News quickly spread about a vulnerable call recording app for iPhone named “Call Recorder,” or “Acr call recorder,” as its listing in the Apple App Store states. TechCrunch was the first outlet to flag a design flaw with the mobile application’s API when it obtained call recordings from AWS S3 cloud storage to prove it was insecure and therefore open to API-based attacks. The weaknesses exhibited by the mobile app represent a vital shift occurring in cybersecurity towards the importance of the protection and hardening of APIs. From this instance alone, we can learn a number of valuable lessons as API attacks are set to rise drastically this year. Most of the issues in the Call Recorder vulnerability map directly to the OWASP API Security Top 10, a list that captures the most common API mistakes. This document is a great reference for DevOps and security teams that are looking to implement strong API security that can be applied to both web and mobile application systems, including those in the cloud.
In a blog post commemorating World Password Day, Google announced the move to make users sign in via a second step after entering a password, such as a mobile app.
Global insurance company AXA said Thursday it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.
Peloton’s leaky API has allowed any hacker to obtain any user’s account data — even if that user had set their profile to private.
The vulnerability, which was discovered by security research firm Pen Test Partners, allowed requests to go through for Peloton user account data without checking to make sure the request was authenticated. As a result, the exposed API could let anyone access any Peloton user’s age, gender, city, weight, workout stats, and birthday.
SecureLink and Ponemon Institute today released a new report titled “A Crisis in Third-party Remote Access Security”, revealing the alarming disconnect between an organization’s perceived third-party access threat and the security measures it employees.
Thursday, May 6 is World Password Day, a day dedicated to promoting safer password practices. Strong password management has been especially important as cyberattacks have skyrocketed since the onset of the pandemic and the switch to remote work. Here, security executives share their insight and tips on how to create and promote safer password practices in the enterprise and among employees.
Lookout, Inc. released a report showing that mobile phishing exposure doubled among financial services and insurance organizations between 2019 and 2020. The Lookout Financial Services Threat Report illustrates that these organizations were not immune to mobile phishing despite an increased adoption of mobile device management (MDM).
Digital Shadows released new research into the movement of cybercriminal marketplaces with a feature on Genesis market. According to the Digital Shadows Photon Research Team, Genesis is a high-profile and trusted repository of digital fingerprints that has grown in popularity since it was launched in beta in 2017. In 2020, Genesis commanded 65% of mentions across criminal forums for fingerprinting services. While other markets have come and gone, Genesis continues to endure and has grown year-on-year. In the last two months alone, more than 5,000 new listings have been added to Genesis, bringing the total number of listings to more than 350,000.
As we continue to embrace hybrid work, chief information security officers (CISOs) and compliance teams are wading through and in some cases even overlooking many different areas related to collaboration security. We’ve highlighted the top three areas of risk in this post which should keep CISOs awake at night. The remote workplace continues to evolve at lightning speed, and so too should CISOs – or risk sensitive materials ending up in the wrong hands.