Earlier this month, I found myself thinking about some vulnerabilities I discovered with my intern, Elitza Neytcheva, while demonstrating vulnerability research. I realized I only gave the code a nominal review, only partially analyzing and tracing the execution paths to exploit the XSS and SQL injection that Elitza and I initially found. We looked at about 5% of the overall extensions code. I figured it could use a second deeper look, and I wanted to find a SQL injection that didn't require an authenticated user to exploit - which is the worst kind of vulnerability.
Get In Touch
Recently in Web Security Category
Akamai Edge conference is here and I'm really excited to share some of my insights and thoughts about credential abuse attacks in my session "Akamai Threat Research into Credentials Abuse".
Credential abuse attacks become a common disturbing threat in recent years, a successful credential abuse attack campaign can result with a potential damage that include losing access and control over the accounts, data breach and even fraudulent transactions.
Akamai completed its first assessment against the SOC 2 standard this summer, and has released its first report on compliance under NDA.
What is the SOC 2?
The SOC (Service Organization Controls) 2 is a security standard aimed at Service Organizations. The SOC 2 is developed and maintained by the AICPA (American Institute of CPAs),which breaks goals for secure operations into 5 different categories called trust principles. The trust principles include Security, Availability, Processing Integrity, Confidentiality, and Privacy. An organization may be assessed against one or more of the trust principles. There is no certification available for the SOC 2 standard, as the controls of each trust principle, called common criteria, are interpreted by each organization undergoing assessment.
You. And if not you, surely some of your fellow compatriots are. With a notable exception, but I'll come to this later in the article.
For forensic purposes, determining the origin country IPs involved in DDoS attacks -called 'zombies'- helps to determine who and where the victim is, but tells nothing about the location where the actual attacker sits, since those zombies, usually well distributed geographically speaking, have been infected or compromised without their permission and knowledge. The actual attacker country is extremely difficult to locate.
Researchers at Akamai have been monitoring the growth of attacks leveraging Internet of Things (IoT) devices. These attacks are coming from compromised devices of various sorts. Akamai works hard to protect our customers and users from these attacks.
With other, non-IoT types of devices (including general purpose computers), owners can patch or reconfigure their systems to close vulnerabilities. In the Internet of Things, device owners are often at the mercy of vendor updates in order to remove their devices from the pool of botnet nodes. In some cases, IoT devices are entirely unpatchable and will remain vulnerable until removed from service.
On Tuesday, September 20, Akamai successfully defended against a DDoS attack exceeding 620 Gbps, nearly double that of the previous peak attack on our platform.
That attack and the recent release of the Mirai source code have generated a lot of interest in, and speculation about, the role of IoT devices in DDoS attacks. For several months, Akamai researchers have been looking into the code that is now known as Mirai. Much of that research was based on reverse engineering of the binary prior to the actual source code being released.
On September 22nd, 2016, the OpenSSL project released versions 1.1.0a, 1.0.2i, and 1.0.1u of OpenSSL. This release contains about a dozen security fixes, including one important update that we wanted the Akamai community to be specifically aware of.
Akamai is aware of a vulnerability, announced at the USENIX Security conference on Aug 10, 2016, which describes a vulnerability in the Linux kernel's tcp stack implementation (kernel versions 3.6 to 4.6). At a high-level, a patient adversary can leverage rate-limited challenge ACK's on a non-secure tcp connection to conduct a hijacking attack.
A year ago Akamai's Threat Research Team exposed a "Blackhat Search Engine Optimization (SEO)" attack campaign. The goal of the campaign was to manipulate search engines rankings and grow visibility for a web site that allows users to share their cheating and infidelity stories.
Last week, American Banker hosted its brand new conference, Cybersec 2016 in Midtown Manhattan. Penny Crosman (@pennycrosman), Editor at Large, American Banker, did a great job as chair of the event and brought together thoughtful presenters and panelists. There were great insights from leaders in the industry from BBVA, Bank of the West, USAA, Mastercard, U.S. Bank, and many others. It was a fantastic day of information sharing - exactly what we need more of within the Financial Services Industry.