Issue 2: California IoT security law, GoDaddy & AWS vulnerabilities
GoDaddy's 2-step authentication API was found to be vulnerable. The API lacks rate limiting and does not impose a timeout after failed second-factor attempts, which opens the door to brute-force attacks on the second factor.
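The two missing controls, attempt limiting and a lockout timeout, as an added illustration (this is not GoDaddy's code; the class name, limits and the sample code value are assumptions):

```python
import hmac
import time

# Constructed example: a second-factor (OTP) verifier that enforces the two
# controls the GoDaddy API reportedly lacked. All names and numbers are
# assumptions chosen for illustration.
MAX_FAILED_ATTEMPTS = 5   # failures tolerated before the session is locked
LOCKOUT_SECONDS = 300     # how long a locked session refuses further attempts


class SecondFactorVerifier:
    def __init__(self, expected_code, clock=time.monotonic):
        self._expected = expected_code
        self._clock = clock        # injectable so tests can control time
        self.failed_attempts = 0
        self.locked_until = None

    def is_locked(self):
        return self.locked_until is not None and self._clock() < self.locked_until

    def verify(self, submitted_code):
        """Return 'ok', 'rejected' or 'locked' for one submitted code."""
        if self.is_locked():
            return "locked"        # refuse without even comparing the code
        if self.locked_until is not None:
            # the lockout has expired: start the user on a fresh attempt budget
            self.locked_until = None
            self.failed_attempts = 0
        # constant-time comparison so response timing does not leak how many
        # leading digits of a guess were right
        if hmac.compare_digest(submitted_code.encode(), self._expected.encode()):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = self._clock() + LOCKOUT_SECONDS
            return "locked"
        return "rejected"
```

With a six-digit code and five attempts per lockout window, an online guess is far less likely to succeed than against an endpoint that accepts unlimited attempts; the lockout should be keyed to the session or account, not to the client IP alone.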
AWS honeytokens, designed by Amazon to help security specialists attract attackers and detect attacks, turned out to be discoverable. The weakness is a combination of two factors. Certain failed AWS queries produce verbose error messages that include the Amazon Resource Name (ARN), and with it the information that the credential is a honeytoken. To make things worse, not all AWS services are covered by CloudTrail logging, so an attacker can issue the deliberately failing queries against those services to check whether the credentials they found are a honeytoken, and do so without being detected.
Legal / Compliance
The California Senate and Assembly passed new legislation on IoT security and the APIs exposed by smart devices. The law requires devices to have authentication and features that protect the device, and any information contained on it, from unauthorized access, destruction, use, modification, or disclosure. It takes effect on January 1, 2020.
Keith Casey from Okta talks about Cybersecurity in the API Economy. He posits that the three basic pillars of API security are:
- What: We expose only the interfaces we intend
- How much: We share and accept only the data we intend
- With whom: We grant access only to the people or systems we intend
He then looks into how API gateways and OAuth can help.
Jason Macy from Forum Systems argues APIs need to be secure by design by including:
- Centralized identity management,
- Real-time monitoring & security enforcement,
- Seamless cloud integration.
Shahid Mansuri writes about API Security in Internet of Things (IoT): “API security will be critical for defending the integrity of data transiting between IoT devices and backend software infra to make sure that only sanctioned devices, certified developers, and trustworthy apps are collaborating with APIs as well as spotting possible threats and attacks against particular APIs.”
API Security LinkedIn group launched. Join to read and submit API security-related news and opinions.