state of the internet / security
Volume 5, Issue 6
A Year in Review

Table of Contents
01 Letter From the Editor
02 12 Months of Akamai Research
03 October 2018
03 November 2018
04 December 2018 / January 2019
05 February 2019
07 March 2019
07 April 2019
08 May 2019
08 June 2019
10 July 2019
11 August 2019
11 September 2019
13 Looking Forward
14 Appendix
24 Credits

Letter From the Editor

As 2019 comes to a close, we want to thank you, our readers, for continuing to support Akamai's State of the Internet / Security (SOTI) report. The team, and the report, have both evolved significantly this year, and we plan to continue to grow and evolve in the years to come. We want to be a report you return to for important research again and again.

Why does Akamai produce the SOTI report and produce security research in general? From an internal standpoint, the SOTI report and its research are excellent marketing materials. Good research makes for good stories, and good stories drive awareness of what a company considers important. In some ways, the type of research any security company publishes is nearly as important to building their reputation as the types of products they sell.

Why does a global group of researchers believe in the value of research and publication? Most individual responses we've received can be boiled down to two motivators. First, being recognized as a leader and source of intelligence in your chosen field is nice, no matter who you are. Second, the work our teams are doing is important. The security field is still young, and every piece of information, every nugget of wisdom that contributes to global knowledge, is valuable.

For my team, the writers, data scientists, and editors who develop this report and so much more, our work is our passion. Together, we have more than four decades of experience in security.
We realize just how much there is left to discover and how little of it is quantified. Working with our researchers lets us make a difference by making their work accessible and interesting to you. The SOTI report was originally based solely on DDoS and web application attacks, but we've evolved the report to cover a wide range of pressing security issues. As Akamai continues its own evolution as a security company, the types of data we have available will only grow. We've already started plotting for 2020, in all senses of the word.

You, our readers, are important to us. Without you, this report wouldn't exist. Thank you for reading, and we hope you'll continue to find value in our reports in the coming year. We welcome your feedback and your questions.

Martin McKeay
Editorial Director

12 Months of Akamai Research

Welcome to the sixth State of the Internet / Security (SOTI) report of the year. As the end of 2019 draws near, we want to look back and examine the research Akamai has done over the last 12 months, from the start of October 2018 through the end of September 2019, paying particular attention to the research coming out of Akamai's Security Intelligence Response Team (SIRT). Additionally, we highlight a selection of the more important news stories that affected the security industry in the past year.

While it might seem cliché to say it's been an interesting year, it's still true. More than ever before, security stories have become increasingly important and are becoming part of mainstream news. With elections on the minds of most people in the United States, we expect security to play an even bigger role in the year ahead.

October 2018

What a month! It began with a data breach affecting millions of people on Facebook.
A short while later, Bloomberg published a story centering on nation-state supply chain hacks. Every vendor in the story, as well as the U.S. Department of Homeland Security, refuted the claims, but Bloomberg stood firmly behind its reporting.

October was also a busy month for our security teams. Akamai's Ryan Barnett published a blog post on security response headers and why business leaders and security managers should care about them. One day later, Larry Cashdollar published an examination of the Luis phishing kit, including some of its evasion techniques. Cashdollar also broke the news surrounding the jQuery File Upload vulnerability (CVE-2018-9206). While the issue was addressed in the original project, forks of the code and copy-pasted usage spread its impact across other codebases, meaning the issue had the potential to affect 7,800 projects. In a follow-up post, Cashdollar tested 1,000 forked projects using the jQuery code and discovered 970 of them were still vulnerable. An upstream fix does nothing for forks and vendored copies that never pull it in, so the real exposure of a library bug is measured in downstream copies, not in the one repository that patched.

November 2018

November started off with word that the Library of Congress and the U.S. Copyright Office had added exemptions to the Digital Millennium Copyright Act (DMCA). One exemption allows good-faith security researchers to circumvent software protections in order to find and report flaws without fear of prosecution under the DMCA. This news was followed by reports that some 60 million U.S. payment cards had been compromised between 2017 and 2018, and that 93% of them were EMV enabled.

Around this time, Akamai's Kaan Onarlioglu published a blog post discussing third-party vulnerability assessments of the Akamai Intelligent Edge Platform and the false-positive results that could lead to confusion. Soon after, Ryan Barnett published an in-depth report on steps to take to protect yourself from Magecart attacks, and Or Katz published a detailed look into a phishing scam with 78 different variations.
Magecart-style skimming continues to be a significant threat as we close out 2019, in large part because of vulnerabilities both in e-commerce software itself and in the third-party plugins and scripts many sites load.

The Important Stories of the Past 12 Months

December 2018 / January 2019

Toward the end of 2018, the publication and research teams put the finishing touches on the first State of the Internet / Security report for 2019, published on January 30. It seems researchers, and even criminals, took much of December off. Before the SOTI report hit the presses, Larry Cashdollar published a blog post on the ThinkPHP vulnerability (CVE-2018-20062), which he ran into while researching Magecart skimming attacks. Lukasz Orzechowski followed that post by blogging about an experiment with Computer-Aided Translation (CAT) tools. Translations between languages are hard, especially when you're translating a computer script with technical writing.

State of the Internet / Security: Volume 5, Issue 1
DDoS and Application Attacks

TL;DR
- Mental health issues cost U.S. businesses more than $190 billion a year in lost earnings.
- Sometimes an "attack" isn't exactly what it first appears to be. Experts in Akamai's SOCC saw 4 billion requests impact a major website and dug into the real cause.
- Bots are big money for attackers, and they're constantly evolving to circumvent new defenses. One attacker offered $15,000 in his search for developers with experience in targeting specific company defenses.

This issue explored mental health, with a guest essay by Amanda Berlin. Since January, the number of Mental Health Hackers workshops at security conferences has grown across the United States.
We took a deep dive into an incident that, at first glance, looked like a massive DDoS attack, with more than 4 billion requests across more than 15,582 IP addresses. However, "the attack that wasn't" turned out to be a faulty application. Request volume alone does not identify an attack; the source and behavior of the traffic does. We also explored the topic of retail bots and how All-in-One (AIO) applications can seriously impact online sales and promotions. While not all bots are bad, some can certainly be more trouble than they're worth.

February 2019

February was cold, and so was the news cycle. However, there were some interesting stories, including a case in which someone filed a lawsuit against Apple for forcing two-factor authentication on user accounts. An incident notification letter filed with the Vermont Attorney General's Office (PDF) also drew attention. The incident in question was a credential stuffing attack that targeted TurboTax users, rather than a breach of Intuit systems: the attackers logged in with username and password pairs stolen from other sites and reused by the victims. Examples like this are one reason why multi-factor authentication and credential stuffing were themes Akamai followed throughout 2019. Another reason is the sheer volume of credential stuffing attacks Akamai continues to see.

Just before the second issue of the SOTI report was published this month, Larry Cashdollar published a blog post examining the use of Google Translate in phishing attacks against Facebook. LPT: Don't poke researchers with phishing attempts, as they make their living digging into strange and unusual patterns.

State of the Internet / Security: Volume 5, Issue 2
Retail Attacks and API Traffic

This was the first time this year that Akamai dug into our credential stuffing data. At the time this report was filed, Akamai had observed 10 billion credential stuffing attempts against the retail sector between May and December 2018.
The report also dug into AIO bots in the retail sector, API security, and potential IPv6 problems.

TL;DR
- Covering all sectors (not just retail), Akamai detected nearly 28 billion credential stuffing attempts between May and December 2018.
- IPv6 usage might be underreported based on Akamai's analysis. This leads to a dangerous assumption that IPv6 isn't worth monitoring.
- An analysis of Akamai's ESSL network revealed an 83% to 17% split between API and HTML traffic on our secure content delivery network (CDN). This is a significant increase since the same survey was performed in 2014.

Fig. 1: Daily Malicious Login Attempts, January to September 2019 (update of the chart published in issue 2). Credential stuffing continues to largely target the retail industry, with 16.5 billion attempts in the first nine months of 2019, compared with 11.5 billion in the last nine months of 2018.

March 2019

When discussing credential stuffing attempts, one of the key themes is the use of easily guessed or weak passwords. In addition, far too many users recycle their passwords across multiple networks and services. Early in March, stories about Comcast's Xfinity Mobile phone service having a default PIN of 0000 on customer accounts came to light. This story circulated shortly after rapper and business mogul Kanye West was shown to have set the password on his iPhone X to 000000. Outside of the news cycle, Akamai's Jonathan Respeto published a blog post on using Capture the Flag programs to promote continuous training within the Security Operations Command Center (SOCC).

April 2019

April arrived, and as the team recovered from the RSA Conference, news of a trio of zero-day vulnerabilities in WordPress plugins started to spread online, leading to a number of website compromises. Akamai researchers often observe that criminals use compromised websites to host phishing kits.
This also helps with evasion: a legitimate but compromised website isn't likely to raise suspicions or trigger endpoint defense alarms, because its domain carries an age and reputation that a freshly registered phishing domain lacks. In other vulnerability news, Larry Cashdollar published a blog post warning about multiple vulnerabilities in Magento. The advisory, published to bring attention to the issue, called out more than 30 vulnerabilities in the platform, including one that had a working proof-of-concept at the time. Later in the month, researcher Yael Daihes published a blog post with Craig Sprosts about adding real-world DNS data to deep learning models in order to increase their effectiveness.

State of the Internet / Security: Special Media Edition
Credential Stuffing Attacks and Economies

Released on April 8, 2019, this special edition of the SOTI report was published with the media audience at the National Association of Broadcasters (NAB) conference in mind. Akamai's Patrick Sullivan presented data and intelligence from the report at the NAB Cybersecurity

across all industries, there were more than 55 billion credential stuffing attacks during the same time frame. Web applications were