Akamai Diversity
Home > Web Security

Recently in Web Security Category

Two Embarrassing Security Lessons

Good news: I got another look at how well Akamai's security procedures work. 

Bad news: It's because I made two simple mistakes. And I knew better.

Storm Stress Tester Crimeware Kit Targets Windows

The Akamai Prolexic Security Engineering & Response Team (PLXsert) has discovered a new tool attackers could use to target Microsoft Windows. The PLXsert advisory describes it this way:

The Storm kit is capable of infecting Windows XP (and higher) machines for malicious uses, including execution of DDoS attacks. Once a PC is infected, the Storm Network Stress Tester crimeware kit establishes remote administration (RAT) capabilities on the infected machine, enabling file uploads and downloads and the launching of executables, including four DDoS attack vectors.

A single PC infected by the new Storm crimeware kit can generate up to 12 Mbps of DDoS attack traffic with a single attack. As a result, orchestrated botnet attacks pose a significant DDoS threat. In addition, the RAT capability enables a variety of malicious activity, including the infection of other devices.

The RAT capabilities provide criminals with an all-purpose crimeware platform that can be used for a variety of malicious activity, including the infection of other devices, the advisory says.

"Remote administration lets malicious actors take over a PC from a distance, even from another continent," said Stuart Scholly, senior vice president and general manager of Security at Akamai Technologies. "In the last year, we've seen a growing volume of cyber-attacks coming from Asia. The Storm kit seems to have been custom-designed to infect and control vulnerable Windows XP machines in China."

One PC infected by the kit can generate up to 12 Mbps of DDoS attack traffic with a single attack. The kit comes pre-programmed to launch four types of DDoS attacks at once, increasing the potential attack volume.

A free download of the full advisory is available here.

Akamai PLXsert monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through digital forensics and post‐attack analysis, PLXsert is able to build a global view of DDoS attacks, which is shared with customers and the security community.

By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.


2013 DDoS Analysis For Europe

This year, we decided to do something a little different to accompany the year-end State of the Internet Report. In addition to the analysis we do on the numbers for the world as a whole, we're breaking out a particular region to look at in more detail. Although it is not the target of the largest number of attacks, we chose Europe because, like the rest of the world, it is seeing a growing number of attacks.

Akamai Is Hiring

One of the most interesting aspects of working at Akamai is the sheer volume of opportunities within the company. Since I started here in my own role last July I have had no end of interesting challenges that have managed to keep me thoroughly engaged. Akamai is a company that allows you to grow and never has a shortage of amazing projects to work on. 

This sort of excellent working environment invariably brings forward the question, "How do I get a job at Akamai?" Well, I'm happy that you asked. In fact we have extensive job listings on our careers page. In point of fact we currently have four open positions right now for our Information Security team. Take your career faster forward where your only limitation is your own imagination. Check out these job descriptions. 

Heartbleed: A History

In the interest of providing an update to the community on Akamai's work to address issues around the Heartbleed vulnerability, we've put together this outline as a brief summary:
  • Akamai, like all users of OpenSSL, was vulnerable to Heartbleed.
  • Akamai disabled TLS heartbeat functionality before the Heartbleed vulnerability was publicly disclosed.
  • In addition, Akamai went on to evaluate whether Akamai's unique secure memory arena may have provided SSL key protection during the vulnerability window when we had been vulnerable; it would not have.
  • Akamai is reissuing customer SSL certificates, due to the original Heartbleed vulnerability. 
More detailed information is below.

Cloudification of Web DDoS Attacks

Recent studies and reports show a dramatic increase in the prevalence of denial of service attacks in general, and application layer attacks in particular. As a result of this increase, DoS protection and mitigation solutions have evolved both on the technological side as well as in their ability to scale and protect against larger and more distributed attacks (DDoS).

Heartbleed Update (v3)

Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys.  We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community.  The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase.
In short: we had a bug.  An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others.  In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p.  These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability.  Given any CRT value, it is possible to calculate all 6 critical values.
As a result, we have begun the process of rotating all customer SSL keys/certificates.  Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer. 
In parallel, we are evaluating the other claims made by the researcher, to understand what actions we can take to improve our customer protection.

Heartbleed Update

Update 2014-04-13: Our beliefs in our protection were incorrect; update here.
Today, we provided more information to our customers around the research we've done into the Heartbleed vulnerability.  As our analysis may inform the research efforts of the industry at large, we are providing it here. 
Summary: Akamai patched the announced Heartbleed vulnerability prior to its public announcement.  We, like all users of OpenSSL, could have exposed passwords or session cookies transiting our network from August 2012 through 4 April 2014.  Our custom memory allocator protected against nearly every circumstance by which Heartbleed could have leaked SSL keys.  There is one very narrow window through which 4 Akamai server clusters had a vulnerable release for 9 days in March 2013.  For the small number of customers potentially affected, we are pro-actively rotating certificates.
All certs issued on or after 1 April 2013 are certainly safe.
Please read below for more details on this issue.

SOURCE Boston: Fighting Security Burnout

If you're attending SOURCE Boston, there's a discussion Thursday at 11 a.m. you should attend. It deals with a subject we've been working hard to address at Akamai: burnout in the security industry, and how we can make things better by tapping into the better angels of our nature.

SOURCE Boston 2014: Need a Job? Stop By Our Table

Attention, SOURCE Boston attendees: If you or anyone you know needs a job, come by our booth. Recruiters are on hand, and they have several positions to fill, including:

  • A program manager for InfoSec;
  • A senior manager for Enterprise Security;
  • A security architect for Adversarial Resilience; and 
  • A principal application software engineer for the Security Products Group.
We're also giving away an iPad at 5 p.m., so come put your business card in the raffle jar. And by all means, come grab some shwag.