Anniversary Panel - What We Have Learned: Launched in the fall of 2012, Operation Ababil has been the most visible and sustained battle in the security landscape. This well-funded, well-organized adversary has caused loss of business for many financial institutions and loss of sleep for a great many more. This panel will consist of a conversation with information security leaders from several institutions discussing what lessons they have drawn from the past year's response and the practices they have put into place that have improved the security posture of their organizations and from which others can benefit. Confirmed panelists include David Cripps, CISO, Investec, and Denise Anderson, Vice President Programs and Services, Financial Services Information Sharing and Analysis Center (FS-ISAC).

2:20-3 p.m.: Developers' Lab II: Akamai Observed Attacks and Mitigation Techniques - A Real-time Demonstration

3:30-4:10 p.m.: Security Tech Session: Big Data Intelligence - Harnessing Petabytes of WAF Statistics to Analyze and Improve Web Production in the Cloud: As web application attacks turn into massive campaigns against large corporations across the globe, web application firewall data increases exponentially, leaving security experts with a big data mess to analyze. Pinpointing real attacks in a sea of security event noise becomes an almost impossible tedious task. In this presentation, we will unveil a unique platform for collecting, analyzing and distilling Petabytes of WAF security intelligence information. Using the collected data, we will discuss the OWASP ModSecurity Core Rule Set project's accuracy, and reveal common attack trends, as well as our impressions and suggestions for how to wisely make the best out of the CRS project.

3:30-4:10 p.m.: Commerce Security Threat Briefing with Akamai CSIRT Director Mike Smith

Friday, Oct. 11:

9-9:40 a.m.: Security Session: USAA - Optimized Kona Site Defender and Real World Usage: Web attacks - they aren't something to fear, they are something to expect and prepare for. Please join Josh Stevens and Neelsen Cyrus, Senior Security Analysts at USAA, to hear how their team has leveraged Akamai Kona Site Defender to stop attacks while preserving site performance and availability. The team will focus on operational efficiencies gained by replacing error-prone, manual WAF updates with automation using Akamai's Network List API for Network Layer Protection.

9:50-10:30 a.m.: Security Session: The Many Dimensions of Web Security

9:50-10:30 a.m.: Developers' Session I: Leveraging Akamai's Security APIs



A couple weeks ago, Akamai's CSIRT team warned that chaotic actors could use the anniversary of 9-11 and news of potential military action in Syria as an excuse to unleash a fresh wave of DDoS attacks. 

Fortunately, the week turned out to be pretty quiet.

The Syrian Electronic Army (SEA), a pro-Assad hacking group, mostly held its fire, and those wanting to exploit the 9-11 anniversary were nowhere to be found.

I asked Mike Kun of the CSIRT team for a post-mortem, and here's what he had to say:

The SEA was quiet, and I believe that's because of a combination of not having a good excuse for actions against the US while the US was debating Syria, and they might have been involved in OpIsrael Reborn. A substantial number of middle eastern hackers were involved in OpIsrael Reborn, which was just as effective as the last OpIsrael, which is to say not very. It seems most of the attention is focused on targets other than the US right now. QCF remained dormant. They haven't done anything of note since declaring Phase 4 in late July.

I really was expecting more, honestly, but it seems the Syria negotiations and a few ops kept everyone distracted from the US.

Security Front and Center at Akamai Edge 2013

At this year's Akamai Edge Conference, taking place Oct. 7-11 in Washington DC, security will be a central part of the agenda.

One of the three tracks this year is a Web Security Symposium, tailored to meet the needs of security professionals looking to protect their organization from unwanted network or application layer attacks, while improving the exchange of information between employees, customers and business partners on any device, anywhere. Topics include:

  • Developing strategies to secure your data, sites and applications
  • Security without compromising performance
  • Web security customer panel discussions
  • Managing enterprise global security in a hybrid cloud environment
  • Mobile security insights and best practices

Security heavyweights are featured prominently on the keynote roster.

There will be the Financial Services Roundtable Lunch on Security Information Sharing: Lessons Learned from Financial Services, and Former NSA Senior Counsel Joel Brenner will share his insider perspectives on the implications of our global reliance on the inter-connected and Internet-dependent way of life and how to address "the new faces of espionage and warfare on the digital battleground."

There will also be a keynote discussion with Bruce Schneier, founder and CTO of BT Managed Security Solutions, and Akamai CSO Andy Ellis will lead a panel discussion on the lessons of Operation Ababil.

Akamai CSO Andy Ellis offers more of an overview here:

We look forward to seeing you there!



Microsoft's September Patch Matrix

Microsoft released its monthly patch load this week. To help identify and deploy the security fixes, here's a table showing the different bulletins, the severity of the flaws, and the products impacted.

MS13-067: Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)
  Severity / impact: Critical / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Office, Microsoft Server Software
  Summary: This security update resolves one publicly disclosed vulnerability and nine privately reported vulnerabilities in Microsoft Office Server software. The most severe vulnerability could allow remote code execution in the context of the W3WP service account if an attacker sends specially crafted content to the affected server.

MS13-068: Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)
  Severity / impact: Critical / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Office
  Summary: This security update resolves a privately reported vulnerability in Microsoft Outlook. The vulnerability could allow remote code execution if a user opens or previews a specially crafted email message using an affected edition of Microsoft Outlook. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS13-069: Cumulative Security Update for Internet Explorer (2870699)
  Severity / impact: Critical / Remote Code Execution
  Restart: Requires restart
  Affected software: Microsoft Windows, Internet Explorer
  Summary: This security update resolves ten privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited the most severe of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS13-070: Vulnerability in OLE Could Allow Remote Code Execution (2876217)
  Severity / impact: Critical / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Windows
  Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS13-071: Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)
  Severity / impact: Important / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Windows
  Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user applies a specially crafted Windows theme on their system. In all cases, a user cannot be forced to open the file or apply the theme; for an attack to be successful, a user must be convinced to do so.

MS13-072: Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)
  Severity / impact: Important / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Office
  Summary: This security update resolves 13 privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS13-073: Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)
  Severity / impact: Important / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Office
  Summary: This security update resolves three privately reported vulnerabilities in Microsoft Office. The most severe vulnerabilities could allow remote code execution if a user opens a specially crafted Office file with an affected version of Microsoft Excel or other affected Microsoft Office software. An attacker who successfully exploited the most severe vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS13-074: Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)
  Severity / impact: Important / Remote Code Execution
  Restart: May require restart
  Affected software: Microsoft Office
  Summary: This security update resolves three privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Access file with an affected version of Microsoft Access. An attacker who successfully exploited the vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

MS13-075: Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)
  Severity / impact: Important / Elevation of Privilege
  Restart: May require restart
  Affected software: Microsoft Office
  Summary: This security update resolves a privately reported vulnerability in Microsoft Office IME (Chinese). The vulnerability could allow elevation of privilege if a logged on attacker launches Internet Explorer from the toolbar in Microsoft Pinyin IME for Simplified Chinese. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full administrative rights. Only implementations of Microsoft Pinyin IME 2010 are affected by this vulnerability. Other versions of Simplified Chinese IME and other implementations of IME are not affected.

MS13-076: Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)
  Severity / impact: Important / Elevation of Privilege
  Restart: Requires restart
  Affected software: Microsoft Windows
  Summary: This security update resolves seven privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs onto the system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.

MS13-077: Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)
  Severity / impact: Important / Elevation of Privilege
  Restart: Requires restart
  Affected software: Microsoft Windows
  Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker convinces an authenticated user to execute a specially crafted application. To exploit this vulnerability, an attacker either must have valid logon credentials and be able to log on locally or must convince a user to run the attacker's specially crafted application.

MS13-078: Vulnerability in FrontPage Could Allow Information Disclosure (2825621)
  Severity / impact: Important / Information Disclosure
  Restart: May require restart
  Affected software: Microsoft Office
  Summary: This security update resolves a privately reported vulnerability in Microsoft FrontPage. The vulnerability could allow information disclosure if a user opens a specially crafted FrontPage document. The vulnerability cannot be exploited automatically; for an attack to be successful a user must be convinced to open the specially crafted document.

MS13-079: Vulnerability in Active Directory Could Allow Denial of Service (2853587)
  Severity / impact: Important / Denial of Service
  Restart: May require restart
  Affected software: Microsoft Windows
  Summary: This security update resolves a privately reported vulnerability in Active Directory. The vulnerability could allow denial of service if an attacker sends a specially crafted query to the Lightweight Directory Access Protocol (LDAP) service.

Internet Security Central To Danny Lewin's Legacy

With the 12th anniversary of 9-11 this week, I'll be focusing on posts about the legacy of Danny Lewin -- Akamai co-founder and casualty of that terrible day. I'll also look at Akamai's crucial role in keeping the Internet afloat that day and in the aftermath, and how it shaped the way we operate today. Let's begin with this post, originally written in June, as I was getting up to speed on Akamai and its history.
 

Long before coming to work here, I knew Danny Lewin was co-founder of Akamai and that he died Sept. 11, 2001. But that was about all I knew. Then I got a tweet from Ben Rothke, manager of information security at Wyndham Worldwide Corp., suggesting that Lewin's story needed to be retold. Since I was now at Akamai, he said, I was the man to do it.

So I did my homework over the weekend, reading multiple articles about Lewin's legacy. There were all the stories about the man's genius and drive. But two things stuck with me, both regarding the events of Sept. 11, 2001. One was the image of Lewin trying to stop the terrorists from taking over the plane, an act that made him the first death of that terrible day. Then there were the accounts of Akamai employees who knew he was on Flight 11 when it slammed into the north tower of the World Trade Center and, knowing the country was under attack, had to decide whether to go home or stay in the office and soldier on. They chose the latter course, which very likely kept the Internet from crashing with the twin towers that day.

In my decade of covering the InfoSec community as a journalist, I've seen many acts of courage -- practitioners donating time and money to individuals in need and coming together repeatedly to thwart attacks and solve many of the network configuration problems that allow the bad guys in. I've met military veterans who put their lives on the line for their country and then pursued careers in InfoSec. I've met people who excel in security despite a lot of personal adversity, medical and otherwise.

It all goes back to a special courage and grit. To me, the story of InfoSec is human to the core, even though we talk a lot about the technology and spend much of our time on that part of it. I've seen some of humanity's worst in the story. But far more often, I've seen the best. Danny Lewin's story captures the latter.

One of my favorite articles is on the WBUR website. The article, "Cambridge Co. Keeps Founder's Spirit Alive After 9/11," describes Lewin's service in the Israel Defense Forces and his studies at MIT. It describes his intensity in getting Akamai off the ground and taking it to new heights. It describes Akamai's troubles following the dot-com bust and how Lewin suffered sleepless nights over the decision of who would have to be laid off. And then it moves to the morning of Sept. 11, and how Lewin was seated in the row behind Mohammed Atta.

"Lewin was sitting one row behind Mohammed Atta and apparently tried to stop the terrorists as they were taking control. Flight attendants who phoned airline officials from the plane reported that Lewin's throat was slashed, probably by another terrorist one row behind him," the article says. The shock Akamai employees felt is described at length. Employees struggled over what to do. They chose to keep working and prove Lewin's belief that the Internet could be an essential tool for communication in a crisis, and that it could withstand something as brutal as that day's terrorist attacks.

In the years since then, the InfoSec team at Akamai has grown steadily. I'm just one of several new hires this month alone. Our days are filled protecting customers from the dregs of cyberspace. We help them through the constant DDoS attacks and give them the tools to defend themselves.

On the first day, nearly an hour of a new employee's orientation is devoted to Akamai's robust and rigorous security procedures. InfoSec's hooks run deep throughout the company, no matter the department's focus. The times demand it.

Given the man Danny Lewin was, I have no doubt this is how he would want it.
Emotions will already be high next week with the 12th anniversary of the 9-11 attacks. On top of that, Congress is expected to debate and possibly authorize military action in Syria. This has Akamai InfoSec's CSIRT team on high alert.

In recent weeks we've told you about the activities of the Syrian Electronic Army (SEA), a pro-Assad hacking group. Mike Kun and Patrick Laverty, two of our CSIRT team members, have been tracking the potential dangers for next week.

What follows is an analysis they've written to warn customers and the general public. It also includes defensive measures organizations can take to blunt any impact.


***
With the possibility that the US Congress will authorize military action in Syria next week, we at Akamai are on high alert. We are also recommending that our customers do the same. It is very likely that the Syrian Electronic Army (SEA) will use the debate and vote on US military intervention in Syria to justify additional attacks.

The SEA attacks primarily via social engineering. In the past month they were able to compromise a DNS registrar and modify DNS zone files, as well as an advertising network in order to insert malicious JavaScript. While normally DoS attacks consist of traffic floods to a target, the SEA is adept at denying access to web servers without directly attacking the target.

Akamai recommends the following steps to prevent similar attacks:

In addition to the SEA, we believe that other organizations will take advantage of the political situation and proximity to 9-11 to launch attacks. 

Al-Qassam Cyber Fighters (QCF) have not attacked as expected during Operation Ababil phase IV, but they have been maintaining the Brobot botnet and recruiting new nodes. It is possible that the QCF will attack again in the next week, hoping to take advantage of the confusion of other attackers. The QCF is primarily interested in targeting financial institutions, banks and brokerages with volumetric DDoS attacks. Firms in this sector should be prepared for the possibility of attacks by the Brobot botnet.

Members of the Anonymous hacktivist collective are working to gather support among Muslim hackers for OpIsrael Reborn and threatening attacks on both Israeli and US websites.

Other attempts at widespread disruption by Anonymous in both OpIsrael and OpUSA had only minimal success with website defacements using cross-site scripting (XSS) and data exfiltration via SQL injection, but companies should be prepared for these kinds of attacks as well.

The confluence of the anniversary of 9-11 and the possibility of a declaration of US intervention in Syria makes next week an especially tempting one for hacktivists. Any organization with a web presence should make preparations to defend themselves from:

  • Volumetric DDoS attacks
  • Social engineering and phishing attacks
  • Attacks via third party code
  • Attacks on DNS infrastructure.
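Of the four items above, the DNS one is the easiest to watch for mechanically, and it is the path the SEA actually used (a compromised registrar and edited zone files take a site offline without a single packet hitting its servers). The monitor below is an added example written for this post, not CSIRT or Akamai code. It parses the answer section of `dig +noall +answer` output (a real format), compares the observed NS, A and MX records of a zone against a signed-off baseline, and checks that the registrar's EPP lock statuses are still set. The zone, its baseline, both snapshots and the lock statuses are constructed; in practice the record snapshot comes from dig run against a public resolver and the statuses from a whois lookup of the domain.

```python
import re

# One line of `dig +noall +answer` output: OWNER TTL IN TYPE RDATA
DIG_ANSWER = re.compile(r"^(\S+)\s+\d+\s+IN\s+([A-Z]+)\s+(.+?)\s*$")

# Signed-off state of the zone. Hypothetical zone, name servers and addresses.
BASELINE = {
    "records": {
        ("example-energy.test.", "NS"): {"ns1.dns-provider.test.", "ns2.dns-provider.test."},
        ("www.example-energy.test.", "A"): {"203.0.113.10"},
        ("example-energy.test.", "MX"): {"10 mail.example-energy.test."},
    },
    # EPP status codes that must stay set at the registrar; if they are gone,
    # someone with registrar access has unlocked the domain.
    "registrar_locks": {"clientTransferProhibited", "clientUpdateProhibited",
                        "clientDeleteProhibited"},
}

CRITICAL_TYPES = {"NS", "SOA"}   # a changed delegation moves the whole zone


def parse_dig_answers(text):
    """Turn dig answer lines into {(owner, type): {rdata, ...}}."""
    records = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DIG_ANSWER.match(line)
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        records.setdefault((owner.lower(), rtype), set()).add(rdata)
    return records


def snapshot_from(dig_output, registrar_statuses):
    """Bundle a dig answer dump and the whois status list into one snapshot."""
    return {"records": parse_dig_answers(dig_output),
            "registrar_statuses": set(registrar_statuses)}


def evaluate(baseline, snapshot):
    """Return drift findings; an empty list means the zone matches the baseline."""
    findings = []
    observed = snapshot["records"]
    for key, expected in baseline["records"].items():
        got = observed.get(key, set())
        if got != expected:
            findings.append({"check": "record", "name": key[0], "type": key[1],
                             "expected": sorted(expected), "observed": sorted(got),
                             "severity": "critical" if key[1] in CRITICAL_TYPES else "high"})
    for key, got in observed.items():
        if key not in baseline["records"]:
            findings.append({"check": "unexpected_record", "name": key[0], "type": key[1],
                             "observed": sorted(got), "severity": "medium"})
    missing = baseline["registrar_locks"] - snapshot["registrar_statuses"]
    if missing:
        findings.append({"check": "registrar_lock", "missing": sorted(missing),
                         "severity": "critical"})
    return findings


# Constructed snapshots: one matching the baseline, one after a registrar
# takeover that re-delegated the zone, repointed www and cleared the locks.
CLEAN_DIG = """\
example-energy.test.\t3600\tIN\tNS\tns1.dns-provider.test.
example-energy.test.\t3600\tIN\tNS\tns2.dns-provider.test.
www.example-energy.test.\t300\tIN\tA\t203.0.113.10
example-energy.test.\t3600\tIN\tMX\t10 mail.example-energy.test.
"""
CLEAN_STATUSES = ["clientTransferProhibited", "clientUpdateProhibited",
                  "clientDeleteProhibited"]

HIJACKED_DIG = """\
example-energy.test.\t300\tIN\tNS\tns1.attacker-dns.test.
example-energy.test.\t300\tIN\tNS\tns2.attacker-dns.test.
www.example-energy.test.\t60\tIN\tA\t198.51.100.77
example-energy.test.\t3600\tIN\tMX\t10 mail.example-energy.test.
"""
HIJACKED_STATUSES = ["ok"]

if __name__ == "__main__":
    for label, snap in (("clean", snapshot_from(CLEAN_DIG, CLEAN_STATUSES)),
                        ("hijacked", snapshot_from(HIJACKED_DIG, HIJACKED_STATUSES))):
        for finding in evaluate(BASELINE, snap):
            print(label, finding)
```

Query the zone through a resolver you do not operate (so you see what the public sees, not your own cache) and run the comparison on a short interval; a delegation change or a cleared lock is a page-out, not a ticket, because DNS TTLs mean the damage is already propagating by the time you notice.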