Akamai Diversity
Home > Web Security

Recently in Web Security Category

Akamai Customers are not vulnerable to SLOTH

By Rich Salz

Akamai was informed of a new TLS vulnerability -- SLOTH -- by researcher Karthik Bharghaven. Akamai then worked with the researcher to confirm and fix the vulnerability in an expedient manner prior to public disclosure. Consequently, we minimized the chances of an exploit and have determined that Akamai customers are now not vulnerable to SLOTH.

How Web Applications Become SEO Pawns

Akamai's Threat Research Division has identified a sophisticated search engine optimization (SEO) campaign that uses SQL injections to attack targeted websites.

An advisory on the subject, written by Ryan Barnett of the company's cloud security intelligence team, is available here.

Delegate v9.9.13 setuid Binary Vulnerability

By Larry W. Cashdollar, Akamai SIRT

A few weeks ago I noticed a tweet from someone I have been following off and on for a few weeks. The tweet highlighted an exposed administration panel in a software product called Delegate. The Delegate software is described as, "a multi-purpose application-level gateway, or a proxy server which runs on multiple platforms (Unix, Windows and MacOS X)". What this software does is allow network connections to be relayed or proxied through it.

The recent vulnerability I discovered in Delegate 9.9.13 abuses a binary that is normally setuid root during installation when built from source. The action of setting a binary on a UNIX system setuid root allows any local user on the system to execute that binary as the root or administrative user.

The move to an Encrypted Web

It wasn't too long ago that the only reason a site would leverage HTTPS was to encrypt sensitive data so it couldn't be read in transit. Times are changing and the Internet as we know it is moving more and more towards encrypting all website traffic. Below are 7 good reasons to move your website to only use HTTPS.

WAF: Ease of management

In my last articles I introduced the idea of how simple is the concept of a WAF (although implementing a reliable WAF system is not that simple), what are false positives and false negatives and the best approach to trade-off between them, what is the impact of wide visibility when it comes to build a WAF, the importance of having a solid team of experts backing up a WAF solution, and how does scale affect to WAF performance (and ultimately to WAF deployment).

WAF: Adequate scale

Let's move on with our analysis of the ideal WAF requirements. Scale is, without a doubt, one of the most important requirements of an effective WAF. Scale has to be considered from two perspectives: under standard traffic conditions and under unusually high levels of traffic. Let's look at each one.

How 2015 Security Trends Will Influence 2016

I've always hated security 'predictions'; they range from scientific guesses to self-serving marketing drivel, trending mostly towards the latter.  But they do serve a purpose when done right, in that they draw attention to the trends currently happening and how they might play out in the future.  Given that there's been more focus on the field of computer security in 2015 than in any year before, it's probably not a bad idea to look at how some of the most important trends of 2015 are going to play out in the coming year.

 It's not a prediction, but rather a statement of fact to say that computer security is only going to become more important in the coming year and gain even more public attention.  We are at the start of a wave of changes that no one can accurately predict.  Security professionals around the globe have lamented for years that business leaders haven't paid enough attention to our advice, but that's changing rapidly and caught many people off-guard.  One of the things we need to be able to do is to understand some of the trends of today and where they might lead to tomorrow.  Which is why predictions can actually be valuable, if taken with a grain (or perhaps a block) of salt. 

So here is my view on how the top 5 security trends of 2015 will develop in 2016.

    WAF: Threat Intelligence, the brain behind the machine

    First time I jumped into a plane I was around 10 or 12 years old. The crew, moved by my innocent face and my dazzle, gave me a great gift: they allowed me to enter into the cabin where the pilot was commanding the flight. This is what I saw:

    In previous posts WAF: False Positives vs. False Negatives and WAF: trade-off between false positives and false negatives, we talked about the importance of WAF accuracy and the strategy that Akamai follows when developing the system of proprietary rules (Kona Rule Set or KRS) that govern the WAF. 

    Playing Hide and Seek In the Cloud

    When we were young, we had fun playing hide and seek. As 5 year olds there were a limited number of places our friends could hide, and we could methodically check each one and then giggle when we found them. As we grew older, we expanded the boundaries of the game. Today, as security researchers, hide-and-seek is no longer so fun because the boundaries are nearly infinite. How do you find and evaluate the risk, for example, of one deadly SQL injection attempt across 200,000 daily attack events?