Akamai Diversity

Recently in Web Security Category

Videos: Akamai at #RSAC 2015

Tenable Network Security commissioned media pro David Spark to produce videos during RSA Conference and BSidesSF 2015. His lens caught a lot of Akamai. Here are some particularly good interviews.

Q1 2015 SOTI Preview: Cruel (SQL) Intentions

The Q1 2015 State of the Internet - Security Report is due out next month, and we spent much of last week's RSA Conference 2015 previewing sections. We continue doing so today.

Last week we reviewed the significance of a 100 GBPS attack, the continuing trend of website defacements and DNS Hijacking, and the potential security risks of widespread IPv6 adoption. Today, we look at an analysis of SQL injection attacks based on data from Akamai's Kona Site Defender web application firewall (WAF).

RSA 2015 Video: Four Cloud Mistakes to Avoid

Tenable Network Security commissioned media pro David Spark to produce videos during RSA Conference and BSidesSF 2015. Along the way, he caught up with Akamai Security Advocate Dave Lewis and me. Here's the resulting interview.


Live from RSA 2015: Security Kahuna Podcast

State of the Internet Security Podcast Host Bill Brenner catches up with Akamai security advocates Dave Lewis and Martin McKeay.

Friends and industry colleagues, the trio dissects RSA 2015 from a security expert perspective. Over the last few years, the RSA conference has been considered an insider event with a structured theme and coinciding messaging - Brenner and team discuss the expansion of RSA into a major event lacking central messaging.

In addition to discussing the changes observed at RSA 2015, Brenner also discusses with McKeay and Lewis the future for RSA in events to come and how businesses are evolving to adapt to customers and prospects who attend.

DD4BC Operation Profile [Medium Risk]

Update: In an earlier version of this bulletin, we discussed how chaotic actors were exploiting Google services as part of their operations. Some have misconstrued it as Google backing a botnet. To be clear, Google has no part in this activity, and certainly does not condone such activity.

DD4BC, a malicious group responsible for several Bitcoin extortion campaigns last year, is expanding its extortion and distributed denial of service (DDoS) campaigns to target a wider array of business sectors. In recent days, two Akamai customers have fallen into its crosshairs.

Akamai's Prolexic Security Engineering and Research Team (PLXsert) has conducted new research into DD4BC in recent weeks.

DD4BC appears to use Google IP address ranges, and in some cases AppEngine instances, in its attacks. It appears to use common UDP reflection DDoS attack techniques, as well as SYN floods that spoof Google crawler IP addresses, to mask the malicious traffic.

In one threat, DD4BC claimed it had the firepower to launch 400+ Gbps DDoS attacks, though there is no concrete proof it could carry out an assault of that size.

Late last year, the group repeatedly tried to blackmail Bitcoin exchanges and gaming sites - threatening victims with DDoS attacks in order to extort bitcoins.

Campaigns typically consisted of an email informing the victim that a low-level DDoS attack was underway against the victim's website. Emails explained that the DDoS activity could be observed in server logs at low levels in order to not interrupt the victim's operations. Following this explanation, DD4BC demanded a ransom paid in bitcoins in return for protecting the site from a larger DDoS attack capable of taking down the website.

State of the Internet Security Podcast Host Bill Brenner catches up with an old friend: Tenable Network Security's Jack Daniel.

The two have been friends and industry colleagues for the last decade, having spent many a security conference in the trenches together. For travel to and from one such event, they shared a cramped RV from Boston to Washington, DC three years in a row.

Some things have changed in the security industry since those early days, while other things have stayed the same. In this conversation, Brenner and Daniel reminisce and look at where the state of security is headed.

The Q1 2015 State of the Internet - Security Report is due out next month, and we think the week of RSA Conference 2015 is a good time to start previewing sections.

Yesterday we reviewed the continuing trend of website defacements and DNS Hijacking. The day before that we reviewed the potential security risks of widespread IPv6 adoption. Today, we look at the significance of a 100 GBPS attack.

Akamai's Response to CVE-2015-1635

In response to the vulnerability discussed in the Microsoft disclosure at https://technet.microsoft.com/library/security/MS15-034, Akamai has analyzed its production servers and has determined it is not running any version of the software that is susceptible to the vulnerability.

Akamai has created a permanent rule for the Trustwave® ModSecurity® Core Rule Set (CRS) and the Akamai® Kona Rule Set (KRS) to help protect customer servers from attacks that exploit this vulnerability. This rule (3000031) is available on Luna Control System and can be manually added to your Firewall policy using the following actions:

For Existing Firewall Policies using CRS v1.6.1:
  1. Access Luna Control Center and the Web Application Firewall page (CONFIGURE >> WAF Configuration).
  2. On the Web Application Firewall page, select the WAF Configuration version with which you would like to work.
  3. On the resulting Web Application Firewall Configuration page, edit the Firewall Policy for which you would like to enable rule 3000031.
  4. On the resulting Edit Firewall Policy page, click the Next button.
  5. On the resulting Application Layer Controls page, in the 1.6.1 Rule Set list, scroll to rule 3000031 and select its check box.
  6. Click the Next button, and continue clicking it on any subsequent pages until you reach the final page.
  7. Click Finish to finish updating the Firewall Policy.

For Existing Firewall Policies using KRS v1.0:
  1. Access Luna Control Center and the Web Application Firewall page (CONFIGURE >> WAF Configuration).
  2. On the Web Application Firewall page, select the WAF Configuration version with which you would like to work.
  3. On the resulting Web Application Firewall Configuration page, edit the Firewall Policy for which you would like to enable rule 3000031.
     Be aware, unless you created your Firewall Policy on or after April 1, 2015, you must upgrade to the latest KRS version for rule 3000031 to become available to your Firewall Policy; a KRS 1.0 Update Required notification will appear on the Web Application Firewall Configuration page for each affected Policy. In addition, if you choose to create a new version of a WAF Configuration or Firewall Policy from an existing one created prior to April 1, 2015, you must be certain to upgrade KRS in the new version.
     Complete the upgrade procedures in the Upgrading the KRS, Version 1.0 Rule Set section of the Kona Site Defender User Guide available in Luna Control Center (Support >> User and Developer Guides >> Kona Security Solutions) in order to proceed with enabling the rule.
  4. On the resulting Edit Firewall Policy page, click the Next button.
  5. On the resulting Application Layer Controls page, in the KRS 1.0 Rule Set list, scroll to rule 3000031 and select its check box.
  6. Click the Next button, and continue clicking it on any subsequent pages until you reach the final page.
  7. Click Finish. The Firewall Policy is now updated.

For New Firewall Policies:
  1. Access Luna Control Center and the Web Application Firewall page (CONFIGURE >> WAF Configuration).
  2. On the Web Application Firewall page, select the WAF Configuration version with which you would like to work.
  3. On the resulting Web Application Firewall Configuration page, click the plus sign (+) button at the upper right-hand corner of the Firewall Policies area.
  4. On the resulting Create New Firewall Policy page, enter and select all desired parameters, including the Application Layer Controls rule set (1.6.1 or KRS 1.0), then click the Next button.
  5. On the Application Layer Controls page, in the rule set list, select all desired rules, being certain to include rule 3000031, by selecting their respective check boxes.
     (Figure: Rule 3000031 in CRS v1.6.1.)
     (Figure: Rule 3000031 in KRS v1.0.)
  6. Click the Next button.
  7. On any subsequent pages, fill out and/or select all desired parameters, and click their Next buttons until you reach the final page.
  8. Complete the final page, and click Finish to create the Firewall Policy.

In 2014, several successful malicious attacks against large financial services, government and private sector firms gave a clear indication of the changes occurring in the network security industry. The recent Ponemon Institute Cost of a Data Breach study found the average cost of a data breach to be $3.5 million, with an average cost per compromised record of more than $145. (1)
Akamai's State of the Internet Report for Security, Q4, 2014, also indicates a rise in attacks with a 90 percent increase in DDoS attacks and 121 percent increase in infrastructure layer attacks over the previous quarter.

Andrew Hay, BSidesSF volunteer and research director at OpenDNS, talks to Bill Brenner about the major security issues being discussed at this year's two-day BSides event, as well as problems with attack attribution, potential fearmongering and what we might expect at RSA.