Akamai Diversity
Home > Dave Lewis

Recently by Dave Lewis

The SOTI Q3 and Hordes of Savage Barbarian IoT

Each quarter the Akamai team delves into the volumes of data that we have at our disposal. Every time we do so we find something new and exciting, and this last quarter was by no means an exception. You might have heard of a little botnet called Mirai that set the Internet on its ear during the month of October.

Patch Tuesday For June Approaches

This month's Microsoft Patch Tuesday has almost arrived. This time out the tech giant has given advance notification that there will be seven fixes rolled out including two critical patches. The issues that are tackled by these patches are remote execution bugs in Windows, Internet Explorer (versions 6-11 depending on OS level), Office and Lync. I should note that the two critical patches require a system restart after they are applied. 

Akamai Is Hiring

One of the most interesting aspects of working at Akamai is the sheer volume of opportunities within the company. Since I started here in my own role last July I have had no end of interesting challenges that have managed to keep me thoroughly engaged. Akamai is a company that allows you to grow and never has a shortage of amazing projects to work on. 

This sort of excellent working environment invariably brings forward the question, "How do I get a job at Akamai?" Well, I'm happy that you asked. In fact we have extensive job listings on our careers page. In point of fact we currently have four open positions right now for our Information Security team. Take your career faster forward where your only limitation is your own imagination. Check out these job descriptions. 

NTP Reflection Attacks

Yesterday we saw the news outlets light up with breathless reports of a massive distributed denial of service that was directed at the boutique company, Cloudflare. There was much ado about the volume of the attack peaking at 400 Gbps according to the numbers released by them. But, was this little more than hyperbole? This would not be without precedent.

Patch Tuesday Revision

Microsoft's patch Tuesday has arrived and further to our post from Feb 7th there have been a couple updates for the release this month. The revised bulletin contains two additional patches which address remote code execution issues in Internet Explorer and the Windows operating system.

Find out how Akamai can help you with your patch management via origin offload

Oh The Hackers Online Are Frightful


Thanksgiving holiday planning is well underway in the US as is the holiday season that follows. It is gearing up to be a bumper sales cycle this year. This year will not be any different than previous ones in that in addition to great deals there will be bad actors attempting to play the role of good ole St. Nick with nothing but a bag of malicious code for the girls and boys.

One of the biggest online sales days of the year in North America is called Black Friday and it brings out amazing savings opportunities it also brings out the opportunists. This is where it becomes incumbent upon the shopper to exercise some caution.

1. Track your spending. The holiday season can be a blur of hopping from site to site and store to store. Be sure to check your credit card statements to be certain that that line up with your actual purchases.

2. Use reputable retailers. If you're unsure of a retailer don't take the risk. Look them up at the Better Business Bureau (http://www.bbb.org) or better yet, go elsewhere if you're have any hesitation. No need to put your finances at risk to save an extra $2 on that widget or grapple grommet.

3. Be judicious in your information disclosure. If you're buying something online take caution that you're not offering up more information than is absolutely necessary. Case in point, I was shopping at a national clothing store a couple years ago and the clerk was insisting that customers had to disclose their Social Security Number in order to complete the purchase as this was part of their current promotion. I declined and advised other shoppers in line that they shouldn't disclose their Social Security Number.

4. Password reuse is a huge problem. There really is no technical solution to this item as this rests with the user. When shopping online almost every site out there asks you to create an account with the option to store your credit card information. If you do this be sure to not use the same password as you do for any other account such as the one you use for banking. One of the issues that we have seen here at Akamai is a growing number of credentials being reused on multiple sites. Once a site gets compromised by an attacker they then end up replaying this login information on other online retailers. Ask yourself for a moment, why would you use the same username and password on a social media site as you do for banking? Let that sink in for a moment.

5. Check yourself before you click that link. Did you receive an email which appears to be from a retailer offering you a deal that is too good to pass up on? Well, quite possibly there is a good reason for that. When you receive a deal that offers you, as an example, a $200 gift card for filling out a survey I would hope that alarms bells sound the alert. Be sure to use your better judgement before you chase after an offer that is possibly little more than a lure.

Akamai offers services like the Kona Security Suite to help secure online retailers from attackers to better protect themselves, and ultimately you.

Tis' the season. Just be careful out there.

(Image used under CC from Cubosh)

Bypassing Content Delivery Security

As is true of every year at Black Hat there are some talks that catch our attention. Talks range from the well thought out research papers to those of the narcissistic vulnerability pimps. This year was no exception. A talk entitled "Denying Service to DDoS Protection Services" by Allison Nixon is a presentation which fell into the well thought out column. This talk caught our attention for the obvious reason that we provide this as a service to our customers.

From Nixon's talk abstract:

Cloud based DDOS protection suffers from several fundamental flaws that will be demonstrated in this talk. This was originally discovered in the process of investigating malicious websites protected by Cloudflare- but the issue also affects a number of other cloud based services including other cloud based anti-DDOS and WAF providers.

You know what? Without hyperbole Nixon is absolutely correct. There are indeed issues with these types of services as we see highlighted in this article by Robert Westervelt. The flip side being that this is nothing new. The novel aspect in this case is that it has not really been openly discussed at length before now with a few exceptions such as the report from NCC Group. And kudos to Nixon for doing it. Some of the issues that were discussed were origin disclosure and configuration errors. There wasn't much thought given to compensating controls however.

The origin discovery issue is one that allows an attacker to bypass edge servers to access the origin systems. A key issue here lies with naming origin systems. Don't use easily guessable origin host names. This presents a problem wherein the attacker can guess the origin system DNS entry and simply bypass the controls. Attackers can leverage a host of tools to enumerate such as examining DNS for NS and MX records, guessing origin hostnames, network scanning and Shodan.

Next up is the use of pragma headers on pages served by a content distribution network vendor. This is a header that is added by the provider to provide a level of debugging where required. This can also be used by an attacker to design a DDoS attack. Some providers may even put origin system names in these headers. The upside here for Akamai customers is that they are not absolutely necessary for service operation and can be disabled is required.

What can be done for Akamai customers?

First off, non-standard names should be utilized in addition to having properly configured access control lists. This ACL's should include only Akamai system addresses so that non-authorized addresses can't query origin systems directly. Verbose error pages on systems can disclose far more information than a customer may intend which can inadvertently disclose origin systems.

How can Akamai help? We provide a service offering called SiteShield.

"SiteShield protects the origin by effectively removing it from the Internet-accessible IP address space, adding an additional layer of security protection while still ensuring that content is delivered quickly and without fail, regardless of end user location."

We can detect when an origin system is in trouble and then pull from a different origin hostname or even Cloud Storage. We can segment sites by ensuring that only the Akamai edge servers can query the origin systems. We can block access to origin systems. We've known about these issues since before 2002 and at that time we applied for and received a patent on the concept of website security.

By sheer virtue of the size and scope of Akamai's scale we can mitigate most threats to our customers at the edge.