Akamai Diversity
Home > Web Security

Recently in Web Security Category

Cloudification of Web DDoS Attacks

Recent studies and reports show a dramatic increase in the prevalence of denial of service attacks in general, and application layer attacks in particular. As a result of this increase, DoS protection and mitigation solutions have evolved both on the technological side as well as in their ability to scale and protect against larger and more distributed attacks (DDoS).

Heartbleed Update (v3)

Over the weekend, an independent security researcher contacted Akamai about some defects in the software we use for memory allocation around SSL keys.  We discussed Friday how we believed this had provided our SSL keys with protection against Heartbleed and had contributed the code back to the community.  The code that we had contributed back was, as we noted, not a full patch, but would be a starting point for improving the openssl codebase.
In short: we had a bug.  An RSA key has 6 critical values; our code would only attempt to protect 3 parts of the secret key, but does not protect 3 others.  In particular, we only try to protect d, p, and q, but not d mod (p-1), d mod (q-1), or q^{-1} mod p.  These intermediate extra values (the Chinese Remainder Theorem, or CRT, values) are calculated at key-generation time as a performance improvement. As the CRT values were not stored in the secure memory area, the possibility exists that these critical values for the SSL keys could have been exposed to an adversary exploiting the Heartbleed vulnerability.  Given any CRT value, it is possible to calculate all 6 critical values.
As a result, we have begun the process of rotating all customer SSL keys/certificates.  Some of these certificates will quickly rotate; some require extra validation with the certificate authorities and may take longer. 
In parallel, we are evaluating the other claims made by the researcher, to understand what actions we can take to improve our customer protection.

Heartbleed Update

Update 2014-04-13: Our beliefs in our protection were incorrect; update here.
Today, we provided more information to our customers around the research we've done into the Heartbleed vulnerability.  As our analysis may inform the research efforts of the industry at large, we are providing it here. 
 
Summary: Akamai patched the announced Heartbleed vulnerability prior to its public announcement.  We, like all users of OpenSSL, could have exposed passwords or session cookies transiting our network from August 2012 through 4 April 2014.  Our custom memory allocator protected against nearly every circumstance by which Heartbleed could have leaked SSL keys.  There is one very narrow window through which 4 Akamai server clusters had a vulnerable release for 9 days in March 2013.  For the small number of customers potentially affected, we are pro-actively rotating certificates.
 
All certs issued on or after 1 April 2013 are certainly safe.
 
Please read below for more details on this issue.

SOURCE Boston: Fighting Security Burnout

If you're attending SOURCE Boston, there's a discussion Thursday at 11 a.m. you should attend. It deals with a subject we've been working hard to address at Akamai: burnout in the security industry, and how we can make things better by tapping into the better angels of our nature.



SOURCE Boston 2014: Need a Job? Stop By Our Table

Attention, SOURCE Boston attendees: If you or anyone you know needs a job, come by our booth. Recruiters are on hand, and they have several positions to fill, including:

  • A program manager for InfoSec;
  • A senior manager for Enterprise Security;
  • A security architect for Adversarial Resilience; and 
  • A principal application software engineer for the Security Products Group.
We're also giving away an iPad at 5 p.m., so come put your business card in the raffle jar. And by all means, come grab some shwag.

10006383_10203740995191803_846107286495733959_n.jpg

SOURCE Boston 2014: Proof Heartbleed is a Big Deal

Akamai CSO Andy Ellis wrote about how we're protecting customers from the much-publicized Heartbleed vulnerability OpenSSL fixed in an update Monday. At SOURCE Boston 2014, there's plenty of personal proof that this bug is a big deal. You could say it ruined the first day of the conference for some.

Update 2014-04-11: Updated information on our later analysis here.

We're getting a lot of questions about the OpenSSL Heartbleed fix. What follows are the most commonly asked questions, with our answers.

The Heartbleed bug affects a heartbeat functionality within the TLS/DTLS portion of the library. It allows the attacker to -- silently and without raising alarms -- dump portions of the servers memory to the client. This can allow the attacker to walk through the memory space of the server, possibly dumping private SSL keys and certainly exposing important secrets.

All versions of the OpenSSL library between 1.0.1 and 1.0.1f contain the Heartbleed bug and should be updated to 1.0.1g as soon as possible. (The vulnerability researchers have posted their analysis, and an excellent analysis is up on Sean Cassidy's blog.

Fix Released for Heartbleed OpenSSL Flaw

A fix is now available for a serious Open SSL flaw known as Heartbleed. The vulnerability, covered in CVE-2014-0160, affects OpenSSL 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8.

SOURCE Boston 2014: Talk Descriptions

SOURCE Conference 2014 runs tomorrow through Thursday at the Marriott on Tremont Street, Boston. Akamai is a platinum sponsor of the event and we hope to see you there. To help attendees acclimate, we're sharing the following talk descriptions, which are also available on the conference website.

And Now, This Message on 'Booth Babes'

For years, I've despised the so-called booth-babe phenomenon, in which vendors hire women to stand at their booths in skimpy attire at conferences. I've focused on what I see at security events, but the problem is universal.

If you want to know how I feel about it, read this Salted Hash write-up from a couple years ago. 

For the rest of this post, I direct your attention to this message from two individuals who want to see change.