Akamai Diversity

Recently by Bill Brenner

Microsoft Security Patches Coming Tomorrow

Tomorrow is the second Tuesday of the month, which those of us in security know as Patch Tuesday -- the day Microsoft unloads its security updates. It's an important calendar item for Akamai customers, given how dominant Windows machines are in many companies.

Late last week, Microsoft offered a preview of what to expect. The table below shows the number of bulletins planned, along with the maximum severity, the restart requirement and the products affected.

Bulletin ID   Maximum Severity / Vulnerability Impact   Restart Requirement   Affected Software
Bulletin 1    Critical / Remote Code Execution          Requires restart      Microsoft Windows, Internet Explorer
Bulletin 2    Critical / Remote Code Execution          May require restart   Microsoft Windows
Bulletin 3    Critical / Remote Code Execution          May require restart   Microsoft Server Software
Bulletin 4    Important / Elevation of Privilege        Requires restart      Microsoft Windows
Bulletin 5    Important / Elevation of Privilege        Requires restart      Microsoft Windows
Bulletin 6    Important / Denial of Service             Requires restart      Microsoft Windows
Bulletin 7    Important / Denial of Service             Requires restart      Microsoft Windows
Bulletin 8    Important / Information Disclosure        May require restart   Microsoft Windows

Those who know me are aware of my fondness for Follow Friday -- a tradition on Twitter where people recognize the folks whose tweets keep them inspired and informed. In my case, the focus is on people in the InfoSec community. I have a list on Twitter that will show you 275 security pros I currently follow. You can see their bios and press the follow button on those you think might be of value.

Below is a list of Twitter handles worth following for consistently great debate and resource sharing specifically from the people of Akamai InfoSec. I've known a few of them for years and am getting acquainted with the rest. All have inspired me thus far. Follow them and you will be inspired, too.

Let's start with me: Bill Brenner (@BillBrenner70) -- Security scribe, family man, author of The OCD Diaries and Akamai InfoSec's resident storyteller · theocddiaries.com

Brian Sniffen (@Brian_Sniffen) -- Chief security architect, http://packets.evenmere.org/

Akamai InfoSec (@Akamai_InfoSec) -- The official Twitter profile for Akamai's InfoSec department

George The Penguin (@SecurityPenguin) -- The Akamai Penguin of Awesome. My tweets aren't even my own, let alone my employer's. Globe waddling · securitypenguin.com

Andy Ellis (@csoandy) -- Akamai CSO, Parent, Bostonian, Oenophile, Patriots Fan, personal stylist, FCSP, FiveFinger runner. Tweets my own.
Cambridge, MA · csoandy.com

Larry Cashdollar (@_larry0) -- Husband & Father. Works @Akamai. Hobbyist Vulnerability Researcher & Exploit Coder. New Hampshire, USA · vapid.dhs.org

Christian Ternus (@ternus) -- Security researcher @Akamai. Performing a timing channel attack on the computational ultrastructure of spacetime.
Cambridge, MA · cternus.net

Michael Smith (@rybolov) -- Akamai's CSIRT director and international man of mystery.  Boston, Ma. · guerilla-ciso.com

Joshua Corman (@joshcorman) -- Security Strategist/Ex-Analyst/Knowledge Seeker/Zombie Killer/Co-Founder of http://RuggedSoftware.org  / Statements are mine & may not reflect Akamai's. It depends · blog.cognitivedissidents.com

Martin McKeay (@mckeay) -- Blogger, podcaster, Akamai Security Evangelist.  I never thought I'd say, I wasn't paranoid enough. My opinions are my own, end of statement. Santa Rosa, CA · mckeay.net

Kathryn Kun (@theladykathryn) -- Program manager for Akamai InfoSec · weirdsistersblog.com (Not a security blog, but worth your time all the same.)

Darius Jahandarie (@djahandarie) -- Haskell, Agda, Math, Security, 日本語, Cambridge MA, USA · althack.org

James Salerno (@minion_at_work) -- Program manager, Akamai InfoSec

Daniel Franke (@dfranke) -- Security researcher. Keeping the internet safe for anarchy. Central Massachusetts

Kevin Riggle (@kevinriggle) -- Security researcher, Akamai InfoSec . free-dissociation.com

Dave Lewis (@gattaca) -- Akamai InfoSec evangelist, security type, #blogger, podcaster, breaker of things, bass player, dad, #infosec #smartgrid, #cloud, defcon goon, creator of (-:|3 emoticon. I love my job. Canada · liquidmatrix.org/blog/


Quick Wins with Website Protection Services

Securosis analyst Mike Rothman recently wrote a paper on the benefits of website protection services (WPS). I recommend you give it a read, as it's some of the most descriptive research I've seen on the subject.

Content in the report was developed independently of any sponsors and is based on material originally posted on the Securosis blog. It concludes that website protection services can add measurable security to your web presence in short order, at a reasonable price compared with deploying and managing your own equipment and infrastructure.

From the summary:

As with any managed security service, WPS can offer a quick way to deploy protection without investing in significant infrastructure and hard-to-find application security skills. Of course there are trade-offs in flexibility and control when using any managed service, and every organization needs to balance those trade-offs when making build or buy decisions on key security initiatives. 


The paper explores those trade-offs and the best way to manage them, with guidance in such areas as website protection basics as well as deployment and ongoing management.

Check it out HERE.

Carder Gangs Continue Account Takeover Attempts

Akamai InfoSec continues to monitor repeated attempts to hijack the accounts of those doing business with our customers. In this attack, the bad guys reuse credentials they've stolen from other sites to fraudulently acquire merchandise.

Attackers use automated tools commonly referred to as account checkers to quickly determine valid user ID and password combinations across a large number of ecommerce sites. The tools help the attackers identify valid accounts quickly so they can gain access and acquire names, addresses and credit card data from user profiles.

--More on this and other security threats in Akamai's latest State of The Internet report, available for download HERE.

"We first started getting help requests last year from customers who noticed unusual activity," said Akamai CSIRT Director Michael Smith. "In March another customer reported strange activity."

Michael Kun, a security response engineer with Akamai's CSIRT team, said carder gangs acquire lists of user IDs and passwords from SQL injection and from online forums. They exploit users who are sloppy with their credentials, identifying those who use the same passwords for multiple commerce sites.

"They log in and use stolen credit cards to fraudulently buy, for example, a $200 gift card they can either sell for a profit or use themselves," Kun said. They also store cards in merchant shopping carts for future use.

--Please join us on Sept 26th at 11 AM ET for our next "Crush the Rush" holiday readiness webinar to learn more about how to protect your site and holiday season revenue. Mike Smith, director of our CSIRT Team, and Daniel Shugrue will be detailing the types of attack trends that Akamai is seeing and ways in which other customers have mitigated the latest threats. Click here for more details.

Red flags indicating an account checker has been used against an ecommerce site include the following:

• User complains that their account mailing address has been altered.
• Multiple other users altered in a similar time frame.
• Many failed logins detected in a short period of time from a small number of IP addresses.
• Locked accounts.
• Higher than normal rate of fraud activity.

Kun said many retailers have been affected. Fortunately, though, Akamai has prevented attackers from succeeding in attempts against its customers. "Every couple weeks we get a message from a customer who has seen strange behavior and wants to know if we've encountered this before.  We immediately recognize the activity and direct them to our advisory and set up their WAF configuration to block the activity," Smith said.

Companies can protect their customers in several ways. A CAPTCHA or another validation step that requires user intervention will defeat the simple automated checkers described here, which submit credentials without driving a real browser, at the cost of some friction for legitimate users.

Rate controls are particularly useful when scoped to the login page. They work by counting the requests from each source IP address over a short window and blocking the address once it exceeds a threshold. "We scope down the rate control just to the login page and then we can set a threshold of 'if you send 10 login requests in 5 seconds, you're an automated login program not a human being behind a browser and we can safely block you,'" Smith said.

If the customer base is primarily from a known country or region, geoblocking may be an option to minimize the locations an attack can originate from.

Careful review of authentication logs can identify the proxy servers the attackers are using. A run of login attempts with many different usernames from the same IP address, especially within a short window, is a strong indicator: a real user retries one account, while an account checker walks through a list.
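The rate control Smith describes and the log review above, as an added example that is not Akamai's code or a Kona Site Defender configuration: a sliding-window counter per source IP scoped to the login path, and a scan of authentication log lines for an IP that cycles through many distinct usernames. The log format, the /login path, the 10-requests-in-5-seconds threshold and the five-distinct-usernames threshold are assumptions for illustration; the log lines are constructed, not real traffic. Standard library only.

```python
# Added example (not Akamai's code): a login-page rate control and an
# account-checker scan over constructed authentication log lines.
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGIN_PATH = "/login"                 # assumed login endpoint
RATE_LIMIT = 10                       # assumed threshold from the text: 10 login requests ...
RATE_WINDOW = timedelta(seconds=5)    # ... within 5 seconds marks an automated client
MIN_DISTINCT_USERS = 5                # assumed: this many usernames from one IP in a window

# Constructed sample log (not real traffic): timestamp, client IP, path, username, status.
# 203.0.113.7 behaves like an account checker; 198.51.100.23 is one user who mistyped once.
SAMPLE_LOG = """\
2013-09-10T10:00:00 203.0.113.7 /login alice 401
2013-09-10T10:00:00 203.0.113.7 /login bob 401
2013-09-10T10:00:00 203.0.113.7 /login carol 401
2013-09-10T10:00:01 203.0.113.7 /login dave 401
2013-09-10T10:00:01 203.0.113.7 /login erin 401
2013-09-10T10:00:01 203.0.113.7 /login frank 401
2013-09-10T10:00:02 203.0.113.7 /login grace 401
2013-09-10T10:00:02 203.0.113.7 /login heidi 401
2013-09-10T10:00:02 203.0.113.7 /login ivan 401
2013-09-10T10:00:03 203.0.113.7 /login judy 200
2013-09-10T10:00:03 203.0.113.7 /login mallory 401
2013-09-10T10:00:03 203.0.113.7 /login oscar 401
2013-09-10T10:00:01 198.51.100.23 /login peggy 401
2013-09-10T10:00:09 198.51.100.23 /login peggy 200
2013-09-10T10:00:02 198.51.100.23 /catalog - 200
"""


def parse_log(text):
    """Parse the constructed log format into (time, ip, path, user, status) tuples."""
    records = []
    for line in text.splitlines():
        ts, ip, path, user, status = line.split()
        records.append((datetime.fromisoformat(ts), ip, path, user, int(status)))
    return records


class LoginRateControl:
    """Sliding-window counter per source IP, scoped to the login path only.

    A request is blocked once the IP has sent `limit` login requests (this one
    included) inside the window. Non-login paths are never counted or blocked.
    """

    def __init__(self, limit=RATE_LIMIT, window=RATE_WINDOW):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # ip -> timestamps of recent login requests

    def allow(self, ts, ip, path):
        if path != LOGIN_PATH:
            return True
        q = self.hits[ip]
        while q and ts - q[0] > self.window:  # drop requests older than the window
            q.popleft()
        q.append(ts)                           # blocked requests still count
        return len(q) < self.limit


def run_rate_control(records):
    """Replay login requests in time order; return the blocked-request count per IP."""
    rc = LoginRateControl()
    blocked = {}
    for ts, ip, path, _user, _status in sorted(records, key=lambda r: r[0]):
        if path != LOGIN_PATH:
            continue
        blocked.setdefault(ip, 0)
        if not rc.allow(ts, ip, path):
            blocked[ip] += 1
    return blocked


def find_account_checkers(records, window=RATE_WINDOW, min_users=MIN_DISTINCT_USERS):
    """Flag IPs that try many distinct usernames within one window (the proxy /
    account-checker pattern). Returns ip -> most distinct usernames seen in a window."""
    by_ip = defaultdict(list)
    for ts, ip, path, user, _status in records:
        if path == LOGIN_PATH:
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        peak = 0
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            peak = max(peak, len(users))
        if peak >= min_users:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("blocked per IP:", run_rate_control(recs))
    print("account-checker suspects:", find_account_checkers(recs))
```

On the sample, the checker IP has three of its twelve login requests blocked by the rate control and is flagged for trying twelve usernames in one window, while the user who mistyped once is neither blocked nor flagged. In production the window would be keyed on whatever identifies a client behind your edge (the true client IP from the CDN header, not the CDN's own address), and the distinct-username scan runs over the previous day's logs to find the proxies worth adding to a blocklist.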

In the end, the best defense is smarter user behavior, starting with the habit of reusing user names and passwords. With a unique password for every site, a credential stolen from one site is useless against the others, and the account checker has nothing to reuse.

Meanwhile, Akamai's User Validation Module (UVM) will confirm that the login is coming from a browser and will defeat these tools. Organizations that are on the Akamai platform and are using Kona Site Defender can readily block these kinds of attacks by using a combination of rate controls and IP blocklists. 

Akamai also recommends that ecommerce customers configure a rate-control bucket scoped to the path of their login page, so the threshold applies to login attempts rather than to all site traffic.

Four News Reports On Recent DDoS Activity

Since one of Akamai InfoSec's biggest tasks is to blunt the impact of DDoS attacks against customers, I'm always scanning the various tech news outlets to see what's new and who among us is being quoted. Here are four that have caught my attention in recent days -- two of which include insight from Akamai CSIRT Director Michael Smith.

DDoS Attackers Change Their Game Plans
Smith is quoted in this article about how the firepower needed to launch an effective DDoS attack is steadily increasing. As a result, Tech News World's John P. Mello Jr. writes, attackers are tweaking their tactics to get "more bang for their bytes." From the article:

Login pages at banking sites have been popular targets of application DDoS attacks. When you try to log into your bank, a whole set of backend functions are set in motion that consume CPU cycles at the site: Fraud prevention is activated; databases are accessed; authentication routines are run; and geolocations are reviewed. All those processes are performed whether a legitimate user or a fake persona is trying to log into the site. As an attacker, I would hit "that login page with a bunch of bogus usernames and passwords, knowing each request uses up a lot of resources of the target so I don't have to send as much volume of attack traffic as I would if I were trying to flood the network," Michael Smith, CSIRT director for Akamai Technologies, told TechNewsWorld. "The big trend over time will be smaller attacks with the impact of larger attacks -- smarter, more nimble, more agile attacks," he said.

DDoS: Phase 4 of Attacks Launched
Here, BankInfoSecurity reporter Tracy Kitten writes about how Izz ad-Din al-Qassam Cyber Fighters' fourth phase of DDoS attacks against U.S. banks kicked off July 31. Smith and other experts told Kitten that the attacks failed to take down the sites. From the article:

Mike Smith of the cybersecurity firm Akamai, which has been tracking and mitigating DDoS activity linked to al-Qassam, says DDoS defenses fared well throughout the morning of July 31, when the attacks began. And while the attack methods used were nothing new, some of the attack characteristics were, he says. "They keep pounding against one target," Smith said. "They've been hitting this one bank for about an hour and 15 minutes, now," which is unusual. But within a few hours, three more targets were hit, Smith says. Until now, al-Qassam typically hit a particular site for between 10 and 20 minutes at a time, Smith says. If the attacks are unsuccessful at taking a site down, the group moves on to another target, he adds.


How Do Booters Work? Inside a DDoS for Hire Attack
In this article, eWeek's Sean Michael Kerner explores the details of a talk Vigilant Chief Scientist Lance James gave at Black Hat last week. James talks about "Booter services" that offer paying customers DDoS attack capabilities on demand. From the article:

(James) got pulled into an investigation into the world of Booter services by his friend, security blogger Brian Krebs. Krebs had been the victim of a Booter service attack and was looking for some answers. "Basically a Booter is a Web-based service that does DDoS for hire at very low prices and is very hard to take down," James said. "They are marketed toward script kiddies, and many DDoS attacks that have been in the news have been done via these services." James was able to identify the suspected Booter site via Website log files and began to trace the activity of the individual who specifically attacked Krebs. Further investigation revealed that the same individual was also attacking other sites, including whitehouse.gov and the Ars Technica Website. After James was able to identify the Booter service and directly connect it to the attacks against Krebs, the two were able to help shut down the Booter service itself.

Shorter, higher-speed DDoS attacks on the rise, Arbor Networks says
Here, Network World reporter Ellen Messmer writes that almost half of the DDoS attacks monitored in a threat system set up by Arbor Networks now exceed 1Gbps, an increase of 13.5 percent from last year, while the share of DDoS attacks over 10Gbps increased about 41 percent in the same period. From the article:

Arbor Networks' monitoring system, which is based on anonymous traffic data from more than 270 service providers, saw in the second quarter of this year more than double the total number of attacks over 20Gbps that occurred in all of 2012. The only number that went down was the duration of these DDoS attacks, which now trend shorter, with 86% lasting less than one hour, according to the Arbor Networks trends report for the second quarter of 2013.

It's a popular bit of rock & roll lore: the band Van Halen tested whether its tour contracts were being read by inserting a line saying there were to be no brown M&Ms backstage. Not surprisingly, they found a couple of brown ones and trashed their dressing room in response.

The real story is a lot less dramatic, and it wasn't about the band playing games with people. It was about making sure EVERYTHING in those contracts was being read. Frontman David Lee Roth describes it this way in his autobiography, "Crazy from the Heat":

Van Halen was the first band to take huge productions into tertiary, third-level markets. We'd pull up with nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors -- whether it was the girders couldn't support the weight, or the flooring would sink in, or the doors weren't big enough to move the gear through. The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say "Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes . . ." This kind of thing. And article number 126, in the middle of nowhere, was: "There will be no brown M&M's in the backstage area, upon pain of forfeiture of the show, with full compensation."

So, when I would walk backstage, if I saw a brown M&M in that bowl . . . well, line-check the entire production. Guaranteed you're going to arrive at a technical error. They didn't read the contract. Guaranteed you'd run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.

In a video Q&A, Roth noted that the night he found the brown M&Ms, the stage had sunk into the venue's rubber floor because promoters failed to read the rider's specifications on stage weight distribution. He DID trash a dressing room with a food fight and flying feathers from a torn couch cushion, and the damage was about $200. The stage damage, meanwhile, amounted to nearly half a million dollars and could have injured or killed someone.

For those in security, there's a valuable lesson here. Large enterprises are constantly circulating thick stacks of to-do and not-to-do lists, directions on how to proceed, and so on. The smartest and most dedicated people are still human, prone to skimming a line here or a page there. But doing so can compromise an organization's physical and online security.

Akamai's InfoSec department has its own little Brown M&M tests, which we use to keep ourselves in check and ensure we don't let serious mistakes happen.
My favorite example:
One of the security procedures mandates that employees lock their laptops any time they walk away from the desk. It's an easy rule to forget, especially if you have to run to the bathroom, or you see someone in the office you've been looking for and rush over to catch a moment of their time. If we get caught forgetting that rule, leaving the machine unlocked with the screen open for passers-by to read, we have to buy a round of coffee for everyone.

Akamai InfoSec Senior Program Manager Dan Abraham tells the story: "I got caught on my second day on the job.  My boss found my machine unlocked and sent me the 'coffee' message. I was mortified, but she gave me the best wake-up call to how seriously we take this rule.  I set up two shortcuts to quickly set the machine in locked mode."

When we get caught forgetting about our own rules and get penalized, you can bet we're a lot less likely to forget the next time.
It's all in good fun. No one's room gets trashed, and I get free coffee -- unless I'm the guy who gets caught with an unlocked screen.

Black Hat 2013: A Point-Counterpoint

An old friend and seasoned veteran of the security industry, Alan Shimel, was quick to pounce on my statement yesterday that there is nothing new happening in security; that we're simply trying to find more effective ways to deal with the same old problems.

Alan does make some valid points, especially the argument that there has been advancement on the technology side of things. I was speaking more to the messaging you see among vendors who often come to these shows preaching what they see as new trends that in reality are old challenges. I was also making the case that this stuff doesn't have to be new to be important.

Because I love a good point-counterpoint, I'm now sending you to Alan's post. Read and judge for yourselves:

To think otherwise is getting lost in the trees missing the forrest

BSidesLV 2013: A Place For Security Newbies

One of the things I've always loved about Security B-Sides is that it offers a nurturing environment for people who are young in their InfoSec careers. An example of that is playing out this week in Las Vegas.

Among the tracks of talks being offered is one devoted entirely to newbies and the more seasoned veterans who have been guiding them along in a successful mentoring program. 

The track -- called "Proving Ground" -- includes talks on everything from learning to do effective public speaking and writing to getting a grip on the challenges of such things as executive management.

This B-Sides tradition goes back to the beginning of the movement. I remember BSides Boston 2010, when a young pup named Joseph Sokoly gave a talk about breaking into the industry and learning to succeed, something he has since done with distinction.

Back then, Sokoly said breaking into the security community wasn't as hard as it first seemed. In fact, his career got a big boost simply because he had the guts to stand up in front of people and give his first talk at an event in Austin. "Giving the talk in Austin helped me tremendously," Sokoly said at the time. "It has opened doors. My being here (at BSides Boston 2010) is a result of that. First, the positive reaction from the community encouraged me not just to listen but to speak again."

His Austin talk also inspired security heavyweights like Chris Hoff and James Arlen to look at establishing a mentor program to coincide with that summer's B-Sides Las Vegas event. The rest is history.

"Being proactive works. Put yourself out there and things will open up, but speaking doesn't have to be it. Use Twitter. Start blogging," Sokoly said. 

He's absolutely right. And this week, we're getting to hear from more people who are just getting started. Talks on the schedule include:

--Keli Hay (mentor is Brian Martin), "Never Mind Your Diet, Cut the Crap From Your Vocabulary"

--Franklin Tallah (mentor is Wendy Nather), "The 7 habits of highly effective CISOs"

--Alex Pinto (mentor is Joel Wilbanks), "Using Machine Learning to Support Information Security"

--Wolf Flight (mentor is Terry Gold), "The Truth, You Thought We Wouldn't Know?"

--Doug Moore (mentor is Brendan O'Connor), "Sixteen Colors: Archiving the Evolution of ANSI and ASCII Art"

Black Hat 2013: What's New In Security? Nothing.

I get the question a lot at conferences like Black Hat: What do I see as the next big thing in security? I usually respond with a blank stare. The reason is that I see absolutely nothing new, and haven't for some time.

Some might say that's a cynical, jaded response. I don't think so. Security doesn't need a constant torrent of new trends to be interesting and important.

A decade ago, when I first started writing about the security industry, it seemed as though I was chasing a new trend every year, then every six months. In the beginning the big news always involved worm outbreaks like Sasser and Mytob. First a big vulnerability would be revealed on Patch Tuesday and then someone would exploit it with the malware. Then the trend shifted from covering that to chasing the latest data breach. From early 2005 onward, every time a company announced it had suffered a breach, reporters like me would have to drop everything and chase it. Eventually, breaches were announced so often that it ceased to qualify as breaking news. Then the trend shifted to such things as hacktivism and the rise of cloud insecurity. The one constant along the way has been the challenge of regulatory compliance, from HIPAA to Sarbanes-Oxley and PCI DSS.

But in more recent years, especially the last two or three, I've seen nothing new. It's the same old threats and the same old technological and cultural challenges. 

Gone are the days when I attended security conferences in hopes of catching a new trend. As I see it, we keep coming to these events in hopes of finding some new morsel of information on how to deal a little more effectively with the same old stuff. 

Sometimes fresh insight comes our way. Sometimes we walk away with more questions than we started with.

Will some major shift take place in the next couple of years? Perhaps.

For now, I'm more interested in how we deal with the older problems that continue to vex us.

Black Hat 2013: Remembering Barnaby Jack

A big topic of conversation in Las Vegas this week is the death of famed hacker Barnaby Jack, who was scheduled to give a presentation on how to hack into pacemakers and implanted defibrillators from 30 feet away. His speaking slot will instead be a celebration of his life and work.

"Black Hat will not be replacing Barnaby's talk on Thursday, Aug. 1," event organizers said in a statement. "No one could possibly replace him, nor would we want them to. The community needs time to process this loss. The hour will be left vacant as a time to commemorate his life and work, and we welcome our attendees to come and share in what we hope to be a celebration of his life. Barnaby Jack meant so much to so many people, and we hope this forum will offer an opportunity for us all to recognize the legacy that he leaves behind."

Barnaby was director of embedded security research at IOActive. In a statement, CEO Jennifer Steffens expressed the company's sorrow but also its determination to celebrate his legacy:

"This is an extremely sad time for us all at IOActive, and the many people in our industry that Barnaby touched in so many ways with both his work and vibrant personality. But as a personal friend of Barnaby's for many years I know he'd want sadness to quickly turn to celebration of his life, work and the tremendous contributions he's made spanning well beyond his widely acclaimed professional accomplishments."

His death has hit the security community hard. He is known for his hacking prowess, particularly the 2010 presentation in which he hacked into an ATM and got it to spit out money. But in the security community he was family, the guy who always had a smile and could make us laugh. He lived life to the full and his sunny attitude rubbed off on everyone around him.

The week is young, but many glasses have already been raised in his honor.

I had a few conversations with him over the years that I'll always be grateful for. The importance of his work can't be overstated, particularly his focus on hacking implanted medical devices. I suspect his work on that front will lead to advancements that will someday save lives. Some might call that statement hyperbole. But I believe it.

My friend Dave Marcus of McAfee summed it up best in an interview he gave for an article in The Washington Post: "He was a hacker's hacker. He had the kind of skills the rest of us wish we had."

But he was never full of himself, and he never took himself too seriously.

I came here half expecting to see a lot of long faces, which would certainly be understandable. But instead I'm seeing a lot of laughter as people remember his antics.

I think that's how he would have wanted it.
