
Must Follow Guidelines for API Security

An online store can collect payments via the PayPal API, for instance, rather than developing its own payment gateway. APIs provide the required function while sparing businesses time and effort, which is why their usefulness is evident.

Protecting these APIs from security risks and breaches entails securing them together with all linked apps and users. 

Businesses use APIs to link services and move data. Compromised, broken, or exposed APIs are behind major data breaches: they expose private and sensitive financial, medical, and personal information to the public. However, not all data is created equal, and not all data should be safeguarded in the same way. The type of data being exchanged will determine how you should approach API security.

In the last 12 months, 95% of firms encountered an API security issue, according to the most recent Salt Labs State of API Security report. Additionally, during the past year a variety of businesses, including Facebook, Experian, Starbucks, and Peloton, have experienced public API problems. Clearly, APIs need more protection against intrusions than the present crop of application security approaches can provide.

Security leaders need to carefully examine the way they currently approach API security to fix the issue. If your API connects to a third-party application, it is important to understand how that application sends data back out to the internet.

Strategies for API Security

1. Put a secure authentication and authorization protocol into action: The first stage in an API security approach is authenticating and authorizing the appropriate users.
2. Implement the "Least Privilege" principle: Restricting access to only essential tasks decreases the attack surface, which helps reduce the exposure to security breaches.
3. Constrain data sharing: To find weak spots, keep track of the data shared between apps, APIs, and users, and then secure them by restricting the shared data.
4. Utilize HTTPS: APIs communicate over HTTP connections, so to move data securely they require Secure Sockets Layer (SSL) or Transport Layer Security (TLS) encryption.
5. Implement a policy of zero trust: The zero-trust policy cannot be left out of any discussion of API security advice. It operates under the premise that no user, device, or server should be trusted until proven otherwise.
6. Implement data logging: Logs provide admins with a wealth of information that can be used to enhance API security and assist with manual inspection and monitoring.
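To make the first, second, fourth and sixth guidelines concrete, here is a small request-authorization layer written for this post (it is an added example, not code from the article or from any particular vendor). The token table, scope names, routes and header handling are all constructed for illustration: every route declares the one scope it needs (least privilege), plaintext transport is refused, unknown routes are denied by default, and every decision is emitted as a JSON log line.

```python
"""Minimal API authorization layer: authenticate a bearer token, enforce
least-privilege scopes per route, refuse non-TLS transport, and log every
decision as structured JSON. Added example; all tokens, scopes and paths
are constructed and hypothetical."""
import hmac
import json
import logging
from dataclasses import dataclass, field
from typing import Dict, Optional

logging.basicConfig(level=logging.INFO, format="%(message)s")
log = logging.getLogger("api.authz")

# Constructed token store. A real service would verify a signed token or
# look up a hashed credential; plaintext keeps the example self-contained.
TOKENS = {
    "tok-reader-001": {"subject": "svc-reporting", "scopes": {"orders:read"}},
    "tok-admin-002": {"subject": "ops-admin", "scopes": {"orders:read", "orders:write"}},
}

# Least privilege: each (method, path) declares exactly the scope it needs.
ROUTE_SCOPES = {
    ("GET", "/orders"): "orders:read",
    ("POST", "/orders"): "orders:write",
}


@dataclass
class Request:
    method: str
    path: str
    scheme: str = "https"
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Decision:
    status: int            # HTTP status the API would return
    reason: str
    subject: Optional[str] = None


def _lookup_token(presented: str) -> Optional[dict]:
    # Constant-time comparison so response timing does not reveal how many
    # leading bytes of a guessed token matched a stored one.
    for stored, identity in TOKENS.items():
        if hmac.compare_digest(stored.encode(), presented.encode()):
            return identity
    return None


def _decide(req: Request) -> Decision:
    # Guideline 4: refuse anything not carried over TLS.
    if req.scheme != "https":
        return Decision(400, "plaintext transport rejected")
    # Guideline 1: authenticate the caller.
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return Decision(401, "missing bearer token")
    identity = _lookup_token(auth[len("Bearer "):])
    if identity is None:
        return Decision(401, "unknown token")
    # Guideline 2: authorize against the single scope the route requires;
    # routes not in the table are denied rather than implicitly allowed.
    required = ROUTE_SCOPES.get((req.method, req.path))
    if required is None:
        return Decision(404, "no such route", identity["subject"])
    if required not in identity["scopes"]:
        return Decision(403, f"scope {required} required", identity["subject"])
    return Decision(200, "allowed", identity["subject"])


def authorize(req: Request) -> Decision:
    """Decide the request and emit one JSON log line (guideline 6)."""
    decision = _decide(req)
    log.info(json.dumps({
        "event": "api.authz", "method": req.method, "path": req.path,
        "scheme": req.scheme, "subject": decision.subject,
        "status": decision.status, "reason": decision.reason,
    }))
    return decision


if __name__ == "__main__":
    reader = {"Authorization": "Bearer tok-reader-001"}
    print(authorize(Request("GET", "/orders", headers=reader)))
    print(authorize(Request("POST", "/orders", headers=reader)))
    print(authorize(Request("GET", "/orders", scheme="http", headers=reader)))
```

The log line carries the subject, route and reason for every allow and deny, which is exactly what an admin needs when reviewing who touched which resource; a reader-scoped token calling `POST /orders` produces a 403 with the missing scope named.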
Security requires ongoing work in the age of technology and the internet. Unfortunately, security problems will not disappear, and as IoT technology grows more widespread, the dangers and vulnerabilities will only get worse. Be wary of ineffective strategies for API security. The security strategy must broaden to keep up with attackers' growing skill sets.

Being proactive is vital, which means keeping an eye on current technology, patching up any flaws, and implementing cutting-edge cybersecurity measures.

1.2 Million Users Affected by GoDaddy Data Breach


GoDaddy, the web hosting provider, has announced a data breach as well as warned that data on 1.2 million clients might be compromised. 

GoDaddy Inc. is a publicly listed American Internet domain registration and web hosting firm based in Tempe, Arizona, and incorporated in Delaware. GoDaddy has over 20 million clients and over 7,000 employees globally as of June 2020. 

Demetrius Comes, GoDaddy's chief information security officer, said in a filing with the Securities and Exchange Commission that the business discovered unauthorized access to the network where it hosts and administers its customers' WordPress servers.

WordPress is a web-based content management system that millions of people use to create blogs and web pages. Users can host their WordPress installations on GoDaddy's servers. 

According to GoDaddy, an unauthorized user gained access to GoDaddy's systems around September 6th. GoDaddy stated that the breach was detected last week, on November 17. It is unclear whether the hacked password was secured using two-factor authentication. 

According to the filing, the hack affects 1.2 million current and inactive WordPress users, whose email addresses and customer numbers were disclosed. According to GoDaddy, this disclosure may put users at increased risk of phishing attacks. As per the web host, the initial WordPress admin password generated when WordPress was installed, which could be used to manage a customer's WordPress server, had also been exposed.

Active users' FTP credentials (for file transfers) as well as the login information for their WordPress databases, which store all of the user's content, were compromised in the incident, according to the business. In certain situations, the user's SSL (HTTPS) private key was revealed, which might allow an attacker to impersonate the customer's website or services if misused.

According to GoDaddy, it has reset client WordPress passwords and private keys and is now in the process of issuing new SSL certificates. Meanwhile, Dan Race, a GoDaddy spokesperson, declined to comment, citing the company's ongoing investigation.

Hackers Use SSL Certificates to Launch Malware Attack


The latest report published by Menlo Security indicates that 52% of the top one million websites have "HTTPS" in their URL rather than traditional "HTTP".

Despite this, the data shows that organizations that don't conduct adequate SSL inspection are more vulnerable to breaches and cyberattacks. According to recent research, attackers now use SSL when creating phishing websites as well, which undermines the organization's effort to keep its workers safe. While 96.7% of all user-initiated website visits take place over HTTPS, only about 58% of the URL connections in email are HTTPS, which means firewalls and proxies are unaware of the threat until the organization conducts SSL inspection.


If users believe that the green lock sign of HTTPS means they are safe, they should think again, because attackers use encryption too. Many people still think that as long as they have an SSL certificate their web space is secure, which, unfortunately, is not true. Recent cyberattacks show that malware is now hiding behind SSL certificates and the lock sign, which was once a symbol of safety. From the beginning, many organizations have relied on firewalls and proxies to ensure the safety of web access.

But many organizations today skip decrypting and inspecting SSL traffic, which has become crucial. Note that when SSL decryption is enabled, the throughput of these devices drops by a factor of five, which is why these enterprises refrain from conducting SSL inspection. Since 2014, even Google has given priority in rankings to HTTPS websites on its Search Engine Result Page, considering them safer.

According to Kowsik Guruswamy, chief technology officer at Menlo Security, there are many reasons why enterprises don't turn on SSL inspection. The main reason is privacy, as many organizations are concerned about their employees' privacy when they investigate the links the employees have visited. The other reason is performance, as throughput drops by a factor of 5 when SSL inspection is on.

Web users exposed to "FREAK" attack

SSL/TLS breached

A newly discovered security vulnerability in the SSL/TLS protocol, dubbed "FREAK", poses potential risks for millions of people surfing the web on Apple, Google and Microsoft browsers.

A whole range of browsers, including Internet Explorer, Chrome for Mac OS and Android, and Apple's browsers, and about 12% of popular websites, such as Bloomberg.com, kohls.com and mit.edu, have been found to be vulnerable.

The flaw would allow a "man in the middle" attack which can downgrade the security of connections between vulnerable clients and servers by tricking them into using low-strength "export grade RSA", thus rendering TLS security useless.

This 512 bit export grade mode of cryptography can then be easily cracked to compromise the privacy of users, by stealing passwords and other personal information. Larger attacks on the Web sites could be launched as well.

Computing power worth 100 dollars and seven hours is all that is required for a skilled code breaker to crack it.

The flaw was exposed by a team of researchers at INRIA and Microsoft Research, who named it "FREAK" for Factoring attack on RSA-EXPORT Keys.

The "export grade" RSA ciphers resulted from the 1980s policy of the US government which required US software makers to use weaker encryption in programs shipped to other countries. It was meant to facilitate internet eavesdropping so intelligence agencies could monitor foreign traffic. These restrictions were lifted in the late 1990s, but the weaker encryption was wired into widely used software that percolated throughout the world and back into the US.

Christopher Soghoian, principal technologist for the American Civil Liberties Union said, “You cannot have a secure and an insecure mode at the same time… What we’ve seen is that those flaws will ultimately impact all users.”

This shows that a weaker crypto policy ultimately exposes all parties to attackers, and serves as a strong argument against the recent requests of US and European politicians to build a new set of backdoors into established systems.

Apple said its fix for both mobiles and computers will be available next week and Google said it has provided an update to device makers and wireless carriers.

For web server operators, the way ahead entails disabling support for all export ciphers and other known insecure ciphers.
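The remediation above is a cipher-list audit, so here is one written for this post (an added example, not code from the researchers or from any vendor). It flags export-grade suites (the FREAK case) along with other long-deprecated primitives in either OpenSSL-style or IANA-style suite names, then builds a hardened OpenSSL cipher string with Python's standard `ssl` module and confirms that nothing weak survives in it. The sample server cipher list is constructed.

```python
"""Audit a TLS server's enabled cipher suites for export-grade and other
obsolete suites, and verify a hardened OpenSSL cipher string. Added
example; SAMPLE_SERVER_CIPHERS is a constructed list, not a real scan."""
import re
import ssl
from typing import Dict, Iterable, List

# Patterns over OpenSSL-style names (EXP-RC4-MD5) and IANA-style names
# (TLS_RSA_EXPORT_WITH_RC4_40_MD5). The first entry is the FREAK case.
WEAK_PATTERNS = [
    (re.compile(r"^EXP|_EXPORT"), "export-grade suite (512-bit RSA, FREAK)"),
    (re.compile(r"NULL"), "null encryption or null authentication"),
    (re.compile(r"^ADH|^AECDH|_anon_"), "anonymous key exchange"),
    (re.compile(r"RC4|RC2"), "broken RC4/RC2 cipher"),
    (re.compile(r"DES-CBC-|_DES_|DES-CBC3|3DES"), "single or triple DES"),
    (re.compile(r"MD5"), "MD5-based MAC"),
]

# Constructed example of what a server scan might report: two modern
# suites, one 3DES suite, and three export-grade suites.
SAMPLE_SERVER_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "EXP-EDH-RSA-DES-CBC-SHA",
    "TLS_RSA_EXPORT_WITH_RC4_40_MD5",
]

# Hardened OpenSSL cipher string: forward-secret AEAD suites only, with
# explicit exclusions. Modern OpenSSL no longer ships export suites at
# all, so there is no keyword for them here; the audit below still checks.
HARDENED_CIPHER_STRING = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!DES:!3DES:!RC4:!MD5"
)


def audit_ciphers(names: Iterable[str]) -> Dict[str, List[str]]:
    """Map each weak suite name to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name in names:
        reasons = [why for pattern, why in WEAK_PATTERNS if pattern.search(name)]
        if reasons:
            findings[name] = reasons
    return findings


def has_export_ciphers(names: Iterable[str]) -> bool:
    """True if any suite is export-grade, i.e. the server is FREAK-exposed."""
    export_pattern = WEAK_PATTERNS[0][0]
    return any(export_pattern.search(name) for name in names)


def context_cipher_names(cipher_string: str = HARDENED_CIPHER_STRING) -> List[str]:
    """Suite names the local OpenSSL would actually offer for this string."""
    ctx = ssl.create_default_context()
    ctx.set_ciphers(cipher_string)
    return [suite["name"] for suite in ctx.get_ciphers()]


if __name__ == "__main__":
    for suite, reasons in audit_ciphers(SAMPLE_SERVER_CIPHERS).items():
        print(f"{suite}: {'; '.join(reasons)}")
    print("FREAK-exposed:", has_export_ciphers(SAMPLE_SERVER_CIPHERS))
    print("hardened string offers:", context_cipher_names())
```

Feeding the output of a cipher enumeration tool into `audit_ciphers` gives a per-suite explanation of what to remove; `context_cipher_names` is the check to run after changing the server's cipher string, since OpenSSL silently drops keywords it does not recognise and the only way to know what is really offered is to ask it.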

A full list of vulnerable sites is available here.

Google Provides Secure Search (SSL Encryption) for Signed-in Users


"Google Search will be redirected to a secure Google search connection (https://) if you are signed in," Google said on its official blog. This protects users' search queries with SSL encryption. Google made SSL the default connection for Gmail in January 2010, and four months later introduced secure search at this link:
https://encrypted.google.com/

Recently, other giants such as Twitter and Facebook have also introduced SSL support.

Since search queries are sensitive and risky to expose (especially in a public cafe), Google is introducing default SSL encryption in Google Search for signed-in users. If you are signed in, Google Search will redirect to https://www.google.com, whereas it normally searches over a direct connection (http://www.google.com).

If you are not a Google user or are not signed in, you can still use encrypted search by visiting https://www.google.com directly (don't forget the 's').

Source:
http://googleblog.blogspot.com/2011/10/making-search-more-secure.html