Akamai Diversity

Recently in Web Security Category

3/8/16 UPDATE: Akamai continues to harden systems against the DROWN vulnerability (CVE-2016-0800), which exploits legacy encryption protocols in order to compromise keys that secure modern protocols, like TLSv1.2. (It does not leak the SSL/TLS keys themselves.)

We have taken the necessary steps to protect both our customer-facing and critical internal systems from this vulnerability as of March 1, 2016. We will continue to identify and patch non-critical systems on an as-needed basis.

The Decrypting RSA with Obsolete and Weakened eNcryption attack, described here, allows an adversary to compromise secrets from modern-TLS connections if any machine will accept SSLv2 connections using the same key & certificate.

Our secure delivery services are not vulnerable to DROWN. Individual customers have the option to enable SSLv2 for their own sites. Doing so would expose that customer's connections to DROWN.

While Akamai secure delivery provides protection, customers are still advised to verify that the origin servers they operate themselves do not use SSLv2. If they do have to use SSLv2, they should not do so using the same key & certificate as would be used for more secure connections.

The vulnerability is getting attention from such media outlets as The Register and Ars Technica.

The official DROWN web page calls this "a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security." Attackers can exploit it to break the encryption and read or steal sensitive communications such as passwords, credit card numbers, trade secrets, or financial data. The researchers estimate that 33% of all HTTPS servers are vulnerable to the attack.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject, or contact your Akamai Representative or Customer Care.

If our investigation uncovers additional risks, we will provide follow-up blog posts, Akamai Community posts, and Luna Portal advisories to update customers on how we are affected and what we're doing about it.

Join me over the next few posts as I talk about how to provide fast, reliable, and secure applications in the branch while protecting end-users and promoting a transparent and open Internet. In Enterprise Security - SSL/TLS Primer Part 1 - Data Encryption I covered the fundamentals of data encryption. For part two we will cover certificates. Let's start with the basics.

CDN-based WAF + Big Data Intelligence is a Gold Mine for This Security Researcher

I am frequently asked by friends and colleagues why I joined Akamai's Threat Research Team. I can boil it down to three main reasons: People, Technology and Data.

Akamai Response To "Forwarding-Loop" Issue

Akamai is aware of the research paper titled "Forwarding-Loop Attacks in Content Delivery Networks" published by Jianjun Chen et al. on Feb. 29. We have reviewed the researchers' findings, and are confident that we already have adequate counter-measures in place to thwart any attempt to use Akamai as an attack vector in the manner described by the paper.

The paper describes four types of forwarding-loop attacks against CDNs: self-loop, intra-CDN loop, inter-CDN loop and dam flooding. The paper acknowledges that Akamai is not vulnerable to the first two. The third attack (the "inter-CDN loop attack") is described as a looping between multiple CDNs.  Finally, the fourth -- "dam flooding" -- is described as coupling "forwarding-loop attacks with timely controlled HTTP responses to significantly increase damage."

While Akamai does not publicly disclose or discuss our security countermeasures, we would like to reiterate that we have sufficient countermeasures in place to detect and defend against all these attacks, as well as substantial capacity to absorb traffic spikes. If you have any additional questions or concerns, please reach out to your Akamai representative.

Monday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I've been writing posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at Web application attacks by industry.


This quarter, the retail sector suffered the vast majority of web application attacks: 59%. Media and entertainment suffered 10% of attacks, as did the hotel and travel industry. Financial services suffered 7% of attacks, followed by high technology (4%), consumer goods (3%), manufacturing (2%), the public sector (1%), and gaming (1%).

Join me over the next few posts as I talk about how to provide fast, reliable, and secure applications in the branch while protecting end-users and promoting a transparent and open Internet. Let's start with the basics.

So what is SSL/TLS & how does it work?

Yesterday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I'll write posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at mega-DDoS attacks from last quarter.


In Q4, five DDoS attacks registered more than 100 Gbps. This number was down from the eight we saw in Q3 2015, and an even larger drop from the record-setting 17 mega attacks of Q3 2014.

If you're headed to the RSA Conference 2016, be sure to stop by the Akamai booth #4000, in Moscone North Hall. We're very excited about the recent launch of our Bot Manager web security technology and we'll show you firsthand how it works in a live demo. You'll see how Bot Manager provides, for the first time, the capability to categorize bot types and manage bot activity on your website. This is a significant advance over the simple detection and blocking techniques commonly available today. The result? You'll be in control of both the business and technological impact of bot traffic - without blindly mitigating everything and potentially escalating the bot problem.

Akamai's State of the Internet Security Report with Andy Ellis

The State of the Internet Security report by Akamai is issued four times a year with information on the types of online attacks that Akamai Technologies protects its customers from every day. In this free report, you can read about changes in Distributed Denial of Service (DDoS) attacks across multiple metrics. In addition, we look at the various types of web attacks against our customers and spotlight a specific technique or attack group.

In this video, Akamai CSO Andy Ellis gives a breakdown:

Today Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I'll write posts throughout the week focusing on specific parts of the report, but let's begin with an overview in the form of an infographic.