Akamai Diversity
Home > Web Security

Recently in Web Security Category

"Let's Encrypt" = Secure HTTPS Over TLS

The industry-wide transition from cleartext HTTP to secured HTTPS over TLS moves another step forward this week, with the Internet Security Research Group (ISRG) announcing the launch of a new Certificate Authority (CA) service called "Let's Encrypt."

Akamai, Mozilla, Cisco, the Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan are working through ISRG to deliver the infrastructure in mid-2015.

Voting Season for (ISC)2 Members

Many readers of this blog are CISSPs and members of (ISC)2 -- the organization that administers and maintains the certification. This is the time of year when they have a chance to vote for the Board of Directors and have a say in how (ISC)2 conducts itself.

Akamai Security Advocate Dave Lewis is finishing his second year as a member of the current board. He's not up for re-election until next year.

Trends in Security for the Commerce and Travel Industry

Late last year, Akamai CSIRT Director Michael Smith gave a presentation about security trends affecting eCommerce and the travel industry. Around the same time, I conducted a two-part podcast interview with him on those and other security challenges.

I finally got around to watching the video of his presentation, and think the big picture he presented is as true today as it was then. Have a look, and then a listen.


Bill Brenner and Michael Smith discuss Akamai CSIRT
Bill Brenner interviews CSIRT Director Michael Smith. They discuss the role of CSIRT in researching threats and vulnerabilities, as well as keeping customers and the wider public informed of defensive measures they can take.

Bill Brenner and Michael Smith discuss Akamai CSIRT - Part 2
Bill Brenner continues his discussion with CSIRT Director Michael Smith. In this installment, Mike describes the process by which CSIRT delivers daily threat intelligence to our customers, along with the defensive measures needed to block attacks.

Microsoft Security Update for November 2014

Microsoft released its November 2014 Security Update Tuesday. Windows, Office, Server Software and the .NET Framework are among the items affected.

More Akamai perspective on patching and vulnerability management:

Attackers Use DNS Flooder Tool to Amplify DDoS Impact

Akamai's Prolexic Security Engineering and Research Team (PLXsert) issued an advisory this morning warning of a new technique bad actors are using to launch DNS amplification attacks.

Amplification attacks generate large response packets with relatively small requests. Attackers create large DNS TXT (text) records to increase amplification, magnifying the impact of a DDoS attack. Several campaigns observed since Oct. 4, 2014 contain fragments of text taken from press releases issued by the White House, according to the advisory, available here.

PLXsert suspects the DNS flooder tool continues to be used in these campaigns.

5 Security Tips For Online Holiday Shopping

In the run-up to Cyber Monday, we're looking at different online shopping trends and how Akamai plays a critical role in keeping things running. As part of that, we'll be focusing on typical security threats to be aware of this time of year and beyond.

Let's begin with some wise advice from my colleague, Akamai Security Advocate Dave Lewis. He originally came up with these last year, but it bears repeating each year. From here, we'll delve deeper into the scams online shoppers must worry about. More advice for keeping secure will follow from there.

And now for Dave's tips...
Businesses need to protect themselves from all of these types of attacks. By identifying the threats they find most damaging, businesses can tailor their security solutions to provide the best security for their critical applications.

Presented by Edward S. Ferrara, Vice President & Principal Analyst, Forrester. Learn more at www.akamai.com/webdefense


Akamai CSIRT Director Michael Smith and WhiteHat Security Threat Research Center Senior Manager Matt Johansen gave a demonstration of how the Million Browser Botnet operates, during last month's Edge conference.

Below is the full presentation.

Talk description:

Online advertising networks can be a web hacker's best friend. For mere pennies per thousand browser impressions, service providers allow you to broadly distribute arbitrary JavaScript. Most advertisers use this feature to show ads, track users, and get clicks, but hackers don't play by the same rules as the rest of us.

Absolutely nothing prevents them from spending as little as $10 to create a massive JavaScript-driven browser botnet instantly.

WhiteHat Threat Research Center Manager Matt Johansen and Akamai CSIRT Director Michael Smith show you how easily a bad actor can commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes, and even help brute-force passwords using just a few lines of HTML5 and JavaScript.


In April, Akamai determined its network was vulnerable to the Heartbleed bug. In late September, the company determined it was vulnerable to the Shellshock bug.

In this case study, Akamai Chief Security Architect Brian Sniffen walks through Akamai's response to both and provides insights into the lessons learned for improved security and incident response.

Screen Shot 2014-11-04 at 5.13.22 AM.png

Akamai Edge 2014: Evolution of TLS/SSL

Akamai Chief Security Architect Brian Sniffen reviews the evolution of TLS/SSL during a presentation at Akamai Edge 2014. Following the Heartbleed vulnerability, attention turned to TLS, the fundamental building block of Internet encryption and authentication. Sniffen reviewed the evolving TLS standard, including new ciphers, authentication mechanisms and asymmetric key changes.