
Recently by Bill Brenner

Black Hat 2013: The Benefits of 'Lobby Con'

It's the end of my first day in Las Vegas, where I'm spending the week at Black Hat and BSidesLV. Along with DEF CON, which begins later in the week, these events are important for those of us in Akamai's InfoSec department. It's a place for vital networking and discussion on the threats and defensive measures for which we're responsible.

Also see: "A Black Hat, BSidesLV and DEF CON Survival Guide"

Attending talks is a central part of these conferences. But for me, the most important part is what a lot of us in the security community call "Lobby Con." Essentially, it's hanging out in the lobbies and bars of the conference venues. We relax, enjoy beverages and discuss a wide range of topics. 

Today, I met up with several security professionals I usually only get to talk to on Twitter, LinkedIn, Facebook and Google+, and the topics were, among other things:

--How to keep from burning out in the job and industry;
--The latest DDoS attack activity, where it's coming from and what enterprise security shops are trying to do to blunt the impact;
--The fine art of travel to and from conferences; and
--The never-ending challenge of getting upper management to understand the security issues they face and why they need to invest in defenses.

I had dinner with several people from the security and risk management department of a major financial services company, most of whom I met for the first time. There will be plenty more of that in the days to come.

I've said it before: If you find yourself stressing over how many sessions to attend and there's an opportunity to do some networking in the lobby, go for the networking. 

The talks are important. But while the presentations will help you understand and deal with the challenges of the day, week, month or year, the relationships you forge outside the session rooms will be of critical value for the rest of your career. 

One of the most interesting highlights of our latest "State of the Internet" report -- in my opinion -- involves something called account checker attacks. The big victim here: e-commerce websites.

--Please join us on Sept 26th at 11 AM ET for our next "Crush the Rush" holiday readiness webinar to learn more about how to protect your site and holiday season revenue. Mike Smith, director of our CSIRT team, and Daniel Shugrue will detail the attack trends Akamai is seeing and the ways other customers have mitigated the latest threats.

From the report:

In the first and second quarters of 2013, Akamai observed attempted account takeover behavior for a number of merchants resulting from reuse of credentials obtained from other sites. Lists of username and password combinations are available in carder forums or on pastebin, or acquired from compromised merchants. Because users often use the same username and password across multiple merchants and other non-commerce sites, this allows attackers to use the compromised credentials on a number of target merchants. 

It turns out attackers are using automated tools called "account checkers" to quickly fish out valid user ID/password combinations across a large number of e-commerce sites. The bad guys use these tools to quickly identify valid accounts that they then proceed to hijack. Victims reported the following red flags:

•User complained that their account mailing address has been altered
•Multiple other users' information was altered in a similar time frame
•Many failed logins were detected in a short period of time from a small number of IP addresses
•Accounts were reported to be locked.
•All this is followed by an uptick in fraud.
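The third red flag, a burst of failed logins from a handful of addresses, is the one most sites can detect from logs they already keep. Below is a detector for it, written here as an added example and not taken from the report: the one-attempt-per-line log format, the five-minute window and the thresholds are assumptions, and the sample lines are constructed.

```python
"""Detect account-checker (credential-stuffing) bursts in web login logs.

Added example; not code from the Akamai report. The log format is an
assumption: one login attempt per line as
    <ISO-8601 timestamp> <client IP> <username> <LOGIN_OK|LOGIN_FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample. 203.0.113.7 runs a stolen credential list: many
# different usernames in a few seconds, mostly failing, with two hits.
# 198.51.100.9 is an ordinary user who mistypes a password once.
SAMPLE_LOG = """\
2013-07-15T10:00:01Z 203.0.113.7 alice LOGIN_FAIL
2013-07-15T10:00:02Z 203.0.113.7 bob LOGIN_FAIL
2013-07-15T10:00:02Z 203.0.113.7 carol LOGIN_OK
2013-07-15T10:00:03Z 203.0.113.7 dave LOGIN_FAIL
2013-07-15T10:00:03Z 203.0.113.7 erin LOGIN_FAIL
2013-07-15T10:00:04Z 203.0.113.7 frank LOGIN_FAIL
2013-07-15T10:00:04Z 203.0.113.7 grace LOGIN_OK
2013-07-15T10:00:05Z 203.0.113.7 heidi LOGIN_FAIL
2013-07-15T10:00:05Z 203.0.113.7 ivan LOGIN_FAIL
2013-07-15T10:00:06Z 203.0.113.7 judy LOGIN_FAIL
2013-07-15T10:03:10Z 198.51.100.9 mallory LOGIN_FAIL
2013-07-15T10:03:20Z 198.51.100.9 mallory LOGIN_OK
"""


def parse_login_log(text):
    """Return (timestamp, ip, username, result) tuples sorted oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort()
    return events


def find_account_checkers(events, window=timedelta(minutes=5),
                          min_failures=5, min_users=5):
    """Flag source IPs that, within `window`, fail at least `min_failures`
    logins spread over at least `min_users` distinct usernames.

    The distinct-username condition is what separates an account checker
    from one person retrying a forgotten password: a legitimate user keeps
    hitting the same account, a credential list walks through many.
    The thresholds are assumptions to be tuned against your own traffic."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "LOGIN_FAIL"]
        start = 0
        for end in range(len(fails)):
            # Slide the window forward until it spans at most `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            if len(span) >= min_failures and len({e[2] for e in span}) >= min_users:
                t0 = fails[start][0]
                burst = [e for e in fails if t0 <= e[0] <= t0 + window]
                t1 = burst[-1][0]
                # Successful logins from the same IP during the burst are the
                # accounts the attacker has just validated: force a password
                # reset on those and watch them for address changes.
                hits = sorted({e[2] for e in evs
                               if e[3] == "LOGIN_OK" and t0 <= e[0] <= t1})
                flagged[ip] = {
                    "failures": len(burst),
                    "distinct_users": len({e[2] for e in burst}),
                    "compromised": hits,
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in find_account_checkers(parse_login_log(SAMPLE_LOG)).items():
        print(ip, info)
```

Keying only on the source IP is the weak point: once a checker is spread across a proxy list, each address stays under the threshold. The same sliding window applied per user agent, per autonomous system, or site-wide (distinct usernames failing per minute against a baseline) catches the distributed form, at the cost of noisier alerts.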

There are many more details of what we found in the full report, which is available for download from Akamai.



Akamai State of the Internet Report: DDoS Trends

Yesterday, I shared details from the latest Akamai "State of the Internet" report regarding attack traffic and where it's coming from. Today, we look at what the report has to say about DDoS attacks.

The full report is available for download from Akamai.

We have quite a vantage point here at Akamai. Our globally-distributed Intelligent Platform helps us gather huge piles of data on everything from connection speeds, attack traffic, network connectivity/availability/latency problems, and IPv6 growth/transition progress, as well as traffic patterns across leading Web sites and digital media providers. It also gives us a look at DDoS attacks as they happen.

Here's an excerpt from the report:

The fourth quarter of 2012 saw 200 reported attacks, while 208 attacks were reported in the first quarter of 2013, representing a slight (4%) increase in the number of attacks reported. In the third and fourth quarters of 2012, a significant number (72) of DDoS attacks were attributed to the Izz ad-Din al-Qassam Cyber Fighters (aka QCF) and Operation Ababil.

In the first quarter of 2013, the tactics of these attacks changed, with the QCF no longer announcing their targets prior to the attacks. Additionally, the attacks ceased as of March 5, in theory to support a planned operation known as "OpUSA" originating from members of the group "Anonymous". However, it is unknown if this was truly the case, or if the forces behind the QCF were merely pausing to regroup for future attacks.

[Figure 3, Q1 2013]

As illustrated in Figure 3, enterprise clients received a substantially greater percentage of attacks in the first quarter of 2013, accounting for 34% of all attacks (67 total), up 14% quarter over quarter.

The commerce and media verticals stayed relatively close to their 2012 percentages, at 32% vs. 34% for commerce and 21% vs. 22% for media. At the same time, high tech and public sector customers were targeted by substantially fewer attacks as a percentage, at 7% and 4% of total attacks respectively.

[Figure 4, Q1 2013]

As a percentage, first quarter attacks targeting the commerce sector remained relatively stable in comparison to the attacks reported in 2012. While the distribution of the attacks remained nearly the same, the actual targets were more varied, again following the overall trend of spreading the targets of attacks across multiple sites.


As highlighted in Figure 4, retail organizations continue to be tempting targets, primarily because they rely so heavily on the Internet for sales and marketing and can be severely impacted if their customers cannot reach their sites.


[Figure 5, Q1 2013]

As shown in Figure 5, at the beginning of 2013, financial services customers continued to bear the brunt of the attacks against the enterprise vertical, suffering 50% of all attacks in this vertical. This is directly related to the attacks performed by the QCF, as it was in 2012. What is not apparent from the number of attacks is that a number of shorter, less impactful attacks were performed in the first quarter, consisting of probes rather than full-on DDoS attacks.

Due to poor Internet hygiene by many ISPs and the lack of enforcement of BCP 38, forged DNS requests are allowed to continue to the name servers, rather than being filtered by the attacker's ISP as they should be.


For more information on this topic, please refer to the DNS Reflection Defense blog post by Akamai's CSO, Andy Ellis at https://blogs.akamai.com/2013/06/dns-reflection-defense.html.
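The BCP 38 point above is the one an access provider can act on directly. The following is an added example, not code from the report or from Akamai, that models strict source-address ingress filtering at an access router: the interface names, prefix assignments, the resolver address 198.51.100.53, the query size and the 3,000-byte response size are all constructed for the illustration.

```python
"""BCP 38 ingress filtering at an ISP edge (added example, not Akamai's code).

Each customer-facing interface is assigned prefixes; a packet arriving on an
interface is forwarded only if its source address belongs to one of them. A
DNS query whose source has been forged to a victim's address is dropped here,
so the name server never sends the much larger answer to the victim.
"""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "iface src dst dport length")

# Constructed assignment of prefixes to access interfaces.
INTERFACE_PREFIXES = {
    "ge-0/0/1": [ipaddress.ip_network("192.0.2.0/25")],
    "ge-0/0/2": [ipaddress.ip_network("192.0.2.128/25"),
                 ipaddress.ip_network("2001:db8:1::/48")],
}


def permitted_source(iface, src):
    """BCP 38 test: may a packet with source `src` legitimately arrive on
    `iface`? Unknown interfaces fail closed. An IPv6 address never matches
    an IPv4 prefix and vice versa."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(iface, []))


def ingress_filter(packets):
    """Return (forwarded, dropped) lists after applying the source check."""
    forwarded, dropped = [], []
    for p in packets:
        (forwarded if permitted_source(p.iface, p.src) else dropped).append(p)
    return forwarded, dropped


def reflected_bytes(packets, resolver, response_len):
    """Bytes a reflector at `resolver` would send back per (claimed) source,
    assuming every port-53 query it receives gets a `response_len`-byte
    answer. Run it on the raw and the filtered packet lists to see how much
    reflected traffic the filter prevented."""
    out = {}
    for p in packets:
        if p.dst == resolver and p.dport == 53:
            out[p.src] = out.get(p.src, 0) + response_len
    return out


def amplification(query_len, response_len):
    """Bandwidth amplification factor of one query/answer pair."""
    return response_len / query_len


RESOLVER = "198.51.100.53"
# Constructed traffic: three legitimate lookups plus two queries whose source
# is forged to 203.0.113.10, an address not assigned to either interface.
SAMPLE_PACKETS = [
    Packet("ge-0/0/1", "192.0.2.17", RESOLVER, 53, 64),
    Packet("ge-0/0/1", "203.0.113.10", RESOLVER, 53, 64),
    Packet("ge-0/0/2", "203.0.113.10", RESOLVER, 53, 64),
    Packet("ge-0/0/2", "192.0.2.200", RESOLVER, 53, 64),
    Packet("ge-0/0/2", "2001:db8:1::5", "2001:db8:ffff::53", 53, 64),
]

if __name__ == "__main__":
    fwd, drop = ingress_filter(SAMPLE_PACKETS)
    print("without filter:", reflected_bytes(SAMPLE_PACKETS, RESOLVER, 3000))
    print("with filter:   ", reflected_bytes(fwd, RESOLVER, 3000))
    print("dropped:", [(p.iface, p.src) for p in drop])
    print("amplification: %.1fx" % amplification(64, 3000))
```

On real routers this is what unicast RPF in strict mode, or an equivalent per-interface source ACL, does. The model also shows why the filter has to sit at the attacker's ISP rather than near the victim: by the time the reflected answer reaches the victim's network, the forged query that caused it is long gone and the answer comes from a legitimate name server.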



In this video, Akamai CSO Andy Ellis explains why security means different things to different people.

Akamai's latest "State of the Internet" report is rich in detail about attack traffic and other areas of security. I'll be sharing all the security bits with you in the coming days. 

The full report is available for download from Akamai.

We have quite a vantage point here at Akamai. Our globally-distributed Intelligent Platform helps us gather huge piles of data on everything from connection speeds, attack traffic, network connectivity/availability/latency problems, and IPv6 growth/transition progress, as well as traffic patterns across leading Web sites and digital media providers.

For today, let's look at what the report has to say about attack traffic and where it's coming from. Tomorrow, we'll take a look at DDoS attack trends.

1.1 Attack Traffic, Top Originating Countries

During the first quarter of 2013, Akamai observed attack traffic originating from 177 unique countries/regions, consistent with the count in the prior quarter. As shown in Figure 1, China remained the top source of observed attack traffic, though its percentage declined by nearly a fifth from the prior quarter. This decline is likely related to Indonesia making a sudden appearance in the second place slot, after a 30x increase quarter-over-quarter. The vast majority (94%) of the attacks from Indonesia targeted Ports 80 (WWW/HTTP) and 443 (HTTPS/SSL), potentially indicating aggressive botnet activity. Hong Kong and India were the only two other countries/regions among the top 10 that also saw quarterly increases in observed attack traffic volume--the remaining countries/regions saw nominal declines, in general. Attack traffic concentration also increased in the first quarter, again owing to the significant volume of attack traffic observed from Indonesia. The makeup of the top 10 list remained largely consistent with the previous quarter, with Italy and Hungary dropping off, and Indonesia and Hong Kong joining. 

In examining the regional distribution of observed attack traffic in the first quarter, we find that nearly 68% originated in the Asia Pacific/Oceania region, up from 56% in the fourth quarter of 2012, likely due to the massive increase seen in Indonesia. Europe accounted for just under 19%, while North and South America originated just over 13% combined. Africa's contribution dropped as compared to prior quarters, as it was responsible for a mere half a percent.


Rank  Country        Q1 '13 % Traffic  Q4 '12 %
1     China          34%               41%
2     Indonesia      21%               0.7%
3     United States  8.3%              10%
4     Turkey         4.5%              4.7%
5     Russia         2.7%              4.3%
6     India          2.6%              2.3%
7     Taiwan         2.5%              3.7%
8     Brazil         2.2%              3.3%
9     Romania        2.0%              2.8%
10    Hong Kong      1.6%              1.2%
-     Other          18%               25%

Figure 1: Attack Traffic, Top Originating Countries (by source IP address, not attribution)

1.2 Attack Traffic, Top Ports
As shown in Figure 2, the concentration of attack traffic among the top 10 targeted ports increased significantly during the first quarter of 2013, driven primarily by significant increases in attack volume targeting Ports 80 (WWW/HTTP) and 443 (SSL/HTTPS). In fact, nearly 80% of the attacks targeting these ports were observed to be originating in Indonesia, as referenced in Section 1.1. Despite these increases, Port 445 (Microsoft-DS) remained the most targeted port, though the percentage of attacks targeting it continued to decline, which is an encouraging trend. Of the top 10 targeted ports, Port 3389 (Microsoft Terminal Services) was the only other one to see a decline quarter-over-quarter. Within the list, Port 8080 (HTTP Alternate) was supplanted by Port 6882, used unofficially by BitTorrent. All of the observed attacks targeting Port 6882 were observed to be originating in China. Data from the Internet Storm Center shows a large spike in attacks targeting this port late in the quarter; unfortunately, however, there is no information provided on the source of the attacks.

Port 445 remained the most targeted port in six of the top 10 countries and accounted for 70 times as much traffic as the second most targeted port (135) in Romania--ratios in the other countries ranged between 2 to 10 times as much. In Turkey and Hong Kong, the largest number of attacks targeted Port 23 (Telnet)--in previous quarters, this was the case in Taiwan as well; however, in the first quarter, Port 445 was targeted by approximately 5x as many attacks from Taiwan as Port 23. (Interestingly, in the fourth quarter of 2012, Port 445 was not even among the top 10 ports targeted by attacks originating in Taiwan.) The distribution of second-most targeted ports was a bit broader in the first quarter, with Port 23 coming in second in Russia, Taiwan, and Brazil, and Port 1433 coming in second in India and Hong Kong. In the remaining countries, the second spot was held by Port 3389 (China), Port 443 (Indonesia), Port 80 (United States), Port 445 (Turkey), and Port 135 (Romania).


Port     Port Use                     Q1 '13 % Traffic  Q4 '12 %
445      Microsoft-DS                 23%               29%
80       WWW (HTTP)                   14%               2.8%
443      SSL (HTTPS)                  11%               2.1%
23       Telnet                       9.3%              7.2%
1433     Microsoft SQL Server         8.3%              5.3%
3389     Microsoft Terminal Services  5.4%              5.7%
3306     MySQL                        2.7%              1.6%
22       SSH                          2.6%              2.5%
135      Microsoft-RPC                2.2%              2.2%
6882     BitTorrent (unofficial)      1.5%              -
Various  Other                        20%               40%

Figure 2: Attack Traffic, Top Ports
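To compare a site's own deny logs against the breakdown above, the following added example (not Akamai's code or methodology, which the report does not describe) derives the same kind of port table and per-country ranking from constructed firewall deny lines. The line format, the prefix-to-country table standing in for a GeoIP lookup and the sample counts are all assumptions; as in the report, a "country" is the source IP's location, not attribution.

```python
"""Port/country breakdown of firewall deny logs (added example, not Akamai's
code). The DENY line format and GEO_PREFIXES are constructed stand-ins for a
real firewall format and a GeoIP database."""
import re
from collections import Counter, defaultdict

# Constructed stand-in for a GeoIP lookup (documentation prefixes only).
GEO_PREFIXES = {"203.0.113.": "Indonesia", "198.51.100.": "China", "192.0.2.": "Romania"}

LINE_RE = re.compile(r"DENY src=(?P<src>\S+) dst=\S+ dpt=(?P<port>\d+)")

# Constructed deny-log sample: Romania hammering 445 with a single 135 probe,
# China split between 445 and 3389, Indonesia hitting 80 and 443 only.
SAMPLE_DENY_LOG = """\
2013-03-02T01:00:01Z DENY src=192.0.2.14 dst=10.0.0.5 dpt=445
2013-03-02T01:00:02Z DENY src=192.0.2.14 dst=10.0.0.5 dpt=445
2013-03-02T01:00:03Z DENY src=192.0.2.77 dst=10.0.0.5 dpt=445
2013-03-02T01:00:04Z DENY src=192.0.2.77 dst=10.0.0.6 dpt=445
2013-03-02T01:00:05Z DENY src=192.0.2.77 dst=10.0.0.7 dpt=445
2013-03-02T01:00:06Z DENY src=192.0.2.99 dst=10.0.0.5 dpt=445
2013-03-02T01:00:07Z DENY src=192.0.2.99 dst=10.0.0.6 dpt=445
2013-03-02T01:00:08Z DENY src=192.0.2.99 dst=10.0.0.6 dpt=135
2013-03-02T01:00:09Z DENY src=198.51.100.3 dst=10.0.0.5 dpt=445
2013-03-02T01:00:10Z DENY src=198.51.100.3 dst=10.0.0.6 dpt=445
2013-03-02T01:00:11Z DENY src=198.51.100.8 dst=10.0.0.5 dpt=445
2013-03-02T01:00:12Z DENY src=198.51.100.8 dst=10.0.0.5 dpt=3389
2013-03-02T01:00:13Z DENY src=198.51.100.21 dst=10.0.0.7 dpt=3389
2013-03-02T01:00:14Z DENY src=203.0.113.5 dst=10.0.0.5 dpt=80
2013-03-02T01:00:15Z DENY src=203.0.113.5 dst=10.0.0.6 dpt=80
2013-03-02T01:00:16Z DENY src=203.0.113.40 dst=10.0.0.5 dpt=80
2013-03-02T01:00:17Z DENY src=203.0.113.40 dst=10.0.0.7 dpt=80
2013-03-02T01:00:18Z DENY src=203.0.113.5 dst=10.0.0.5 dpt=443
2013-03-02T01:00:19Z DENY src=203.0.113.40 dst=10.0.0.6 dpt=443
2013-03-02T01:00:20Z DENY src=203.0.113.61 dst=10.0.0.5 dpt=443
"""


def country_of(ip):
    for prefix, country in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return country
    return "Unknown"


def parse_deny_log(text):
    """Return a list of (country, port) for each DENY line; other lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append((country_of(m.group("src")), int(m.group("port"))))
    return records


def port_shares(records, top=10):
    """Figure 2-style table: [(port, percent)] for the `top` ports, followed by
    ("Other", percent) when anything remains outside them."""
    counts = Counter(port for _, port in records)
    total = sum(counts.values())
    ranked = counts.most_common(top)
    rows = [(port, round(100.0 * n / total, 1)) for port, n in ranked]
    rest = total - sum(n for _, n in ranked)
    if rest:
        rows.append(("Other", round(100.0 * rest / total, 1)))
    return rows


def ports_by_country(records):
    """{country: [(port, count), ...]} sorted by count, descending."""
    per = defaultdict(Counter)
    for country, port in records:
        per[country][port] += 1
    return {c: ctr.most_common() for c, ctr in per.items()}


def top_port_ratio(records, country):
    """How dominant a country's top port is: (top, second, count(top)/count(second)).
    The report's '70 times as much traffic' figure for Romania is this ratio."""
    ranked = ports_by_country(records).get(country, [])
    if len(ranked) < 2:
        return (ranked[0][0] if ranked else None, None, None)
    (p1, n1), (p2, n2) = ranked[:2]
    return (p1, p2, n1 / n2)


if __name__ == "__main__":
    recs = parse_deny_log(SAMPLE_DENY_LOG)
    for port, pct in port_shares(recs):
        print("%-8s %5.1f%%" % (port, pct))
    for country in ("Romania", "China", "Indonesia"):
        print(country, top_port_ratio(recs, country))
```

A site will not see the global mix: the useful comparison is its own quarter-over-quarter shift, especially a jump in denied connections to 80 and 443 from one country, which is the pattern the report reads as a botnet coming online.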



Video: A Primer on Security Laws

In this video, Akamai CSIRT Director Michael Smith walks viewers through the regulatory minefield. It's a great primer, though we suggest, as always, that you consult your own attorneys to understand how the laws and standards discussed in this video apply to you.


Akamai InfoSec at Black Hat, DEF CON and BSidesLV

This time next week the security community will head to Las Vegas for Black Hat and BSidesLV. I won't be staying for DEF CON due to family obligations, but several Akamai InfoSec colleagues will be. What follows is a rough outline of where we'll be and what we'll be doing.

Let's start with me...

This will be the first conference I've attended without a press badge, since I'm now working for Akamai. But I'll be writing as much as I always have and posting to The Akamai Blog. Per usual, I'll develop posts out of the talks I attend and the conversations that happen in the hallways. I'll also spend a lot of time talking up our plans for a new Akamai Security page and helping newbies find their way around.

Security Evangelist Dave Lewis will be a speaker proctor at Black Hat, which means he'll help speakers get set up right before their talks, troubleshoot problems with slides and technology, and so on.

Security Evangelist Martin McKeay will do a lot of blogging and podcasting at all three events. Expect to see him in the hallways a lot, which is where his interviews will take place. 

Joshua Corman, director of security intelligence, will give talks at BSidesLV and DEF CON. Specifically:


--11:30 a.m. Thursday, Aug. 1 at BSidesLV: "The Cavalry Isn't Coming: Starting the revolution..." (@joshcorman and @c7five)

--11 a.m. Sunday, Aug. 4 at DEF CON 21: "The Cavalry Isn't Coming: Starting the revolution..." (@joshcorman and @c7five)


Corman will also moderate a panel on the weaponization of exploits at CodenomiCON 2013, which runs from 4-9 p.m. on Tuesday, July 30.

At least two other Akamai InfoSec staffers will be in Vegas and plan to blog about their experiences.

See you there!


Talks Of Interest At DEF CON

I've been looking over the DEF CON 21 schedule to see which talks best fit the issues Akamai's InfoSec team is dealing with daily.

It's always a roll of the dice when you try to determine which talks to attend, because some look like the right fit on the website but then the talk turns out to be something different. That's not necessarily a bad thing. I've gone to talks that didn't turn out as advertised but were useful all the same. I've also attended talks I hadn't planned for and walked away with something of value.

Here are some agenda items that look good to me thus far. The full schedule, with details of the talks listed below, is on the DEF CON website.

Also see my earlier DEF CON posts on this blog.

Thursday, Aug. 1
10 a.m.:
Hacker Law School: Jim Rennie & Marcia Hofmann
Noon:
Pentesters Toolkit: Anch
5 p.m.:
DEF CON Documentary Premiere
8 p.m.:
DEF CON Welcome Party

Friday, Aug. 2
11 a.m.:
Torturing Open Government Systems for Fun, Profit and Time Travel: Tom Keenan
Noon:
Backdoors, Government Hacking and The Next Crypto Wars: Christopher Soghoian
1 p.m.:
Prowling Peer-to-Peer Botnets After Dark: Tillmann Werner
Offensive Forensics: CSI for the Bad Guy: Benjamin Caudill
2 p.m.:
Protecting Data with Short-Lived Encryption Keys and Hardware Root of Trust: Dan Griffin
Evil DoS Attacks and Strong Defenses: Sam Bowne & Matthew Prince
3 p.m.:
Kill 'em All - DDoS Protection Total Annihilation! Tony Miu & Wai-Leng Lee
The ACLU Presents: NSA Surveillance and More: Panel
4 p.m.:
A Password is Not Enough: Why Disk Encryption is Broken and How We Might Fix It: Daniel Selifonov
5 p.m.:
Unexpected Stories - From a Hacker Who Made It Inside the Government: Peiter "Mudge" Zatko
How my Botnet Purchased Millions of Dollars in Cars and Defeated the Russian Hackers: Michael Schrenk

Saturday, Aug. 3
10 a.m.:
Predicting Susceptibility to Social Bots on Twitter: Chris Sumner & Randall Wald
11 a.m.:
Fear the Evil FOCA: IPv6 attacks in Internet Connections: Chema Alonso
Noon:
BoutiqueKit: Playing WarGames with Expensive Rootkits and Malware: Josh 'Monk' Thomas
1 p.m.:
We are Legion: Pentesting with an Army of Low-power Low-cost Devices: Dr. Philip Polstra
3 p.m.:
An Open Letter - The White Hat's Dilemma: Professional Ethics in the Age of Swartz, PRISM and Stuxnet: Alex Stamos
5 p.m.:
DNS May Be Hazardous to Your Health: Robert Stucke

Sunday, Aug. 4
10 a.m.:
The Cavalry Isn't Coming: Nicholas J. Percoco and Joshua Corman
11 a.m.:
The Dawn of Web 3.0: Website Mapping and Vulnerability Scanning in 3D, Just Like You Saw in the Movies: Teal Rogers & Alejandro Caceres
Noon:
HiveMind: Distributed File Storage Using JavaScript Botnets: Sean Malone
1 p.m.:
Utilizing Popular Websites for Malicious Purposes Using RDI: Daniel Chechick & Anat


Oracle Releases July 2013 CPU

Akamai customers and anyone else relying on Oracle infrastructure should know that the database giant has released its latest Critical Patch Update (CPU). 

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities and is usually cumulative, but each advisory describes only the security fixes added since the previous CPU. Oracle delivers these updates every three months, in January, April, July and October.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions | Patch Availability
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3 | Database
Oracle Database 11g Release 1, version 11.1.0.7 | Database
Oracle Database 10g Release 2, versions 10.2.0.4, 10.2.0.5 | Database
Oracle Access Manager, versions 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0 | Fusion Middleware
Oracle Endeca Server, versions 7.4.0, 7.5.1.1 | Fusion Middleware
Oracle HTTP Server, version 10.1.3.5.0 | Fusion Middleware
Oracle JRockit, versions R27.7.5 and earlier, R28.2.7 and earlier | Fusion Middleware
Oracle Outside In Technology, versions 8.3.7, 8.4.0, 8.4.1 | Fusion Middleware
Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0 | Fusion Middleware
Oracle Hyperion BI, versions 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, 11.1.2.2.305 and earlier | Hyperion
Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.2, 12.1.0.3 | Enterprise Manager
Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1 | Enterprise Manager
Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5 | Enterprise Manager
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3 | E-Business Suite
Oracle E-Business Suite Release 11i, version 11.5.10.2 | E-Business Suite
Oracle Agile Collaboration Framework, version 9.3.1 | Oracle Supply Chain
Oracle Agile PLM Framework, version 9.3.1 | Oracle Supply Chain
Oracle Agile Product Framework, version 9.3.1 | Oracle Supply Chain
Oracle PeopleSoft Enterprise Portal, version 9.1 | PeopleSoft
Oracle PeopleSoft HRMS, version 9.1 | PeopleSoft
Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53 | PeopleSoft
Oracle iLearning, versions 5.2.1, 6.0 | iLearning
Oracle Policy Automation, versions 10.2.0, 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2 | Oracle Industry Applications Product Suite
Oracle and Sun Systems Product Suite | Oracle and Sun Systems Product Suite
Oracle Secure Global Desktop, versions 4.6 prior to 4.63, 4.7 prior to 4.71 | Oracle Linux and Virtualization
Oracle MySQL Server, versions 5.1, 5.5, 5.6 | Oracle MySQL Product Suite

More details on the vulnerabilities can be found on the Oracle website.
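The practical use of a table like the one above is to run it against an inventory of what is actually installed. The following is an added example, not Oracle's or Akamai's code: it encodes a few rows of the list with three assumed rule kinds ("train", "upto" and "range") that correspond to the three ways the table phrases a version, and checks a constructed inventory against them. Host names and inventory versions are invented for the illustration.

```python
"""Match an inventory of Oracle installations against a CPU affected-version
list. Added example, not Oracle's or Akamai's code. Three assumed rule kinds
encode the table's phrasing: "train" (installed version begins with the
listed release, so 11.2.0.3 covers 11.2.0.3.0 and 5.5 covers 5.5.30), "upto"
(same first component and not newer, for "R28.2.7 and earlier") and "range"
(for "4.6 prior to 4.63"). Host names and inventory versions are constructed."""
import re
from decimal import Decimal

AFFECTED = {
    "Oracle Database": [("train", "11.2.0.2"), ("train", "11.2.0.3"), ("train", "11.1.0.7"),
                        ("train", "10.2.0.4"), ("train", "10.2.0.5")],
    "Oracle JRockit": [("upto", "R27.7.5"), ("upto", "R28.2.7")],
    # Secure Global Desktop numbers releases like decimals (4.6, 4.62, 4.63,
    # 4.7, 4.71), which is why the table says "4.6 prior to 4.63"; the range
    # rule therefore compares as Decimal, not as dotted integer fields.
    "Oracle Secure Global Desktop": [("range", "4.6", "4.63"), ("range", "4.7", "4.71")],
    "Oracle MySQL Server": [("train", "5.1"), ("train", "5.5"), ("train", "5.6")],
}


def vtuple(version):
    """'R28.2.7' -> (28, 2, 7): letters dropped, numeric fields compared left to right."""
    return tuple(int(x) for x in re.findall(r"\d+", version))


def rule_matches(rule, version):
    kind = rule[0]
    if kind == "train":
        base = vtuple(rule[1])
        return vtuple(version)[:len(base)] == base
    if kind == "upto":
        v, ceiling = vtuple(version), vtuple(rule[1])
        return v[0] == ceiling[0] and v <= ceiling
    if kind == "range":
        # Only valid for single-dot, decimal-style version schemes.
        return Decimal(rule[1]) <= Decimal(version) < Decimal(rule[2])
    raise ValueError("unknown rule kind %r" % kind)


def is_affected(product, version):
    """True if any rule for `product` covers `version`; unknown products are not flagged."""
    return any(rule_matches(r, version) for r in AFFECTED.get(product, []))


def check_inventory(inventory):
    """inventory: iterable of (host, product, version). Returns the affected entries."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


INVENTORY = [  # constructed
    ("db-prod-1", "Oracle Database", "11.2.0.3.0"),
    ("db-prod-2", "Oracle Database", "11.2.0.4.0"),
    ("app-jvm-1", "Oracle JRockit", "R28.2.5"),
    ("app-jvm-2", "Oracle JRockit", "R28.2.8"),
    ("sgd-1", "Oracle Secure Global Desktop", "4.62"),
    ("sgd-2", "Oracle Secure Global Desktop", "4.63"),
    ("mysql-1", "Oracle MySQL Server", "5.5.30"),
    ("ldap-1", "OpenLDAP", "2.4.35"),
]

if __name__ == "__main__":
    for host, product, version in check_inventory(INVENTORY):
        print("%-10s %-30s %s" % (host, product, version))
```

The "train" rule deliberately flags every 11.2.0.3.x install, including ones that already carry this quarter's patch, because the advisory table lists release trains, not fixed patch levels. Whether the CPU is actually applied has to be read from the system itself; for the database that is the DBA_REGISTRY_HISTORY view, whose APPLY rows name the CPU or PSU installed. The fixed MySQL point releases are likewise not on this page and come from the advisory.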

Feedback from Yesterday's DEF CON post

Yesterday, I wrote about the controversy surrounding DEF CON 21 and the organizers' suggestion that those working for such government agencies as the NSA sit this one out. I didn't offer an opinion on whether it was the right or wrong move, but captured both sides of the argument and asked readers for feedback. And, when tweeting the post, I argued that while some see this as drama, I saw it as an opportunity for the security community to do things better.

The most detailed feedback came from Chris Hoff. I've known him for a long time and value his opinions. He took issue with what he saw as me lumping the entire security community in with the DEF CON organizers. The decision to encourage NSA types to stay away wasn't something "we" made, he said. It was a decision they, the event planners, made.


Another respected voice in the industry, Robert David Graham, noted that there's a difference between "Feds" and those encouraged not to attend. He also noted that nobody had been banned as I suggested:

Um, I don't think you parsed correctly what the D. Tangent wrote. Nobody is being banned.


also, anybody working for the government coming on their own dime is welcome.


On LinkedIn, Michael Guadagno, a national counterespionage specialist, offered this:


From what we read days ago, it was suggested by one of the event organizers the decision may have been made to evade trouble within the spectators. There are no taking sides here and we feel at this point it's a good decision, under the present circumstances. There are good people that attend these events and they all are not on the dark side. Please don't be fooled, no matter what profession or spectator groups attending, in real life there will be an overzealous element ever present. Just our open minded thoughts on this, thank you.


A few responses from me:


--My goal with yesterday's post was to initiate more discussion, not opine on whether DEF CON's decision was right or wrong.


--I noted in the opening that the "Feds" were encouraged not to come. Further down, I let slip the word "banned." To be clear, no one has been banned.


--When I say "we" or "community" I'm talking about everyone in the security industry -- which, as Hoff noted, includes many communities.


--Though this year's move was made by DEF CON organizers and not the community at large, my suggestion was that all of us could learn something from the fallout. Many in the community are involved in the planning of other conferences, and a thorough analysis of DEF CON's decision and the resulting lessons could be applied when planning other events. That's what I meant when I said we could use this to do better going forward. 


It could be that we end up learning nothing and stumble along to the next drama. As Hoff also noted, "The 'community's' biggest problem (is that) we have immediate anger issues and long-term memory problems."


I certainly can't argue with that, Mr. Hoff.


Thanks to everyone for the feedback. Keep it coming.

