
Recently in Web Security Category

#OpKillingBay Expands Attacks

By Bill Brenner, Akamai SIRT Senior Tech Writer

Operation Killing Bay, better known as #OpKillingBay on social media sites, is expanding. Historically, malicious attackers participating in OpKillingBay have targeted Japanese government websites and sites of companies participating in whale and dolphin hunting. These attackers often see themselves as protesters or activists, in addition to hackers and refer to themselves as "hacktivists."

How Has Let's Encrypt Impacted Web Security?

When Let's Encrypt was founded at the end of 2014 it had a lofty goal: promote the use of TLS everywhere by making certificates free and server configuration painless. It was noted that for many web administrators, of both large and small sites, TLS was seen as expensive, difficult to configure, and slow. With that headwind, the return on investment was seen as too low to bother unless you were handling financial or other sensitive information. As it tends to do, web security evolved quickly in the ensuing years. Firesheep, Snowden, and Google page ranking: these are just a few things that have changed how people think about the importance of encrypting everything online. And services like Let's Encrypt and Akamai deal with the problems head on, reducing the pain of Internet security tremendously.

HTTP/2 is here; come and get it!

Since showcasing a production demonstration of HTTP/2 at Velocity in 2014 and announcing broad support in 2015, Akamai has been actively working with hundreds of customers to deliver HTTP/2-enabled websites.

Half-baked Patching: More Common Than You Think

In the last year or so I've been looking at WordPress plugins. I've seen some poorly written code, plugins that had little purpose (one plugin's stated purpose was only to download a copy of itself!) and patches that attempted to fix a problem but weren't thorough enough or didn't follow the official WordPress recommendations and codex.

Bad code can be a threat not only to the system it's hosted on and the users that use it, but to the Internet community as a whole. On Dec. 12, 2015 a zero-day exploit was uploaded to 0day.today by sniper.t. The uploaded text was simply a proof of concept to remotely download /etc/passwd. The exploit abused the plugin author's lack of authentication and file type verification to steal arbitrary files from a victim's server.

HTTP Strict Transport Security (known as HSTS for short) is a security signal that instructs the browser to make all requests to your website over HTTPS. In short, with HSTS enabled, a modern browser will never attempt to visit your site over HTTP. Furthermore, the browser remembers this instruction for an amount of time you set. So the next time a user visits your website, their browser won't attempt an HTTP request.

BillGates Malware used in DDoS Attacks

By Bill Brenner, Akamai SIRT Senior Tech Writer

Akamai's Security Intelligence Research Team (SIRT) continues to see the BillGates trojan/bot family of malware being used to launch DDoS attacks. Attackers who control the malware -- first disclosed on a Russian IT website in February 2014 -- can gain full control of infected systems.

Akamai SIRT member Tsvetelin Choranov led the research effort outlined in this advisory.

On Trust and Video Games

I was about to hop on the Caltrain to San Francisco when I got the call. Over the metal on metal screech of the locomotive pulling into the station I could only make out the last few words, "to verify a few recent transactions". After boarding the train, I stood in the vestibule whispering for 20 minutes. It was my bank. Someone had gotten access to my debit card information and was making purchases in a country I'd never visited.

In this article we'll review how to handle known bot traffic.

As discussed in the first part, you may not be comfortable serving content to all legitimate bots for various reasons. But even when you're willing to serve content to known bots, several options are available. Just like for unknown bots, you'll have to decide on the response strategy that works best for you.

In part 1 of this series we discussed the difficult problem of differentiating the good bots from the bad. In this article we'll review how to go about defining a response strategy to manage bots that you think are bad for your business. The first thing you'll have to decide is whether you want to serve any content at all to these bots. We recommend that you do, to keep the bot at bay, but of course it depends on your context and what infrastructure you have available.

As you may have heard, Akamai recently introduced a new product, Bot Manager. I've been working at Akamai for close to 10 years and, in my past roles here (Technical Support Engineer, Enterprise Architect), I've had the opportunity to work closely with many customers who had issues with bots. Generally, this was about protecting the site against "bad bots" but also making sure that "good bots" were not impacted by any of the mitigation techniques.