Akamai Diversity
Home > Web Security

Recently in Web Security Category

SOURCE Boston 2014: Proof Heartbleed is a Big Deal

Akamai CSO Andy Ellis wrote about how we're protecting customers from the much-publicized Heartbleed vulnerability OpenSSL fixed in an update Monday. At SOURCE Boston 2014, there's plenty of personal proof that this bug is a big deal. You could say it ruined the first day of the conference for some.

Update 2014-04-11: Updated information on our later analysis here.

We're getting a lot of questions about the OpenSSL Heartbleed fix. What follows are the most commonly asked questions, with our answers.

The Heartbleed bug affects a heartbeat functionality within the TLS/DTLS portion of the library. It allows the attacker to -- silently and without raising alarms -- dump portions of the servers memory to the client. This can allow the attacker to walk through the memory space of the server, possibly dumping private SSL keys and certainly exposing important secrets.

All versions of the OpenSSL library between 1.0.1 and 1.0.1f contain the Heartbleed bug and should be updated to 1.0.1g as soon as possible. (The vulnerability researchers have posted their analysis, and an excellent analysis is up on Sean Cassidy's blog.

Fix Released for Heartbleed OpenSSL Flaw

A fix is now available for a serious Open SSL flaw known as Heartbleed. The vulnerability, covered in CVE-2014-0160, affects OpenSSL 1.0.1 through 1.0.1f with two exceptions: OpenSSL 1.0.0 branch and 0.9.8.

SOURCE Boston 2014: Talk Descriptions

SOURCE Conference 2014 runs tomorrow through Thursday at the Marriott on Tremont Street, Boston. Akamai is a platinum sponsor of the event and we hope to see you there. To help attendees acclimate, we're sharing the following talk descriptions, which are also available on the conference website.

And Now, This Message on 'Booth Babes'

For years, I've despised the so-called booth-babe phenomenon, in which vendors hire women to stand at their booths in skimpy attire at conferences. I've focused on what I see at security events, but the problem is universal.

If you want to know how I feel about it, read this Salted Hash write-up from a couple years ago. 

For the rest of this post, I direct your attention to this message from two individuals who want to see change.

As of 31 March 2014, the UK officially has a governmental Computer Emergency Response Team (CERT) that is responsible for being the central point for communication between a variety of governmental and business within the confines of the UK, as well as beyond. While this is the 'birthday' of CERT-UK, the organization has already been working hard since November to create infrastructure and hiring personnel, this was simply an official date to say "We're open for business."

Akamai is a Platinum Sponsor of SOURCE Boston 2014

Akamai is a platinum sponsor of next week's SOURCE Boston conference, and we'll have an army of security staff on hand to answer questions, show people around and help with introductions.

Anatomy of Wordpress XML-RPC Pingback Attacks

Akamai researchers have released fresh details regarding the Wordpress XML-RPC pingback exploits used in a series of DDoS attacks earlier this month. The details are in an advisory written by CSIRT's Larry Cashdollar.

Security Awareness for Senior Citizens

We hear a lot about the need to educate kids on Internet security threats. But Christopher Burgess, CEO of security consultancy Prevendra, thinks the danger is even greater for senior citizens who haven't had the advantages of growing up in a hyper-connected world. 

"We focus so much on protecting our kids. Nobody is watching the seniors," he told me in a phone conversation this week. "A lot of people are invested in separating seniors from their personal information and money." 

That being the case, his company set out to do something about it.

Full Disclosure's Second Chance

A week after the shutdown of Full Disclosure sent shockwaves through the security industry, we're getting word that it's getting a second chance. Nmap Project hacker Gordon Fyodor Lyon announced Tuesday that he's taking on management of the list.