APIs Drive the Majority of Internet Traffic and Cybercriminals are Taking Advantage
http://www.indiavpn.org/2024/03/19/apis-drive-the-majority-of-internet-traffic-and-cybercriminals-are-taking-advantage/

Mar 19, 2024 | The Hacker News | API Security / Vulnerability

Application programming interfaces (APIs) are the connective tissue behind digital modernization, helping applications and databases exchange data more effectively. The State of API Security in 2024 Report from Imperva, a Thales company, found that the majority of internet traffic (71%) in 2023 was API calls. What’s more, a typical enterprise site saw an average of 1.5 billion API calls in 2023.

The expansive volume of internet traffic that passes through APIs should be concerning for every security professional. Despite best efforts to adopt shift-left frameworks and SDLC processes, APIs are often still pushed into production before they’re cataloged, authenticated, or audited. On average, organizations have 613 API endpoints in production, but that number is rapidly expanding as pressure grows to deliver digital services to customers more quickly and efficiently. Over time, these APIs can become risky, vulnerable endpoints.

In their report, Imperva concludes that APIs are now a common attack vector for cybercriminals because they’re a direct pathway to access sensitive data. As a matter of fact, a study from the Marsh McLennan Cyber Risk Analytics Center finds that API-related security incidents cost global businesses as much as $75 billion annually.

More API Calls, More Problems

Banking and online retail reported the highest volumes of API calls compared to any other industry in 2023. Both industries rely on large API ecosystems to deliver digital services to their customers. Therefore, it’s no surprise that financial services, which include banking, were the leading target of API-related attacks in 2023.

Cybercriminals use a variety of methods to attack API endpoints, but one common attack vector is account takeover (ATO). This attack occurs when cybercriminals exploit weaknesses in an API’s authentication processes to gain unauthorized access to accounts. In 2023, nearly half (45.8%) of all ATO attacks targeted API endpoints. These attempts are often carried out by automation in the form of bad bots, software agents that run automated tasks with malicious intent. When successful, these attacks can lock customers out of their accounts, provide criminals with sensitive data, contribute to revenue loss, and increase the risk of non-compliance. Considering the value of the data that banks and other financial institutions manage for their customers, ATO is a concerning business risk.

Why Mismanaged APIs are a Security Threat

Mitigating API security risk is a unique challenge that frustrates even the most sophisticated security teams. The issue stems from the fast pace of software development and the lack of mature tools and processes to help developers and security teams work more collaboratively. As a result, nearly one out of every 10 APIs is vulnerable to attack because it wasn’t deprecated correctly, isn’t monitored, or lacks sufficient authentication controls.

In their report, Imperva identified three common types of mismanaged API endpoints that create security risks for organizations: shadow, deprecated, and unauthenticated APIs.

  • Shadow APIs: Also known as undocumented or undiscovered APIs, these are APIs that are unsupervised, forgotten about, and/or outside of the security team’s visibility. Imperva estimates that shadow APIs make up 4.7% of every organization’s collection of active APIs. These endpoints are introduced for a variety of reasons—from the purpose of software testing to use as a connector to a third-party service. Issues arise when these API endpoints are not cataloged or managed properly. Businesses should be concerned about shadow APIs because they typically have access to sensitive information, but nobody knows where they exist or what they’re connected to. A single shadow API can lead to a compliance violation and regulatory fine, or worse, a motivated cybercriminal will abuse it to access an organization’s sensitive data.
  • Deprecated APIs: Deprecating an API endpoint is a natural progression in the software lifecycle. As a result, the presence of deprecated APIs is not uncommon, as software is updated at a rapid, continuous pace. In fact, Imperva estimates that deprecated APIs, on average, make up 2.6% of an organization’s collection of active APIs. When an endpoint is deprecated, the services that depend on it are updated and a request to the deprecated endpoint should fail. However, if those services are not updated and the API isn’t removed, the endpoint becomes vulnerable because it no longer receives the necessary patching and software updates.
  • Unauthenticated APIs: Often, unauthenticated APIs are introduced as a result of misconfiguration, oversight from a rushed release process, or the relaxation of a rigid authentication process to accommodate older versions of software. These APIs make up, on average, 3.4% of an organization’s collection of active APIs. The existence of unauthenticated APIs poses a significant risk to organizations as it can expose sensitive data or functionality to unauthorized users and lead to data breaches or system manipulation.

To mitigate the various security risks introduced by mismanaged APIs, conducting regular audits to identify unmonitored or unauthenticated API endpoints is recommended. Continuous monitoring can help detect any attempts to exploit vulnerabilities associated with these endpoints. In addition, developers should regularly update and upgrade APIs to ensure that deprecated endpoints are replaced with more secure alternatives.

How to Protect Your APIs

Imperva offers several recommendations to help organizations improve their API Security posture:

  1. Discover, classify, and inventory all APIs, endpoints, parameters, and payloads. Use continuous discovery to maintain an always up-to-date API inventory and disclose exposure of sensitive data.
  2. Identify and protect sensitive and high-risk APIs. Perform risk assessments specifically targeting API endpoints vulnerable to Broken Authorization and Authentication as well as Excessive Data Exposure.
  3. Establish a robust monitoring system for API endpoints to detect and analyze suspicious behaviors and access patterns actively.
  4. Adopt an API Security approach that integrates Web Application Firewall (WAF), API Protection, Distributed Denial of Service (DDoS) prevention, and Bot Protection. A comprehensive range of mitigation options offers flexibility and advanced protection against increasingly sophisticated API threats—such as business logic attacks, which are particularly challenging to defend against as they are unique to each API.
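As an added example (not code from the Imperva report or from the article), the audit described under the three mismanaged-API categories and in recommendations 1 and 3 can be approximated by reconciling an API inventory against observed traffic: endpoints seen in logs but absent from the inventory are shadow APIs, inventoried deprecated endpoints that still receive requests are deprecated-in-use, and auth-required endpoints that serve a credential-less request successfully are unauthenticated. The inventory, the log format and its `auth=` field are constructed assumptions for this example.

```python
import re

# Constructed API inventory (assumption): path -> lifecycle status and auth policy.
INVENTORY = {
    "/api/v2/accounts":  {"status": "active",     "auth_required": True},
    "/api/v2/transfers": {"status": "active",     "auth_required": True},
    "/api/v1/accounts":  {"status": "deprecated", "auth_required": True},
    "/api/v2/health":    {"status": "active",     "auth_required": False},
}

# Constructed access-log lines (sample data, not real traffic). The auth= field
# is an assumed gateway annotation recording the credential type presented.
LOG_LINES = """\
10.0.0.5 "GET /api/v2/accounts/123" 200 auth=bearer
10.0.0.5 "POST /api/v2/transfers" 201 auth=bearer
10.0.0.9 "GET /api/v1/accounts/123" 200 auth=bearer
10.0.0.9 "GET /api/v2/accounts/123" 200 auth=none
10.0.0.7 "GET /api/internal/export?all=1" 200 auth=none
10.0.0.7 "GET /api/v2/health" 200 auth=none
"""

LOG_RE = re.compile(r'^(\S+) "(\w+) (\S+)" (\d{3}) auth=(\w+)$')


def normalize(path):
    """Drop the query string and a trailing numeric resource ID so that
    /api/v2/accounts/123 is matched against the inventoried /api/v2/accounts."""
    path = path.split("?", 1)[0]
    return re.sub(r"/\d+$", "", path)


def audit(inventory, log_text):
    """Return the three finding sets the article's categories describe."""
    findings = {"shadow": set(), "deprecated_in_use": set(), "unauthenticated": set()}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        _src, _method, raw_path, status, auth = m.groups()
        path = normalize(raw_path)
        entry = inventory.get(path)
        if entry is None:
            findings["shadow"].add(path)  # traffic to an endpoint nobody catalogued
            continue
        if entry["status"] == "deprecated":
            findings["deprecated_in_use"].add(path)  # callers never migrated
        # A 2xx response to a request with no credential means the auth
        # requirement is not actually enforced on this endpoint.
        if entry["auth_required"] and auth == "none" and status.startswith("2"):
            findings["unauthenticated"].add(path)
    return findings
```

Run this on a full day of gateway logs rather than a handful of lines, and feed the shadow set back into the inventory so the next run flags only genuinely new endpoints.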

This article is a contributed piece from one of our valued partners.



NSA Admits Secretly Buying Your Internet Browsing Data without Warrants
http://www.indiavpn.org/2024/01/29/nsa-admits-secretly-buying-your-internet-browsing-data-without-warrants/

Jan 29, 2024 | Newsroom | Surveillance / Data Privacy


The U.S. National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order, U.S. Senator Ron Wyden said last week.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden said in a letter to the Director of National Intelligence (DNI), Avril Haines, in addition to taking steps to “ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.”

Metadata about users’ browsing habits can pose a serious privacy risk, as the information could be used to glean personal details about an individual based on the websites they frequent.

This could include websites that offer resources related to mental health, assistance for survivors of sexual assault or domestic abuse, and telehealth providers who focus on birth control or abortion medication.


In response to Wyden’s queries, the NSA said it has developed compliance regimes and that it “takes steps to minimize the collection of U.S. person information” and “continues to acquire only the most useful data relevant to mission requirements.”

The agency, however, said it does not buy and use location data collected from phones used in the U.S. without a court order. It also said it does not use location information obtained from automobile telematics systems from vehicles located in the country.

Ronald S. Moultrie, under secretary of defense for intelligence and security (USDI&S), said Departments of Defense (DoD) components acquire and use commercially available information (CAI) in a manner that “adheres to high standards of privacy and civil liberties protections” in support of lawful intelligence or cybersecurity missions.

The revelation is yet another indication that intelligence and law enforcement agencies are purchasing potentially sensitive data from companies that would necessitate a court order to acquire directly from communication companies. In early 2021, it was revealed the Defense Intelligence Agency (DIA) was buying and using domestic location data collected from smartphones via commercial data brokers.

The disclosure about the warrantless purchase of personal data arrives in the aftermath of the Federal Trade Commission (FTC) prohibiting Outlogic (formerly X-Mode Social) and InMarket Media from selling precise location information to their customers without users’ informed consent.

Outlogic, as part of its settlement with the FTC, has also been barred from collecting location data that could be used to track people’s visits to sensitive locations such as medical and reproductive health clinics, domestic abuse shelters, and places of religious worship.


The purchase of sensitive data from these “shady companies” has existed in a legal gray area, Wyden noted, adding the data brokers that buy and resell this data are not known to consumers, who are often kept in the dark about who their data is being shared with or where it is being used.

Another notable aspect of these shadowy data practices is that third-party apps incorporating software development kits (SDKs) from these data brokers and ad-tech vendors do not notify users of the sale and sharing of location data, whether it be for advertising or national security.

“According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to ‘government contractors for national security purposes,'” the Oregon Democrat said.

“I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industry-wide, and not limited to this particular data broker.”
