Recently in News & Announcements Category

Akamai's 2^nd annual Girls Who Code Summer Immersion program is now underway!   Last Monday, we welcomed 20 high school girls to our Cambridge headquarters to begin their intensive seven week program.  The girls will learn coding fundamentals, participate in field trips, workshops, and receive mentoring from Akamai employees.

Hi. I'm Bhuvana Husain, Director of Programs & Operations in Akamai's Web Experience Business Unit. I'm also the Program Coordinator for this year's Girls Who Code Summer Immersion Program here at Akamai. As described in the previous blog posts by Kate Jenkins (Girls Who Code Summer Immersion Program at Akamai and Week 1 update on Akamai's Girls Who Code), we are thrilled to be hosting a group of 20 high school girls onsite at Akamai HQ in Cambridge so they can learn how to code. 

Earlier today (Aug 6, 2015) at the Black Hat Security Conference in Las Vegas, Bishop Fox, a security research and penetration testing firm, announced the discovery of a vulnerability that allows an outside actor to conduct a cross-site request forgery (CSRF)/Server-Side Request Forgery (SSRF) attack using a combination of exploits. This vulnerability relied on the Akamai platform in two ways: specially-crafted legacy resource locators (also called v1 ARLs) in combination with specific versions of Flow Player.

Akamai is aware of a talk scheduled for Black Hat USA 2015 this week that will discuss some potential issues with platforms like ours.

Mike Brooks and Matthew Bryant, security analysts at Bishop Fox, will give the following talk on Aug. 6:

BYPASS SURGERY ABUSING CONTENT DELIVERY NETWORKS WITH SERVER-SIDE-REQUEST FORGERY (SSRF) FLASH AND DNS

Akamai is aware of a recently disclosed critical vulnerability in BIND (CVE-2015-5477) that can be exploited to cause a denial of service.

How does the attack work?

An attacker can cause BIND to exit by using a constructed packet to trigger a REQUIRE assertion via defective handling of a TKEY query.

How is Akamai affected?

Akamai's Fast DNS / EDNS authoritative name servers do not run BIND and as such are not impacted by this CVE.

Further, Akamai continuously evaluates CVEs as they appear, and we continue to evaluate and patch relevant systems as necessary.

What can you do to protect yourself?

If you run BIND anywhere in your environment, upgrade to the patched release most closely related to your current version of BIND. These can be downloaded from http://www.isc.org/downloads.

Akamai is proud to have recently improved its position in the "Challengers" quadrant of Gartner, Inc.'s Magic Quadrant for Web Application Firewalls*.

Gartner states: "By year-end 2020, more than 60% of public Web applications protected by a Web application firewall (WAF) will use WAFs delivered as a cloud service or Internet-hosted virtual appliance -- up from less than 15% today."

DD4BC, the malicious group responsible for several Bitcoin extortion campaigns last year, continues to expand attacks against Akamai customers. Researchers from Akamai's PLXsert and CSIRT teams continue to investigate attack activity related to the group.

In recent weeks, the frequency of customers receiving ransom emails from this band of chaotic actors has steadily grown. DD4BC continues to inform victims that they will launch a DDoS attack of 400-500 Gbps against them. To date, DD4BC attack campaigns mitigated by Akamai have not exceeded 50 Gbps in size. That's up from the high of 15-20 Gbps observed in early May. (A full history of the group's exploits and firepower can be found in this advisory from April.)

 

Below are the most commonly asked questions we've received from customers, along with some answers.

What is new since the last update?

The group can now attack with firepower of up to 50 gigabits per second. Additionally, they now threaten exposure to a targeted organization via social media in addition to the DDoS attack itself. The goal is to publicly embarrass the target via social media, thus harming the company's reputation and to garner additional attention towards credibility for the service disruption. Their methodology has also changed in that they are utilizing multi-vector campaigns more readily as well as in some instances re-visiting previous targets that experienced some level of impact during the initial event. We have also observed this group incorporating a Layer 7 attack as part of the multi-vector attack. 

Wow! Last night the Akamai Adaptive Media Delivery Service was crowned Best Cloud or CDN Service Delivery solution at the TV Connect Awards 2015. I was thrilled to be there at the awards ceremony on behalf of Akamai and accept the award.

Last week, Google officially rolled out its mobile friendly update, which "boosts the ranking of mobile friendly pages on mobile search results." A long time in the making, the update is a response to the increasingly mobile world we live and work in. This update underscores Google's focus on mobile customer experience. For companies scrambling to respond to this development, fret not. Akamai, the leader in optimizing mobile performance, is here to help. In this post, I'll discuss what drove Google's focus toward customer experience, identify a solution considered a Google best practice, and highlight the specific ways Akamai can provide a seamless experience across devices that meet consumers increasing performance expectations.