Akamai Diversity

Recently in Web Security Category

SecureWorld Boston 2015: Schedule Change

Last week I told you about my speaking appearances at SecureWorld Boston on March 4. There's one schedule change to tell you about:

Instead of participating in a panel on emerging threats, I'll be on this panel instead:

Protecting Your Data as it Roams, March 4 from 1:15-2:15 p.m.
Today your data moves fast and across platforms. Security professionals are charged with protecting valuable information as it moves from data centers to employee devices and into third party networks. Join this discussion on the technologies and policies that can help you manage these risks while still allowing business productivity. Ask our experts at this educational panel discussion.

I wrote about this topic a lot as an infosec journalist, so I think I'll have something to say about it.

The other appearance is a solo talk:

Attack Techniques and Defense, March 4 from 8:30-9:15 a.m.

I'll explain how the bad guys are targeting companies and how to fight back based on threat research and remediation techniques used by Akamai on behalf of customers. We've done a lot of blogging about attack techniques and defenses, and my examples will come from that material.

It should be a great conference with loads of useful content for information security professionals. I hope to see you there.

BSides Boston Call for Papers

BSides Boston 2015 takes place Saturday, May 9 at Microsoft, and organizers have issued their call for papers.

WHAT: Security BSides Boston 2015 Call for Presentations/Papers

WHO: Your awesome 45-minute presentation on a security/tech/hacking topic.

Marketing/advertising presentations will be rejected.

WHEN: Deadline for submissions: March 1st midnight EST

WHERE: 1 Cambridge Center, Cambridge, Massachusetts

HOW (Format):

  • Talk Title (under 10 words)
  • 200ish words abstract with links to any pertinent backup information
  • Your Bio (under one paragraph, or submit your CV)
  • Contact information: Your name, website, phone number, email, twitter
  • Where/when presented previously, if applicable
  • English language only presentations

If you think you have a valuable story to tell, please send organizers your pitch here.

I'll Be Speaking at SecureWorld Boston

In two weeks I'll give a presentation and participate in a panel discussion at SecureWorld Boston 2015. The event takes place March 4-5 at the Hynes Convention Center. Akamai is a gold sponsor.

My talk, March 4 from 8:30-9:15 a.m., is called "Attack Techniques and Defenses." I'll explain how the bad guys are targeting companies and how to fight back based on threat research and remediation techniques used by Akamai on behalf of customers. We've done a lot of blogging about attack techniques and defenses, and my examples will come from that material.

From 1:15-2:15 p.m. that day, I'll participate in a panel discussion on emerging threats. From the agenda description: "The number of cybersecurity threats is growing every day forcing the need for thorough security assessment and analysis. Join industry leaders discussing emerging threats in the industry for the opportunity to learn what is next in the future of cybersecurity."

Here is the full agenda for both days of the event:

Security News for Feb. 17

A look at security news from around the Web.

The Great Bank Heist, or Death by 1,000 Cuts? (KrebsonSecurity)
A look at the Carbanak gang, which deployed malware via phishing scams to get inside computers at more than 100 banks and steal upwards of $300 million, possibly as much as $1 billion.

Google Adds Grace Period for Software Developer to Fix Security Flaws (eWeek)
In what appears to be a response to recent criticism, Google has added a 14-day grace period to its 90-day deadline for software vendors to patch security vulnerabilities reported to them under the search giant's controversial Project Zero vulnerability research and disclosure program.

Raduege: Why New Cyber Agency Matters (BankInfoSecurity)
A new federal cyberthreat intelligence center could help the government build more resilient networks and better identify cyber-attackers, leading to arrests and punishments, a former top Defense Department IT executive says. "Those three areas could really go a long way in providing much-needed deterrence to bad cyber-activity on the networks today," says Harry Raduege, a retired Air Force lieutenant general who was the longest serving director of the Defense Information Systems Agency.

Cybercriminals Target Bank Employees, Steal $1 Billion From Financial Institutions Worldwide (Dark Reading)
An international cybercrime ring based out of Eastern Europe has pilfered some $1 billion in two years from 100 different banks in nearly 30 countries using spearphishing emails targeting bank employees.

Equation cyberspies use unrivaled, NSA-style techniques to hit Iran, Russia (CSOonline)
A cyberespionage group with a toolset similar to ones used by U.S. intelligence agencies has infiltrated key institutions in countries including Iran and Russia. Kaspersky Lab released a report Monday that said the tools were created by the "Equation" group, which it stopped short of linking to the U.S. National Security Agency.

Attackers Using New MS SQL Reflection Techniques

The bad guys are using a fairly new technique that abuses the Microsoft SQL Server Resolution Protocol (MC-SQLR) to launch reflection-based DDoS attacks.

In an advisory released this morning, Akamai's Prolexic Security Engineering & Response Team (PLXsert) described it as a new type of reflection-based distributed denial of service (DDoS) attack.

PLXsert first spotted attackers using the technique in October. Last month, researcher Kurt Aubuchon studied another such attack and offered an analysis here. PLXsert replicated this attack by creating a script based on Scapy, an open-source packet manipulation tool.
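
For readers who want to see what the reflector actually hands an attacker, here is an added Python example; it is not PLXsert's Scapy script and not code from the advisory. It parses an MC-SQLR SVR_RESP reply, measures the amplification a one-byte CLNT_UCAST_EX request buys, and flags, in constructed flow records, hosts that receive UDP/1434 replies from many distinct servers. The message layout (0x05 type byte, little-endian 16-bit length, ';'-separated fields, ';;' closing each instance) is assumed from the MC-SQLR specification; the instance data, the thresholds and the RFC 5737 addresses are constructed for the example.

```python
"""Added example (not PLXsert's Scapy script): MC-SQLR reflection analysis.

All packet contents, flow records and thresholds below are constructed.
"""
import struct
from collections import defaultdict

MSSQL_BROWSER_PORT = 1434   # UDP port the SQL Server Browser service answers on
CLNT_UCAST_EX = b"\x03"     # one-byte "enumerate all instances" request (the trigger)
SVR_RESP = 0x05             # message type of the server's reply


def build_svr_resp(instances):
    """Construct an SVR_RESP payload so the example runs offline.

    Layout assumed from the MC-SQLR spec: 0x05, uint16 little-endian length,
    then ';'-separated key/value pairs, with ';;' terminating each instance.
    """
    body = "".join(
        ";".join(f"{k};{v}" for k, v in inst.items()) + ";;" for inst in instances
    )
    data = body.encode("ascii")
    return bytes([SVR_RESP]) + struct.pack("<H", len(data)) + data


def parse_svr_resp(payload):
    """Decode an SVR_RESP into one dict per advertised instance.

    Raises ValueError on a wrong type byte or a truncated body, which a
    parser fed reflected or forged traffic has to tolerate.
    """
    if len(payload) < 3 or payload[0] != SVR_RESP:
        raise ValueError("not an MC-SQLR SVR_RESP message")
    (length,) = struct.unpack_from("<H", payload, 1)
    if len(payload) < 3 + length:
        raise ValueError("truncated SVR_RESP body")
    body = payload[3:3 + length].decode("ascii", errors="replace")
    instances = []
    for chunk in body.split(";;"):
        if not chunk:
            continue
        fields = chunk.split(";")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def amplification_factor(request, response):
    """Bytes returned per byte sent: the reflector's value to an attacker."""
    return len(response) / len(request)


def flag_reflection_victims(flows, min_reflectors=3, min_bytes=500):
    """Find hosts receiving UDP replies from port 1434 off many distinct servers.

    A legitimate client talks to one or two SQL Browser services; a spoofed
    victim hears from every reflector the attacker enumerated.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != MSSQL_BROWSER_PORT:
            continue
        rec = per_dst[f["dst_ip"]]
        rec["reflectors"].add(f["src_ip"])
        rec["bytes"] += f["bytes"]
    return {
        dst: {"reflectors": sorted(rec["reflectors"]), "bytes": rec["bytes"]}
        for dst, rec in per_dst.items()
        if len(rec["reflectors"]) >= min_reflectors and rec["bytes"] >= min_bytes
    }


# Constructed sample: one server advertising two instances.
SAMPLE_INSTANCES = [
    {"ServerName": "SQL01", "InstanceName": "MSSQLSERVER", "IsClustered": "No",
     "Version": "10.50.1600.1", "tcp": "1433"},
    {"ServerName": "SQL01", "InstanceName": "SQLEXPRESS", "IsClustered": "No",
     "Version": "11.0.2100.60", "tcp": "49170"},
]
SAMPLE_RESPONSE = build_svr_resp(SAMPLE_INSTANCES)

# Constructed flow records (RFC 5737 documentation addresses): four reflectors
# answering toward 203.0.113.5, one normal client query, one unrelated TCP flow.
SAMPLE_FLOWS = [
    {"src_ip": f"198.51.100.{n}", "src_port": 1434, "dst_ip": "203.0.113.5",
     "dst_port": 40000 + n, "proto": "udp", "bytes": len(SAMPLE_RESPONSE)}
    for n in (10, 11, 12, 13)
] + [
    {"src_ip": "198.51.100.10", "src_port": 1434, "dst_ip": "192.0.2.7",
     "dst_port": 51000, "proto": "udp", "bytes": len(SAMPLE_RESPONSE)},
    {"src_ip": "198.51.100.10", "src_port": 1434, "dst_ip": "192.0.2.8",
     "dst_port": 51001, "proto": "tcp", "bytes": 1200},
]

if __name__ == "__main__":
    for inst in parse_svr_resp(SAMPLE_RESPONSE):
        print(inst["InstanceName"], "tcp", inst["tcp"])
    print("amplification x%.0f" % amplification_factor(CLNT_UCAST_EX, SAMPLE_RESPONSE))
    print("victims:", flag_reflection_victims(SAMPLE_FLOWS))
```

The point the numbers make: a single request byte pulls back the whole instance list, so every reachable SQL Browser service is a 100x-plus reflector. On the detection side, the distinct-reflector count is the stronger signal than raw volume, since a real client rarely hears from more than a couple of 1434 responders.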

Microsoft Security Patches for February 2015

Microsoft has released its February 2015 security bulletin. Windows, Internet Explorer, Group Policy and Office are among the affected items. The full patch matrix is below.

More Akamai perspective on patching and vulnerability management:

Security Awareness Programs: Better Than Nothing

A while back, after we ran a post about the Syrian Electronic Army's (SEA) phishing activities and DNS attacks, my old friend Dave Marcus -- director and chief architect of McAfee's Federal Advanced Program Group -- took issue with our advice that companies continue to push for better security awareness among employees and customers.

A Bad Talk Ain't The End of the World

Having been asked to speak at a security event in Boston next month, I find myself thinking about the art of public speaking. Whether you're in sales, marketing, InfoSec or finance, it's increasingly important to have the ability to get in front of a crowd and articulate your message. The Akamai InfoSec team must do so at orientations for new employees, along with HR and other departments. And some of us are required to give talks at various trade shows.

I've given several talks a year at various security events for some time now, and I've had my hits and misses. This post is for those who have given a bad talk and need to put it in the past.

One thing I've learned: You CAN give a lousy talk and live to fight another day.

InfoSec Challenge: When To Be Quiet, When To Go Public

I've seen way too many security advisories over the years to count. The more critical the issue, the more publishable it was. But that was my perspective as a journalist working for news organizations. In the current role, I'm seeing things from the beginning of the internal vetting process. There's a lot we want to make public, but there's a lot we have to keep to ourselves.

The 12 Steps of Recovery: Web Security Style

During my time as CSOonline's Salted Hash blogger, I wrote something I'd forgotten about until rediscovering it the other day. Three years after writing it, I think this post is still relevant.