Akamai Diversity

Recently in Web Security Category

Long Live the Botnet

Botnets are, in many ways, living organisms. They are formed by their creators - both malicious and benign - and then roam the internet. Much has been written about good and bad bots, but not much has been written about the lifecycle of the bot. Do bots die? If so, when? What is the average life-span of a good bot? A bad bot?

Your 2015 Survival Guide for #rsac and #BSidesSF

It's two weeks until RSA, the biggest security conference of the year. For first-timers, this is the time to start preparing and understanding what lies ahead. It can be an overwhelming experience, with two loud exhibit halls, too many evening events to count on two hands, and so many talks it can be hard to choose what's best for your interests.

To that end, here's some advice for RSA 2015, which takes place April 20-24 at the Moscone Center in San Francisco:

After last week's news that RSA Conference 2015 will ban so-called booth babes, I heard from a lot of people who agree vendors need to find other ways to attract attention during security conferences. Others felt the issue was nothing but useless security industry drama, but there is a lesson in this discussion for marketers.

One reader told me the use of booth babes isn't the result of bad intentions. It's just that some marketing teams don't know any better. They assume the booth babes work because they see others using them. I think there's some truth to that.

So I've decided to give marketing practitioners some examples of successful exhibits that succeeded without the sex.

Here are four examples of exhibits that won on the strength of the security message. They use other gimmicks, to be sure, but in my opinion they are more about creativity than exploitation. Feel free to disagree with what follows, or share other examples of displays that worked.

State of the Internet Security Podcast, Episode 1

Welcome to the inaugural episode of Akamai's State of the Internet Security Podcast. This will be an ongoing podcast series where I talk to Akamai security researchers about the threats they are tracking and the defenses they identify.

Episode 1 takes us to a fairly new attack technique that exploits Microsoft's SQL Server Resolution Protocol.

Our research team recently discovered that the bad guys are using a reflection-based tactic to tamper with the Microsoft SQL Server Resolution Protocol and launch DDoS attacks.

Akamai first spotted attackers using the technique in October. But last month an independent researcher studied another such attack and we were able to replicate it by creating a script based on Scapy, an open-source packet manipulation tool.

Joining me to talk about this is Akamai PLXSert Principal Researcher Rod Soto.

Full episode here.

MIT's Fourth STAMP Workshop This Week

This week, MIT holds its 2015 STAMP Conference. Staff from Akamai InfoSec will participate in this event, which makes perfect sense given our close ties and history with MIT.


OpenSSL Vulnerability Details Released

Akamai is aware that details are now available for the OpenSSL vulnerabilities we first told you about on Tuesday. The full OpenSSL Security Advisory is available here and outlines 14 different issues.

At this time, most of the issues don't appear to affect Akamai, though we continue to investigate.

One of the high-severity vulnerabilities affects OpenSSL v1.0.2, which Akamai does not yet use.

Another issue, outlined in CVE-2015-0204, was previously addressed when we turned off export ciphers. More details on that are available here and here.

If our investigation uncovers additional risks, we will use additional blog posts and Luna advisories to update customers on how we are affected and what we're doing about it.

More Akamai perspective on patching and vulnerability management:

The experience your customers have while interacting with your company's online presence says so much about your business, its priorities, and your brand. Whether your company conducts online transactions or not, performance optimization has become more of a "need" than a "want". A slow-performing web site is bound to have less engagement among critical audiences, lower transaction volume, degraded brand fidelity, and higher bounce rates. In this post, we will talk about some of the key considerations when evaluating web performance technologies and vendors.

New Vulnerabilities in OpenSSL

Akamai is aware of an announcement from OpenSSL revealing vulnerabilities in the OpenSSL stack.

Based on information provided by the OpenSSL team, the high-severity vulnerability only affects OpenSSL v1.0.2. Akamai does not use this version of OpenSSL and is therefore not susceptible to that vulnerability. We continue to investigate, however.

The full advisory will be available on March 19. Akamai will have further details about our response plans at that time.

Update on Akamai's CVE 2015-0204 Response

Here's an update on Akamai's efforts to address the security vulnerabilities outlined in CVE 2015-0204: As of today -- Wednesday, March 11, 2015 -- we have completed all the necessary change activities. Export Grade Ciphers are now disabled by default on our network.

Microsoft Fixes FREAK Flaw and More

Microsoft yesterday released its most significant patch update in a long while, fixing the so-called FREAK vulnerability, among other things.

In all, 14 security issues were addressed, five of which are tagged as critical. Affected systems include the consumer and server editions of Windows, Internet Explorer, Office, Server and Exchange Server and SharePoint.

Akamai addressed the CVE 2015-0204 vulnerability -- which FREAK exploits -- two weeks ago. You can read about our response here.

Here's the full patch matrix for Microsoft's March 2015 Security Update: