Akamai Diversity
Home > Web Security

Recently in Web Security Category

As you may have heard, Akamai recently introduced a new product, Bot Manager. I've been working at Akamai for close to 10 years and, in my past roles here (Technical Support Engineer, Enterprise Architect), I've had the opportunity to work closely with many customers who had issues with bots. Generally, this was about protecting the site against "bad bots" but also making sure that "good bots" were not impacted by any of the mitigation techniques. 

Hackers vs. Media

We're used to hearing about cyber attacks against financial institutions and retailers. But another industry faces a growing threat: Media.

Digital media publishers strive to provide meaningful content and a user experience that will grow a dedicated base of content consumers. This allows the publisher to partner with and provide services to marketing and advertising concerns to build cash flow that can be used to further enhance the experience for content consumers.

Scraper and Bot Series - When Good Bots Go Bad

By Bill Brenner, Akamai SIRT Senior Tech Writer

Akamai this week launches the first in a series about bots and scrapers, based on continued research by Akamai's Security Intelligence Research Team (SIRT). In the first installment, we discuss the various types of bots and scrapers that we have encountered, and how you may want to react to each. This paper will mainly focus on the known "good bots", -- traffic that is encouraged because it can be helpful to a business.

3/8/16 UPDATE:  Akamai continues to harden systems against the DROWN vulnerability (CVE-2016-0800), which exploits legacy encryption protocols in order to compromise keys that secure modern protocols, like TLSv1.2. (It does not leak the SSL/TLS keys themselves.) 

We have taken the necessary steps to protect both our customer-facing and critical internal systems from this vulnerability as of March 1, 2016.  We will continue to identify and patch non-critical systems on an as-needed basis.

The Decrypting RSA with Obsolete and Weakened eNcryption attack, described here, allows an adversary to compromise secrets from modern-TLS connections if any machine will accept SSLv2 connections using the same key & certificate.

Our secure delivery services are not vulnerable to DROWN. Individual customers have the option to enable SSLv2 for their own sites. Doing so would expose that customer's connections to DROWN.

While Akamai secure delivery provides protection, customers are still advised to verify that the origin servers they operate themselves do not use SSLv2. If they do have to use SSLv2, they should not do so using the same key & certificate as would be used for more secure connections.

The vulnerability is getting attention from such media outlets as The Register and Ars Technica.

The official DROWN web page calls this "a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security." Attackers can exploit it to break the encryption and read or steal sensitive communications such as passwords, credit card numbers, trade secrets, or financial data. The researchers estimate that 33% of all HTTPS servers are vulnerable to the attack.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject, or contact your Akamai Representative or Customer Care.

If our investigation uncovers additional risks, we will provide follow-up blog posts, Akamai Community posts, and Luna Portal advisories to update customers on how we are affected and what we're doing about it.

Join me over the next few posts as I talk about how to provide fast, reliable, and secure applications in the branch while protecting end-users and promoting a transparent and open Internet. In Enterprise Security - SSL/TLS Primer Part 1 - Data Encryption I covered the fundamentals of data encryption. For part two we will cover certificates. Let's start with the basics.

CDN-based WAF + Big Data Intelligence is a Gold Mine for This Security Researcher

I am frequently asked by friends and colleagues why I joined Akamai's Threat Research Team.  I can boil it down to three main reasons: People, Technology and Data.         

Akamai Response To "Forwarding-Loop" Issue

Akamai is aware of the research paper titled "Forwarding-Loop Attacks in Content Delivery Networks" published by Jianjun Chen et. al on Feb. 29.  We have reviewed the researchers' findings, and are confident that we already have adequate counter-measures in place to thwart any attempt to use Akamai as an attack vector in the manner described by the paper.

The paper describes four types of forwarding-loop attacks against CDNs: self-loop, intra-CDN loop, inter-CDN loop and dam flooding. The paper acknowledges that Akamai is not vulnerable to the first two. The third attack (the "inter-CDN loop attack") is described as a looping between multiple CDNs.  Finally, the fourth -- "dam flooding" -- is described as coupling "forwarding-loop attacks with timely controlled HTTP responses to significantly increase damage."

While Akamai does not publically disclose or discuss our security countermeasures, we would like to reiterate that we have sufficient countermeasures in place to detect and defend against all these attacks, as well as substantial capacity to absorb traffic spikes. If you have any additional questions/concerns, please reach out to your Akamai representative.

Monday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I've been writing posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at Web application attacks by industry.

Related: 

This quarter, the retail sector suffered the vast majority of web application attacks: 59%. Media and entertainment suffered 10% of attacks, as did the hotel and travel industry. Financial services suffered 7% of attacks, followed by high technology (4%), consumer goods (3%), manufacturing (2%), the public sector (1%), and gaming (1%).

Join me over the next few posts as I talk about how to provide fast, reliable, and secure applications in the branch while protecting end-users and promoting a transparent and open Internet. Let's start with the basics.

So what is SSL/TLS & how does it work?

Yesterday, Akamai released the Q4 2015 State of the Internet Security (SOTI Security) Report (download here). I'll write posts throughout the week focusing on specific parts of the report. For this installment, let's take a look at mega-DDoS attacks from last quarter.

Related: 

In Q4, five DDoS attacks registered more than 100 Gbps. This number was down from the eight we saw in Q3 2015, and still more of a drop from the record-setting 17 mega attacks of Q3 2014.