Issue 253: Breached companies face litigation, SQL injection in Cisco APIs, API Security for Automotive & Finance


This week, we look at the growing number of penalties that companies can now face in the event of a data breach. We also learn about critical API vulnerabilities discovered in Cisco and Traccar products. VicOne recently published a white paper on automotive API security, and we also want to highlight a LinkedIn post on the crucial role of APIs in the financial sector.

Article: Costly Breaches at National Public Data and T-Mobile 

National Public Data (NPD) in the US has been in the news recently due to a massive data breach. A report by BiometricUpdate.com indicates a breach that includes 272 million Social Security numbers. While the cause of the breach remains unclear, a recent update from KrebsOnSecurity suggests that a sister site to NPD may have accidentally published its own site passwords in a publicly accessible file.

The company is now facing multiple class action lawsuits claiming that NPD: “failed to properly secure and safeguard the PII that it collected and maintained as part of [its] regular business practices.”

In addition to the allegation of failing to protect customers’ PII, the company has also been criticized for its lack of transparency and failure to notify victims of the risk in a timely manner. This is another potential pitfall for companies, as different industries, from finance to healthcare, have different reporting requirements, and some are more stringent than others. For example, under the HIPAA Breach Notification Rule, organizations that handle U.S. citizens’ health data must notify affected individuals within 60 days. Companies that delay notifying their customers can face additional penalties.

Meanwhile, T-Mobile is facing its own data breach issues. According to a report in The Cyber Express, the Committee on Foreign Investment in the United States (CFIUS) recently fined T-Mobile $60 million for “not taking adequate measures to prevent unauthorized access to sensitive data and reporting incidents in a timely manner”.

So, once again, a company is being penalized both for its lack of adequate cybersecurity and for failing to report the incidents to regulators and the victims of the breach. 

Both cases should encourage companies to review existing cybersecurity controls to protect customer data, as well as the tools and processes in place to report incidents to the right people in a timely manner.

Vulnerability: Blind SQL Injection discovered in Cisco APIs

A Cisco security advisory highlights multiple API vulnerabilities discovered in Cisco’s Identity Services Engine (ISE) product, exposing the tool to blind SQL injection attacks. 

In a traditional SQL injection attack, the API is tricked into leaking unauthorized data directly from the SQL database. In a blind SQL injection attack, the API doesn’t leak data directly. Instead, the attacker sends carefully crafted true-or-false questions to the database and infers the data one answer at a time.

This means that it takes a bit more work for an attacker to pull off a blind injection attack. Rate-limiting the API can also help mitigate the risk by limiting the number of true or false questions an attacker can submit.

However, for both types of SQL injection, the vulnerability usually stems from insufficient validation of user-supplied input. It is the responsibility of API developers to adopt secure development practices and validate user input so that only expected API data is accepted.
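The three mitigations the two paragraphs above mention (parameterized queries, allow-list validation at the API boundary, and rate limiting of yes/no probes) are shown together below. This is an added example written for this newsletter, not code from Cisco ISE or from the advisory; the device table, the secrets in it, and the `lookup_endpoint` handler are constructed for illustration.

```python
import re
import sqlite3
from collections import defaultdict, deque


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an in-memory table standing in for the
    database behind a hypothetical device-lookup endpoint."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE devices (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO devices (name, secret) VALUES (?, ?)",
        [("gateway-01", "constructed-secret-a"), ("gateway-02", "constructed-secret-b")],
    )
    return conn


def device_exists_vulnerable(conn: sqlite3.Connection, name: str) -> bool:
    """Defective: the caller's value is spliced into the SQL text, so the
    caller can rewrite the WHERE clause. The endpoint returns only yes/no,
    which is exactly the 'true or false question' a blind attack relies on."""
    sql = f"SELECT 1 FROM devices WHERE name = '{name}'"
    return conn.execute(sql).fetchone() is not None


def device_exists_safe(conn: sqlite3.Connection, name: str) -> bool:
    """Hardened: parameter binding sends the value separately from the
    statement, so it is only ever compared as data, never parsed as SQL."""
    row = conn.execute("SELECT 1 FROM devices WHERE name = ?", (name,)).fetchone()
    return row is not None


# Allow-list for the device-name parameter (assumed format for this example).
DEVICE_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def is_valid_device_name(name: str) -> bool:
    """Validation at the API boundary: accept only the shape a device name
    is expected to have, before the value reaches the database layer."""
    return DEVICE_NAME_RE.fullmatch(name) is not None


class RateLimiter:
    """Sliding-window limiter: at most max_requests per client per window.
    Caps how many true/false probes a single client can submit."""

    def __init__(self, max_requests: int, window_seconds: float) -> None:
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        # Drop timestamps that have fallen out of the window.
        while hits and hits[0] <= now - self.window:
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


def lookup_endpoint(conn, limiter: RateLimiter, client_id: str, name: str, now: float) -> dict:
    """The three controls applied in the order a request handler would use:
    throttle first, reject malformed input second, query with binding last."""
    if not limiter.allow(client_id, now):
        return {"status": 429}
    if not is_valid_device_name(name):
        return {"status": 400}
    return {"status": 200, "exists": device_exists_safe(conn, name)}


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR 1=1 --"  # a tautology: no such device, yet the defective query says "yes"
    print("vulnerable:", device_exists_vulnerable(db, probe))
    print("safe:      ", device_exists_safe(db, probe))
    print("endpoint:  ", lookup_endpoint(db, RateLimiter(3, 60), "client-a", probe, 0.0))
```

Note that the parameterized query alone closes the injection; the allow-list and the limiter are defence in depth, and the limiter in particular only slows a blind attack rather than stopping it, which is why the text above calls it a mitigation rather than a fix.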

The vulnerable Cisco ISE product is described as “the industry-leading tool for ultimate visibility into every device on your network”. Critically, API attacks against this kind of network management device can expose other parts of the system to attacks. Similarly, SQL injection vulnerabilities have also been discovered in the F5 BIG-IP Next device.

You can read more technical details about the issues and solutions in our in-depth analysis in this article: The Scourge of SQL Injection for APIs

Vulnerability: API flaw exposes Traccar GPS system to remote attacks

According to a report by Cyber Security News, a critical API vulnerability has been discovered in the open-source GPS tracking system Traccar. A new API endpoint allowed users to upload image files to the Traccar system. However, user input was not properly validated or sanitized, exposing the API to path traversal attacks.

The vulnerability report outlines the potential impact of an exploit:

“Attackers have full control over the file contents, full control over the directory where the file is stored, full control over the file extension, and partial control over the file name”.

A path traversal attack typically tricks a vulnerable API into uploading or downloading a file from an unexpected location on the API server file system. The attack works by injecting special patterns into the API input, such as “../”. This causes a vulnerable API to switch to a parent directory on the server, giving the malicious user control over where the API accesses files from. 

A path traversal vulnerability occurs when an API does not properly validate user input and allows malicious patterns. In the case of Traccar, the vulnerability could be exploited through two parameters in the API request: a device uniqueId property and a Content-Type header.
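To make the two-parameter point concrete, the example below builds an upload path from a device identifier and a Content-Type header, first in the unvalidated shape the report describes and then with the checks a hardened endpoint should apply: an allow-list for the identifier, an allow-list mapping media types to extensions, and a final containment check on the normalized path. This is an added illustration, not Traccar’s code; the `/srv/uploads` root, the `image.<ext>` file name and the accepted media types are assumptions for the example.

```python
import os
import re

# Assumed upload root for this example; not Traccar's real layout.
UPLOAD_ROOT = "/srv/uploads"

# Allow-list: the only Content-Type values accepted, and the extension each one gets.
ALLOWED_TYPES = {"image/png": ".png", "image/jpeg": ".jpg", "image/gif": ".gif"}

# Device identifiers: a short token of safe characters, nothing else.
UNIQUE_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def path_is_under_root(path: str, root: str = UPLOAD_ROOT) -> bool:
    """True when the normalized path lies strictly inside root."""
    norm_root = os.path.normpath(root)
    norm_path = os.path.normpath(path)
    return norm_path != norm_root and os.path.commonpath([norm_root, norm_path]) == norm_root


def unchecked_upload_path(unique_id: str, content_type: str, root: str = UPLOAD_ROOT) -> str:
    """Shape of the flaw described in the report (simplified reconstruction,
    not Traccar's code): the identifier becomes a directory name and the media
    subtype becomes the extension, with neither value validated. A '../' in
    the identifier walks out of the upload root."""
    ext = content_type.split("/", 1)[1] if "/" in content_type else "bin"
    return os.path.normpath(os.path.join(root, unique_id, "image." + ext))


def resolve_upload_path(unique_id: str, content_type: str, root: str = UPLOAD_ROOT) -> str:
    """Hardened version: reject anything not on the allow-lists, then confirm
    the resulting path is still inside the upload root."""
    if not UNIQUE_ID_RE.fullmatch(unique_id):
        raise ValueError("device id must be 1-64 characters of [A-Za-z0-9_-]")
    # Ignore parameters such as '; charset=...' and normalize case before lookup.
    media_type = content_type.split(";", 1)[0].strip().lower()
    ext = ALLOWED_TYPES.get(media_type)
    if ext is None:
        raise ValueError(f"unsupported content type: {media_type!r}")
    candidate = os.path.normpath(os.path.join(root, unique_id, "image" + ext))
    # Defence in depth: the allow-lists above already make escape impossible,
    # but re-check containment so a later change to them cannot silently reopen it.
    if not path_is_under_root(candidate, root):
        raise ValueError("resolved path escapes the upload root")
    return candidate


def accepts(unique_id: str, content_type: str) -> bool:
    """Convenience wrapper: would the hardened endpoint accept this request?"""
    try:
        resolve_upload_path(unique_id, content_type)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed request values: a benign one and one carrying a traversal pattern.
    for device_id, ctype in [("device-42", "image/png"), ("../../etc", "image/x")]:
        print("unchecked:", unchecked_upload_path(device_id, ctype))
        print("hardened: ", "accepted" if accepts(device_id, ctype) else "rejected")
```

The containment check uses `os.path.commonpath` on normalized paths rather than a string prefix test, so a root of `/srv/uploads` is not fooled by a sibling directory such as `/srv/uploads-old`.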

Reliance on open source software (OSS) carries the risk of security vulnerabilities. The Traccar team is certainly to be commended for devoting time and effort to developing and sharing its source code. However, any individual or company that chooses to leverage OSS to provide services to their customers should take extra precautions to verify, and if necessary implement, adequate security.

Too often, OSS risk is measured by CVEs found in the code. This is helpful but does not cover the full range of API vulnerabilities that may be latent in the code. Development teams relying on OSS should be required to perform a thorough review and audit of the APIs defined and implemented by OSS, to locate and remove vulnerabilities.  

Something to watch out for in your own API development. 

Article: Safely integrating APIs in the automotive ecosystem

Nowadays all kinds of technologies and services are integrated using APIs to provide exciting new features and capabilities. The security of these systems depends heavily on the integrity of the data transmitted between trusted API connections. A single weak point can expose the entire system to a breach.

One of the most recent API vulnerabilities introduced in the OWASP 2023 API Top 10 list is “Unsafe Consumption of APIs”. From the OWASP release notes:

We added “Unsafe Consumption of APIs” to address something we’ve started seeing: attackers have started looking for a target’s integrated services to compromise those, instead of hitting the APIs of their target directly. This is the right time to start creating awareness about this increasing risk.

This risk from integrated services is widespread in the automotive industry. A recent article by Ling Cheng of Trend Micro subsidiary VicOne describes the complexity of API connections powering modern vehicles, including between embedded subsystems, mobile apps and SaaS applications from the auto manufacturer and various component suppliers. 

Each of these API connections represents a potential weak point that an attacker can exploit to compromise any other part of the system. Ling’s article shares recommendations for managing API security risks in such an expansive automotive ecosystem. VicOne has also published a white paper on the topic that includes real world examples.

Definitely worth a read.

Article: How APIs facilitate financial regulatory compliance

The term “financial grade security” is synonymous with the highest standards in API security. It is also used outside of the financial sector, and in fact the working group formerly known as “Financial Grade API” was renamed FAPI to reflect the fact that API security frameworks from the financial sector can be positively applied in other industries.

One reason why financial security is considered a gold standard is that financial institutions must comply with strict regulations regarding cybersecurity, consumer data protection, and data access. APIs play a vital role in this compliance.

The Financial Data Access (FiDA) framework mandates the sharing of customer data between institutions, and APIs provide the standard interfaces to facilitate this data sharing. This brings APIs within the scope of other financial regulatory frameworks such as Digital Operational Resilience Act (DORA) which mandates resilience to cyberattacks. 

If you’re interested in learning more about the role of APIs in the financial sector, I recommend this recent article by David Roldán Martínez on LinkedIn. In it, he calls APIs the “backbone of compliance” and describes in detail how APIs help organizations meet the stringent security and integration requirements of FiDA and DORA.

Great insights from David on the topic of financial APIs. 
