Category Archives: OWASP

The Ripple Effect of API Breaches: Analyzing Business Consequences and Mitigation Strategies

Posted on by
Reply

 

Businesses rely heavily on Application Programming Interfaces (APIs) for seamless communication and data exchange, the stakes have never been higher. API breaches can lead to significant vulnerabilities, affecting not only the targeted organization but also their customers and partners. Understanding the causes and consequences of these breaches is essential for any business operating in a connected world.

Nodes

High-profile incidents, such as the T-Mobile and Dropbox API breaches, have demonstrated the ripple effect these security lapses can have across various industries, from financial services to healthcare and e-commerce. The repercussions can be devastating, ranging from substantial financial losses to lasting damage to an organization’s reputation. As companies navigate this complex landscape, they must recognize that an API breach is much more than just a technical issue—it can alter the course of a business’s future.

This article will delve into the nature of API breaches, explore the consequences they bear on different sectors, and analyze effective mitigation strategies that can enhance API security. By examining key case studies and extracting valuable lessons, we will equip businesses with the knowledge and tools necessary to protect themselves from the ever-evolving threat of API breaches.

Understanding API Breaches

API breaches have emerged as a significant threat in today’s digital landscape. They are becoming the largest attack vector across various industries, including telecommunications and technology. In 2022 alone, these security breaches resulted in estimated financial losses ranging from $12 billion to $23 billion in the US and up to $75 billion globally. Notable incidents, such as T-Mobile’s exposure of over 11.2 million customer records, underline the severe repercussions of API vulnerabilities, leading to costs exceeding $140 million for the company.

The business impact of API breaches goes beyond financial losses, extending to reputational damage and loss of customer trust. Malicious actors often exploit API vulnerabilities to gain unauthorized access to sensitive customer information such as email addresses, social security numbers, and payment card details. This surge in API attacks and ransomware incidents underscores the need for a proactive approach in API security.

Effective API security involves regular updates, patch management, automated vulnerability scans, and continuous monitoring. It’s crucial to safeguard against evolving threats, as malicious code and sophisticated attacks are increasingly targeting application programming interfaces. Organizations must also conduct regular security audits and incorporate strong authentication measures like multi-factor authentication to bolster their security posture.

Definition of APIs

Application Programming Interfaces (APIs) are essential for modern software interactions, facilitating the seamless sharing of a company’s most valuable data and services. They enable communication between diverse software applications, forming the backbone of interconnected and efficient digital ecosystems. The rapid growth in the number of APIs—with a 167% increase over the last year—highlights their expanding role in technology.

As APIs continue to proliferate, they have also become a significant target for cyber threats. The widespread adoption of APIs has posed new challenges, with API security breaches disrupting the technological landscape. It’s imperative for organizations to integrate robust API security measures as APIs emerge as the predominant attack vector in cybersecurity incidents.

Common causes of API breaches

Unprotected APIs are at the forefront of security vulnerabilities, becoming the largest attack vector as predicted by Gartner. One of the common causes of API breaches is the lack of visibility into unsecured APIs, allowing attackers to exploit these gaps without detection. Organizations often fail to implement a strong governance model, resulting in inconsistent coding practices and inadequate security measures during API development.

Breaches frequently occur due to the poor protection of sensitive data. For instance, exposing an AWS S3 bucket without a password can lead to unauthorized access to sensitive information. Such oversights signal a need for improved security practices in managing API access. Even minor breaches pose significant threats, as exposed API tokens and source code can permit attackers to exploit security vulnerabilities and potentially infiltrate more sensitive areas of a network.

To mitigate these risks, organizations should focus on regularly auditing their API endpoint security, enforcing security policies, and employing encryption methods to protect data in transit and at rest. Additionally, leveraging third-party services for monitoring API usage and potential weak points can significantly enhance an organization’s overall security posture in the face of an increasingly complex threat landscape.

High-Profile API Breaches

In recent years, the business impact of API breaches has become increasingly visible, with widespread security incidents causing significant financial and reputational harm. According to a study, 92% of surveyed organizations reported experiencing at least one API security incident in the last 12 months. The economic ramifications are substantial, with API breaches in 2022 alone resulting in financial losses estimated between $12–$23 billion in the US and $41–$75 billion globally. These figures highlight the immense threat landscape that organizations must navigate.

One notable incident was the Optus API breach, where attackers exploited a publicly exposed API lacking authentication. This oversight led to the exposure of sensitive customer data, emphasizing the critical importance of securing endpoints. Mitigation strategies such as implementing multi-factor authentication (MFA) and conducting regular security updates can significantly enhance an organization’s security posture against such threats. Moreover, exposed API tokens present severe risks, as they allow unauthorized access and actions, underscoring the need for robust security measures.

Case Study: T-Mobile Breach

In January 2023, T-Mobile faced a significant security incident when a malicious actor exploited an API to access personal data from approximately 37 million customer accounts over a six-week period. The breach exposed customer names, email addresses, phone numbers, birthdates, account numbers, and service plan features, affecting both prepaid and subscription customers. While T-Mobile assured that social security numbers, passwords, credit card information, and financial details remained secure, the incident still posed considerable security risks.

The leaked information, such as phone numbers and email addresses, increased the risk of social engineering attacks like sophisticated phishing attempts. Since 2018, T-Mobile has experienced multiple security incidents, highlighting their ongoing vulnerability and the critical need for a proactive approach to API security.

Case Study: Dropbox Breach

On November 1, 2022, Dropbox suffered a breach resulting from a phishing scam that compromised its internal GitHub code repositories. The attack began when threat actors deceived Dropbox employees into entering their GitHub credentials and a One-Time Password on a fake CircleCI page. Although no user data was accessed, 130 GitHub repositories containing sensitive API keys and user data were compromised.

The Dropbox incident was uncovered on October 14, following a GitHub alert about suspicious activities dating back to October 13. Despite the fortunate absence of unauthorized access to user data, the breach underscored the vulnerabilities associated with social engineering attacks and the importance of vigilant security posture and regular security audits.

In conclusion, these high-profile API breaches illustrate the severe consequences organizations face when they fall victim to sophisticated API attacks. To protect sensitive customer data and maintain customer trust, companies must adopt a proactive approach to API security. This includes regular security audits, robust endpoint protection, and enhanced authentication mechanisms to safeguard against unauthorized access and mitigate the risk of reputational damage.

Consequences of API Breaches for Businesses

API breaches represent a significant threat to businesses, exposing sensitive data and inflicting substantial financial, reputational, and regulatory damage. These vulnerabilities, if left unchecked, can be exploited by malicious actors who exploit security gaps to gain unauthorized access to critical systems and databases. Let’s explore the multi-faceted consequences of API breaches and learn lessons from real-world incidents.

Financial losses

The financial repercussions of API breaches can be catastrophic. In 2022, breaches in the United States alone resulted in losses estimated between $12–$23 billion, while globally, the impact ranged from $41–$75 billion. Notable incidents like the Clop ransomware gang’s exploitation of MOVEit Transfer software demonstrate how these security incidents can cost organizations between $75 million and $100 million in extortion alone. Moreover, the Kronos API hack underscores the potential for direct financial losses, with approximately $25 million siphoned from a single cryptocurrency trading firm.

Organizations must also shoulder the costs of forensic audits, customer notifications, and implementation of technical fixes following breaches. These expenses add to the financial strain, as does the need to manage additional costs associated with evolving work environments. For instance, according to IBM’s findings, data breaches related to remote work cost companies around $1 million more than those without remote operations. The financial impact of API vulnerabilities is undoubtedly severe, underscoring the necessity for robust security measures.

Reputational damage

In addition to financial losses, API breaches can severely harm a business’s reputation. When insider data theft occurs, as seen in Tesla’s case, the disclosure of confidential information and potential for a $3.3 billion fine due to inadequate data protection can significantly damage a company’s public image. Similarly, the 2022 data breach at Optus resulted in the exposure of personal information of approximately 2.1 million customers, eroding consumer trust and harming the company’s reputation.

T-Mobile’s history of security incidents is a cautionary tale — a recent API breach exposed 11.2 million customer records, further deteriorating customer confidence and trust. When customer records, email addresses, or sensitive data like social security numbers are compromised, the fallout is swift and severe, often leading to business losses as customers choose more secure alternatives. Regulatory breaches and supply chain attacks add to the perception that an organization cannot safeguard its stakeholders’ data.

Regulatory consequences

Regulatory bodies impose stringent requirements on organizations regarding data protection and timely breach notifications. The failure to adhere to these regulations can result in hefty fines and even potential prison sentences for those responsible. High-profile API breaches have exposed millions of user records due to inadequate security measures, attracting significant penalties and lawsuits.

For example, the Optus data breach involved an unsecured API, leading to an attempted $1 million extortion threat. Such incidents highlight the necessity for a proactive approach in aligning with evolving regulatory standards to mitigate risks associated with data breaches. Organizations must prioritize protecting sensitive data like customer names, credit cards, and social security numbers. Non-compliance not only results in legal and financial consequences but also compels businesses to face rigorous scrutiny from watchdogs and the public alike.

The complex and ever-evolving threat landscape necessitates a vigilant and proactive stance on API security. Businesses must invest in regular security audits and enhance their security posture to safeguard against sophisticated attacks by threat actors. By learning from past incidents and implementing comprehensive security measures, organizations can protect themselves from the dire consequences of API breaches.

The Impact on Different Industries

API breaches have highlighted a significant and growing threat across various industries, with reported incidents increasing by a staggering 681% within a single year. This sharp rise underscores the crucial vulnerabilities present in the interconnected systems many sectors rely upon. Notably, the telecom industry has experienced a substantial uptick in data breaches due to unprotected APIs, signaling an urgent call for enhanced security measures in highly interconnected environments. Real-world incidents demonstrate that the average time for detecting and responding to these breaches stands at 212 days. This delay presents a major challenge for organizations focused on minimizing both financial and reputational damage. According to a joint study, 60% of organizations reported experiencing an API-related breach, reflecting pervasive security struggles in safeguarding digital assets. Beyond immediate security concerns, these vulnerabilities often translate to prolonged business disruptions, eroding user trust and tarnishing organizational credibility.

Financial Services

The financial sector is particularly vulnerable to cyberattacks due to the high value of stored data and ongoing digital transformation efforts, which open more attack vectors. Financial institutions must learn from past breaches to avoid similar pitfalls, given the enormous financial repercussions. API-related breaches have cost the industry an estimated $12–$23 billion in the US and up to $75 billion globally. A strong software engineering culture, including conducting blameless postmortems, can aid in effective breach responses and bolster system security. Implementing a robust API governance model is essential to mitigate vulnerabilities and promote consistent API design and coding practices across organizations in this sector.

Healthcare

In 2023, a significant ransomware attack on Change Healthcare brought to light the critical need for stringent security measures in the healthcare sector. Such incidents disrupt operations and compromise patient records, emphasizing the strategic target healthcare providers present to cybercriminals. These attacks cause operational disruptions and delays in essential services like payment processing. Collaborative efforts across industries are crucial for enhancing shared knowledge and forming unified strategies against evolving AI-related and cybersecurity threats. Comprehensive training and awareness are fundamental for healthcare staff at all levels to tackle unique cybersecurity challenges. As the AI landscape evolves, healthcare organizations must adopt a forward-thinking approach and allocate adequate resources for robust security protocols to safeguard sensitive data and ensure uninterrupted service.

E-commerce

E-commerce data breaches have now overtaken those at the point of sale, signaling a shift in vulnerabilities as online shopping increasingly dominates the market. The financial implications of such breaches are also rising, posing significant risks to businesses in this sphere. A prevalent issue is the alarming lack of corporate self-awareness about cybersecurity practices, leaving many companies vulnerable to breaches. These incidents can expose personal data, heightening risks such as identity theft and spam for affected users. Many breaches, often linked to API vulnerabilities, could be prevented with proper security measures, such as firewalls and rigorous authorization strategies. Businesses must focus on proactive practices to secure sensitive customer data and protect their operations from malicious actors.

Mitigation Strategies for API Security

With the rise of cyber threats targeting Application Programming Interfaces (APIs), businesses must adopt robust mitigation strategies to safeguard customer names, email addresses, social security numbers, payment card details, and other sensitive customer data from unauthorized access. A comprehensive and proactive approach to API security can significantly reduce the risk of security breaches, reputational damage, and financial loss.

Implementing API governance

Implementing a strong API governance model is vital for ensuring security and consistency in API development. A well-defined governance framework mandates the documentation and cataloging of APIs, which helps mitigate risks associated with third-party services and unauthorized parties. By adopting API governance, organizations ensure that their security teams follow best practices, such as regular security audits, from project inception through completion. Governance also includes blameless postmortems to learn from security incidents without assigning blame, thereby improving overall security practices and reducing API vulnerability.

Establishing proactive monitoring

Proactive monitoring is crucial for identifying suspicious activities and unauthorized access in real-time, enabling businesses to respond swiftly to API attacks. Continuous monitoring systems and threat detection tools provide immediate alerts to security teams about potential threats, such as malicious actors or sophisticated attacks. This approach includes routine audits, vulnerability scans, and penetration tests to assess security posture and detect API vulnerabilities. By maintaining a comprehensive overview of user activities, organizations can swiftly address anomalies and enhance their overall cybersecurity posture against threat actors and supply chain attacks.

Conducting employee training

Human factors often pose significant risks to API security, making employee training indispensable. Regular cybersecurity training empowers employees to recognize potential threats, such as social engineering attacks, and prevent data breaches like those experienced by companies such as Experian. Training programs should focus on cyber threat awareness and provide practical insights into avoiding common mistakes leading to data exposure, like those observed in the Pegasus Airlines incident. By conducting regular security audits and reinforcing knowledge on best practices, organizations enhance their defenses and ensure that employees contribute to a secure environment, minimizing the impact of ransomware attacks and malicious code.

Implementing these strategic initiatives—strong governance, vigilant monitoring, and continuous education—ensures that businesses maintain a resilient defense against the evolving threat landscape surrounding APIs.

Lessons Learned from Past Breaches

API breaches have become a pressing concern for businesses worldwide, impacting everything from customer trust to financial stability. Real-world incidents provide valuable lessons that organizations must heed to fortify their cybersecurity defenses.

One prominent case, the Parler API hack, underscores the critical nature of requiring authentication for data requests. The absence of such measures led to catastrophic data exposure. Similarly, the Clubhouse API breach highlighted that exposing APIs without adequate authentication can lead to severe vulnerabilities, allowing unauthorized parties access to sensitive customer information.

Another significant incident involved Optus, where an unsecured API endpoint was exposed on a test network connected to the internet. This oversight resulted in a large-scale data breach and attempted extortion, underscoring the need for robust API management visibility. These incidents demonstrate the necessity for organizations to maintain continuous cybersecurity diligence through regular security audits and proactive approaches to identify and address API vulnerabilities.

The alarming increase in API security breaches, with 41% of organizations facing such incidents annually, calls for vigilant monitoring and enhancement of security posture to protect against sophisticated attacks by threat actors operating within today’s dynamic threat landscape. In summary, organizations must learn from past security incidents to anticipate and mitigate future risks.

Key Takeaways from T-Mobile Breach

In January 2023, T-Mobile confronted a significant security breach that exposed the personal data of approximately 37 million customers. This information included names, birthdates, billing and email addresses, phone numbers, and account details. Although more sensitive information like passwords, social security numbers, and credit cards were fortunately not compromised, the breach posed serious risks for identity theft and phishing attacks through exposed email addresses and contact details.

The breach was traced back to unauthorized access via a single API that went unnoticed for around six weeks. This oversight revealed substantial vulnerabilities in T-Mobile’s API management and security protocols. Specifically, the incident emphasized the necessity for stronger security measures targeting prepaid and subscription accounts, as these were predominantly affected.

The T-Mobile breach reinforces the importance of effective API cataloging and protection to prevent unauthorized access and potential data breaches. Businesses must regularly audit their API frameworks and implement robust security measures as a proactive approach to safeguarding sensitive customer information.

Key Takeaways from Dropbox Breach

The Dropbox breach, which surfaced on November 1, 2022, marked another significant incident involving APIs. Initiated through a sophisticated phishing scam, the attack prompted employees to unwittingly share their GitHub credentials. This breach led to unauthorized access to 130 internal GitHub repositories containing sensitive API keys and user data.

Detected on October 14, 2022—just one day after suspicious activities began—the breach was flagged by GitHub, highlighting the essential role of timely incident detection. The phishing attack involved deceptive emails impersonating the CircleCI platform, showcasing advanced social engineering tactics by malicious actors.

Although the breach’s severity was notable, there was no evidence that user data was accessed or compromised, mitigating potential damage to Dropbox’s user base. This situation underscores the critical need for organizations to train employees on identifying and defending against social engineering attacks while reinforcing internal security teams’ response protocols to swiftly address potential threats.

Future Trends in API Security

As the digital landscape evolves, so does the reliance on APIs, particularly as distributed systems and cloud-native architectures gain ground. A staggering 92% of organizations surveyed reported experiencing at least one API security incident in the last year. This highlights the increasing frequency and severity of these vulnerabilities. It’s imperative that companies adapt their security measures to manage these evolving threats effectively, with continuous monitoring and automated scanning becoming essential components of a robust API security strategy.

One telling example is the Twitter API breach, which underscored how API vulnerabilities can severely impact user trust and platform reputation. This incident illustrates the crucial need for efficient vulnerability detection and response mechanisms. As APIs continue to evolve in complexity and usage, the necessity for a proactive security posture will only intensify.

Evolving Cyber Threats

Cyber threats are growing more sophisticated, as shown by notorious incidents such as the 2020 US government data breach that targeted multiple agencies. This attack raised alarms globally, emphasizing the perilous nature of modern cybersecurity threats. In 2022, Roblox faced a data breach exposing user data, which is particularly concerning given the platform’s popularity among children. Similarly, the ChatGPT data leak in 2023 highlighted the difficulties in securing new technologies and underscore the need for continuous security protocol updates.

These incidents illustrate that cyber threats are evolving at an unprecedented pace. Organizations must adopt a proactive approach by investing in cutting-edge security technologies and fostering a culture of awareness. This includes adopting advanced defense mechanisms and continuously updating their threat landscape assessments to stay ahead of potential vulnerabilities.

The Role of AI in API Security

Artificial Intelligence is revolutionizing how organizations protect their API systems. By enhancing threat detection capabilities, AI enables continuous real-time monitoring, identifying unauthorized access, or suspicious behaviors effectively. AI-driven defense systems allow businesses to anticipate threats and proactively counteract potential breaches.

Furthermore, AI supports security teams by streamlining audits and vulnerability assessments, pinpointing deficiencies in API implementations that could lead to breaches. However, it is vital to note that while AI bolsters security defenses, it can also empower malicious actors to execute sophisticated attacks. This dual nature necessitates an equally sophisticated and adaptive protective strategy to effectively safeguard sensitive customer data, including email addresses and payment card information.

Best Practices for Staying Ahead of Threats

To maintain a strong defense against API vulnerabilities, organizations should adopt the following best practices:

  • Automated Vulnerability Scans: Regular automated scans are crucial for identifying and addressing potential security gaps timely.
  • Strong Authentication Protocols: Implement stringent authentication measures to ensure only authorized parties can access API functions.
  • Comprehensive API Inventory: Keep a detailed record of all APIs to ensure all endpoints are accounted for and appropriately secured.
  • Continuous Monitoring: Continual oversight is essential for detecting and mitigating threats before they escalate into serious security incidents.
  • Regular Security Audits and Penetration Tests: Conduct frequent audits and tests to dynamically assess and improve the security posture.

Utilizing AI-infused behavioral analysis further enhances these best practices, enabling organizations to identify and block API threats in real time. By adopting a proactive approach, companies can safeguard sensitive customer data such as social security numbers, email addresses, and credit cards from unauthorized access, thus ensuring robust protection against potential malicious code or supply chain attacks.

Get Help from MicroSolved

MicroSolved offers robust solutions to bolster your organization’s API security posture. One key strategy is implementing secure secrets management solutions to securely store API keys, tokens, and credentials. This helps minimize risk if a breach occurs, by preventing exposure of sensitive information.

Continuous monitoring and threat detection tools from MicroSolved can identify unauthorized access or suspicious behavior in real-time. This proactive approach allows you to address threats before they escalate, safeguarding your customer records, such as email addresses and social security numbers, from unauthorized access and malicious actors.

Regular security audits of your APIs are essential for identifying vulnerabilities and weaknesses, especially when integrating with third-party services. MicroSolved can assist in conducting these audits, reducing the risk of security breaches.

A strong software engineering culture is crucial for improving your API security processes. MicroSolved encourages adopting a governance framework for API development. This not only enforces consistent design and coding practices but also reduces the chance of high-profile API breaches.

Whether faced with sophisticated attacks or API vulnerability exploitation, MicroSolved provides the expertise to protect your assets from threat actors in today’s dynamic threat landscape.

Contact MicroSolved today for assistance with your API security posture. Email: info@microsolved.com. Phone: +1.614.351.1237

 

 

* AI tools were used as a research assistant for this content.

 

Strengthening Your Digital Front Door: Best Practices for API Security Assessments

Posted on by
Reply

APIs (Application Programming Interfaces) are the building blocks of modern applications and digital ecosystems. They enable applications to communicate seamlessly, power integrations, and drive innovation. However, as APIs become the backbone of interconnected systems, they also become high-value targets for cybercriminals. A single vulnerability can open the door to devastating breaches. This is why API security assessments are not just a best practice—they’re a business imperative.

APISec

Why API Security Assessments Are Critical

APIs are highly versatile, but their flexibility and connectivity can make them vulnerable. Common threats include:

  • Injection Attacks: Attackers can exploit unvalidated input to inject malicious commands.
  • Broken Authentication: Weak authentication mechanisms can allow unauthorized access.
  • Data Exposure: Misconfigured APIs often inadvertently expose sensitive data.
  • Rate Limiting Issues: APIs without proper rate-limiting controls are prone to Denial-of-Service (DoS) attacks.
  • Exploited Business Logic: Attackers can manipulate API functionality in unintended ways.

Key Best Practices for API Security Assessments

  1. Inventory and map all APIs.
  2. Understand the business logic behind your APIs.
  3. Enforce authentication and authorization using best practices like OAuth 2.0.
  4. Validate inputs and encode outputs to block injection and scripting attacks.
  5. Implement rate limiting and throttling to prevent DoS attacks.
  6. Conduct regular vulnerability scanning and combine SAST and dynamic analysis.
  7. Test for authentication failures to prevent session hijacking and credential stuffing.
  8. Secure APIs using centralized API gateways.
  9. Align with industry standards like OWASP API Security and CIS Controls v8.
  10. Perform regular penetration testing to uncover complex vulnerabilities.

How MSI Stands Out in API Security Assessments

  • Tailored Assessments: MSI customizes assessments to your unique API ecosystem.
  • Beyond Vulnerability Scanning: Manual testing uncovers complex attack vectors.
  • Contextual Reporting: Actionable insights, not just raw data.
  • Long-Term Partnerships: Focus on sustainable cybersecurity improvements.
  • Proprietary Tools: MSI’s HoneyPoint™ Security Server and other patented technologies provide unmatched insights.

More Information

APIs are the lifeblood of digital transformation, but with great power comes great responsibility. Don’t let vulnerabilities put your business at risk.

Contact MSI today to schedule your API security assessment and take the first step toward building a resilient, secure API ecosystem. Visit MicroSolved.com or email us at info@microsolved.com to learn more.

Let’s secure your APIs—together.

 

 

* AI tools were used as a research assistant for this content.

 

 

Quick Thought on CSRF Attacks

Posted on by
Reply

Yesterday, I listened to @Grap3_Ap3 present at the Columbus OWASP local chapter on Cross Site Request Forgery (CSRF). While this attack has been around since 2001, it continues to show a strong presence in web applications across a range of platforms. Phil spent a lot of his time talking about content management systems on the public Internet, but we have seen CSRF very widely exploitable on embedded devices.

Embedded devices, often equipped with rather rudimentery web servers and applications for management, have proven to be a searing hot pain point for CSRF in our research. While that isn’t shocking or new, I definitely see an interesting and potentially dangerous collision between the growth of the “Internet of Things” and web vulnerabilities. Today, some of these platforms are toys, or novelty tools built into home appliances – BUT, the future of internetworking of our devices and our physical lives means that these web controls will eventually have larger impacts on our day to day lives.

What happens when a CSRF attack can be used to trick your teenager into clicking on a picture on the web that while they view it, they also execute a command to raise the temperature on your refrigerator to unsafe levels? Or when an embedded link in an email tricks you into a click that turns your oven onto super heat clean mode without your knowledge? Sound like a prank? Maybe. Extend it to thermostats, home automation and consumer control over alternative energy controls like solar panels and such and it might take a new form.

We are on a course of collision. Our inattention to information security and the exploding complexity and technology dependencies will soon come together in ways that may surprise us. Ignore the hyperbole, but think about it rationally. Isn’t it time we worked with organizations who make products to demand an increase in protection from some of these basic known attacks? In the future, consumers and organizations alike will vote with their dollars. How will you spend yours?

Columbus OWASP Meeting Presentation

Posted on by
5

Last week, I presented at the Columbus OWASP meeting on defensive fuzzing, tampering with production web applications as a defensive tactic and some of the other odd stuff we have done in that arena. 

The presentation was called “Hey, You Broke My Web Thingee :: Adventures in Tampering with Production” and I had a lot of fun giving the talk. The crowd interaction was excellent and a lot of folks have asked for the slide deck from the talk, so I wanted to post it here

If you missed the talk in person, feel free to reach out on Twitter (@lbhuston) and engage with me about the topics. I’d love to discuss them some more. Please support OWASP by joining it as a member. These folks do a lot of great work for the community and the local chapter is quite active these days! 

OWASP Talk Scheduled for Sept 13 in Columbus

Posted on by
2

I have finally announced my Columbus OWASP topic for the 13th of September (Thursday). I hope it turns out to be one of the most fun talks I have given in a long while. I am really excited about the chance to discuss some of this in public. Here’s the abstract:

Hey, You Broke My Web Thingee! :: Adventures in Tampering with Production

Abstract:
The speaker will tell a few real world stories about practical uses of his defensive fuzzing techniques in production web applications. Examples of fighting with things that go bump in the web to lower deployment costs, unexpected application errors and illicit behavior will be explained in some detail. Not for the “play by the book” web team, these techniques touch on unconventional approaches to defending web applications against common (and not so common) forms of waste, fraud and abuse. If the “new Web” is a thinking admin’s game, unconventional wisdom from the trenches might just be the game changer you need.

You can find out more about attending here. Hope to see you in the crowd!

PS – I’ll be sharing the stage with Jim Manico from White Hat Security, who is always completely awesome. So, come out and engage with us!

What the Heck Is FeeLCoMz?

Posted on by
3
FeeLCoMz is a string I often get a lot of questions about. Basically, people see it and other strings in their logs, or if they are unlucky, they run into it like this, in a file in their web directories:
 
 Basically, if this is in the file system, then the system has been compromised, usually by a PHP RFI vulnerability. Other strings to check for, if you feel you want to run some basic grep checks against web files, include: 
 
“FaTaLz”,”KinCay”,”CreWz”,”TeaM”,”CoMMunity”,”AnoNyMous”,”Music”,
“ProGraMMeR”,”CyBeRz” and “mIRC”
 
If you find those strings, they usually indicate other PHP scanners, worms or attack tools have compromised the system. Now, if you don’t find those, it does NOT mean the system is safe, the list of all of those relevant strings would be too large and dynamic to manage. 
 
Another good grep check to parse files for in web directories, especially PHP and text files, if the nearly ubiquitous, “base64_decode(“, which is an absolute favorite of PHP bot, shell and malware authors. Any files you find using that call should be carefully inspected.
 
If you want to find more information on how PHP RFI attacks and other such issues occur, check out these links 
 
 
Basically, if you find files with the FeeLCoMz tag in it in the web directories, you have some incident response and investigation work to do. Let us know if we can assist, and stay safe out there. 
 
PS – It’s a good idea to have all PHP applications, even common ones like WordPress and the like, assessed prior to deployment. It might just save you some time, hassle and money! 

Columbus OWASP Quarterly Meeting August 18 – We’ll See You There!

Posted on by
Reply

We’ve been involved with the Columbus, Ohio Chapter of OWASP and have met some great folks. If you’re involved with information security and haven’t visited yet, you’ll want to be at this meeting! Below are the details with a link to register. We look forward to seeing you there!

 

When? August 18, 2011, from 1PM to 4PM

Where? The Conference Center of BMW Financial

The Columbus OWASP chapter will be presenting its Third Quarter Meeting, specifically on the subject of Web Application Security Analysis. We are pleased to present two local speakers leading discussions on malware, and the OWASP Enterprise security framework.

Speaker: Brent Huston CEO & Security Evangelist of MicroSolved, Inc. (MSI)

This presentation will discuss PHP and ASP malware, discovery techniques, how the attackers are staging and processing malware-based attacks, as well as the relevance of anti-virus against these forms of malware. Drawn from real world attacks and compromises, examples will be displayed and discussed. Take aways will include the architecture of attacker cells, their targeting and use of compromised hosts and insight into how simple, basic controls can assist us in fighting these forms of assault.

Speaker: Kevin Wall – ESAPI Committer / Owner at OWASP & Staff Security Engineer at CenturyLink

OWASP Enterprise Security API (ESAPI) is one of the flagship projects at OWASP, but as of yet, not many application development teams have adopted it. This presentation will provide a brief history and overview of ESAPI, including its goals and all its language implementations, before taking a deeper dive into ESAPI for Java.

The ESAPI for Java portion will discuss major changes from ESAPI 1.4 to ESAPI 2.0 and how the various ESAPI 2.0 security controls map as mitigations for the OWASP Top Ten. We will also examine the relative maturity of each security control.

This will be followed by a few examples of how to use ESAPI, including an in-depth one of using ESAPI’s symmetric encryption. Finally, we will briefly describe how the OWASP AppSensor project has the ESAPI’s Intrustion Detection mechanism to provid an powerful intrustion detection system at the application layer and describe some of the advantanges of this versus an more traditional IDS.

Register today!