Issue 20: Drupal APIs hacked, EU releases IoT standards


This week we look into vulnerabilities at Uber and Drupal, the best practices from the ICANN DNS security checklist, the upcoming European IoT security standards, and more vulnerability stats from 2018.

Vulnerabilities

This is the worst API vulnerability of the year so far. Drupal‘s RESTful Web Services (rest), JSON:API, and other web services modules allowed executing arbitrary code remotely because the input data was not properly sanitized. Attackers are already exploiting the vulnerability to take over websites. If your site is running on Drupal, upgrade and patch it ASAP!

Uber has fixed an API vulnerability as well. One of their API endpoints didn’t have proper response sanitization. As result, the API was leaking client secrets and server tokens of all Uber apps. Attackers could acquire those and impersonate as a particular partner application.

Best Practices

DNS is a vital system because it determines which IP addresses requests are directed to. A successful DNS attack enables traffic redirection and man-in-the-middle attacks.

We have covered the DNS security directive of the US Department of Homeland Security (DHS) in our issue 16. Now ICANN (top level internet domain body) has spoken as well. They have issued a press release urging the world to switch to DNSSEC. ICANN also published a checklist for DNS security:

  • Ensure all system security patches have been reviewed and applied.
  • Review log files for unauthorized access to systems, especially for administrator access.
  • Review internal controls over administrator (root) access.
  • Verify the integrity of every DNS record, as well as the change history of those records.
  • Enforce sufficient password complexity, especially the minimum length of password.
  • Ensure that passwords are not shared with other users.
  • Ensure that passwords are never stored or transmitted in cleartext.
  • Enforce regular and periodic password changes.
  • Enforce a password lockout policy.
  • Ensure that DNS zone records are DNSSEC signed and your DNS resolvers perform DNSSEC validation.
  • Ideally ensure that multi-factor authentication is enabled to all systems, especially for administrator access.
  • Ideally ensure that your email domain has a DMARC policy with SPF or DKIM and that you enforce the policies provided by other domains on your email system.

Standards

European Telecommunications Standards Institute (ETSI) has released ETSI TS 103 645 standard for consumer IoT security. The key takeaways are:

  • No universal default passwords.
  • Implement a way to manage the reports of vulnerabilities.
  • Keep software updated.
  • Store credentials and other security-sensitive data securely.
  • Communicate securely.
  • Minimize exposed attack surfaces.
  • Ensure software integrity.
  • Ensure that personal data is always protected.
  • Make systems resilient to outages.
  • Examine system telemetry data.
  • Make it easy for consumers to delete their personal data.
  • Make the installation and maintenance of devices easy.
  • Validate all input data.

Trends

EdgeScan has released their 4th annual Vulnerability Stats Report. Here are some stats from 2018 that they are seeing:

  • Approximately 20% of vulnerabilities are web and API-related.
  • For web applications, roughly 15% of vulnerabilities are cross-site scripting (XSS) and 6% are SQL injections.
  • Around 45% of vulnerabilities in infrastructure are caused by outdated or misconfigured TLS/SSL.

Subscribe to this weekly newsletter at https://APIsecurity.io


Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy