Security News

42Crunch launches new self-registration feature for its API Security Platform
2020-02-26 02:00

At RSA Conference 2020, API security leader and creator of the industry's first API Firewall - 42Crunch - announced the launch of its new self-registration feature for its API Security Platform. 42Crunch has made this easy by creating a platform based around the industry standard OpenAPI Specification, and is now opening it to the public with self-registration to continue its mission of providing the most comprehensive tools for implementing API security best practices.

Wallarm advances API security with native gRPC and GraphQL support
2020-02-24 02:00

At RSA Conference 2020, Wallarm released an expanded set of parsers, detection of API-specific vulnerabilities and API schema analysis for gRPC and GraphQL. With Wallarm, context-specific protection is delivered both for externally-facing APIs and for service-to-service internal APIs for a true zero trust use case. "More than half of our customers are actively moving to the cloud-native stack. For them support for gRPC and GraphQL is not just a "nice-to-have", but a strong requirement for all the security solutions, including WAF and DAST. Wallarm is stepping up to provide just that."

Week in review: API security risks, Office 365 security pain points
2020-02-23 10:30

Take your SOC to the next level of effectiveness: Organizations are turning to Breach and Attack Simulation integration with the SOC. BAS integration with SIEM and SOAR solutions enables SOC teams to continually evaluate the effectiveness of their security controls and improve the company's security posture with real-time, accurate metrics.

SecOps teams face challenges in understanding how security tools work: Security professionals are overconfident in their tools with 50% reporting that they have experienced a security breach because one or more of their security products was not working as expected, according to Keysight.

Stuffing nonsense: Persistent cyberpunks are pummelling banks' public APIs, warns Akamai
2020-02-20 22:56

The web services 'n' security biz said, in a report released today, that three-quarters of all credential abuse attacks it detected in 2019 were targeted at banks' publicly available APIs. Akamai said it had "observed 85,422,079,109 credential abuse attacks" over two years, spanning December 2017 to November last year.

Most credential abuse attacks against the financial sector targeted APIs
2020-02-20 06:30

According to data from Akamai, up to 75% of all credential abuse attacks against the financial services industry targeted APIs directly. According to the report's findings, from December 2017 through November 2019, 85,422,079,109 credential abuse attacks were observed.

Three API security risks in the wake of the Facebook breach
2020-02-17 06:30

The theft of access tokens represents a major API security risk moving forward, but also highlights how API risks can remain undetected for so long. API risk is rooted in a lack of visibility, not only into its traffic, but also into its flexible and powerful parameters, known as API specifications, or "Specs." DevOps and SecOps attempt to mitigate this risk by creating and maintaining API catalogs, which are a collection of its specs.

Twitter API Abused to Uncover User Identities
2020-02-04 14:22

The social media giant said that on Dec. 24, 2019, it discovered a large network of fake accounts abusing a legitimate API function on its platform that, when used as intended, allows accounts to find Twitter users that they may already know by matching phone numbers to their Twitter account names. The bad actors were using this legitimate feature to uncover Twitter users - opening concerns that they could have potentially obtained the true identities of human rights activists or dissidents who go under pseudonyms on Twitter.

Twitter Suspends Fake Accounts for Exploiting API Vulnerability
2020-02-04 14:11

Twitter on Monday announced that it has suspended a large number of fake accounts that had exploited an API vulnerability to match usernames to phone numbers. The fake accounts were exploiting a feature meant to help users with newly created accounts find people they might already know on the online platform.

State-sponsored actors may have abused Twitter API to de-anonymize users
2020-02-04 11:11

A Twitter API that's intended to help new account holders find people they may already know on Twitter has been abused by known and unknown actors to tie usernames to phone numbers and potentially de-anonymize certain users. "On December 24, 2019 we became aware that someone was using a large network of fake accounts to exploit our API and match usernames to phone numbers. We immediately suspended these accounts and are disclosing the details of our investigation to you today because we believe it's important that you are aware of what happened, and how we fixed it," Twitter shared on Monday.

Twitter Warns API Flaw Abuse May Have Unmasked Users
2020-02-04 09:33

A Twitter API could have enabled outsiders to match users' phone numbers to their corresponding accounts and potentially unmask anonymous users of the social media site. Still, many users who wanted better account security have likely given their phone numbers to Twitter.