Akamai Diversity

Recently in Web Security Category

Fresh Wave of Online Extortion Attacks Underway

Akamai CSIRT has identified a trend in online extortion that has the potential to impact customer websites and their users.

Attackers are using reflected UDP to launch direct-to-origin denial of service attacks at e-commerce sites, then demanding payment to stop the attacks, CSIRT's Mike Kun wrote in an advisory.

"We have seen these extortion attempts target e-commerce and retail sites, as well as online collaboration sites, but all sectors are vulnerable," Kun wrote. 

This advisory serves as a description of the attacker, their capabilities, and how to mitigate the threat.

The OpenSSL Project today disclosed new vulnerabilities in the widely used OpenSSL library. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.
The most interesting is the ChangeCipherSpec Injection, which would enable a man-in-the-middle attacker to force weaker ciphers into a communication stream.
Akamai SSL services (both Secure Content Delivery and Secure Object Delivery) have been patched for this vulnerability. The other vulnerabilities are relatively uninteresting for our environment - we don't support DTLS, and we don't enable SSL_MODE_RELEASE_BUFFERS.

Build Systems to Fail

Akamai Security Advocate Dave Lewis (@gattaca on Twitter) has written a new post for Forbes. He argues that we need to assume that our systems will fail and fail hard. 

"We need to build network security with failure in mind," he wrote. "There was once a notion of 'bricks and clicks' that was meant to demonstrate a delineation between retail and online presence. This too has fallen by the wayside as online business is now just the business."


A Year in the InfoSec Life: 5 Lessons

Yesterday was my one-year anniversary at Akamai, and it's been a great learning experience. To measure the journey, I took a look at posts written in the past year.

The following compilation captures the lessons that have made the biggest impression so far.

5 Security Headlines

A look at the security issues making headlines so far this week:

Phishing campaign touts fake 'Heartbleed removal' tool (Computerworld)
The program attached to the emails is actually a keylogger, according to Trend Micro.

Iranian Cyberspies Pose as Journalists Online To Ensnare Their Targets (Dark Reading)
Cyberspying campaign out of Iran combines social engineering and social media to steal credentials from a wide array of US and Israeli military, government, and defense contractors.

US Disrupts $100M GameOver Zeus Malware Cybercrime Ring (Cnet)
Suspected Russian hacker is accused of creating botnet that infected as many as 1 million computers worldwide in order to steal more than $100 million.

American Express Issues Alert After Anonymous Dumps Cardholder Data (CSOonline)
In a letter to the California Attorney General's Office (OAG), American Express says that 76,608 people in the state will get a breach notification letter after some of their data was published by Anonymous Ukraine earlier this year.

Serious Flaw in GnuTLS Library Endangers SSL Clients and Systems (InfoWorld)
A vulnerability patched in the GnuTLS library can potentially be exploited from malicious servers to execute malware on computers.
Headed To Black Hat, DEF CON and BSidesLV?

Though it's still two months away, this is the time of year when those headed to Black Hat, DEF CON and BSidesLV start fretting over registration, flights and hotel bookings. This year I decided to get a jump on things, and here are a few things I've learned that will hopefully make your lives easier.

Akamai security staff will be there in force, and we're certainly looking forward to it.

What's Your Favorite Security Conference?

I've been participating in an ongoing, online panel hosted by the Information Security Buzz website. The latest question is, "Based on your experience and knowledge, what would you say is the BEST Information Security event to attend and why?"

6 More Great Security Podcasts

Tuesday, I wrote a post about five security podcasts worth your time. This is a sequel post, directing you toward six more great podcasts that'll make you smarter and better informed about all things InfoSec.

Always a rich source of real-time security monitoring, the Sans Internet Storm Center's podcasts offer quick status checks on threats around the Internet. There's the longer ISC Podcast and the shorter, more frequent Stormcast.
Risk Science is a community-driven podcast to promote the greater understanding and applicability of risk management strategy and practices through active research, discussions, and interviews. Along the way we hope that, with our listeners, we can discover the tools and approaches that we can use to tackle the many issues and challenges we will be facing as an industry.
Features Sophos experts and Naked Security writers Chester Wisniewski and Paul Ducklin. It's produced weekly in a quarter-hour format, and gives you an informative and entertaining take on the latest security news.
Hosted by two former federal agents who investigated computer crime, this is a technology podcast covering computer security, crime and forensics topics.
The Hacker News Network Podcast takes a weekly look at the news and views that shape the information security industry and the internet underground. It's hosted by Space Rogue.
A great podcast series that coincides with the annual FIRST conference.

DDoS, as simple as your ABCs

DDoS toolkits and DDoS-for-hire services, along with some bitcoins, an anonymous email account, a Tor connection and a sense of purpose, have made it trivial for individuals, hacktivist collectives and cyber criminals to launch an effective DDoS attack.

6 Security Podcasts Worth Your Time

Though we have our own show called the Akamai Security Podcast and spend a lot of time promoting it in this blog, there are many other security podcasts worth your time. What follows are six favorites.

1.) Liquidmatrix Podcast

Akamai Security Advocate Dave Lewis hosts this podcast with James Arlen, Matt Johansen and Ben Sapiro.

2.) Network Security Podcast

London-based Akamai Security Advocate Martin McKeay hosts one of the longest-running and most popular podcasts in the industry.

3.) Southern Fried Security Podcast

Join Andy Willingham, Martin Fisher, and Steve Ragan as they discuss information security, news, and interview interesting folks. They focus on the operational and leadership aspects of information security using a distinctly southern viewpoint.

4.) Exotic Liability

Chris Nickerson and Ryan Jones tackle a wide range of security topics in this podcast. Here's how they describe it: Exotic Liability will push you into the new generation of Security. On your own or by force, Chris Nickerson and Ryan Jones will be bringing you the best content from the TOP/ middle and Sewers of the Security industry. No more firewall admins speculating about how attacks happen, these are the pros or even the bad guys. These are the people that make Security tick. If you are tired of the old solutions and rhetoric, join in.

5.) PaulDotCom's Security Weekly

Arguably one of the most popular podcasts on the Internet, Paul Asadoorian and crew live stream the show for video as well as audio. Regular guests include Tenable Security's Jack Daniel.

6.) Risky Business Podcast

Patrick Gray takes a "lighthearted" look at information security news and features.