Even a hack exposing 9+ million records can be considered “basic.”
While the effects of the compromise at the Australian telecom Optus were anything but basic, the attacker had an easy way in.
“What is of concern for us is how what is quite a basic hack was undertaken on Optus,” Australian Minister for Cybersecurity Clare O'Neil said shortly after the Sept. 2022 breach.
Because the application’s data-exchange layer, its application programming interface (API), was left exposed to the internet with no authentication required, the hacker could download customer records simply by requesting them.
While IT teams often make application inventory and patching part of their vulnerability management programs, recent attacks show that the API is an oft-exposed component deserving of some attention—both in the development process and during runtime.
“Those exposure points are often ignored, often overlooked, and very often vulnerable, or overly permissive, because the person writing them maybe didn’t have the knowledge or experience for how to limit what could be seen or what could be called,” said Bill Young, VP and general manager of threat management at the consultancy Optiv.
API have no idea what you’re talking about…
Who’s calling: An API “call” initiates the exchange of information. An API, for example, facilitates access when connecting a login submission to a server.
An API is like a waiter: taking the orders, bringing them to the kitchen, and sending back the dinner. (And a hacker steals the waiter’s little notepad…)
Who’s hacking: A recent report from the cybersec company Akamai Technologies discovered a whopping 257% increase in web-application and API attacks, many directed at financial organizations.
What’s helping: Authentication and authorization frameworks like OAuth 2.0 ensure a caller is identified and permitted before an API hands over data. Rate limiting caps how many requests a client can make in a given window, which blunts brute-force login attempts and bulk scraping of records. Transport Layer Security (TLS) encrypts API traffic in transit so credentials and responses cannot be read or altered on the wire.
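The two failure modes the piece describes, an endpoint that answers anyone and one that answers only the authenticated owner at a bounded rate, side by side. This is an added illustration, not Optus’s code or any vendor’s; the customer records, tokens and the in-memory handlers are constructed stand-ins for a real web framework, and the sliding-window limiter is one common choice among several.

```python
"""Added example (not Optus's code): an unauthenticated, enumerable customer
lookup beside a hardened handler with auth, object-level authorization and a
per-client rate limit. All data and handlers below are constructed stand-ins."""
import hmac
import time
from collections import deque
from typing import Dict, List, Optional, Tuple

# Constructed sample data: sequential IDs are what makes bulk download trivial.
CUSTOMERS: Dict[int, dict] = {
    1001: {"name": "A. Example", "email": "a@example.invalid", "dob": "1980-01-01"},
    1002: {"name": "B. Example", "email": "b@example.invalid", "dob": "1975-06-15"},
    1003: {"name": "C. Example", "email": "c@example.invalid", "dob": "1990-12-31"},
}

# Constructed tokens: bearer token -> customer ID it was issued to.
ISSUED_TOKENS: Dict[str, int] = {"tok-for-1001": 1001, "tok-for-1002": 1002}


def lookup_customer_exposed(customer_id: int) -> Optional[dict]:
    """The exposed pattern: no authentication, no ownership check, guessable IDs."""
    return CUSTOMERS.get(customer_id)


def enumerate_exposed(start: int, stop: int) -> List[dict]:
    """What an attacker does with such an endpoint: walk the ID space and keep every hit."""
    found = []
    for cid in range(start, stop):
        record = lookup_customer_exposed(cid)
        if record is not None:
            found.append(record)
    return found


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, deque] = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] >= self.window:  # drop hits older than the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def authenticate(headers: dict) -> Optional[int]:
    """Return the customer ID bound to a valid bearer token, else None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    presented = auth[len("Bearer "):]
    for issued, subject in ISSUED_TOKENS.items():
        if hmac.compare_digest(presented, issued):  # constant-time comparison
            return subject
    return None


def lookup_customer_hardened(
    headers: dict, client_addr: str, customer_id: int, limiter: RateLimiter
) -> Tuple[int, Optional[dict]]:
    """Hardened handler: rate-limit by source, authenticate, then enforce that a
    token for one customer cannot read another customer's record."""
    if not limiter.allow(client_addr):       # limit before auth so scrapers are throttled too
        return 429, None
    subject = authenticate(headers)
    if subject is None:
        return 401, None
    if subject != customer_id:               # object-level authorization
        return 403, None
    record = CUSTOMERS.get(customer_id)
    return (200, record) if record else (404, None)


if __name__ == "__main__":
    print("exposed endpoint leaks", len(enumerate_exposed(1000, 1010)), "records")
    lim = RateLimiter(limit=3, window=60)
    print(lookup_customer_hardened({}, "203.0.113.5", 1001, lim))
```

The order of checks matters: limiting before authentication means an unauthenticated scraper burns its budget, and the ownership comparison is what stops a legitimately issued token from being used to walk other customers’ IDs.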
“Usually vendors are quick to say, ‘Oh, well, there’s an API. We can easily connect…’ We’re not looking at the data that’s flowing through those APIs,” said Lisa McKee, director of governance, risk, compliance and privacy at the performance-analysis company Hudl.
Grand openings. While many security professionals emphasize the importance of API inventory and testing during application development, API hacks are often the result of a “series of grand experiments” by determined individuals, said Michelle McLean, VP of marketing at Salt Security, an API-monitoring platform provider.
Take the white-hat hacker who, in April 2021, found a flaw in an Experian API that returned an individual’s credit score when zeros were placed in the date-of-birth field.
Rather than halt the release of a revenue-building application, teams may just want to deploy without checking every scenario, including the one where the birthday is 00/00.
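The edge case above, written out as a lookup that silently ignores an unparseable date of birth beside one that fails closed. This is an added example and not Experian’s code; the records are constructed, and treating a bad date as a wildcard is an assumed mechanism used to illustrate the class of bug, not a description of the real flaw.

```python
"""Added example (not Experian's code): identity lookups where an invalid or
zeroed date of birth is ignored (weak) versus rejected (strict). Records and
the wildcard mechanism are constructed assumptions for illustration."""
from datetime import date
from typing import Dict, Optional

# Constructed sample records.
RECORDS = [
    {"name": "jane doe", "zip": "90210", "dob": date(1984, 3, 9), "score": 712},
    {"name": "john roe", "zip": "10001", "dob": date(1979, 11, 2), "score": 655},
]


def parse_dob(text: str) -> Optional[date]:
    """Accept only a real calendar date in MM/DD/YYYY. '00/00/0000', '13/45/1990',
    an empty string or a missing field all come back as None."""
    if not isinstance(text, str):
        return None
    try:
        m, d, y = (int(part) for part in text.split("/"))
        return date(y, m, d)  # raises ValueError for month 0, day 0, year 0, etc.
    except ValueError:        # covers bad ints, wrong part count and invalid dates
        return None


def score_lookup_weak(name: str, zip_code: str, dob_text: str) -> Optional[int]:
    """Weak: a DOB that does not parse is dropped from the match, so name and
    zip alone are enough to retrieve a score."""
    dob = parse_dob(dob_text)
    for r in RECORDS:
        if r["name"] == name.lower() and r["zip"] == zip_code:
            if dob is None or r["dob"] == dob:
                return r["score"]
    return None


def score_lookup_strict(name: str, zip_code: str, dob_text: str) -> Optional[int]:
    """Strict: an invalid DOB is an input error, and every identifier must match."""
    dob = parse_dob(dob_text)
    if dob is None:
        raise ValueError("date of birth must be a valid calendar date (MM/DD/YYYY)")
    for r in RECORDS:
        if r["name"] == name.lower() and r["zip"] == zip_code and r["dob"] == dob:
            return r["score"]
    return None


def probe_dob_edge_cases() -> Dict[str, bool]:
    """Cheap pre-release check: which malformed inputs does the parser accept?
    Every value here should be False before this endpoint ships."""
    probes = ["00/00/0000", "0/0/0", "", "13/45/1990", "03/09/1984/7", "2/30/1984"]
    return {p: parse_dob(p) is not None for p in probes}


if __name__ == "__main__":
    print("weak, zeroed DOB:", score_lookup_weak("Jane Doe", "90210", "00/00/0000"))
    print("edge-case probe:", probe_dob_edge_cases())
```

The check worth automating is the last function: run the parser over the zero, empty and out-of-range dates before release, and fail the build if any of them is accepted.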
“People are doing an awful lot. They’re doing things in smaller chunks. They’re not responsible for the whole thing soup to nuts. And I think it’s honestly an unfair burden to put on developers to say you should really code perfectly,” McLean told IT Brew.
Take Optus, said McLean. Technically, the API was built just fine.
“That API worked exactly how it was supposed to. It was just never meant to be public facing,” said McLean.—BH