Posts tagged ‘Andy Ellis’

Akamai Edge 2014: Shellshock and Heartbleed Resources

October 6, 2014 3:40 am


Akamai Edge attendees will hear the names of two security vulnerabilities a lot this week: Shellshock and Heartbleed. Both shook the security industry to the core this year, and Akamai security staff spent countless hours working to protect customers against these threats.

Before Edge gets underway, here are some resources to get familiar with what we’ve done to address the threats.
More on the Web Security Track at Akamai Edge 2014:


This set of vulnerabilities is fresh on our minds. It has consumed much of the last two weeks. To keep customers informed of Akamai’s defensive measures, we created a series of articles and blog posts:

A look at two of the six security holes summarized last week in six CVE advisories. These were the last two to be published late last week.

Shellshock Update
CSO Andy Ellis’ update to customers on the Shellshock situation, published Thursday afternoon.

Environment Bashing
CSO Andy Ellis’ first post regarding the threat.

Akamai Launches New Protection for Shellshock-Bash
An update on what Akamai is doing to protect customers from the Shellshock-Bash vulnerability, by Akamai Director of Product Marketing Daniel Shugrue.

Shellshock-Bash CVE List: Where Akamai Fits In
A look at all of the CVE advisories now in circulation, and how they relate to Akamai’s mitigation strategies, by Akamai CSO Andy Ellis, Akamai Chief Security Architect Brian Sniffen, and Akamai Senior Program Manager Bill Brenner.

Shellshock Bash Explained
In this podcast, Akamai’s Martin McKeay, Michael Smith and Bill Brenner discuss the Shellshock Bash bug and what Akamai is doing to keep customers secure.

Through The Bashdoor
The Shellshock story as told by Akamai’s Security Platform Statistics, by Ezra Caltum, Adi Ludmer and Ory Segal.

The world awoke to the danger of Heartbleed in April, and it’s been a top-of-mind topic for Akamai and its customers ever since. The first thing worth mentioning for Edge attendees is that Akamai Chief Security Architect Brian Sniffen will give a talk on the lessons of Heartbleed. Here is the talk description:

The Evolution of TLS/SSL – Improving the Foundations of Internet Security: In the wake of the Heartbleed vulnerability, attention has turned to TLS, the fundamental building block of Internet encryption and authentication. In this session we’ll look at the evolving TLS standard and concentrate on new ciphers, authentication mechanisms, and asymmetric key changes – how they propose to impact the security of our data, and considerations for implementation and performance.

In recent months we’ve also released blog posts and a podcast outlining what Akamai has been doing to mitigate the vulnerability. All posts were written by CSO Andy Ellis:

The Brittleness of the SSL/TLS Certificate System
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy.

Podcast: CSO Andy Ellis on Heartbleed
My “lessons learned” interview with Andy.

Heartbleed: A History
A history of Heartbleed.

Heartbleed Update
During the Heartbleed crisis, we gave a series of updates in The Akamai Blog. This was the third such update, which captured all the important points.

Coming Soon: New Security Whiteboard Videos

September 23, 2014 3:40 am


Last year, we released a bunch of videos containing security whiteboard lessons on a variety of topics. This Thursday we shoot four new episodes.

Below is a preview of each episode.
  • To see previous security whiteboard videos, go here and here.

Incident Management 101
At every company, Akamai included, incidents happen daily. Despite strong controls, it’s inevitable that problems will arise when — in our case — so much content is being handled, processed and distributed within Akamai and on behalf of customers. Bill Brenner will walk viewers through the incident management process Akamai uses to minimize problems and maintain security.

Vulnerability Assessment vs. Penetration Testing
Vulnerability assessment and pen testing both deal with finding and fixing security holes. But they are not the same thing. Patrick Laverty will walk viewers through the differences between the two.

FedRAMP 101
James Salerno will tell viewers about FedRAMP — why it was created and why it’s become an important part of Akamai’s security and compliance process.

SSL Certificate Security and Trust
Meg Grady-Troia will teach viewers about the SSL certificate system and some of its strengths and weaknesses.

Next month, we’ll shoot a fifth video, where CSO Andy Ellis walks through one of the data centers housing Akamai servers and explains the myriad security procedures in place to protect those deployments.

Security Topics at Akamai Edge 2014: A Primer

September 22, 2014 3:36 am


Each year at Akamai Edge we update customers on some of the more persistent threats we’ve dealt with in the 12 months prior. Slides detailing the 2013 threat picture are available here. For an idea of what we’ll be sharing at Edge 2014 in a couple weeks, I’ve assembled this primer.

The following blog posts capture the main threats that have kept us busy in recent months:

Web Vulnerabilities: Low-Hanging Fruit for DDoSers
About a new Akamai PLXsert whitepaper released last week: “Web Vulnerabilities: The foundation of the most sophisticated DDoS campaigns.”

Akamai Offers Further Guidance to Blunt Linux DDoS Threat

David Fernandez, head of our Prolexic Security Engineering Research Team (PLXsert), offers additional details on countermeasures against the Linux DDoS threat.

Linux Systems Exploited for DDoS Attacks
Linux users have a new threat to worry about. According to Akamai’s Prolexic Security Engineering Research Team (PLXsert), the bad guys have discovered a weakness in Linux systems they can exploit to expand their botnets and launch DDoS attacks.

OpenSSL Vulnerabilities
On Wednesday, 2014-08-06, the OpenSSL Project disclosed nine low- and moderate-severity vulnerabilities, with details published here. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.

Hackers “Join” World Cup 2014 Matches on the Web
George Orwell once said, “International football is the continuation of war by other means.” As we will demonstrate in this post, Mr. Orwell was spot-on: according to statistics on web application layer attacks collected by Akamai’s Cloud Security Intelligence platform, the 2014 World Cup soccer matches spurred sophisticated cyber attacks between soccer-fan hackers of competing sides.

Highlights of Prolexic Attack Report for Q2 2014
As attacks go, the second quarter of 2014 was quieter than the first. But when you compare the numbers to this time last year, that’s of little comfort. According to Prolexic’s newly released attack report for Q2 2014, the rate of DDoS attacks rose 22 percent over the second quarter of 2013.

Blackshades RAT is a Serious Threat
Akamai’s Prolexic Security Engineering & Research Team (PLXsert) is warning companies of stealth surveillance and computer hijacking attacks by the Blackshades Remote Administration Tool (RAT) crimeware kit.

State of the Internet: Fewer Attacks Than Previous Quarter
The latest Akamai State of the Internet Report is out. Here’s a look at what we saw on the security front in the first quarter of 2014.

Anonymous Continues Targeting World Cup
We monitored attempts by Anonymous and others to cause Internet disruptions during the World Cup. Here’s how those attacks are playing out in the media.

World Cup 2014 Attack Targets
Attack targets were under the gun as soon as the World Cup started.

Threat Advisory: High-Risk Zeus Crimeware Kit
Akamai’s PLXsert team has discovered new payloads from the Zeus crimeware kit in the wild, deeming it “high risk” in an advisory.

Fresh Wave of Online Extortion Attacks Underway
Akamai CSIRT has identified a trend in online extortion that has the potential to impact customer websites and their users.

OpenSSL vulnerability (CVE-2014-0224)
The OpenSSL Project disclosed new vulnerabilities in the widely-used OpenSSL library. These are vulnerabilities that can potentially impact OpenSSL clients and servers worldwide.

PLXsert Eyes Spike in SNMP Reflection DDoS Attacks
Akamai’s Prolexic Security Engineering Response Team (PLXsert) has seen a significant resurgence in the use of Simple Network Management Protocol (SNMP) reflection attacks this past month.

The Brittleness of the SSL/TLS Certificate System
Despite the time and inconvenience caused to the industry by Heartbleed, its impact does provide some impetus for examining the underlying certificate hierarchy. (As an historical example, in the wake of CA certificate misissuances, the industry looked at one set of flaws: how any one of the many trusted CAs can issue certificates for any site, even if the owner of that site hasn’t requested them to do so; that link is also a quick primer on the certificate hierarchy.)

Podcast: CSO Andy Ellis on Heartbleed
By now, most of you are aware of the Heartbleed vulnerability that sent shockwaves through the tech industry. Like many of you, Akamai had to work overtime to ensure our customers were protected. We did that, but as is the case with any large security threat, we continue to be vigilant and, while letting everyone know what we did to keep them secure, we’re looking back at the lessons learned and how to turn it into even better security going forward. The details in this episode are not new, as CSO Andy Ellis has blogged at length about it. I’ve included those links below. But with so many of us working overtime to address Heartbleed, this was my first opportunity to sit down with Andy and discuss it.