Issue 120: Video doorbells security flaws, intro to JWT attacks, security zines


This week, we take a look at the security issues in cheap video doorbells and security cameras, as well as tutorials and webinars on protecting APIs running in Kubernetes, JSON web tokens (JWT), and web and API authentication and authorization.

Oh, and we also have a link to DZone community awards where you can vote for this newsletter!

Vulnerability: Video doorbells and security cameras

Research teams from Florida Tech and NCC Group have, independently of each other, looked into the security of inexpensive video doorbells and security cameras. These devices are sold at Walmart, Amazon, Home Depot, Best Buy, to mention but a few.

The researchers concluded that most of the cheap devices on the market come from a handful of Chinese original design manufacturers (ODMs), using the same generic designs and components. This also means that issues found in one model are replicated in others.

The devices they looked at had multiple serious security issues, including built-in backdoors. Some of the issues found were API-related, too:

  • Communications are not encrypted.
  • Backend APIs are not protected with authentication.
  • There are REST APIs on cameras with hard-coded credentials.

You can find a quick summary of both research efforts in the GadgetGuy. For more details, see the full reports (links above).

Webinars: API Threat Protection in a Kubernetes World

In the world of microservice-based applications, every component is an API. As such, API security in the Kubernetes world is a lot more relevant than in the world of traditional applications.

Next Thursday, February 18th at 8 AM PST / 11 AM EST, Isabelle Mauny (42Crunch) gives a webinar on this exact topic.

For more details and to register, click here.

Videos: Attacking JWT for beginners

If you find the world of JSON Web Token (JWT) security hard, check out this quick introductory video by Farah Hawaa:

Technology 101: Security Zines

Security zines by Rohit Sehgal are fun, easy-to-grasp, comics-style explanations of web and API security.

The first one he has published explains some common authentication and authorization concepts:

  • Basic
  • Session-based
  • Token-based
  • JWT
  • OAuth

For example, here he is covering the OAuth Authorization Code grant:
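To make the JWT item above concrete from the defender's side, here is a small, added example (not code from the zines, the video, or this newsletter) of what a server should check before trusting a token: it signs and verifies HS256 tokens with only the Python standard library, pins the algorithm instead of trusting the header, compares signatures in constant time, and enforces `exp`. The secret, the claims and the clock value are constructed for the demo; the `demo()` function feeds the verifier three tokens that must be rejected (an unsigned `alg=none` token, a token whose payload was altered after signing, and an expired one) and one that must pass.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret; a real service loads a long random secret from a secrets store.
SECRET = b"demo-secret-not-for-production"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)  # restore the padding JWT strips
    return base64.urlsafe_b64decode(text + padding)


def _json_b64(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def sign_hs256(claims: dict, secret: bytes = SECRET) -> str:
    """Issue a compact JWT signed with HMAC-SHA256."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claims)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes = SECRET, now=None) -> dict:
    """Return the claims if the token is valid; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side: the header is attacker-controlled input,
    # so it must never choose the algorithm (this rejects alg=none outright).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_b64 + "." + payload_b64).encode(), hashlib.sha256).digest()
    # Constant-time comparison so signature checks do not leak timing information.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    # Require an expiry and enforce it; a token without exp is valid forever.
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


def _rejected(token: str, now) -> bool:
    try:
        verify_hs256(token, now=now)
        return False
    except ValueError:
        return True


def demo() -> dict:
    """Exercise the verifier with one good token and three that must fail."""
    now = 1_600_000_000  # constructed fixed clock so the demo is reproducible
    good = sign_hs256({"sub": "user-42", "exp": now + 600})
    header_b64, payload_b64, sig_b64 = good.split(".")
    results = {"valid": verify_hs256(good, now=now)["sub"]}
    # Negative test 1: header claims alg=none and carries an empty signature.
    unsigned = _json_b64({"alg": "none", "typ": "JWT"}) + "." + payload_b64 + "."
    results["alg_none"] = _rejected(unsigned, now)
    # Negative test 2: payload changed after signing, original signature kept.
    altered = _json_b64({"sub": "admin", "exp": now + 600})
    results["tampered"] = _rejected(header_b64 + "." + altered + "." + sig_b64, now)
    # Negative test 3: correctly signed but already expired.
    results["expired"] = _rejected(sign_hs256({"sub": "user-42", "exp": now - 1}), now)
    return results


if __name__ == "__main__":
    print(demo())
```

The three negative cases map directly onto the beginner-level JWT mistakes the video and zine are about: trusting the `alg` header, skipping or mis-comparing the signature, and not checking expiry. A production service would use a maintained JWT library, but it should still be configured with the same three constraints (explicit allowed algorithms, signature required, `exp` required).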

Vote for us!

DZone has nominated this newsletter (which they also republished) for their 2020 Contributor Awards.

If you have a minute and want to support us, please cast your vote here. This will help us further spread the word of API security.
