Akamai Diversity

Recently by Bill Brenner

Opera Browser Hacked

A note of caution for Akamai customers and anyone else using the Opera web browser: Hackers have broken into Opera's internal network. As a result, thousands of users have been the unfortunate recipients of malware.

According to a report on the E Hacking News site, the culprits were able to exploit an expired Opera code-signing certificate. "Cybercriminals used the certificate to send their malware and distributed the malicious software to thousands of Opera users through [the] automated update function," the news site reported. "The malware is currently detected by half of the antivirus engines used by the virus total scanner."

In the Opera blog, Sigbjørn Vik from the quality assurance department wrote:

On June 19th we uncovered, halted and contained a targeted attack on our internal network infrastructure. Our systems have been cleaned and there is no evidence of any user data being compromised. We are working with the relevant authorities to investigate its source and any potential further extent. We will let you know if there are any developments. It is possible that a few thousand Windows users, who were using Opera between 01.00 and 01.36 UTC on June 19th, may automatically have received and installed the malicious software. To be on the safe side, we will roll out a new version of Opera which will use a new code signing certificate.

The solution, he said, is to upgrade your browser to the latest version.

Experiencing Compliance From The Inside Out

One of the big educations I've been getting since joining Akamai's InfoSec group is what it's like to deal with the multiple tasks of compliance from within an organization. As a journalist, I always tackled the subject from the outside, where I'd ask a company which regulations they were bound by, and which security procedures they had adopted as a result.

Now I'm inside a publicly-traded corporation that is on the hook for all kinds of regulations, and a lot of the work going on around me is about making sure Akamai is on top of its compliance game. 

Two weeks before I officially started, I paid a visit to sit in on some meetings that were part of an audit the company was having done. It started with an overview CSO Andy Ellis gave auditors regarding the main components of our security program. There was also a meeting where representatives from human resources told the auditors about security training they give new employees and the follow-up training employees continue to receive. Having just gone through the training, I can tell you it is extensive. Another meeting dealt with Akamai's Edge Tokenization deployments.

Now I'm watching my colleagues work on the daily bits and pieces that go into our compliance upkeep.

I'm looking at compliance from two angles at all times: There's the internal compliance efforts, and then there are the products we sell to customers to help them with their efforts. I don't pretend to know everything yet. Indeed, it will take time to fully absorb everything. The greatest lesson so far for me is that the work is far deeper and far more complex than what I understood as the outsider looking in. 

I see a lot of heavy lifting ahead. But it's going to be fun.



Akamai InfoSec Has Become More Social

Akamai InfoSec has some new social networking accounts designed to keep the focus squarely on what our team is up to while inviting customers and the wider industry in to share ideas and ask us questions.

In the past week we've created new pages on Twitter, Facebook, LinkedIn and Google+ -- and we ask you all to "like," "follow" and add the team to your online social circles.

For now, these accounts are being used mostly to share the security blogging and research we do daily. But the goal is to be more accessible to customers and those who may be thinking of trying us out. 

We currently field a lot of customer questions using inside e-mail lists and other private communications. The new social networking pages will make it even easier to ask us questions and get answers. And since it's in a public setting, a wider audience will be able to take in the discussions and learn from them.

Private conversations will continue, of course. Many of our customer dealings must remain private for their protection. The social networking pages are for more general questions and answers.

Our new Twitter handle is @Akamai_Infosec.

Our page on Facebook is Akamai InfoSec.

On Google+ we are Akamai Sec.

On LinkedIn, we are the Akamai InfoSec group.



Blunting Attacks During Olympic-sized Events

InfoSec receives many questions from Akamai customers on a daily basis. Yesterday, someone asked if we had a case study on attack vectors against the 2012 London Olympics. The customer has a big event coming up, and wanted a picture of what they're up against -- and how they can defend against it all to keep their sites running smoothly. 

As it turns out, CSIRT Director Michael Smith wrote something on that very subject. 

As someone who covered security as a journalist for 10 years, I was always on guard for event-related attacks. Everyone has been a target at one time or another: The NHL, NFL, and non-sporting events like the Academy Award ceremonies. And, of course, there's the Olympics.

What follows is the full write-up Michael did in advance of the London games. I think you'll find it useful. If you're concerned about details you don't see covered below, let me know and we'll work to address what's on your mind. Remember, this was written before the 2012 Olympics, so it's in the future tense.

Online Attacks and Large Online Events

The upcoming Olympic Games, much like other widely publicized, international events, offer unique challenges for online security. In the course of any given year, Akamai supports many of these online events including concerts, sporting competitions, elections, and other newsworthy happenings. Because of this, we've had substantial visibility into the various ways the "bad guys" may try to take advantage of an online event for their own gain. As important, these events typically involve a variety of online components - from live streaming to commerce - that provide a significant attack surface for the event's security staff to protect.

The primary concern when supporting a large event is that online resources may be built in a hurry and then receive a sudden influx of users.  As such, there are time and effort constraints to securing these websites and the infrastructure that carries them.  Usually as the security team for the event, you do not have a lot of historical Internet traffic to define what is "normal" so you have to rely on attack trends from other events and threat intelligence to detect any new techniques that specifically are targeting your event.

One thing you need to be prepared to defend against is Denial of Service (DoS) attacks, where the attacker disrupts the operation of an online service such as a livestream or website. Highly visible event websites are prime targets and a cleverly-conducted Distributed DoS attack looks like a flash mob of legitimate users that are coming to a website.

The high visibility for events such as the Olympics can also prompt defacement style attacks.  Because the event draws a large volume of website users, hacktivist groups wishing to propagate their messages can alter the event's website to display their message to a broad audience and to generate headlines that create awareness for their cause.

In a similar vein, most large events have a scheduling site or a storefront where they sell tickets, memorabilia, or other services.  These can be prime targets for data exfiltration for anything from email addresses to passwords to credit card information to VIP contact information.

Data breaches can also lead to inappropriate information disclosure. This is not a big fear for a real-time event such as the Olympics, but for events with a predetermined outcome, such as awards ceremonies, attackers can access the results before they are officially released - this can lead to significant audience loss and loss of revenue. The loss of revenue could also happen as a result of actual content theft, where attackers make a copy of the event content available on their own website or on portable media.

Significant interest in an event may make associated online assets a possible target for distributors of malware. In this situation, attackers would alter the website in a non-obvious, non-visible manner to serve hooks to malicious content that runs on users' computers and installs other software such as viruses, keyloggers, and the Zeus banking trojan.

And unfortunately, the event organizers and their online assets are not always the sole target. Event audiences can also be targets. Vehicles could include phishing, spam, and malware email where attackers seek a wide variety of goals such as stealing information from the user's computer, implanting viruses on the user's computer, and conducting outright scams involving selling counterfeit tickets, VIP passes, and fraudulent "discount tickets" to unsuspecting consumers.

Overall, the trick to keeping online events as safe as possible is to understand your potential adversary based on previous trends and current capabilities and understand how they're most likely to attack, the motivation for the attack, and countermeasures that you can implement. Doing so will help you apply the right defenses to the right assets and have a successful event.


Blogs From Akamai's InfoSec Team (Updated)

Akamai's InfoSec team does a lot of blogging, both on the company site and in personal, security-oriented blogs where they offer opinions that are theirs and not always their employer's. What follows is a directory of who is blogging and where. I'll update the list as more examples come to my attention, but for now I hope you'll check out these sites. In a future post, I'll point you to InfoSec staff on Twitter and other social networks.

"Liquid Matrix" is overseen by Akamai Security Evangelist Dave Lewis. A cast of talented security professionals contribute podcasts, features, etc.

"The Security Penguin," written by George, the Penguin of Awesomeness and spokesman for Akamai InfoSec.

"Andy Ellis > Protecting a Better Internet," written by Akamai's chief security officer. His most recent post dealt with the complexities of DNS reflection defense.

"Zen of security," by John Ellis, Akamai's enterprise security director for Asia Pacific and Japan. He also blogs for CSO.

"The Guerilla CISO," by Akamai CSIRT Director Michael Smith, known in the blog as "rybolov." This is a group blog he is in charge of. Topics range from the strategic (cyberwar, pending legislation, and public policy) through the operational (NIST's Framework for FISMA) to the tactical (penetration testing, forensics, vulnerability scanning, and security engineering).

Akamai Security Evangelist Martin McKeay has two sites that rose to popularity long before he joined the team. There's the page for his "Network Security Podcast" and his "Network Security Blog."

Akamai Chief Security Architect Brian Sniffen has a site called "Sniffen Packets," which extends beyond security into such topics as travel and religion.

Akamai Senior Systems Engineer Larry Cashdollar has a site called "Vapid Labs Security Research." It's not necessarily a blog. In fact, the page takes you to a stream of code. Larry explains: "I wrote the web server running there in C when I was experimenting with 'attack aware' ideas in the late 90's.  Embedded in the fake public pgp block are links to security vulnerability advisories I've written and exploits. If you try hitting a link like http://vapid.dhs.org/;id>/tmp/p; it will log it as an attack and display a funny message."

Josh Corman, our director of security intelligence, has one called "Cognitive Dissidents." Josh takes the philosophical approach here, tackling issues of consequence that are often poorly understood and/or obfuscated by FUD. One of the standouts for me was a series of posts he authored with Brian Martin of Attrition.org on "building a better Anonymous."

Then there's the blog of Akamai security researcher Christian Ternus, "Adversarial Thinking." He'll soon be writing in the Akamai Blog as well, and his latest post about InfoSec's "jerk" problem is a must read.

I'll end for now with my own blog, The OCD Diaries. It's not a security blog, but I do occasionally cover issues affecting the InfoSec community -- including job-induced depression and how we humans talk to each other, for better or worse.

'InfoSec's Jerk Problem,' By Christian Ternus

I wanted to take a moment to flag a post from another blog that's well worth your time, especially if you want to get a better understanding of the security industry culture. It's from Akamai InfoSec's own Christian Ternus. The subject is something any industry can relate to -- the so-called "jerk problem."

An excerpt:

Put bluntly: to others, we're jerks.

If you don't think this is a problem, you can stop reading here.

The dysfunctional tale of Bob and Alice

Imagine this. Developer Bob just received an email from your Infosec department, subject "Important Security Update." He sighs, thinking of the possibilities: a request to rotate his password, or a new rule? Maybe it's a dressing-down for having violated some policy, a demand for extra work to patch a system, or yet another hair-on-fire security update he doesn't really see the need for. His manager is on his case: he's been putting in long hours on the next rev of the backend but library incompatibilities and inconsistent APIs have ruined his week, and he's way behind schedule. He shelves the security update - he doesn't have time to deal with it, and most things coming out of Infosec are just sound and fury anyway - and, thinking how nice it would be if his team actually got the resources it needed, continues to code. He'll get to it later. Promise.

Meanwhile, you, Security Researcher Alice, are trying not to panic. You've seen the latest Rails vulnerability disclosure, and you know it's just a matter of hours before your exposed system gets hit. You remember what happened to Github and Heroku, and you're not anxious to make the front page of Hacker News (again?!). If only Bob would answer his email! You know he's at work - what's happening? The face of your boss the last time your software got exploited appears in your mind, and you cringe, dreading an unpleasant meeting ahead. You fume for several minutes, cursing all developers everywhere, but no response is forthcoming. Angrily, you stand up and march over to his cube, ready to give him a piece of your mind.

Pause. What's going on here, and what's about to happen?

Read the full post HERE.

Bug Bounty Programs A Turning Point For Microsoft

Here in Akamai's InfoSec department, we constantly remind employees and customers to keep up on all the latest security patches in their environment. Since Windows is everywhere in the business world, it's particularly important to keep an eye on Microsoft's patching efforts.

This week, the software giant made a big move in the name of vulnerability management, unleashing bug bounty programs that will likely lead to many more security patches in the future. Katie Moussouris, a senior security strategist with Microsoft, announced the initiative in a Microsoft blog post and on the podcast of Akamai InfoSec strategist Martin McKeay. She wrote in the blog post:

Today is an inflection point for Microsoft, as well as the security industry. For the first time ever, Microsoft is offering direct cash payouts in exchange for reporting certain types of vulnerabilities and exploitation techniques. We are making this shift in order to learn about these issues earlier and to increase the win-win between Microsoft's customers and the security researcher community.

Full details for the new bounty programs and a fantastic technical deep-dive by our esteemed panel of judges (headed by Matt Miller and David Ross) can be found on SRD's blog.

In short, we are offering cash payouts for the following programs:

  • Mitigation Bypass Bounty - Microsoft will pay up to $100,000 USD for truly novel exploitation techniques against protections built into the latest version of our operating system (Windows 8.1 Preview). Learning about new exploitation techniques earlier helps Microsoft improve security by leaps, instead of one vulnerability at a time. This is an ongoing program and not tied to any event or contest.
  • BlueHat Bonus for Defense - Microsoft will pay up to $50,000 USD for defensive ideas that accompany a qualifying Mitigation Bypass Bounty submission. Doing so highlights our continued support of defense and provides a way for the research community to help protect over a billion computer systems worldwide from vulnerabilities that may not have even been discovered.
  • IE11 Preview Bug Bounty - Microsoft will pay up to $11,000 USD for critical vulnerabilities that affect IE 11 Preview on Windows 8.1 Preview. The entry period for this program will be the first 30 days of the IE 11 Preview period. Learning about critical vulnerabilities in IE as early as possible during the public preview will help Microsoft deliver the most secure version of IE to our customers.
As Martin noted in his podcast, that's a lot of money for those who rise to the challenge. 
I congratulate Katie and her colleagues for making this happen. It's a big turning point for the software giant. I remember covering flaws, malware and patches impacting Microsoft a decade ago. Back then, the folks in Redmond balked whenever a researcher took the liberty of taking new flaw findings public. Now Microsoft is encouraging people to take their best shots and find breaks in the armor. That means more vulnerabilities will be discovered and fixed, and we'll all be more secure as a result.

Below: A group photo of those who worked on the bug bounty programs.

L-R: David Seidman, Gerardo di Giacomo, Mark Oram (via avatar), Mike Reavey, Dustin Childs, Leah Lease, Rob Chapman, Neil Sikka, Jacqueline Lodwig, Brandon Caldwell, Katie Moussouris, Nate Jones, Sweety Chauhan, Emily Anderson, Claudette Hatcher, Cynthia Sandwick, Stephen Finnegan, Manuel Caballero, Ben Richeson, Elias Bachaalany, David Ross, Cristian Craioveanu, Ken Johnson, Mario Heiderich, Jonathan Ness. Not pictured: Christine Aguirre, Danielle Alyias, Michal Chmielewski, Chengyun Chu, Jules Cohen, Bruce Dang, Jessica Dash, Richard van Eeden, Michelle Gayral, Cristin Goodwin, Angela Gunn, Joe Gura, Dean Hachamovitch, Chris Hale, Kyle Henderson, Forbes Higman, Andrew Howard, Kostya Kortchinsky, Jane Liles, Matt Miller, William Peteroy, Georgeo Pulikkathara, Rob Roberts, Matt Thomlinson, David Wheeler, Chris Williams. Behind the camera: Jerry Bryant.

Who Is George Penguin?

One of the more challenging tasks as the new guy in Akamai's InfoSec department is getting to know George Penguin. He's our mascot and ambassador of good will. His likeness is everywhere in the office, most notably in the form of soft, stuffed toys that dominate the workspace like an invasion of the tribbles from "Star Trek."

I met George long before starting this job, and I admit that I've had a little fun at his expense. During the RSA conference in San Francisco last February, I acquired a stuffed George and stuck him in the side pocket of an unsuspecting colleague, who spent the night bouncing from one vendor party to the next with no clue that a penguin's head was bouncing up and down on the side of his leg.

As this department's storyteller, I can't do that sort of thing anymore. I have to play nice with George and keep him happy. Akamai CSO Andy Ellis absolutely adores George, and failing to get on the flightless waterfowl's good side could prove career limiting.

The first time I met George, he looked familiar. Duh, you're probably thinking. Everyone knows what a penguin looks like. But the fluffiness of this guy was something distinctive that stuck in my mind like a thorn. So I did some digging and remembered: I had run into his likeness dozens of times during family trips to the New England Aquarium. He was always in the gift shop, sold in stuffed animal form and in a smaller, rubber version. My youngest son Duncan had one of the latter. His name was Bucky, and he brought the child tremendous joy until he got old and worn out, at which point his rubber butt fell off.

It turns out one of the stuffed penguins was purchased by an Akamai employee during a team outing, and she was allowed to make the purchase as a business expense. That meant he had to be put to work.

And so Akamai's InfoSec emissary was born.

The little dude even has his own Twitter account (@SecurityPenguin) and LinkedIn page.

Here's how he describes himself on LinkedIn:

"I am a highly motivated information security professional, looking to promote awareness of security practices. In my role as the Penguin of Awesome, I promote and recognize practices that promote and raise awareness of Information Security. I am assigned in 1-week rotations to shadow staff who have helped make Akamai a more Security-aware place to work, so that I may learn from them and make sure that their peers know how awesome they are."

He even has some LinkedIn recommendations. Akamai InfoSec CSIRT Director Michael Smith wrote, "GTP is hands-down the most awesome dictator that I have ever had the opportunity to work for. Just the other day I asked him 'George, I'm having a problem getting the sales reps to say no to customer audits, would it help if I showed up at meetings with a crowbar and threatened them physically?' He nibbled on his herring lunch and nodded. Such genius, such drive, such vision!"

There are pictures on the wall of team members with George. The photo op is something that comes your way in recognition of a job done well. My mug isn't up there yet, but it's something I covet.

Still, as popular as he is around here, there's something mysterious about George. There's a lot we don't know about him. There are rumors that he has a nemesis out there, someone dedicated to trampling on the InfoSec principles we hold most dear.

I do have 20 years of reporting experience under my belt, and I intend to use those skills to peel back the layers of mystery.

Stay tuned.

Lessons From Akamai InfoSec Training

Though I've written about InfoSec for the past decade, I've still had my moments of shame. There was the time last year when I fell for one of the oldest social engineering tricks in the book, clicking the link on a direct Twitter message where someone I worked with asked if I'd seen the nasty post someone wrote about me. The co-worker's Twitter account had been hijacked and similar messages were sent to his contacts. The second I clicked the link, I knew I had just done something stupid.

It was a similar story a few years back when I clicked the link to a sci-fi site I received by email from someone masquerading as an old friend. Five-hundred pieces of malware downloaded onto my laptop that day, mainly the stuff that makes adware for pornography and pump-and-dump stock scams pop up all over the screen. I spent several hours cleaning up the mess, and the folks at the office had a good long laugh at my expense. 

In both cases, I hadn't had security training at the companies that employed me, though as a writer of security stories I should have known better. In terms of company security awareness, we received security warnings when an attack was making the rounds, but never a lesson on basic best practices.

On my first day at Akamai, nearly an hour of orientation was dedicated to the subject. I had written about the importance of security training for employees many times over the years, but this was the first time I received it.

Security training in the business world isn't something you can do with a one-size-fits-all mindset. Different companies have different needs, and Akamai is no exception. We dealt with specifics I won't discuss here. But a lot of the directions were pretty basic and applicable in any company and industry.

For example:

--We are told it's fine to use the IM app of our choice to communicate with friends and family. But for any internal, work-related communications, we must use a separate, specific IM tool -- one that has added protection around it.

--We have a routine schedule of pushing out security patches for various programs, and we will occasionally see a box appear on screen asking us to press a button to install new updates. In the training session, it's made clear that we have to pay attention and heed the call to update when called upon.

--Our passwords have to be complex and ironclad. To make sure they are, Akamai has an automated program that tries to crack employee passwords every 24 hours. If yours is cracked, you get a message telling you to come up with a new one.

--If you walk away from your desk, you must lock your screen. On my second day, I walked away with several applications running on my machine, and I returned to find a sticky note on the monitor that said, "Screen savers FTW." That was also the day I got my first cable-locking device.

--Speaking of sticky notes, another directive we get is to never leave around notes with our passwords and ID authentication questions written on them. 

--There are physical security rules to heed as well. One is to never use something to keep a door hoisted open. No key card, no access.

There are many more details that go into our program, but those are good examples of the basics -- items other companies would benefit from adopting.

I'll have more to say on training and awareness in future posts.

A History of Akamai InfoSec Storytelling

As part of my new role as Akamai's security storyteller, I've been digging around in search of all the press coverage this group has gotten over the years. I'm finding that many articles and blog posts came from me, particularly what I wrote in my last job as managing editor of CSO Magazine.

You could say my coming here was destiny, based on how easily I focused on Akamai InfoSec research as a journalist. Most recently, I wrote about two presentations from SOURCE Boston 2013. One, by Senior Security Architect Eric Kobrin, was an analysis of the BroBot DDoS attacks that have targeted the banking sector. 

The other talk, by researcher Christian Ternus, was about Akamai's Adversarial Resilience program. The goal: better protect Akamai's customers by thinking like those who attack them. "At Akamai the attack surface is huge," Ternus said. "As the bad guys attack our customers, we are constantly being tested to see if our systems are good enough. What's needed then is resilience -- the ability to adapt. Our job is to think and act like the adversary to make Akamai safer."

Looking further back, as a journalist I usually gravitated toward Akamai's InfoSec team for perspective and raw data on the biggest DDoS attacks and pretty much any story concerning cloud and application security.

There was this inside look at what it's like for Akamai to deal head-on with incoming DDoS attacks against customers.

And there was this report -- I didn't write it but did assign it -- throwing cold water on the notion that hacktivists were the chief culprits in the banking attacks.

Indeed, I've often come knocking when I wanted to measure the real impact of attacks against the hype I'd be seeing elsewhere in the media. The realities have often been less dramatic than reported.

Now that I've tossed my reporter's hat on the shelf to collect dust, expect a much deeper focus from me on the raw detail that comes out of a company that, at last check, handled tens of billions of daily Web interactions for 90 of the top 100 online U.S. retailers, 29 of the top 30 global media and entertainment companies, nine of the top 10 world banks, and all branches of the U.S. military. 

This is going to be both fun and informative.

And it won't take long to ramp things up. In hindsight, I've been telling Akamai security stories all along.