

apidays Helsinki & North 2023 - What Gladwell’s ‘Outliers’ Can Teach Us About API Breaches, Jeremy Snyder, FireTail

apidays Helsinki & North 2023
API Ecosystems - Connecting Physical and Digital
June 5 & 6, 2023

What Gladwell’s ‘Outliers’ Can Teach Us About API Breaches
Jeremy Snyder, CEO and Co-Founder at FireTail

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays

June 29, 2023

Transcript

  1. WHAT HAPPENED? KOREAN AIR FLIGHT 801
     August 5, 1997, Seoul (Gimpo / GMP) to Agana, Guam (GUM)
     List of problems on the day:
     - Captain initially scheduled to fly to Dubai, reassigned due to lack of rest
     - Turbulence just outside Guam due to heavy rains, and additional rain on Guam between the coast and airport
     - Captain wanted to use ILS but it was not functional at GUM
     - Communication breakdown; navigator informed of being off-course and inoperative ILS, but ignored by Captain
  2. COMMON THREADS: ANALYSIS RELEVANT FOR API DATA BREACHES
     - Multiple things went wrong
     - Technical issues + non-technical issues
     - Lack of team communication / coordination
     - Internal / external parties
  3. BREACH DATA ANALYSIS: EXAMPLES OF BREACH LOGIC AROUND AUTHORIZATION
     - Authenticates once, but then doesn’t require subsequent authorization to access additional functions
     - Sequential numbering made scraping very easy
     Conclusions:
     - Authentication ≠ authorization
     - Must be done server-side
     - Must be with EVERY call
     - Principal + resource + action; either all map to YES, or it’s NO
     Source: https://techcrunch.com/2021/05/05/peloton-bug-account-data-leak/
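The "principal + resource + action, all YES or it's NO, on every call" rule from this slide, as an added example (not code from the talk or from FireTail). The profile records, the `Principal` type and the `support` role are constructed for illustration; the handler re-evaluates authorization on each request rather than trusting that the caller authenticated once.

```python
from dataclasses import dataclass

# Constructed sample data (not from the talk): two profile records keyed by
# sequential numeric IDs, the pattern that made scraping easy in the Peloton case.
PROFILES = {
    1001: {"owner": "alice", "name": "Alice", "email": "alice@example.com"},
    1002: {"owner": "bob", "name": "Bob", "email": "bob@example.com"},
}


@dataclass(frozen=True)
class Principal:
    """Who the caller is, as established by authentication."""
    user: str
    roles: frozenset


def authorize(principal, resource_id, action):
    """Principal + resource + action must ALL map to YES; anything else is NO.
    Unknown resources are simply NO, so the policy never leaks whether an ID exists."""
    record = PROFILES.get(resource_id)
    if record is None:
        return False
    if action == "read" and "support" in principal.roles:
        return True  # support staff may read any profile, but never update it
    return record["owner"] == principal.user and action in ("read", "update")


def get_profile(session, profile_id):
    """Request handler. Authentication proved who the caller is when the session
    was created; authorization is evaluated again here, server-side, on this call.
    Returns (status, body) the way an HTTP handler would."""
    principal = session.get("principal")
    if principal is None:
        return 401, None
    if not authorize(principal, profile_id, "read"):
        # Same response for "not yours" and "does not exist": a caller walking
        # IDs 1001, 1002, 1003... learns nothing from the status code.
        return 404, None
    return 200, PROFILES[profile_id]
```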
  4. “VULNERABILITIES IN APPS HANDLING API DATA ARE THE DIRECT CAUSE OF THESE BREACHES. NOTHING ELSE IS TO BLAME.” –
  5. BREACH DATA ANALYSIS: EXAMPLES OF BREACH LOGIC AROUND AUTH N/Z
     - API URL landed in Google SERP
     - API did not require authentication token
     - API did not check for authorization
     - API allowed CRUD functions
     Conclusions:
     - Combo network configuration + more
     - Poor API design on auth-N/Z
     Source: https://techcrunch.com/2021/05/13/lemonade-insurance-bug-exposed-
  6. BREACH DATA ANALYSIS: EXAMPLES OF BREACH AROUND SERVER & DATA HANDLING
     - Server gave overly verbose errors
     - Enumeration exposed routes
     - Found undisclosed GraphQL endpoint
     - GraphQL endpoint allowed “select *”
     Conclusions:
     - Poor server config
     - Non-declarative API model
     - Excessive exposure
     Source: https://samcurry.net/hacking-starbucks/
  7. BREACH DATA ANALYSIS: EXAMPLES OF BREACH AROUND NETWORK / DATA / AUTH
     - API made public with DNS / network configuration change
     - API had poor authN
     - Incremental account IDs
     Conclusions:
     - Poor network change mgmt
     - Bad data handling
     - Easy API access
     Source: https://techcrunch.com/2022/09/22/optus-australia-data-breach/
  8. BREACH DATA ANALYSIS: DISCUSSION AROUND MULTI-VECTOR CONCLUSIONS
     In almost all cases, more than one thing went wrong:
     - Sequential numbering + no server-side authZ
     - No authZ + full data records returned (trimmed by client)
     - 3rd party API access keys discovered + lack of encryption
     - Using common IDs (like VIN or SSN) as authN tokens + second factor
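The "full data records returned, trimmed by client" vector above is fixed by shaping the response on the server. Added example, not code from the talk or from FireTail: the account row, the field allowlists and the owner/support/public relationships are constructed for illustration; the point is that a field absent from every allowlist cannot reach any client, whatever the front end does.

```python
from collections import namedtuple

Principal = namedtuple("Principal", ["user", "roles"])

# Constructed sample row (not from the talk): everything the database returns
# for one account, including fields that must never reach any client.
ACCOUNT = {
    "id": 4711,
    "owner": "alice",
    "display_name": "Alice",
    "email": "alice@example.com",
    "phone": "+358 40 000 0000",
    "password_hash": "$2b$12$constructed-placeholder-hash",
    "api_key": "constructed-placeholder-key",
}

SECRET_FIELDS = {"password_hash", "api_key"}

# Field allowlist per relationship between caller and record. A field not listed
# here is never serialized, so there is nothing left for the client to "trim".
FIELDS_BY_RELATION = {
    "owner":   {"id", "display_name", "email", "phone"},
    "support": {"id", "display_name", "email"},
    "public":  {"id", "display_name"},
}


def relation(principal, record):
    """Classify the caller relative to this record (owner > support > public)."""
    if principal is not None and record["owner"] == principal.user:
        return "owner"
    if principal is not None and "support" in principal.roles:
        return "support"
    return "public"


def shape(record, principal):
    """Return only the fields the caller's relationship allows, server-side."""
    allowed = FIELDS_BY_RELATION[relation(principal, record)]
    return {k: v for k, v in record.items() if k in allowed}


def audit_allowlists():
    """Guard for a unit test: secret fields that leaked into any allowlist."""
    return SECRET_FIELDS & set().union(*FIELDS_BY_RELATION.values())
```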
  9. BREACH DATA ANALYSIS: OTHER NOTES AROUND ATTACK VECTORS TRACKED
     - Enumeration – lab environment with hits within 5 min, return callers, 90%+ traffic is probing (git.config, /.env, etc)
     - Data Exposure – returning too much data; leaving it to the client to trim or remove
     - Injection – not super common, roughly ~10% of cases
     - Governance – general term, can refer to configuration in a cloud environment, private -> public API, etc
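Detection logic for the enumeration traffic described above, as an added example (not code from the talk or from FireTail). The access-log lines are constructed, the `/api/v1/accounts/` route is hypothetical, and the probe-path list holds only the two paths the slide names; the analyzer flags clients hitting those paths and clients walking consecutive numeric IDs on one route.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Common Log Format), not real traffic.
LOG_LINES = """\
203.0.113.7 - - [05/Jun/2023:10:00:01 +0000] "GET /.env HTTP/1.1" 404 153
203.0.113.7 - - [05/Jun/2023:10:00:02 +0000] "GET /.git/config HTTP/1.1" 404 153
198.51.100.4 - - [05/Jun/2023:10:00:03 +0000] "GET /api/v1/accounts/1001 HTTP/1.1" 200 812
198.51.100.4 - - [05/Jun/2023:10:00:03 +0000] "GET /api/v1/accounts/1002 HTTP/1.1" 200 799
198.51.100.4 - - [05/Jun/2023:10:00:04 +0000] "GET /api/v1/accounts/1003 HTTP/1.1" 200 805
192.0.2.9 - - [05/Jun/2023:10:00:05 +0000] "GET /api/v1/accounts/1001 HTTP/1.1" 200 812
""".splitlines()

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Probe paths named in the talk; the /api/v1/accounts/ route is a hypothetical one.
PROBE_PATHS = {"/.env", "/.git/config"}
ID_RE = re.compile(r"^(/api/v1/accounts/)(\d+)$")


def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    ids = sorted(ids)
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def analyze(lines, seq_threshold=3):
    """Per-client findings: ('probe', paths) for scanner paths and
    ('enumeration', route) for walking >= seq_threshold consecutive IDs."""
    probes, ids_seen = defaultdict(set), defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip unparseable lines rather than crash the pipeline
        ip, path = m[1], m[3]
        if path in PROBE_PATHS:
            probes[ip].add(path)
        route = ID_RE.match(path)
        if route:
            ids_seen[(ip, route[1])].add(int(route[2]))
    findings = defaultdict(list)
    for ip, paths in probes.items():
        findings[ip].append(("probe", sorted(paths)))
    for (ip, route), ids in ids_seen.items():
        if longest_run(ids) >= seq_threshold:
            findings[ip].append(("enumeration", route))
    return dict(findings)
```

In production the threshold and route list would come from configuration, and a client that trips either finding is a candidate for rate limiting and alerting rather than for an automatic block.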
  10. BREACH DATA ANALYSIS: SYSTEMIC FLAWS CAN BE ATTACKED SYSTEMATICALLY
     - These flaws tend to affect the entire API / app logic
     - In responsible disclosures, researchers have often performed very large POCs
     - Average number of records per breach is in the millions, but has actually come down (more breach events)
  11. BREACH DATA ANALYSIS: SOME OTHER OBSERVATIONS
     - Not industry-specific – APIs are everywhere
     - Not geography-specific – APIs are everywhere
     - But some industries have had a huge breach impact recently:
       - Manufacturing (automotive)
       - Technology (software)
       - Hospitality (airlines, hotels, rental cars)
  12. TRACK OUR RESEARCH: DATA AND ANALYSIS SHARED ONLINE
     FireTail’s API Data Breach Tracker: https://firetail.io/api-data-breach-tracker
  13. CORE PRINCIPLES OF API SECURITY: FIRETAIL
     Visibility, Observability, Policy, Audit, Discovery, Enforcement
     - Authentication, authorization, validation, sanitization in code
     - Commercial version sends configuration and success / failure events to cloud backend
     - Full view of API landscape across IT fleet
     - Finding APIs not running FireTail library via network traffic, code repos & cloud APIs
     - APIs can be analyzed for configuration settings and security policy. API security posture management
     - Full and centralized audit trail of all APIs with FireTail library implemented. Search and set alerts.
  14. WHAT SHOULD WE DO? AN OUTLIER APPROACH TO API SECURITY
     - Make sure that communication is cross-team, and that no team has a blanket veto
     - The company that starts earliest has the best chance of success
     - But remember – it’s in your peer group
     - Do your 10,000 hours!