Recently in Web Security Category

Yearly Review

2016 was an exciting year; a year in which hazards related to the Intent of Things (IoT) became trendy small talk in many living rooms around the world. For us, the members of the InfoSec community, it was the year when the security risks of IoT devices evolved from being theoretical to becoming a practical problem to us all. It was the year in which we all realized that the lack of security surrounding IoT is not just a liability on the consumer owning the device, it is a problem for the entire Internet.

In the first of this two-part blog, I reported the impact that the Dyn DDoS attack had on the financial services industry.  Banks, insurers, credit cards, and others had two waves of impacts on Oct. 21, with many websites clocking in with 60 second page response times, and others with outright failures, not able to service their customers.

In Part 2, we'll dig into some details to better understand the technology risks of financial services websites, and extract some lessons learned for the industry.

Leading up to the U.S Presidential Election last week, the oracles of the security world were warning of all the possible types of attacks we might see during the day of decision making.  We were preparing for attacks against voting machines, disinformation spread through social media platforms, more email leaks, and above all Distributed Denial of Service (DDoS) attacks against everyone from the White House to news sites around the globe.  Yet none of these seem to have materialized.

Each quarter the Akamai team delves into the volumes of data that we have at our disposal. Every time we do so we find something new and exciting, and this last quarter was by no means an exception. You might have heard of a little botnet called Mirai that set the Internet on its ear during the month of October.

Boolean Operator

Different cultures and nationalities have different naming conventions; I came from a one that led me to face the universe with a personal name "Or". I fact, my name has different meanings in different languages. In English the meaning of "Or" is function word that indicate alternatives and in computer coding languages the name "Or" is being used as Boolean operator that enable us to write conditions in our code. 

New Year's Eve is typically in the depth of end-of-year change freezes for most IT organizations. At the end of 2016, however, two major events will be occurring right at the end of the year: a leap second and the final end of browser support for SHA-1 TLS certificates.  Both of these changes have the potential to break software systems and applications.  Significant preparation, planning, and testing ahead-of-time can significantly reduce the risk for both.

The recent DDoS attack against the Dyn DNS service resulted in major impact across the financial services industry, and provides us an example to better understand the technology risks and the lessons learned from this attack.

In the first of this two part blog, we will examine the impact that the attack had on banks, insurance companies, and other firms in the industry.  In Part 2, we'll dig into some details to better understand the technology risks of financial services websites, and extract some lessons learned for the industry.

Earlier this month, I found myself thinking about some vulnerabilities I discovered with my intern, Elitza Neytcheva, while demonstrating vulnerability research. I realized I only gave the code a nominal review, only partially analyzing and tracing the execution paths to exploit the XSS and SQL injection that Elitza and I initially found. We looked at about 5% of the overall extensions code. I figured it could use a second deeper look, and I wanted to find a SQL injection that didn't require an authenticated user to exploit - which is the worst kind of vulnerability.

Akamai Edge conference is here and I'm really excited to share some of my insights and thoughts about credential abuse attacks in my session "Akamai Threat Research into Credentials Abuse".

Credential abuse attacks become a common disturbing threat in recent years, a successful credential abuse attack campaign can result with a potential damage that include losing access and control over the accounts, data breach and even fraudulent transactions.

Akamai completed its first assessment against the SOC 2 standard this summer, and has released its first report on compliance under NDA.

What is the SOC 2?

The SOC (Service Organization Controls) 2 is a security standard aimed at Service Organizations. The SOC 2 is developed and maintained by the AICPA (American Institute of CPAs),which breaks goals for secure operations into 5 different categories called trust principles. The trust principles include Security, Availability, Processing Integrity, Confidentiality, and Privacy. An organization may be assessed against one or more of the trust principles. There is no certification available for the SOC 2 standard, as the controls of each trust principle, called common criteria, are interpreted by each organization undergoing assessment.