Akamai Diversity

Recently in Web Security Category

Security Kahuna Podcast: Las Vegas Edition

Akamai Security Storyteller Bill Brenner and Akamai Security Advocates Martin McKeay and Dave Lewis report from Las Vegas during Black Hat, BSidesLV and DEF CON. They are joined by special guests Steve Ragan and Gillis Jones.

They touch on antivirus pioneer John McAfee's appearances at BSidesLV and DEF CON, security luminary Dan Geer's Black Hat keynote, and try to answer the age-old question: Why go to these events?

About our guests:

Steve Ragan is a reporter for CSOonline and CSO Magazine.
Gillis Jones is a security consultant at Accuvant.

  • Listen to the full episode HERE.

OpenSSL Vulnerabilities

On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published here.

These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.

We currently believe our services are not impacted by CVE-2014-3508, CVE-2014-3509, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3510, and CVE-2014-3512.

We are in the process of rolling out a fix to address vulnerabilities CVE-2014-3511 and CVE-2014-5139 for each of our relevant services.

Akamai is investigating the vulnerabilities further, and will provide additional communication if needed.

Some of the vulnerabilities, as outlined in the advisory, include:

  • An information leak in pretty printing functions
  • A crash condition with the SRP ciphersuite in the Server Hello message
  • A race condition in ssl_parse_serverhello_tlsext
  • A double free when processing DTLS packets
  • A DTLS memory exhaustion condition
  • A DTLS memory leak from zero-length fragments
  • An OpenSSL DTLS anonymous EC(DH) denial of service
  • An OpenSSL TLS protocol downgrade attack
  • An SRP buffer overrun

BSidesLV and DEF CON: Security Bookshelf

I was browsing the tables this morning at BSidesLV and came across some books published by No Starch Press, which will also have books on display at DEF CON this weekend. 

Not Your Older Brother's Black Hat

Walking around Black Hat USA 2014 today, I'm struck by how much things have changed. 

For many years, the event was held in the Caesars Palace conference center. The corridors were crammed with people between talks, and the extent of the exhibit area was tables lining one wall. Now it's at Mandalay Bay, which has a lot more space. But that's not the crazy part.

The crazy part is the exhibit hall. 

That there's an entire exhibit hall is alien to the Black Hats of old to begin with. To be fair, the conference has been using a full exhibit hall for a few years now. But the so-called Business Hall this year is massive. I walked in and the first thing that came to me was that I was at the RSA Conference. Half a dozen people made the same observation.

Not that it's a negative change. 

It simply is what it is -- a progression Black Hat has followed for the last decade.

This is now truly a business event rather than a hacking-research event.


News Sources for Black Hat, BSidesLV and DEF CON

It used to be that I went to conferences to report news. 

Now, as a member of Akamai's InfoSec department, my role is different. I still write about a lot of topics, especially those pertaining to Akamai's security procedures and beliefs. But for the most part, now I'm on the other side, looking for good news sources to keep track of what's happening.

Fortunately, I didn't have to look far...

One source is Dark Reading, which has a special page devoted to the conference, including radio broadcasts, blog posts and raw news stories.

There's also my former employer, CSOonline, which is already full of great coverage. Pay special attention to Steve Ragan's Salted Hash blog.

Threatpost.com is a good resource for articles on the talks as they happen. One particularly interesting item is Dennis Fisher's article about innovation in the wake of the Snowden leaks.

Paul Roberts' Security Ledger is another great resource, particularly this article on security luminary and Black Hat keynote speaker Dan Geer.

I'll update this post as I come across more.

Akamai at Black Hat USA 2014

A platoon of Akamites -- myself included -- will descend on Las Vegas this week for Black Hat USA 2014 as well as BSidesLV and DEF CON. We'll be there to network, tell Akamai's security story and learn from those of you who will be giving talks.

At Black Hat, you can find us in the Business Hall at Booth 858. Come say hi and collect some free items, including scan-blocking card holders, stickers and t-shirts.

Safe travels!

BUSINESS HALL HOURS 
Wednesday, August 6: 10:00 - 19:00
Thursday, August 7: 10:00 - 17:00

Security in the News, Aug. 4

A look at security stories in the news that are relevant to Akamai customers and beyond.

Android vulnerability still a threat to many devices nearly two years later (CSOonline)
Many apps that use the Android addJavascriptInterface API are still vulnerable to JavaScript code injection, researchers from Bromium said.

Microsoft ordered to turn over customer data stored in the cloud (Computerworld)
Federal court says a warrant for info stored in Ireland is not an extra-territorial application of U.S. law; the decision has privacy implications.

The World's Most Hackable Cars (Dark Reading)
Researchers find 2014 models of Dodge Viper, Audi A8, Honda Accord are the least likely to be hit by hackers.

U.S. government warns of point-of-sale malware campaign (SearchSecurity)
The U.S. government has divulged details on the 'Backoff' point-of-sale malware campaign, which purportedly targets remote access software for entry.

Sandwich Chain Jimmy John's Investigating Breach Claims (KrebsonSecurity)
Sources at a growing number of financial institutions in the United States say they are tracking a pattern of fraud that indicates nationwide sandwich chain Jimmy John's may be the latest retailer dealing with a breach involving customer credit card data. The company says it is working with authorities on an investigation.

The IETF as a Nexus of Cryptography


The following is a guest post from Akamai Principal Security Engineer Rich Salz.

The Internet Engineering Task Force (IETF) is becoming a center for the application of cryptography. There are a handful of factors contributing to this:

  • It is the technical organization that defines the protocols and standards that enable the Internet.
  • The recent Snowden revelations showed how much government spying there is on Internet traffic.
  • The IETF response (RFC 7258) is to treat pervasive monitoring as an attack that must be mitigated.
  • There is increasing recognition in the academic community that TLS is an important protocol; papers discussing attacks on it get noticed.

Microsoft and Akamai have teamed up with Jerusalem Venture Partners (JVP) to create a security-focused accelerator program. It's based at the Microsoft Ventures Accelerator in Israel, and interested entrepreneurs and startups can apply now.

Startups accepted into the program will be announced Sept. 7 and the class will run through January.

Security in the News, July 28

A look at security stories in the news that are relevant to Akamai customers and beyond.