Allow-all APIs?
Clubhouse's APIs let anyone who called them download user IDs, linked social media profiles and other details that Clubhouse users had shared on the platform.
Clubhouse's response was that all of it was 'public profile information'. That misses the fundamental principle of privacy: the user chooses with whom to share their data, and when. A Clubhouse user who is comfortable showing a profile to other members of the platform has not agreed to have it scraped and republished on the open internet.
We wrote about the meaning of privacy in an earlier issue of this newsletter, where we specifically discussed 'private' data.
CISO Check:
Ensure that your privacy policies are in line with the basic tenets of privacy: data goes only to the audience the user chose for it.
As part of your secure coding strategy, ensure that your APIs carry the same controls as your application's user interface: authentication, authorization on every field returned, rate limiting, and identifiers that cannot simply be walked in sequence. An API that returns more than the UI shows is a bulk-export endpoint, whatever you call it.
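The contrast above, as an added example that is not Clubhouse's code: one profile lookup exposed two ways. The allow-all handler hands any caller every stored field for any user ID, so a loop over sequential IDs becomes a download of the whole user base. The hardened handler applies what the web UI already applies: a valid session, the profile owner's per-field sharing choices, and a per-caller rate limit. The profiles, sessions, field names and visibility labels are all constructed for the example.

```python
"""Added example: the same profile endpoint with and without the controls
the web application already enforces. All data here is constructed."""
import time
from typing import Optional

# Constructed profiles. Each owner decides, field by field, who may see it:
# "members" = any logged-in user of the platform, "private" = owner only.
PROFILES = {
    1001: {"username": "alice", "twitter": "@alice_tw", "instagram": "@alice_ig",
           "phone_hash": "9f3c2a", "visibility": {"username": "members",
           "twitter": "members", "instagram": "private", "phone_hash": "private"}},
    1002: {"username": "bob", "twitter": "@bob_tw", "instagram": "@bob_ig",
           "phone_hash": "4b2190", "visibility": {"username": "members",
           "twitter": "private", "instagram": "private", "phone_hash": "private"}},
}
# Constructed session table: bearer token -> user id of the logged-in caller.
SESSIONS = {"tok-alice": 1001, "tok-bob": 1002}


def profile_allow_all(user_id: int) -> Optional[dict]:
    """Vulnerable: no authentication, no authorization, every stored field.
    Returns the raw record minus the visibility settings (which it ignores)."""
    p = PROFILES.get(user_id)
    return None if p is None else {k: v for k, v in p.items() if k != "visibility"}


def walk_allow_all(start: int, count: int) -> list:
    """What a scraper does against the vulnerable handler: walk the ID space.
    Sequential IDs plus no auth means the whole directory leaks."""
    return [r for r in (profile_allow_all(i) for i in range(start, start + count)) if r]


class RateLimiter:
    """Sliding-window limit per caller. A browser user is throttled by click
    speed; an API client is not, so the limit has to be explicit."""

    def __init__(self, limit: int, window_s: float):
        self.limit, self.window_s = limit, window_s
        self.hits = {}  # caller -> list of timestamps

    def allow(self, caller: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        recent = [t for t in self.hits.get(caller, []) if now - t < self.window_s]
        if len(recent) < self.limit:
            recent.append(now)
        self.hits[caller] = recent
        return len(recent) <= self.limit and recent[-1] == now


LIMITER = RateLimiter(limit=60, window_s=60.0)


def profile_hardened(user_id: int, session_token: Optional[str],
                     limiter: Optional[RateLimiter] = None,
                     now: Optional[float] = None) -> tuple:
    """Hardened: returns (http_status, body) and applies the UI's rules.
    1. No session, no data: 'public on the platform' is not 'public on the web'.
    2. Rate limit per session before touching the data store.
    3. Owner sees everything; any other member sees only 'members' fields."""
    caller = SESSIONS.get(session_token or "")
    if caller is None:
        return 401, {"error": "authentication required"}
    if not (limiter or LIMITER).allow(session_token, now):
        return 429, {"error": "rate limited"}
    p = PROFILES.get(user_id)
    if p is None:
        return 404, {"error": "not found"}
    if caller == user_id:
        return 200, {k: v for k, v in p.items() if k != "visibility"}
    shared = {k: v for k, v in p.items()
              if k != "visibility" and p["visibility"][k] == "members"}
    return 200, shared


if __name__ == "__main__":
    print("allow-all walk:", walk_allow_all(1000, 5))
    print("anonymous:", profile_hardened(1001, None))
    print("bob views alice:", profile_hardened(1001, "tok-bob"))
    print("alice views alice:", profile_hardened(1001, "tok-alice"))
```

The rate limiter keys on the session token rather than the source IP so that one account cannot walk the ID space from many addresses; the 404 is returned only after authentication, so an anonymous caller cannot even learn which IDs exist.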
Who is the hacker?
https://www.theregister.com/2021/04/13/computer_misuse_act_convictions_analysis/
A recent paper by a British researcher, who analysed more than 100 UK hacking cases, found that the typical attacker is a low-skilled male acting alone.
Read the actual paper here [pdf]
This is in contrast to where we generally focus our attention: large-scale, state-sponsored APT attacks. One caveat before reading too much into it: the sample is attackers who were caught and prosecuted, so it says less about the capable ones who were not.
CISO Check:
While conducting your threat and risk assessments, create a 'hacker persona' that helps you design the right controls for the right attacker. For example, if your most likely attacker is a script kiddie with basic knowledge, spend first on the controls that stop that persona (patching, a tuned WAF, MFA, rate limiting on exposed APIs) rather than on anti-APT tooling; a WAF will block most of those attempts. Keep the persona honest, though: it prioritises spending, it does not justify dropping baseline controls such as EDR on endpoints, and it should be revisited as your exposure changes.
Look out for our post on assessing risks using design thinking, where we will elaborate more on creating a ‘hacker persona’.
Quote of the week
APIs are websites without a browser - Sumedh Thakar