Akamai Diversity

Recently in Web Security Category

The experience your customers have while interacting with your company's online presence says a great deal about your business, its priorities, and your brand. Whether or not your company conducts online transactions, performance optimization has become more of a "need" than a "want". A slow-performing web site is bound to see less engagement among critical audiences, lower transaction volume, degraded brand fidelity, and higher bounce rates. In this post, we will talk about some of the key considerations when evaluating web performance technologies and vendors.

New Vulnerabilities in OpenSSL

Akamai is aware of an announcement from OpenSSL revealing vulnerabilities in the OpenSSL stack.

Based on information provided by the OpenSSL team, the high-severity vulnerability only affects OpenSSL v1.0.2. Akamai does not use this version of OpenSSL and is therefore not susceptible to that vulnerability. We continue to investigate, however.

The full advisory will be available on March 19. Akamai will have further details about our response plans at that time.

Update on Akamai's CVE 2015-0204 Response

Here's an update on Akamai's efforts to address the security vulnerabilities outlined in CVE 2015-0204: As of today -- Wednesday, March 11, 2015 -- we have completed all the necessary change activities. Export-grade ciphers are now disabled by default on our network.

Microsoft Fixes FREAK Flaw and More

Microsoft yesterday released its most significant patch update in a long while, fixing the so-called FREAK vulnerability, among other things.

In all, 14 security issues were addressed, five of which are rated critical. Affected systems include the consumer and server editions of Windows, Internet Explorer, Office, and server software including Exchange Server and SharePoint.

Akamai addressed the CVE 2015-0204 vulnerability -- which FREAK exploits -- two weeks ago. You can read about our response here.

Here's the full patch matrix for Microsoft's March 2015 Security Update:

AppSec USA 2015 Call For Papers

Fellow security practitioners: OWASP AppSec USA 2015 will take place in San Francisco Sept 22-25. The call for papers closes March 14. It's probably the biggest application security conference of the year, so it's a great speaking opportunity.

From the OWASP website:

OWASP encourages and prioritizes submissions around the three focus areas of AppSec USA 2015:

  • Web Application security
  • DevOps
  • Cloud Security

In addition to these focus areas, OWASP is interested in all topics related to information security.

Submission of proposals closes: March 14, 2015 - 11:59 Pacific

Notification of acceptance: April 15 - May 15, 2015

Conference Date: September 22-25, 2015

To submit a proposal, send an abstract of your intended presentation (500 - 4000 characters), a brief biography (150 - 800 characters), a headshot, and a signed copy of the speaker agreement. Talks without all required information probably won't be considered.

CSIRT Advisory: Mass Website Defacements

The following was written by Akamai CSIRT researcher Patrick Laverty:

Akamai has seen multiple media reports where a group will claim to have hacked hundreds or thousands of sites in a single night. The intent is to instill a sense of widespread unease to the casual observer.

When we look a little closer, we see that there may be more to it. One can rightly assume that many of these have been done through a type of automation. But if we look even closer, we see something else interesting about the attacks.

If we look at the IP addresses of the hundreds of web sites affected, we notice that many, and sometimes all, of them share the same IP address.

When we see this, it leads us to believe the sites are running on the same server.

Global Map of DDoS Attacks

Among the security content on Akamai's new State of the Internet website is a very cool map where you can view DDoS attack activity worldwide in near real-time, including global sources, types, volume and targets.

The most recent 5000 DDoS attacks blocked by Akamai appear on the map. Each DDoS attack source can command hundreds or thousands of DDoS bots. Viewers can customize their view by zooming in or out. There's also a section that ranks bot activity by country.

Security content on the site focuses on:

  • Network and DNS security
  • Web application security
  • DDoS protection and DDoS mitigation
  • Threat advisories and attack trends

It pairs well with the security section on Akamai's main website. Check in on both sites daily for the full security picture around the world.


Akamai Addresses CVE 2015-0204 Vulnerability

The following, written by Rich Salz, deals with Akamai's response to CVE 2015-0204. The vulnerability is exploited by attacks such as the so-called FREAK attack.

Back in the last century, the United States tried to control the export of strong cryptography. This policy made its way into the SSL/TLS standards in two ways.

The first part was to add several cipher suites that used small, easily breakable keys. These are all identified by the prefix EXP in their names.

For example, EXP-DES-CBC-SHA. DES normally uses a 56-bit key (which is considered laughably weak these days), and EXP-DES is a variant that uses a 40-bit key -- sixty-five thousand times weaker than "laughably weak". (We're using the common OpenSSL names, not the official names from the TLS RFC.)

The second change is more problematic and, for technical purists, very "ugly."

DDoS Agents Target Joomla, Other SaaS Apps

A new attack threatens enterprises and Software-as-a-Service (SaaS) providers: chaotic actors using Joomla servers with a vulnerable Google Maps plugin installed as a platform to launch DDoS assaults.

The attack technique was discovered by researchers from Akamai's Prolexic Security Engineering & Research Team (PLXsert), working alongside PhishLabs' Research, Analysis, and Intelligence Division (R.A.I.D).

You can download the full advisory from Akamai's State of the Internet website for free.

Akamai at RSA Conference 2015

Akamai security staff will be at RSA Conference 2015 in force, and some of us will be giving talks. A preview: