The solution, he said, is to upgrade your browser to the latest version.

On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments. It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate.
Recently by Bill Brenner
Online Attacks and Large Online Events
The upcoming Olympic Games, much like other widely publicized, international events, offer unique challenges for online security. In the course of any given year, Akamai supports many of these online events, including concerts, sporting competitions, elections, and other newsworthy happenings. Because of this, we've had substantial visibility into the various ways the "bad guys" may try to take advantage of an online event for their own gain. Just as important, these events typically involve a variety of online components - from live streaming to commerce - that present a significant amount of attack surface for the event's security staff to protect.
The primary concern when supporting a large event is that online resources may be built in a hurry and then receive a sudden influx of users. As such, there are time and effort constraints on securing these websites and the infrastructure that carries them. As the security team for the event, you usually do not have much historical Internet traffic to define what is "normal", so you have to rely on attack trends from other events and on threat intelligence to detect any new techniques that specifically target your event.
One thing you need to be prepared to defend against is Denial of Service (DoS) attacks, where the attacker disrupts the operation of an online service such as a livestream or website. Highly visible event websites are prime targets, and a cleverly conducted Distributed DoS attack looks like a flash mob of legitimate users arriving at a website.
The high visibility for events such as the Olympics can also prompt defacement style attacks. Because the event draws a large volume of website users, hacktivist groups wishing to propagate their messages can alter the event's website to display their message to a broad audience and to generate headlines that create awareness for their cause.
In a similar vein, most large events have a scheduling site or a storefront where they sell tickets, memorabilia, or other services. These can be prime targets for data exfiltration for anything from email addresses to passwords to credit card information to VIP contact information.
Data breaches can also lead to inappropriate information disclosure. This is not a big fear for a real-time event such as the Olympics, but for events with a predetermined outcome, such as awards ceremonies, attackers can access the results before they are officially released, which can lead to significant audience loss and loss of revenue. Loss of revenue can also result from outright content theft, where attackers make a copy of the event content available on their own website or on portable media.
Significant interest in an event may make associated online assets a possible target for distributors of malware. In this situation, attackers would alter the website in a non-obvious, non-visible manner to serve hooks to malicious content that runs on users' computers and installs other software such as viruses, keyloggers, and the Zeus banking trojan.
And unfortunately, the event organizers and their online assets are not always the sole target. Event audiences can also be targets. Vehicles could include phishing, spam, and malware email where attackers seek a wide variety of goals such as stealing information from the user's computer, implanting viruses on the user's computer, and conducting outright scams involving selling counterfeit tickets, VIP passes, and fraudulent "discount tickets" to unsuspecting consumers.
Overall, the trick to keeping online events as safe as possible is to understand your potential adversary based on previous trends and current capabilities and understand how they're most likely to attack, the motivation for the attack, and countermeasures that you can implement. Doing so will help you apply the right defenses to the right assets and have a successful event.
Put bluntly: to others, we're jerks.
If you don't think this is a problem, you can stop reading here.
The dysfunctional tale of Bob and Alice
Imagine this. Developer Bob just received an email from your Infosec department, subject "Important Security Update". He sighs, thinking of the possibilities: a request to rotate his password, or a new rule? Maybe it's a dressing-down for having violated some policy, a demand for extra work to patch a system, or yet another hair-on-fire security update he doesn't really see the need for. His manager is on his case: he's been putting in long hours on the next rev of the backend, but library incompatibilities and inconsistent APIs have ruined his week, and he's way behind schedule. He shelves the security update - he doesn't have time to deal with it, and most things coming out of Infosec are just sound and fury anyway - and, thinking how nice it would be if his team actually got the resources it needed, continues to code. He'll get to it later. Promise.
Meanwhile, you, Security Researcher Alice, are trying not to panic. You've seen the latest Rails vulnerability disclosure, and you know it's just a matter of hours before your exposed system gets hit. You remember what happened to GitHub and Heroku, and you're not anxious to make the front page of Hacker News (again?!). If only Bob would answer his email! You know he's at work - what's happening? The face of your boss the last time your software got exploited appears in your mind, and you cringe, dreading an unpleasant meeting ahead. You fume for several minutes, cursing all developers everywhere, but no response is forthcoming. Angrily, you stand up and march over to his cube, ready to give him a piece of your mind.
Pause. What's going on here, and what's about to happen?
Here in Akamai's InfoSec department, we constantly remind employees and customers to keep up on all the latest security patches in their environment. Since Windows is everywhere in the business world, it's particularly important to keep an eye on Microsoft's patching efforts.
Today is an inflection point for Microsoft, as well as the security industry. For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques. We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft's customers and the security researcher community.
Full details for the new bounty programs and a fantastic technical deep-dive by our esteemed panel of judges (headed by Matt Miller and David Ross) can be found on SRD's blog.
In short, we are offering cash payouts for the following programs:
- Mitigation Bypass Bounty - Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.
- BlueHat Bonus for Defense - Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.
- IE11 Preview Bug Bounty - Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers.
L-R: David Seidman, Gerardo di Giacomo, Mark Oram (via avatar), Mike Reavey, Dustin Childs, Leah Lease, Rob Chapman, Neil Sikka, Jacqueline Lodwig, Brandon Caldwell, Katie Moussouris, Nate Jones, Sweety Chauhan, Emily Anderson, Claudette Hatcher, Cynthia Sandwick, Stephen Finnegan, Manuel Caballero, Ben Richeson, Elias Bachaalany, David Ross, Cristian Craioveanu, Ken Johnson, Mario Heiderich, Jonathan Ness. Not pictured: Christine Aguirre, Danielle Alyias, Michal Chmielewski, Chengyun Chu, Jules Cohen, Bruce Dang, Jessica Dash, Richard van Eeden, Michelle Gayral, Cristin Goodwin, Angela Gunn, Joe Gura, Dean Hachamovitch, Chris Hale, Kyle Henderson, Forbes Higman, Andrew Howard, Kostya Kortchinsky, Jane Liles, Matt Miller, William Peteroy, Georgeo Pulikkathara, Rob Roberts, Matt Thomlinson, David Wheeler, Chris Williams. Behind the camera: Jerry Bryant.
One of the more challenging tasks as the new guy in Akamai's InfoSec department is getting to know George Penguin. He's our mascot and ambassador of good will. His likeness is everywhere in the office, most notably in the form of soft, stuffed toys that dominate the workspace like an invasion of the tribbles from "Star Trek."
As part of my new role as Akamai's security storyteller, I've been digging around in search of all the press coverage this group has gotten over the years. I'm finding that many articles and blog posts came from me, particularly what I wrote in my last job as managing editor of CSO Magazine.
You could say my coming here was destiny, based on how easily I focused on Akamai InfoSec research as a journalist. Most recently, I wrote about two presentations from SOURCE Boston 2013. One, by Senior Security Architect Eric Kobrin, was an analysis of the BroBot DDoS attacks that have targeted the banking sector.
The other talk, by researcher Christian Ternus, was about Akamai's Adversarial Resilience program. The goal: better protect Akamai's customers by thinking like those who attack them. "At Akamai the attack surface is huge," Ternus said. "As the bad guys attack our customers, we are constantly being tested to see if our systems are good enough. What's needed then is resilience -- the ability to adapt. Our job is to think and act like the adversary to make Akamai safer."
Looking further back, as a journalist I usually gravitated toward Akamai's InfoSec team for perspective and raw data on the biggest DDoS attacks and pretty much any story concerning cloud and application security.
There was this inside look at what it's like for Akamai to deal head-on with incoming DDoS attacks against customers.
And there was this report -- I didn't write it but did assign it -- throwing cold water on the notion that hacktivists were the chief culprits in the banking attacks.
Indeed, I've often come knocking when I wanted to measure the real impact of attacks against the hype I'd be seeing elsewhere in the media. The realities have often been less dramatic than reported.
Now that I've tossed my reporter's hat on the shelf to collect dust, expect a much deeper focus from me on the raw detail that comes out of a company that, at last check, handled tens of billions of daily Web interactions for 90 of the top 100 online U.S. retailers, 29 of the top 30 global media and entertainment companies, nine of the top 10 world banks, and all branches of the U.S. military.
This is going to be both fun and informative.
And it won't take long to ramp things up. In hindsight, I've been telling Akamai security stories all along.