Recently in Web Security Category

Five security articles worth your time...

US top developer of risky mobile applications (CSOonline)

A new report identifies the U.S. as the top developer of malicious and privacy-intruding applications, a finding that contrasts with conventional wisdom that often places the problem squarely in Asia.

2014 cyberattack to cost Sony $35M in IT repairs (Computerworld)
Sony has put an estimate to the damage caused by the massive cyberattack against Sony Pictures Entertainment last year -- $35 million.

BMW's software security patch a sign of things to come (Dark Reading)
BMW's "over-the-air" update transmitted to its ConnectedDrive software running on 2.2 million of its vehicles worldwide this past week to fix security flaws offered a rare glimpse of how the generation of smarter and more network-connected vehicles could get patched when bugs are discovered.

Adobe Flash patch promised this week for new zero-day bug (SearchSecurity)
Trend Micro discovered a new zero-day bug in Adobe Flash that is being actively exploited in the wild. Adobe promises a patch for the vulnerability this week.

New-style ransomware locks out your customers - demands money to let them log back in (Naked Security)
A boutique Swiss security outfit recently wrote about a sneaky new sort of ransomware. It's an intriguing story. The crooks, it seems, decided to take it out on company X by means of extortion: encrypt customer data, and then offer the decryption key for a price.

My friend Jennifer Minella is doing a series where she asks folks from the security community about three books that changed their lives. She kicks it off with me.

Here's what she has to say about the series:

My goals for the year mean some drastic changes to the type of content you're used to seeing from me. One of these goals is to highlight the human aspect of professionals in information security -- to demonstrate the depth of personality, the breadth of interest and accomplishment, and to explore the forces which make us who we are.

In this first series, I asked my infosec colleagues to share 3 books that changed their lives. The results were astounding and the responses very heart-felt. This topic evoked passion and an openness that led me to change the format from a single article to a multi-post piece, highlighting each security professional's pick3 books changed my lifes in his/her own feature.

The idea is to share what makes us who we are, not for the purposes of emulation, but to open our eyes and minds to the bigger picture by thinking outside the infosec box in which we're so often enclosed. For this piece, I tried to select a cross-section of the industry and people I thought would be comfortable stepping outside of the normal boundaries of technology content.

The only guidance I offered was that they were to pick three books which changed their life, and explain why/how they were impacted. It was made clear the book content could be on any topic. I wasn't disappointed, and I hope you'll feel the same.

On Tuesday, Akamai learned about and published a blog post highlighting a public vulnerability in the GNU C Library that could be exploited and used to take remote control of vulnerable Linux systems. Today, following our internal investigation, we have some additional information to share.

How Is Akamai protected?

Akamai's engineers have examined the primary software components that power the Akamai platform and to date have found they are not exposed to this flaw. Regardless, we are exercising caution and are patching older deployments of glibc. We recommend that other members of the Akamai community follow suit.

How can Akamai help protect my business?

Akamai Cloud Security products can provide partial protection against the glibc GHOST vulnerability, for example, by inspecting and filtering parameters sent in URL, header fields, or POST body to your application.

Today, we have defined and deployed protections for some customers to check and limit the length of HTTP headers like X-Forwarded-For, Referer, and Via in order to deliver this protection.

Finally, providing this protection requires deep knowledge of your application and its input space, including which portions of the HTTP request might eventually make their way into a gethostbyname call.

Please work directly with your Akamai Professional Services representative to define an appropriate Kona custom rule or other mitigation.

The Q4 2014 State of the Internet - Security report is out today. We've previewed sections this past week (see sidebar below), but now we can share some numbers.

PREVIEW POSTS:

• Coming 1/29: Q4 2014 State of the Internet Security Edition
• Malware Evolution: A History
• The Trouble With Bots, Spiders and Scrapers
• TCP Flag DDoS Attack by Lizard Squad Indicates DDoS Tool Development

By Patrick Laverty, Clark Shishido, Dave Lewis, Mike Kun, Larry Cashdollar and Bill Brenner

We're always concerned about where the next attack is coming from. We worry about DDoS, SQL injection, defacements and a host of other attack techniques. One attack in particular can bypass even the best security protections and give attackers the keys to the kingdom.

That attack is called DNS Hijacking. This happens when attackers gain access to a domain registrar account and change the DNS resource recordsto point to server(s) under the attacker's control.

Last month, we released three new security whiteboard videos. Here's the whole package, for your viewing pleasure and ongoing security education.

At Akamai, incidents happen daily. Despite strong controls, it's inevitable that problems will arise when so much content is being handled, processed and distributed within Akamai and on behalf of customers. To deal with that reality, the company has a set of procedures to manage incidents as they materialize. Most incidents are resolved by small interventions in the network. In this whiteboard presentation, Bill Brenner gives an overview.

Vulnerability assessment and pen testing both deal with finding and fixing security holes. But they are not the same thing. In this whiteboard presentation, Akamai security researcher Patrick Laverty explains the differences between the two, and how both are critical to the vulnerability management process at Akamai.

In this whiteboard presentation, Akamai InfoSec Program Manager James Salerno explains what FedRAMP is, why it was created and why it's become an important part of Akamai's security compliance process.

A public vulnerability in the GNU C Library that could be exploited to take remote control of vulnerable Linux systems was recently disclosed. Akamai is aware of this disclosure and is currently evaluating its exposure to this vulnerability, if any.

Specifically, the problem is a heap-based buffer overflow in the glibc's __nss_hostname_digits_dots() function used in gethostbyname() and gethostbyname2() glibc function calls. The vulnerability, commonly known as "Ghost" in the media, affects Linux systems.

Here are some excerpts from information that is publicly available:

• According to the Red Hat Bugzilla advisory, an attacker could remotely exploit this condition to make an application call either of these functions. In the process, the attacker could launch malicious code with the permissions of the user running the application.
• Threatpost published a report on the vulnerability this morning, having this to say:  "The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the _gethostbyname function. Researchers at Qualys discovered the flaw, and say it goes back to glibc version 2.2 in Linux systems published in November 2000."
• The issue was first reported Tuesday by security vendor Qualys. In a separate advisory, Qualys researchers said they stumbled upon the vlnerability during an internal code audit. "We discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc)," Qualys said in the advisory. "This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it -- and its impact -- thoroughly, and named this vulnerability GHOST."

  
  The issue has so far been addressed in several popular Linux distributions.

A blizzard rages outside as I write this, and the governor of Massachusetts has banned travel on the roads. Many of us from Akamai's Cambridge headquarters will spend today at home, and possibly tomorrow.

But Akamai will continue to run. Being spread across the globe makes that a given. It illustrates the power of redundancy.

Yesterday, my colleague Michael Smith shared a write-up on Akamai's Luna Authentication and Authorization services, telling his Twitter followers: "This will save your life if you are an Akamai customer. Set it up now."

It is an important part of what we offer, and a refresher course is appropriate here as well. So here we go:

We continue to preview sections of the Q4 State of the Internet - Security Report due out next week. Last week we told you about a DDoS attack from a group claiming to be Lizard Squad and the unintended consequences of many bots, spiders and scrapers. Tuesday, we shared a history of malware evolution.

Today, we preview the Attack Metrics/Trends section of the report, and what we see for the future.