Tag Archive for: insecure

Insecure APIs Threaten Mobile App Security – What To Do


For most mobile apps, it’s not much of an exaggeration to describe them as a collection of APIs all tied together with a wrapper.

In fact, without connectivity, many mobile apps can’t function at all, because they depend on APIs to connect to back-end services. And that’s a big problem for developers, because, unfortunately, these APIs are frequently insecure — even in very sensitive apps.

A study of banking, fintech and cryptocurrency exchange apps found that practically every single one of the mobile apps researchers reverse engineered contained hardcoded API keys and tokens. The exact number was a whopping 99%! This includes usernames and passwords to third-party services.

Worse yet: All the APIs tested had vulnerabilities that enabled researchers to change PIN codes and transfer funds in and out of accounts. And if apps that control end-users’ money are this insecure, the situation is not going to be any better for apps that work with far less sensitive data and assets than people’s bank accounts.

Certainly, cybercriminals are paying attention.

By this year, 2022, Gartner predicts APIs will become the largest attack vector. It stands to reason. API keys in mobile apps and code repositories provide hackers with the means they need to attack back-end servers and access valuable assets, such as customer accounts and production servers.

But securing APIs is not simply a matter of willpower. Developers haven’t neglected API security because they are lazy or unconcerned. API security is complex, difficult and time-consuming. It requires highly specialized skills that are in short supply. And while much of the DevOps cycle is automated, mobile API security implementation is largely manual.

Simply put, in the aggressive mobile app marketplace, publishers must churn out new apps and features at a rapid pace to remain competitive. Implementing strong API security would substantially extend development cycles and break budgets.

A recent global survey of 10,000 mobile consumers found that a solid majority (63%) value security and malware protection of equal or even greater importance than they do features. This shows…


Client-side content scanning as an unworkable, insecure disaster for democracy • The Register


Fourteen of the world’s leading computer security and cryptography experts have released a paper arguing against the use of client-side scanning because it creates security and privacy risks.

Client-side scanning (CSS, not to be confused with Cascading Style Sheets) involves analyzing data on a mobile device or personal computer prior to the application of encryption for secure network transit or remote storage. CSS in theory provides a way to look for unlawful content while also allowing data to be protected off-device.

Apple in August proposed a CSS system by which it would analyze photos destined for iCloud backup on customers’ devices to look for child sexual abuse material (CSAM), only to backtrack in the face of objections from the security community and many advocacy organizations.

The paper [PDF], “Bugs in our Pockets: The Risks of Client-Side Scanning,” elaborates on the concerns raised immediately following Apple’s CSAM scanning announcement with an extensive analysis of the technology.

Penned by some of the most prominent computer science and cryptography professionals – Hal Abelson, Ross Anderson, Steven M. Bellovin, Josh Benaloh, Matt Blaze, Jon Callas, Whitfield Diffie, Susan Landau, Peter G. Neumann, Ronald L. Rivest, Jeffrey I. Schiller, Bruce Schneier, Vanessa Teague, and Carmela Troncoso – the paper contends that CSS represents bulk surveillance that threatens free speech, democracy, security, and privacy.

“In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance,” the paper says.

“Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be…


The risk of insecure protocols in business environments


This year alone, there have been some of the biggest and most damaging ransomware attacks to date. In the space of just five days in May, there were two major cyber-attacks that rattled governments and private sector organizations around the world. The first, on Colonial Pipeline, forced a week-long shutdown of a major petrol supply line and pushed U.S. petrol prices to their highest since 2014. The second attack, on the Irish healthcare system, resulted in thousands of appointments, cancer treatments, and surgeries being canceled or delayed and patient data shared online.

Most recently, IT company Kaseya was targeted with ‘the biggest ransomware attack on record’, with cyber criminals demanding over $70 million to restore systems and unlock data. In this case, the attackers targeted a well-established but little-known software firm that would give them access to hundreds of other environments, and the full extent of the damage is yet to be determined.


BlackKingdom ransomware still exploiting insecure Exchange servers – Naked Security


It’s three weeks since the word HAFNIUM hit the news.

The word Hafnium refers to a cybergang who are said to focus on stealing data from pretty much anyone and everyone they can infiltrate, across an eclectic range of industry sectors, and this time they hit a sort-of cybercrime jackpot.

The Hafnium crew, it turned out, not only knew about four zero-day vulnerabilities in Microsoft Exchange, but also knew how to exploit these bugs reliably in order to walk into unprotected networks almost at will.

The Exchange bugs didn’t include a remote code execution (RCE) hole to give the crooks direct and immediate access to a compromised server, but the bugs did allow the crooks to rig up RCE using a trick known as a webshell.

Greatly simplified, the attack goes like this:

  • Exploit the Exchange bugs to write a booby-trapped web file called a webshell onto a vulnerable server.
  • Trigger the booby-trapped web page hosting the webshell to run a PowerShell (or similar) command to download further malware, such as a fully-featured backdoor toolkit.
  • Enter at will and, very loosely speaking, commit whatever cybercrimes are on today’s “to do” list.