Akamai Diversity
Home > Web Security

Recently in Web Security Category

Akamai CSIRT Director Michael Smith and WhiteHat Security Threat Research Center Senior Manager Matt Johansen gave a demonstration of how the Million Browser Botnet operates, during last month's Edge conference.

Below is the full presentation.

Talk description:

Online advertising networks can be a web hacker's best friend. For mere pennies per thousand browser impressions, service providers allow you to broadly distribute arbitrary JavaScript. Most advertisers use this feature to show ads, track users, and get clicks, but hackers don't play by the same rules as the rest of us.

Absolutely nothing prevents them from spending as little as $10 to create a massive JavaScript-driven browser botnet instantly.

WhiteHat Threat Research Center Manager Matt Johansen and Akamai CSIRT Director Michael Smith show you how easily a bad actor can commandeer browsers to perform DDoS attacks, participate in email spam campaigns, crack hashes, and even help brute-force passwords using just a few lines of HTML5 and JavaScript.


In April, Akamai determined its network was vulnerable to the Heartbleed bug. In late September, the company determined it was vulnerable to the Shellshock bug.

In this case study, Akamai Chief Security Architect Brian Sniffen walks through Akamai's response to both and provides insights into the lessons learned for improved security and incident response.

Screen Shot 2014-11-04 at 5.13.22 AM.png

Akamai Edge 2014: Evolution of TLS/SSL

Akamai Chief Security Architect Brian Sniffen reviews the evolution of TLS/SSL during a presentation at Akamai Edge 2014. Following the Heartbleed vulnerability, attention turned to TLS, the fundamental building block of Internet encryption and authentication. Sniffen reviewed the evolving TLS standard, including new ciphers, authentication mechanisms and asymmetric key changes.


Preparing for the Holidays: Security Trends

Last time in our "Preparing for the Holidays" series, we focused on what you should know about mobile trends. And as promised, we're back at it with some more trends you should be aware of. This time, it's all about security. If security hasn't been top of mind in the past, it certainly is (or should be) now, given the number of high-profile breaches we've seen over the past several months. With that said, here's what you need to know:
In this latest episode, I talk to Akamai Security Advocates Dave Lewis and Martin McKeay about the increased frequency of severe vulnerabilities affecting SSL and related technology.

We start with the most recent case, Poodle, and move on to Shellshock and Heartbleed. A full list of resources for all of these incidents can be found here.

We also look ahead to potential security trends in 2015.


Akamai's Prolexic Security Engineering & Research Team (PLXsert) issued a new advisory Monday that provides a full analysis of the Poodle vulnerability, including actions companies can take to blunt the impact.

It's the latest in a series of postings Akamai has done to keep the public informed of its Poodle response. In addition to reviewing this new advisory, please refer to the following posts as well:

This is the latest in a string of severe vulnerabilities this year, including Shellshock and Heartbleed. A full list of resources for all of these incidents can be found here.

CAMBRIDGE, Mass. - October 23, 2014 - Akamai Technologies, Inc. (NASDAQ: AKAM), the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today announced availability of the Q3 2014 State of the Internet - Security Report. Akamai's Prolexic Security Engineering and Research Team (PLXsert) is a recognized leader in Distributed Denial of Service (DDoS) protection services and strategies. This quarter's report, which provides analysis and insight into the global attack threat landscape including DDoS attacks, can be downloaded at www.stateoftheinternet.com/security-report.

"DDoS attack size and volume have gone through the roof this year," said John Summers, vice president, Security Business Unit at Akamai Technologies. "In the third quarter alone, Akamai mitigated 17 attacks greater than 100 gigabits-per-second, with the largest at 321 Gbps. Interestingly, we witnessed none of that size in the same quarter a year ago and only six last quarter. These mega-attacks each used multiple DDoS vectors to deliver large bandwidth-consuming packets at an extremely high rate of speed."

Akamai PLXsert's Q3 2014 State of the Internet Report

Today we've launched the first all-security edition of the State of the Internet report. State of the Internet also has its own website now, where readers can delve into Akamai's threat intelligence, threat advisories, data visualizations and more.

Highlights of the security edition for Q3 2014 include a four-fold year-over-year increase in DDoS attack size and volume; new attacks targeting hand-held devices and the proliferation of easy-to-use attack tools.

In the latest episode of the Akamai Security Podcast, I talk to CSIRT Manager Mike Kun about what he calls an "interesting new attack vector" where bad actors forgo direct attacks against websites in favor of targeting third-party services the site is using.

"Rather than go against a target directly, bad actors are looking at what other services that website is using," Kun explains. "A simple one is DNS. If the attacker can compromise the registrar a site is hosted with, they can easily change the IP address mapping and point that at some other site."

Those who go for such attacks include hactivist groups looking to deface sites, or someone looking to steal information or drop malware for myriad purposes.

Widget providers are among the targeted. Kun notes that the chat function now available on many e-commerce sites is usually supplied by third parties.

"Sites are linking to code from third-party sites instead of running local code," Kun says. "So if an attacker can compromise that widget, they can attack your site."

Poodle, Shellshock and Heartbleed: Resources

It's been a year of major security vulnerabilities. Last week we worked to mitigate the Poodle vulnerability. Two weeks before that was Shellshock and in April we had Heartbleed. All have shaken the security industry to the core, and Akamai staff have spent countless hours working to protect customers against these threats.

To get a wider perspective of our actions in the face of such incidents, here's a collection of resources -- essentially everything we've had to say about Poodle, Shellshock and Heartbleed.

May you find it useful and insightful.