Akamai Diversity

Recently by Bill Brenner

DefCon's Fed Drama

With three big security conferences coming up in Las Vegas two weeks from now, much of the InfoSec community's attention is on who won't be at the third event: DefCon. Amidst revelations about the NSA's surveillance activities, DefCon organizers have advised feds to skip this year. It's a first in the 21-year history of this hacker gathering, and reaction has been sharply divided.

Those outraged by the depth of the NSA's activities applauded the move. Others dismissed it as a stunt by DefCon organizers to stir the drama pot and raise public interest in the event. Still others suggest that the Feds wanted to stay away until the dust settled, and that DefCon was giving them an easy out.

One could argue that it's counterproductive and shortsighted to ban the feds. After all, a continuing goal for the community is to foster stronger cooperation between the government and the grassroots level of the security world. One could equally argue that all this shock and outrage is silly, because we've known all along that the NSA has deep surveillance hooks and has been spying on American citizens from the beginning.

In my opinion, the motives of DefCon organizers are beside the point. What's more important is how we go forward.

Is it better to cut people out of security events because they work for the NSA or FBI, for the sake of taking a stand against the government spying on citizens? Or is it more productive to use these conferences as a way to debate the issues with the very people we're angry with, in the hope that they'll go back to their agencies and work toward change?

Discuss amongst yourselves, and feel free to opine in the comments section. Please keep the tone respectful.



Major Areas of Technology within Security

In this Akamai InfoSec video tutorial, Security Intelligence Director Joshua Corman gives an overview of major areas of technology within security.

The Security Team's Role Within An Organization

In this Akamai InfoSec video tutorial, Akamai CSIRT Director Michael Smith gives an overview of the security team's role within an organization.

Cloud Security Made Simple

We in Akamai InfoSec are sitting on a mountain of educational videos, and I've spent the past month reviewing some 40 items. We'll eventually have a place on the Akamai website where you can easily access them all. But for now, I've decided to start making them available via my blog posts. In this episode, Akamai CSIRT Director Michael Smith gives an overview of the cloud, cloud infrastructure and cloud delivery models. 




A Short History Of Cryptography

We in Akamai InfoSec are sitting on a mountain of educational videos, and I've spent the past month reviewing some 40 items. We'll eventually have a place on the Akamai website where you can easily access them all. But for now, I've decided to start making them available via my blog posts. 

The first one is a favorite of mine: CSO Andy Ellis giving a brief history of cryptography. Enjoy!


Talks of Interest at #BlackHat2013

I've been looking over the Black Hat 2013 schedule to see which talks best fit the issues Akamai's InfoSec team is dealing with daily. 

It's always a roll of the dice when you try to determine which talks to attend, because some look like the right fit on the website but then the talk turns out to be something different. That's not necessarily a bad thing. I've gone to talks that didn't turn out as advertised but were useful all the same. I've also attended talks I hadn't planned for and walked away with something of value. 

Here are some agenda items that look good to me thus far. 


Wednesday, July 31:

9 a.m.:
KEYNOTE SPEAKER: GENERAL KEITH B. ALEXANDER

11:45 a.m.:

DENYING SERVICE TO DDOS: Allison Nixon
DENIAL OF SERVICE AS A SERVICE: Robert Masse
MILLION BROWSER BOTNET: Jeremiah Grossman & Matt Johansen

Thursday, Aug. 1:

10:15 a.m.:
BIG DATA FOR WEB APP SECURITY: Mike Arpaia & Kyle Barry

2:15 p.m.:
ABOVE MY PAY GRADE: CYBER RESPONSE AT THE NATIONAL LEVEL: Jason Healey
POST EXPLOITATION OPERATIONS WITH CLOUD SYNCHRONIZATION: Jake Williams

Talks Of Interest at #BSidesLV

I've been looking over the schedule for BSidesLV to see which talks best fit the issues Akamai's InfoSec team is dealing with daily. 

It's always a roll of the dice when you try to determine which talks to attend, because some look like the right fit on the website but then the talk turns out to be something different. That's not necessarily a bad thing. I've gone to talks that didn't turn out as advertised but were useful all the same. I've also attended talks I hadn't planned for and walked away with something of value. 

Here are some agenda items that look good to me thus far:

Wednesday, July 31:

Tom Kopchak (CG2): Attacking and Defending Full Disk Encryption

Ed Bellis, Michael Roytman: Vulnerability & Exploit Trends: A Deep Look Inside The Data

Michael "DrBearSec" Smith: Calling All Researchers: A Discussion on Building a Security Research Framework

Alex Hutton (CG2): Alex Dreams of Risk: How the Concept of Being a Craftsman can Help you Find Meaning and Avoid Burnout

Sean Malone: HiveMind: Distributed File Storage Using JavaScript Botnets

Thursday, Aug. 1:

Nicholas J. Percoco and Joshua Corman: The Cavalry Isn't Coming

Javvad Malik: How embracing social media helped me stop the hackers, save the world and get the girl!

Alex Pinto (Joel Wilbanks): Using Machine Learning to Support Information Security

Davi Ottenheimer, Raymond Umerley, Jack Daniel, Steve Werby, David Mortman & George V. Hulme: Breach Panel

Steve Werby: Crunching the Top 10,000 Websites' Password Policies and Controls


BSides Las Vegas 2013 will be held July 31 and Aug. 1 at Tuscany Suites & Casino on Flamingo Ave.

Microsoft's July Patch Load: Many Critical Fixes

Microsoft has released seven security bulletins addressing 34 CVEs. Since so many Akamai customers run Windows environments, we find it important to let you know whenever these are rolled out.

Jonathan Ness, an engineer for Microsoft's Security Response Center, says six bulletins have a maximum severity rating of Critical and one has a maximum severity rating of Important. Below is a table to help you prioritize patch deployments in your environment.

Bulletin: MS13-055 (Internet Explorer)
Most likely attack vector: Victim browses to a malicious webpage.
Max bulletin severity: Critical
Max exploitability rating: 1
Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
Platform mitigations and key notes: 17 CVEs being addressed.

Bulletin: MS13-053 (win32k.sys and TTF font parsing)
Most likely attack vector: The most likely vector requires the attacker to already be running code on the machine; this vulnerability is then used to elevate from a low-privileged account to SYSTEM. An additional vector is the victim browsing to a malicious webpage that serves up a TTF font file, resulting in code execution as SYSTEM.
Max bulletin severity: Critical
Max exploitability rating: 1
Likely first-30-days impact: Public proof-of-concept exploit code currently exists for CVE-2013-3660.
Platform mitigations and key notes: Public EPATHOBJ issue (CVE-2013-3660) addressed by this update. Kernel-mode portion of the TTF font parsing issue (CVE-2013-3129) addressed by this update.

Bulletin: MS13-052 (.NET Framework and Silverlight)
Most likely attack vector: Victim browses to a malicious Silverlight application hosted on a website.
Max bulletin severity: Critical
Max exploitability rating: 1
Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
Platform mitigations and key notes: .NET Framework and Silverlight exposure to the TTF font parsing issue (CVE-2013-3129) addressed by this update.

Bulletin: MS13-054 (GDI+)
Most likely attack vector: Victim opens a malicious TTF file using an application that leverages GDI+ for font parsing.
Max bulletin severity: Critical
Max exploitability rating: 1
Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
Platform mitigations and key notes: User-mode (gdiplus.dll) exposure to the TTF font parsing issue (CVE-2013-3129) addressed by this update.

Bulletin: MS13-056 (DirectShow)
Most likely attack vector: Victim opens a malicious .GIF file using a third-party application that leverages the DirectShow library.
Max bulletin severity: Critical
Max exploitability rating: 1
Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days.
Platform mitigations and key notes: No Microsoft end-user applications are known to be vulnerable to the single CVE being addressed by this update.

Bulletin: MS13-057 (Windows Media)
Most likely attack vector: Victim browses to a malicious webpage or opens a malicious Windows Media file.
Max bulletin severity: Critical
Max exploitability rating: 2
Likely first-30-days impact: Difficult to build a reliable exploit for this issue. Less likely to see an exploit developed within the next 30 days.
Platform mitigations and key notes: One CVE being addressed.

Bulletin: MS13-058 (Windows Defender)
Most likely attack vector: An attacker with write access to the root of the system drive (C:\) places a malicious file that is run as LocalSystem by Windows Defender during its signature update process.
Max bulletin severity: Important
Max exploitability rating: 1
Likely first-30-days impact: Likely to see reliable exploits developed within the next 30 days. Unlikely to see widespread infection, as low-privileged users do not have permission to write to the root of the system drive by default.
Platform mitigations and key notes: To exploit the vulnerability addressed by this update, the attacker must have permission to create a new file at the root of the system drive (C:\malicious.exe).
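The MS13-058 entry depends on a precondition you can verify yourself: whether any low-privileged principal is allowed to create a file directly in the root of the system drive. The following PowerShell check is an added example, not part of the original post and not Microsoft's code; the set of principals it treats as low-privileged is an assumption and should be adjusted for your environment.

```powershell
# Added example (not from the original post or from Microsoft): list ACL
# entries on the root of the system drive that would let a low-privileged
# principal create a file there, which is the precondition MS13-058 requires.

$root = "$env:SystemDrive\"
$acl  = Get-Acl -Path $root

# Principals that should never be able to create files directly in the root.
# Assumption: this list covers the usual built-in low-privileged identities;
# extend it to match your own environment.
$lowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'NT AUTHORITY\INTERACTIVE'
)

$createFiles = [System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

$findings = foreach ($ace in $acl.Access) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }

    # CreateFiles (also called WriteData) is the right needed to drop
    # C:\malicious.exe. AppendData/CreateDirectories is not enough.
    $canCreateFile = (($ace.FileSystemRights -band $createFiles) -ne 0)
    if (-not $canCreateFile) { continue }

    # An ACE flagged InheritOnly applies to children only, not to the root
    # folder itself, so it cannot be used to create a file in the root.
    $appliesToRoot = (($ace.PropagationFlags -band $inheritOnly) -eq 0)
    if (-not $appliesToRoot) { continue }

    [pscustomobject]@{
        Identity  = $ace.IdentityReference.Value
        Rights    = $ace.FileSystemRights
        Inherited = $ace.IsInherited
    }
}

if ($findings) {
    Write-Warning "Low-privileged principals can create files in $root"
    $findings | Format-Table -AutoSize
} else {
    Write-Output "No low-privileged principal can create files directly in $root."
}
```

On a default Windows installation the root of the system drive grants Authenticated Users "Modify" only on subfolders and files (an inherit-only entry) plus "Create folders / append data" on the folder itself, neither of which lets a standard user create a file in C:\, so the check reports nothing. A non-empty result means someone has loosened the ACL and the "unlikely to see widespread infection" mitigation in the table no longer holds for that machine. You can cross-check the raw entries with icacls $env:SystemDrive\ .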

Bracing For Fresh DDoS Attacks

This morning a story caught my attention regarding the potential for another wave of DDoS attacks. The article, by Tracy Kitten at Bank InfoSecurity, quotes researchers who see modifications being made to Brobot -- a favorite weapon in attacks against the banking sector. 

She wrote:

Experts say distributed-denial-of-service attacks against U.S. banks are not over, despite what's now been a two-month cease-fire by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. Security vendors tell me the group's botnet is growing. And when these attacks do resume, they won't be easy to fight. This next wave of DDoS attacks will be different from what we have seen in earlier waves of attacks, dating back to mid-September 2012, researchers believe. As a result, many of the mitigation strategies and defenses banks have in place could prove ineffective.

Fortunately, Kitten writes, information about new code added to Brobot is being shared behind the scenes among banking institutions. "Now," she says, "banks and DDoS-mitigation providers are just waiting for what will be the fourth phase of DDoS to strike."

Here in Akamai's InfoSec department, Brobot has taken up much time and attention. At SOURCE Boston in April, Senior Security Architect Eric Kobrin gave a detailed analysis of how Brobot operates and where the enabling vulnerabilities can be found.

He noted, among other things:

--The amount of bandwidth flooding websites was substantial. Akamai CSO Andy Ellis recently wrote that Brobot botnets are routinely tossing around 30 Gbps attacks, with peaks upwards of 80 Gbps. 

--The DDoS attacks are crude, exploiting large networks of compromised machines to overwhelm a website with requests. 

--The battle often comes down to the amount of bandwidth a banking site has and whether it is large enough to withstand traffic from the botnet and customers. 

Kobrin said the compromised machines often get that way because attackers were able to own them through security holes in the online content management systems (CMS) that content publishers take for granted. The WordPress interface you use to blog? It could have been used to make your server part of the botnet, and it's something you would not notice. That vanity email domain you opened for yourself? That's an easy target, too.

One of the problems is that hosting providers build sites to be as accessible as possible and to make them easy for Google to index. As you've heard by now, accessibility and security are often at odds.

"There is no single cause," Kobrin said. "A half a dozen failures have to happen along the way." One such failure is a lack of routine patching. Another failure is that admin access is often easy to get.

What to do about all this? Kobrin offered this advice:

--Banks can build a more defensible online infrastructure, get a better handle on all the apps in their systems and build closer relationships with their hosting providers, since attacks usually come from trouble on the provider's side of the court.

--CMS users can be more diligent about applying patches as they're released, and remove unused plug-ins. The more customized your site is, the more plug-ins you probably have sitting there. Users can also deploy an IDS and turn off unused sites.

--Hosting providers can set up safer defaults, offer automatic updates and offer a fully managed CMS.

A Black Hat, DefCon and B-Sides survival guide

Many security professionals are making plans for a week in Las Vegas at the end of this month for three big InfoSec conferences: Black Hat, DefCon and BSidesLV. Several of us from Akamai InfoSec have been going for years and are familiar with what to expect and how to make the best use of our time there. 

If you're a first-time attendee, however, the experience can be overwhelming.

For that reason, each year I put together a survival guide of sorts. In the coming days I'll focus on presentations scheduled for the three events that fit in with trends we've been witnessing in Akamai InfoSec. For now, here's your primer:

Tip 1: Don't let the noise get to you

Black Hat in particular is a noisy event. The vendors, in an effort to really fit in with the attitude of the conference, come up with all kinds of theatrics. One year, a guy was dressed up as a "Mad Russian" hacker mastermind. His attire was a cross between Captain Caveman, Charles Manson and Rasputin. I don't remember which vendor he worked for. I do remember that between sessions it's hard to move around, as people mingle in the middle of crowds rushing from one talk to the next.

The talks themselves are often surrounded by drama, though that part has calmed down in the last couple of years. Sometimes a vendor will try to stop a talk about exploits for a vulnerability in its products. Lawyers are brought in and a mess ensues. This happened in 2005, when Cisco moved to quash a talk by then-ISS researcher Michael Lynn on an exploitable issue in Cisco's IOS router operating system. The move proved to be a waste of time for Cisco, since the story got out anyway. But what was worse, in my opinion, was that a lot of good talks went unreported in the media because everyone was too busy chasing the hype over this one talk.

And so my advice here is to remember what you do in your day-to-day job, find the talks that most closely address the challenges you want to overcome and don't let drama and noise divert you from the plan. 

Tip 2: Make time for B-Sides
At the same time Black Hat is going on, security practitioners will be giving talks at another event called Security B-Sides. This one is for those who maybe couldn't afford to attend Black Hat or DefCon or for those who wanted to speak at those events but were rejected for one reason or another.

It's a more low-key affair than the major conferences, and there are gems to be found on the agenda. The event has gotten considerably bigger in the last couple years but it's still something you'll want to make time for. The content is worth it.

Details for this year's event:

When: July 31-Aug. 1
Where: Tuscany Suites and Casino on Flamingo Ave.

Tip 3: It's more about the networking, anyway
To me, the most important part of the Las Vegas events is the networking. In some cases, you get to finally meet a bunch of people you only knew through Twitter up to that point. You'll also make many new contacts who will offer you a variety of helpful feedback in the years to come.

If there's an opportunity to have coffee with a fellow security practitioner at the same time a bunch of sessions are going on, go for the coffee. The talks may entertain, but it's the relationships you forge over coffee or a meal that will likely lead to useful collaborations and lines of support when you need it most.

Tip 4: Too much drink in public can hurt your career
This last piece of advice is along the same lines as the previous one. If you're hitting the parties at night, where the booze is almost always free-flowing and paid for by the vendors, remember that opportunities abound to make fresh business contacts. A game of poker and a few drinks can be the stuff future partnerships are made of. I don't drink anymore, or play poker, but I've made valuable contacts just by hanging out and being an observer.

This can cut both ways, of course.

If you enjoy too many free drinks and get plastered, you run the risk of making a big fool of yourself. I've seen some well-regarded security professionals do this many times, and when they do it's all people talk about for the next week.

I wouldn't want to be that person.

I hope you found this helpful. Safe travels and enjoy the week!