Akamai Diversity
Home > Web Security

Recently in Web Security Category

Fresh Wave of DNS Record Hijacking Attacks Reported

Akamai has observed a fresh wave of DNS poisoning attacks, where web sites are hijacked and placed under the control of malicious actors.

It's a tactic Akamai has seen before, and there are ways for companies to defend themselves.

Anatomy of attacks
The Domain Name System (DNS) converts the text of a domain name (ie. akamai.com) to the server's IP address. Using DNS hijacking, a malicious user is able to update DNS records to resolve the domain to an IP that they own.

In most organizations, a limited number of people can make updates to their site's information with their DNS registrar. With most registries, updating records is as simple as logging in to a site with a username and password and changing the values of the DNS servers.

If an attacker is able to use social engineering or phishing to extract those account details, the attacker can then have the ability to redirect a domain to a different server. In some of the recent cases, this is exactly what happened.

Defensive measures
Companies should make employees aware of the threat and tactics used. Many times in these attacks, the username and password were successfully phished away from someone with the right credentials.

Companies can also lock their domains.

Domains can have locks at both the registry and registrar levels. The site owner can set and control registrar locks. These will prevent any other registrar from being able to successfully request a change to DNS for a domain. The locks that can be set at the registrar level by the site owner are:

  • clientDeleteProhibited
  • clientUpdateProhibited
  • clientTransferProhibited

The clientDeleteProhibited will prevent a registrar from deleting the domain records without the owner first unlocking the site. With the clientUpdateProhibited lock set, the registrar may not make updates to the domain and with the clientTransferProhibited set, the registrar may not allow the domain to be transferred to another registrar. The only exception to these is when the domain registration period has expired. These locks can be set and unset by the site owner and many registrars will allow these locks at no cost.

A second level of locks can also be put in place and these are set at the registry level. These are controlled by the registry and setting these can incur a cost to the domain owner. These locks are:

  • serverDeleteProhibited
  • serverUpdateProhibited
  • serverTransferProhibited

These locks operate similarly to the registrar locks in what they prevent, however they offer increased security in that they will require a phone call from the registry to the person who issued the request from the domain's registry.

The requester will need to give a predetermined pass phrase to the registrar to get the change made. These will lessen the chance of the registrar being able to make accidental or unwanted changes to the DNS records for the domain. Registry level locks offer a higher degree of security for the domain and may also incur a charge to implement.

8 Security Measures for IT Shops This Holiday Season

We've offered a lot of security advice for those shopping online this holiday season. But what about the IT practitioners responsible for securing sites those customers are using?

This post is for them.

Here are some words of wisdom I've picked up from security pros over the years. Some of the advice may seem obvious. But as I said yesterday, repetitive advice tends to be necessary in this hyper-connected, fast-paced world of ours. The advice is also not new. They are points I've been collecting for the last decade. But it's timeless advice, all the same.

Online Shopping Scams and How to Avoid Them

We recently shared five tips from Akamai Security Advocate Dave Lewis on how to avoid traps attackers set for online holiday shoppers. Today, we share articles from various publications to help you identify and avoid the most typical scams.

Tomorrow, I'll have a new post on things IT practitioners can do for their retail employers to harden systems against attack. The advice is important, because for every 100 failed online scams there are a few that succeed.

Some of the advice will seem repetitive. But if there's one thing we've learned, it's that good advice must be repeated often for more people to heed it.

Yummba Webinject Tools Used for Banking Fraud

Attackers are using Yummba webinject tools to target banks and other enterprises, Akamai's Prolexic Security Engineering & Response Team (PLXsert) warned in an advisory this morning.

Zeus crimeware has a history of being used to build botnets, steal banking credentials and launch DDoS attacks -- targeting platform-as-a-service (PaaS) and software-as-a-service (SaaS) infrastructures.

The added capabilities of Yummba custom webinjects make the malware even more dangerous, the advisory said. Webinject attacks available for sale in the wild vary in sophistication, from simple attacks that report account information and credential theft to highly advanced webinjects that utilize ATSEngine for automated fund transfers to attacker-controlled accounts. Portions of these attacks might also be used in cross-site scripting (XSS), phishing, and drive-by download attacks.

Yesterday, I told you about "Let's Encrypt" -- the new, free Certificate Authority (CA) launched by the Internet Security Research Group (ISRG) with help from Akamai and other companies.

To recap, this is another big step in the industry-wide transition from cleartext HTTP to secured HTTPS over TLS. It will allow organizations to obtain basic server certificates for their domains through a simple one-click process.

For a look at how simple this will be, check out the following demo:

"Let's Encrypt" = Secure HTTPS Over TLS

The industry-wide transition from cleartext HTTP to secured HTTPS over TLS moves another step forward this week, with the Internet Security Research Group (ISRG) announcing the launch of a new Certificate Authority (CA) service called "Let's Encrypt."

Akamai, Mozilla, Cisco, the Electronic Frontier Foundation, IdenTrust and researchers at the University of Michigan are working through ISRG to deliver the infrastructure in mid-2015.

Voting Season for (ISC)2 Members

Many readers of this blog are CISSPs and members of (ISC)2 -- the organization that administers and maintains the certification. This is the time of year when they have a chance to vote for the Board of Directors and have a say in how (ISC)2 conducts itself.

Akamai Security Advocate Dave Lewis is finishing his second year as a member of the current board. He's not up for re-election until next year.

Trends in Security for the Commerce and Travel Industry

Late last year, Akamai CSIRT Director Michael Smith gave a presentation about security trends affecting eCommerce and the travel industry. Around the same time, I conducted a two-part podcast interview with him on those and other security challenges.

I finally got around to watching the video of his presentation, and think the big picture he presented is as true today as it was then. Have a look, and then a listen.

Podcasts:

Bill Brenner and Michael Smith discuss Akamai CSIRT
Bill Brenner interviews CSIRT Director Michael Smith. They discuss the role of CSIRT in researching threats and vulnerabilities, as well as keeping customers and the wider public informed of defensive measures they can take.

Bill Brenner and Michael Smith discuss Akamai CSIRT - Part 2
Bill Brenner continues his discussion with CSIRT Director Michael Smith. In this installment, Mike describes the process by which CSIRT delivers daily threat intelligence to our customers, along with the defensive measures needed to block attacks.

Microsoft Security Update for November 2014

Microsoft released its November 2014 Security Update Tuesday. Windows, Office, Server Software and the .NET Framework are among the items affected.

More Akamai perspective on patching and vulnerability management:

Attackers Use DNS Flooder Tool to Amplify DDoS Impact

Akamai's Prolexic Security Engineering and Research Team (PLXsert) issued an advisory this morning warning of a new technique bad actors are using to launch DNS amplification attacks.

Amplification attacks generate large response packets with relatively small requests. Attackers create large DNS TXT (text) records to increase amplification, magnifying the impact of a DDoS attack. Several campaigns observed since Oct. 4, 2014 contain fragments of text taken from press releases issued by the White House, according to the advisory, available here.

PLXsert suspects the DNS flooder tool continues to be used in these campaigns.