Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label API. Show all posts

Akamai Research Exposes Vulnerability: APIs Now Prime Targets for 29% of Web Attacks

 


As part of the State of the Internet (SOTI) reports, a series of threats and data insights from Akamai, this year marks the 10th year in which Akamai has been publishing these reports. Since then, the focus of these reports has changed, mainly due to the evolution of the threat and operational ecosystems. During this year's conference, people split the web application and API attacks into separate groups to better understand their situation. 

As a result of that, API security has become more visible. The rapid deployment of APIs has resulted in several blind spots like zombies, shadows, and rogue APIs, which are a sign that business transformation is taking place. To find and manage all APIs, users must use cyber controls. It has been observed that APIs are of critical importance to the success of most companies because they improve both the employee and customer experience. 

This rapid expansion of the API economy has allowed cybercriminals to exploit these new opportunities, but they have also used digital innovation to their advantage. It has been highlighted in the most recent SOTI report, Lurking in the Shadows: Attack Trends Shine Light on API Threats, that a wide range of attacks are taking place across both websites and APIs. In addition to traditional web attacks, API-specific attacks are also being discussed, as well as posture and runtime challenges that can be abused or allow direct attack through API. 

As the demand for APIs increases, it is predicted that these attacks will continue to spike, and organizations are encouraged to properly account for and secure the APIs they use. It also discusses how to mitigate threats and comply with compliance regulations. This research also explores some of the most common problems that arise when it comes to postures and runtimes. 

There are several case studies included in the report that demonstrate the real-world implications of API security on an organization and there are breakout reports containing data from the regions of Europe, the Middle East, and Africa (EMEA) as well as Asia-Pacific and Japan (APJ). Throughout history, APIs have played a key role in facilitating the exchange of critical and valuable information between customers and partner organizations, but they are also presenting a challenge to many security organizations due to the lack of API infrastructure and programming skills. 

The lack of comprehensive and accurate accounting of APIs in several organizations makes it difficult to determine just how large their attack surface is because the number of APIs in these organizations is not comprehensive and accurate. The Akamai research found that APIs are being tasked with both traditional attacks and API-specific attacks, requiring a combination of protections to keep them safe. 

Akamai powers and protects life online. Countless people live, work, and play every day because Akamai powers and protects their digital experiences. With Akamai Connected Cloud, a massively distributed cloud and edge platform that enables users to access apps and experiences closer to them and keeps threats to a minimum, it brings them closer to users while keeping them safe from attacks.

5 Simple Steps to Bulletproof Your API Integrations and Keep Hackers at Bay


In today's tech-driven world, APIs (Application Programming Interfaces) are like the connective tissue that allows different software to talk to each other, making our digital experiences seamless. But because they are so crucial, they are also prime targets for hackers. 

They could break in to steal our sensitive data, mess with our systems, or even shut down services. That is why it is super important for companies to beef up their API security, protecting our info and keeping everything running smoothly and this is where API Integration Secure name comes up. 

Let’s Understand What is API Integration Secure and Why Is It Important 

API integrations are made secure through a combination of measures designed to protect the data and systems involved. This includes using encryption to safeguard information as it travels between systems, implementing authentication and authorization protocols to ensure that only authorized users and applications can access the API, and regularly monitoring for any suspicious activity or attempted breaches. 

Additionally, following best practices in API design and development, such as limiting the data exposed through the API and regularly updating and patching any security vulnerabilities, helps to further enhance security. Overall, a multi-layered approach that addresses both technical and procedural aspects is key to ensuring the security of API integrations. 

Here Are Five Ways to Keep API Integrations Secure: 


Use an API Gateway: Think of it as the guardian of your APIs. It keeps an eye on who is trying to access your data and blocks anyone suspicious. Plus, it logs all the requests, so you can check who has been knocking on your digital door. 

Set Scopes for Access: Just because someone was allowed in does not mean they can see everything. Scopes make sure they only get access to the stuff they really need, like a limited view of a database. It is like giving someone a key to one room instead of the whole house. 

Keep Software Updated: You know those annoying software updates that pop up? They are actually super important for security. They fix any holes that hackers might try to sneak through. So, always hit that update button. 

Enforce Rate Limits: Imagine a crowded street during rush hour. Rate limits make sure not too many cars (or requests) clog up the road at once. It helps prevent crashes and slowdowns, making sure everyone can get where they need to go smoothly. 

Monitor Logs with SIEM: It is like having a security guard watching CCTV cameras for any suspicious activity. SIEM collects all the logs from API calls and flags anything fishy. So, if someone is trying to break in, you will know right away and stop them in their tracks.

Dell Launches Innovative Generative AI Tool for Model Customization

Dell has introduced a groundbreaking Generative AI tool poised to reshape the landscape of model customization. This remarkable development signifies a significant stride forward in artificial intelligence, with the potential to revolutionize a wide array of industries. 

Dell, a trailblazer in technology solutions, has harnessed the power of Generative AI to create a tool that empowers businesses to customize models with unprecedented precision and efficiency. This tool comes at a pivotal moment when the demand for tailored AI solutions is higher than ever before. 

The tool's capabilities have been met with widespread excitement and acclaim from experts in the field. Steve McDowell, a prominent technology analyst, emphasizes the significance of Dell's venture into Generative AI. He notes, "Dell's deep dive into Generative AI showcases their commitment to staying at the forefront of technological innovation."

One of the key features that sets Dell's Generative AI tool apart is its versatility. It caters to a diverse range of industries, from healthcare to finance, manufacturing to entertainment. This adaptability ensures that businesses of all sizes and sectors can harness the power of AI to meet their specific needs.

Furthermore, Dell's tool comes equipped with a user-friendly interface, making it accessible to both seasoned AI experts and those new to the field. This democratization of AI customization is a pivotal step towards creating a more inclusive and innovative technological landscape.

The enhanced hardware and software portfolio accompanying this release further cements Dell's commitment to providing comprehensive solutions. By covering an extensive range of use cases, Dell ensures that businesses can integrate AI seamlessly into their operations, regardless of their industry or specific requirements.

Technology innovator Dell has used the potential of generative AI to develop a platform that enables companies to customize models with previously unheard-of accuracy and effectiveness. This technology is released at a critical time when there is a greater-than-ever need for customized AI solutions.

A significant development in the development of artificial intelligence is the release of Dell's Generative AI tool. Its ability to fundamentally alter model customization in a variety of industries is evidence of Dell's unwavering commitment to technical advancement. With this tool, Dell is laying the groundwork for a time when everyone may access and customize AI, in addition to offering a strong solution. 

Rising Concerns as Discord.io Data Breach Compromises 760,000 Users

 

Although digital companies have multiple data protections in place to safeguard their customers' information, hackers continue to find ways to circumvent them and gain access to sensitive data even though they have multiple data protections in place to safeguard customer data. 

Data breaches have become more common in recent years, despite an increased focus being placed on cybersecurity in recent years. There has been another data breach at Discord.io this time, unfortunately, as the company is now one of the victims of such attacks. Learn about the types of data that hackers have access to as well as what steps are being taken by the company to protect this data. 

There has been a massive data breach at a popular service used to create custom links for Discord channels which allows people to create custom links for their channels. The service has now announced that it will be shutting down operations for the time being. 

A major breach of Discord.io's database occurred on the night of August 14, and large swaths of user data were stolen as a result. Discord announced the breach on Tuesday. As TechRadar reported in its article about the breach, more than 760,000 members of the company had their information compromised by the breach, though the company did not reveal this number in its update.

Discord.io is a third-party service that allows users to create custom invitations to their Discord channels, which can then be shared by the channel owner with their friends and viewers. It is estimated that over 14,000 users have registered on the service's Discord server, which is where most of the community exists. 

As of yesterday, a person named 'Akhirah' has started offering the Discord.io database for sale on the newly launched Breached hacking forums. A threat actor shared four records from the database as proof that he had stolen data. The new Breached forums are being hailed as the rise of a popular cybercrime forum that used to be a place where people would sell and leak data stolen from compromised databases. 

A member's username, email address, billing address (which only a small number of people) and a salted and hashed password (which only a small number of people) were among the most sensitive data that were compromised in the breach. 

Discord.io has officially confirmed that they were breached via a notice posted to their Discord server and website, and has initiated the process of temporarily shutting down its services as a result. As first reported by StackDiary, Discord.io has confirmed the authenticity of the breach. According to a timeline listed on the website for Discord.io, it was only after seeing the post on the hacking forum that they encountered the information about the data breach. 

Immediately after the leaked data was confirmed to be authentic, they shut down their services and cancelled all memberships that had been paid for. A spokesperson for Discord.io says that the person responsible for the breach has not contacted them and has not provided them with any information regarding how the breach occurred. A spokesperson for Akhirah, the seller of the Discord.io database, told BleepingComputer that he had not been in touch with the Discord.io operators before speaking with them.

It is clear from the revealed information about the users that the attacker was able to gather all types of sensitive information from Discord.io. There was data leaked by the company that included sensitive user information, including usernames, Discord IDs, email addresses, billing addresses, salted and hashed passwords, and much other sensitive information. Because Discord.io does not store any information about its users, it cannot confirm whether or not any credit card information was compromised in the attack. 

As part of the data breach, the platform acknowledges that certain information about users, including internal user IDs, avatar details, the status of users, coin balances, API keys, registration dates, last payment dates, and membership expiration dates may have been exposed.  

Currently, Discord.io has announced that it is suspending operations indefinitely due to this attack. There will be a temporary period when Discord.io will not be available during the next few months after the website is launched since it will cease to operate while it is being built. There will be a complete rewrite of the website code, in which it will be implementing a completely new security system, and the code will be completely rewritten, according to the platform. 


User Data Goldmine: Google's Ambitious Mission to Scrape Everything for AI Advancement

 


It was announced over the weekend that Google had made a change to its privacy policies. This change explicitly states that the company reserves the right to scrape everything you post online to build its artificial intelligence tools. Considering how far Google can read what you have to say, you can assume that you can expect your words to end up nestled somewhere within the bowels of a chatbot now that Google can read them. 

Google and Facebook privacy policies were quietly updated over the weekend and, likely, you didn't notice. There has been a slight change in the policy wording, but the change is significant, particularly because it is a revision.

In a recent report by Gizmodo, Google revised its privacy policy. Even though most of the policy is not particularly noteworthy, there is one section that stands out - one related to research and development - that could make a significant difference. 

The Gizmodo team has learned that Google's new privacy statement has been revised. While most of the policy is relatively unremarkable, one section in particular, the one dealing with research and development, stands out, particularly from the rest.  

For those who love history, Google has compiled a history of changes to its terms of service over the years that can be found here. According to the new language, the tech giant has written new ways in which your online musings might be used in the company's AI tools, which would not contradict the existing language in its policies. 

Google said in the past that the data would be used "for language models," rather than making "AI models," and places like Bard, Cloud AI, and Google Translate are now being mentioned, as well as the older policy that only mentioned Google Translate. 

Generally, a privacy policy does not include a clause such as this one. This type of policy describes how companies use your information when you post it on a company's service such as their website or their social media. It appears that Google has a right to harvest and harness any data posted to any part of the public web. This is as if the entire internet is the firm's playground for artificial intelligence experiments. Several requests for comment were sent to Google, but the company did not respond immediately. 

The practice raises interesting questions regarding the privacy of patients and raises new privacy concerns. Public posts are understood by the majority of people as being public. It is important to remember that what it means to write something online has changed over the years. 

The question is no longer whether a person has access to the information, but how can they use it based on that information. Your long-forgotten blog posts or even restaurant reviews from 15 years ago are very likely to have been ingested by Bard and ChatGPT. In the course of reading this, the chatbots may regurgitate some funny, humonculoid version of the words you have just spoken. This is in ways that are difficult to predict and comprehend. 

It seems odd for a company to add such a clause to its contract, as pointed out by this outlet. There is something peculiar about this because the way it has been worded gives the impression that the tech giant does reserve the right to harvest and use any data available on any part of the public internet at any time. There are times when a company's data usage policy only addresses how that company plans to make use of the personal information it has collected. 

The vast majority of people probably realize that whatever information they post online will be visible to the world at large, but this development opens up a whole new world of opportunities. The issue of privacy does not just extend to those who see your online posts, but to everything that is done with those posts as well. 

There used to be a reference here to "AI models" rather than "language models" before the update, and that statement has been changed. Furthermore, it mentioned the addition of Bard and Cloud AI to Google Translate, a service that has been included with Bard since then. 

In the outlet's opinion, this is an unusual clause that a business would enshrine in its policies. The writing of this statement seems odd since the way it's written implies that Apple owns the right to collect and use data from any section of the Internet that is open to the public. The purpose of a policy such as this is normally to tell the customer how its services will use the data it posts.

It is well known that anything you post online will be seen by almost everyone, but with the new developments that have come about, there is an unexpected twist: the possibility of using it. The thing you need to keep in mind is not just who can read what you write online, but also how that information will be used by the people who can read it. 

It is also possible to use real-time data-looking technology such as Bard, ChatGPT, Bing Chat, and other AI models that scrape data from the internet in real-time. Often, sources of information can be found in other people's intellectual property and come from their sources. AI tools currently being used for such activities are accused of theft, and more lawsuits are likely. 

The question of where data-hungry chatbots acquire their information in the post-ChatGPT world is one of the lesser-known complications of the post-ChatGPT world. Google and OpenAI scrape the Internet to fuel their robot habits. 

There is no clear legal guidance on whether it is legal. There is no doubt that the courts will have to deal with copyright questions that seemed like science fiction a few years ago when they first came up. At the same time, there have been some surprising effects on consumers that have been caused by the phenomenon so far.    

There is some aggrievement among Twitter and Reddit overlords related to the AI issue. Both have made controversial changes to lock down their platforms going forward. There has been a change in both companies' API which prevented third parties from downloading large quantities of posts for free. This was something they allowed anyone to download. There is no doubt that this statement is intended to protect social media sites from being harvested by other companies looking to steal their intellectual property. However, the consequences of this decision are far more significant. 

Third-party tools that people used to access Twitter and Reddit have been broken by the API changes that Twitter and Reddit implemented. At one point, Twitter even appeared to be considering requiring public entities such as weather forecasts, transit lines, and emergency services to pay a monthly fee to use their Twitter services, but Twitter backed down after receiving a hailstorm of criticism for this plan. 

Elon Musk has historically made web scraping his favorite boogieman in recent years. Musk explained a number of the recent Twitter disasters as a result of the company's need to guard against the theft of data from the site by others, even when the issues do not seem to be related. There was a problem with Twitter over the weekend when the number of tweets a user was permitted to view per day was limited, making the service almost unusable for many users. 

Musk believed rate-limiting was a necessary response to "data scraping" and "system manipulation." However, most IT experts agree that it was more likely a crisis response resulting from mismanagement or incompetence rather than an attempt to solve a problem. Despite Gizmodo's repeated requests for information on the matter, Twitter did not respond.

Hackers Threatened to Leak 80GB of Data Allegedly Stolen From Reddit in February

 


An independent cybersecurity expert and CNN reviewed a post from the BlackCat ransomware gang, also known as ALPHV. The post said the group had stolen 80 gigabytes of confidential data from Reddit during a February breach and claimed to have accessed it. A cyber-security expert and CNN examined the dark web post, and the group claimed it had stolen 80 gigabytes. 

A hacker group in Russia is threatening to release Reddit data if it doesn't pay a ransom demand - as well as reverse the controversial API pricing increases. 

According to the hackers, they demand a ransom of $4.5 million and an API price hike from the company. This is if they hope to prevent data release, which was hacked. 

It appears that phishing attacks allow threat actors to gain access to the company's systems to steal internal documents, source code, employee data, and a limited amount of information about Reddit's advertising partners. 

Reddit spokesperson confirmed that "BlackCat's claims refer to a cyber incident that Reddit confirmed on February 9 as related to BlackCat's claims". During a high-targeted phishing attack carried out at the incident, hackers accessed information about employees and internal documents. 

Information about employees and internal documents was accessed through a targeted phishing attack. It is believed that the company was unaware that the passwords or accounts of customers had been stolen. 

Reddit provided no further information regarding the attack or the culprits. Nevertheless, over the weekend, BlackCat raised the stakes in the February cyber intrusion, claiming responsibility for it. It threatened to leak the "confidential" information obtained during the attack. BlackCat has not shared any evidence of data theft by the hackers, and it's unclear exactly what type of information the hackers have stolen.  

BlackCat has threatened to leak the "confidential" data but there is no sign of what it is supposed to be. They have neither provided evidence of data theft nor evidence to back up their claim. 

CTO of Reddit Chris Slowe recently talked about a security incident that happened in February, and he posted about the incident here. Throughout the post, Slowe said that, as a result of a highly targeted and sophisticated phishing attack, the company's "systems were hacked," with hackers gaining access to "some internal documents, code, and some internal business systems." The hackers only obtained employee information, according to Slowe.

In a statement to CNN on Monday, a Reddit spokesperson confirmed that BlackCat's post refers to the incident in February. No user data was accessed, according to the spokesperson, but he refused to elaborate further on the matter. 

Several Reddit forums remained dark last Monday during the planned two-day protest. This was intended to highlight the company's plan to charge steep fees for third-party apps to access the company's platform in the future. 

There are still more than 3,500 Reddit forums unresponsive a week after the attack happened. Some experts argue that BlackCat's actual motives are questionable while some are sympathetic to the protestors' cause based on the ransom note. 

This is the second Reddit data breach in six years. This time, the attackers could access Reddit data dating back to 2007. A user's username, hashed password, email address, and the content of public posts and private messages were included in that report. 

In February, hackers reportedly stole 80GB of data from Reddit and threatened to leak it in three days as part of their threat. In response to the breach, Reddit acknowledged the incident and is actively investigating the matter. A ransom demand has been made by the hackers, who have warned that if they are not paid, the thieves will release sensitive information about their victims.

As of right now, it is impossible to verify the authenticity of stolen data. There are persistent cyber threats that online platforms face daily. This incident reminds us of the importance of robust security measures against such threats. Reddit is striving to improve its privacy and security protocols, and users are advised to remain vigilant at all times.

Microsoft 365 Phishing Attacks Made Easier With 'Greatness'

 


It is a method of stealing money, or your identity, by attempting to get you to reveal personal information through websites that pretend to be legitimate websites, such as credit cards, bank details, or passwords, that aim to get you to reveal your personal information. Cybercriminals often pose as reputable companies, friends, or acquaintances and send fake messages with a link to a phishing website.  

By enticing people to reveal personal information like passwords and credit card numbers, phishing attacks are intended to steal sensitive data or damage it by damaging users' computers. 

Even script kiddies have constructed convincing, effective phishing attacks against businesses using a service never heard of before, called phishing-as-a-service (PaaS). 

As many organizations around the world use the Microsoft 365 cloud-based productivity platform, it has become one of the most valuable targets for cybercriminals. These criminals use it to steal data and credentials to compromise their networks. 

During a Cisco Talos research update, researchers explained how phishing activity on the Greatness platform exploded between December 2022 and March 2023. This was when the platform was launched in mid-2022. 

Since the tool was introduced in mid-2022, it has been used in attacks on several companies across a variety of industries. These industries include manufacturing, healthcare, technology, and banking. 

At this point, approximately half of those targeted are in the United States. Attacks have also been carried out around Western Europe, Australia, Brazil, Canada, and South Africa, but the majority are concentrated in the US. 

As a result of these attacks, a wide range of industries, including manufacturing, healthcare, technology, education, real estate, construction, finance, and business services, are being targeted. 

It contains everything you will ever need to conduct a successful phishing campaign if you intend to play at being a phishing actor in the future. 

Using the API key that they have acquired for their service, the users will have access to the 'Greatness' admin panel and provided a list of email addresses that they wish to attack. 

It is the PhaaS platform, or as it is often called, that allocates the infrastructure needed to host the phishing pages and also to build the HTML attachments. This is like the server hosting the phishing pages. 

Afterward, the affiliate builds the content for the email and provides any other material needed, and changes any default settings if necessary. 

The process of taking on an organization is simple. A hacker simply logs into the enterprise using their API key; provides a list of target email addresses; creates the content of the email (and changes any other default details as they see fit). 

Greatness will authenticate on the real Microsoft platform based on the MFA code supplied by the victim once the MFA code is provided. This allows the affiliate to receive an authenticated session cookie through the Telegram channel provided by the service or through access to their web panel. 

As a result, many companies find that stolen credentials can also be used to breach their network security. This results in more dangerous attacks, like ransomware, being launched.

Imperva Red Team Patches a Privacy Vulnerability in TikTok


The Imperva Red Team has recently identified a vulnerability in TikTok, apparently allowing threat actors to look into users’ activities over both mobile and desktop devices.

The vulnerability, which has now been patched, was the result of a window message event handler's failure to accurately verify the message's origin, providing attackers access to users’ sensitive data.

PostMessage API 

The PostMessage API (also known as the HTML5 Web Messaging API) is a communication mechanism that permits safe cross-origin communication between several windows or iframes inside a web application. The API enables scripts from different origins to exchange messages, overcoming the restrictions the Same-Origin Policy imposes, that normally restricts data sharing between distinct sources on the web.

The API includes methods named window.postMessage() and an event message. The postMessage() method is used to send a message from the source window to the target window or iframe, while the message event is triggered on the receiving end when a new message is received. The team discovered a script in TikTok's web application during the code analysis that seemed to be involved in user tracking. 

The Imperva report states that “the first step in discovering the vulnerability was to identify all the message event handlers in TikTok's web application. This involved a comprehensive analysis of the source code in locating instances where the PostMessage API was being used[…]Once all the message event handlers were identified, we proceeded to carefully read and understand the code for each handler. This allowed us to determine the purpose of each handler and evaluate the security implications of processing untrusted messages.” 

Exploiting the Vulnerability 

Attackers could send harmful messages to the TikTok web application through the PostMessage API by taking advantage of this vulnerability and getting around the security precautions. The malicious message would then be processed by the message event handler as if it were from a reliable source, giving the attacker access to private user data.

The vulnerability was promptly addressed after being reported to TikTok by the Imperva Red Team, and Imperva appreciated TikTok for its swift action and cooperation. This disclosure should serve as a reminder of the value of adequate message origin validation and the risks of enabling interdomain communication without the necessary security precautions.  

Globally, Over 4 Million Shopify Users Are at Risk

 


In a report published on Friday by CloudSEK's BeVigil, a security search engine for mobile apps, it has been found that over four million users of e-commerce apps around the world are exposed to the risk of hardcoded Shopify tokens.   

As an e-commerce platform, Shopify allows anyone to create a store that enables them to sell their products online and allows businesses to do the same. Shopify is expected to be used by more than 4.4 million websites by the end of 2023 and is located in more than 175 countries. 
 
Researchers are claiming that there is a risk that crooks will gain access to sensitive data belonging to millions of Android users with e-commerce apps. 

It was recently revealed in a CloudSEK BeVigil report that researchers discovered 21 e-commerce apps that had 22 hardcoded Shopify API keys and that these keys/tokens could potentially expose the personally identifiable information (PII) of roughly four million users to the possibility of identity theft. 

A hardcoded API key becomes visible to anyone with access to the code, including attackers and unauthorized users, as soon as the key is hardcoded in the code. An attacker can access sensitive data and perform actions on behalf of the program if they can access the hardcoded key. They can then use it to access sensitive data. The company said in a press release that even if they do not have the authorization to do so, they could still do it of their own volition. 

Information About Credit Cards

It is estimated that at least 18 of the 22 hardcoded keys allow attackers to use them to view sensitive data that belongs to customers. The researchers explained that this is based on their findings further in their report. A second report provided by the researchers states that seven API keys enable users to view and modify gift cards. In addition, six API keys allow a threat actor to steal information about payment accounts.  

As part of the sensitive data, collect name, email address, website address, country, address complete, phone number, and other information related to the shop owner is collected. The site also enables customers to access information regarding their past orders and their preferences for receiving emails.  

Regarding information on payment accounts, threat actors may be able to access details about banking transactions, like credit or debit cards used by customers to make purchases. These can be obtained by obtaining the BIN numbers of credit cards, the ending numbers of the cards, the name of the company that issued the cards, the IP addresses of browsers, the names on the cards, expiration dates, and other sensitive information. 

According to the researchers, one of the exposed API keys used by the shop provided shop details on authentication, hoping to show their point. 

Researchers have also pointed out that this is not a Shopify employee error but rather a widespread issue with app developers leaking API keys and tokens to third parties.   

An e-commerce platform such as Shopify enables businesses of all sizes to easily create an online store and, in turn, sell their products online. It is estimated that there are more than four million websites with Shopify integration today, enabling both physical and digital purchases from their online shoppers.   

CloudSEK notified Shopify about their findings however, no response has yet been received from Shopify in response.   

Can Twitter Fix its Bot Crisis with an API Paywall?

 


A newly updated Twitter policy relating to the application programming interface (API) has just been implemented, according to researchers - and the changes will have a profound impact on social media bots, both positive (RSS integration, for example) and negative (political influencer campaigns), respectively. 

A tweet from the Twitter development team announced that starting February 9, the API would no longer be accessible for free. It was Elon Musk's personal amendment. Upon hearing some negative publicity, Elon Musk stepped in personally to amend the original terms of service - Twitter is to continue to provide its bots with a light, write-only API that allows them to produce high-quality content for free. 

In a computer program, APIs are used to enable different parts of the program to communicate with each other. An API provides an interface for two software programs to interact with one another. This is the same way that your computer provides an interface so that you can easily interact with all of its many complex functions. Enterprises, educational institutions, or bot developers who want to develop applications on Twitter are most likely to need the API for management and analytics. 

Whether you choose a limited or subscription model, we are at risk of displacing smaller, less well-funded developers and academics who have utilized free access to develop bots, applications, and research that provide real value for users. 

It is also pertinent to note that Twitter has been targeted by malicious bots since the start of time. The use of these social media platforms is on the increase by hackers spreading scams and by evil regimes spreading fake news, and that's without mentioning the smaller-scale factors that affect influencer culture, marketing, and general trolling, which are widespread as well. 

What are the pros and cons of using a paid API to solve Twitter's influence campaigns and bot-driven problems? Several experts believe the new move is just a smokescreen to cover up the real problem. 

Bad bots on Twitter 


According to a report published by the National Bureau of Economic Research in Cambridge, Mass., in May 2018, social media bots play a significant role in shaping public opinion, particularly at the local level. It was found that Twitter bots had been greatly influenced by the US presidential election and the UK vote on leaving the European Union. This was during the 2016 elections. Based on the data, it appears that the aggressive use of Twitter bots, along with the fragmentation of social media and the influence of sentiment, may all be factors that contributed to the outcome of the votes. 

In the UK, the increase in automated pro-leave tweets may have resulted in 1.76 percentage points of the actual pro-leave vote share is explained by the increasing volume of automated tweets. While in the US, 3.23 percentage points of the actual vote could be explained by the influence of bots. 

During that election, three states were critical swing states - Pennsylvania, Wisconsin, and Michigan - with a combined number of electoral votes that could have made the difference between victory or defeat - won the election by a mere fraction of a percent.   

Often, bots are just helpful tools that can be used by hackers to commit cybercrime at scale without necessarily swaying world history - this can make them a useful tool for committing cybercrime at scale. The use of Twitter bots by cyber criminals has been observed in the distribution of spam and malicious links on Twitter. This is as well as the amplifying of their content and profiles on the site. 

David Maynor, director of the Cybrary Threat Intelligence Team and chief technology officer for Dark Reading, explains in an interview that bots are an incredibly huge problem for the Internet. Some random objects taunt people so much that victims would spend hours or days trying to prove that they were wrong. That would be the real world. Bots also give Astroturf efforts a veneer of legitimacy, they do not deserve. 

Astroturfing is a type of marketing strategy designed to create an impression that a product or service has been chosen by the general public in a way that appears to be an independent assessment without actually being so (hiding sponsorship information, for instance, or presenting "reviews" as objective third-party assessments). 

Are Twitter's motives hidden? 


According to some people, Twitter's real motive behind placing its API behind a paywall has nothing to do with security, and instead, it could be something else entirely. The question is then, would a basic subscription plan be strong enough to guard against a cybercrime group, or indeed a lone scammer, who might be targeting your account? One of the most active operators of social media influence campaigns in the world is certainly not the Russian government. 

There are many mobile app security platforms and cloud-based solutions that can be used to eliminate bot traffic from mobile apps easily, and Elon Musk is well aware of these technologies. Ted Miracco, CEO at Approov, says: Bot traffic could be largely eliminated overnight if the proper technologies are implemented. 

Several methods and tools exist to help social media sites (and site owners and administrators of all types of websites) snuff out botnets, and they can be used by all our social media users. It is imperative to keep in mind that bots tend to respond predictably. They, for example, post regularly and only in certain ways. There are specialized tools that can help you identify entire networks of bots. By identifying just a few suspect accounts, these tools can help reveal what are a few suspect accounts. 

There is a theory that naming and shaming may well be critically significant in diagnosing malicious automated tweets along with detecting malicious automated tweets: This might not be popular, but it is the only way to stop bots and information operations. People and organizations must be tied to real-life accounts and organizations. 

In this regard, Livnek adds, Whilst this raises concerns about privacy and misuse of data, remember that these platforms are already mining all of the available data on the platforms to increase user engagement. Tying accounts to real-world identities wouldn't affect the platforms' data harvesting, but would instead enable them to stamp out bots and [astroturfing]. 

It seems a bit extreme to remove free API access before we have exhausted all feasible security measures that might have been available to us. 

As Miracco argues, the reason for this is an open secret in Silicon Valley - it is basically the elephant in the room. According to Miracco, social media companies are increasingly liking their bots in terms of generating revenue for them. 

Twitter makes money by selling advertisements and this is the basis of its business model. As a result, bots are viewed by advertisers as users, i.e. they generate revenue in the same way as users do. There is more money to be made when there are more bots. 

Tesla CEO Elon Musk threatened to pull out of his plan to buy Twitter in January, reportedly as a result of the revelation that a large portion of Twitter's alleged users is actually bots or other automated programming. As he transitioned from being an interested party to becoming the outright owner of the company, his mood may have changed. The Miracco Group's CEO predicts that "revealing the problem now will result in a precipitous fall in traffic, so revenue must be discovered along the way to maintain the company's relevance along the path to reduced traffic, which was the motivation behind the API paywall. His explanation is straightforward: the paywall is ostensibly used to stop bots, but the truth is that it is being used to drive revenue. 

There has just been the implementation of a paywall. Whether it will be able to solve Twitter's bot problem by itself or if it will only be a matter of Musk's pockets being lined, only time will tell. 

Despite a request from reporters for comment, Twitter did not respond immediately to the query.   

Mimic Attacks: Ransomware Hijacking Windows ‘Everything’ Search Tool


Trend Micro has recently revealed details of the new type of ransomware, apparently targeting the APIs ‘Everything’ search tool to attack English and Russian-speaking Windows users. 

The malware was discovered by the security firm researchers in June 2022 and was named ‘Mimic.’ According to the researchers, the malware has been “deleting shadow copies, terminating multiple applications and services, and abusing Everything32.dll functions to query target files that are to be encrypted.” 

The researchers also found that some of the code in Mimic shared similarities with the infamous Conti ransomware, which was leaked in early 2022 following a number of high-profile incidents. 

Mimic Attacks 

Mimic ransomware attack begin with targeted victims receiving executable, most likely via an email, that retrieves four files from the target system, including the main payload, ancillary files, and tools to disable Windows Defender. 

The researchers’ findings reveal that the ransomware attack largely constituted legitimate files, of which one file contains the malicious payloads. Mimic is a sophisticated strain of ransomware that may use command-line options to target specific files and multiple processor threads to encrypt data more rapidly. 

According to Trend Micro, this combination of several active threads and the way it abuses Everything's APIs enable it to operate with minimum resource consumption, leading to a more effective execution and attack. 

What Could be the Solution? 

One of the best measures advised to the companies is by implementing a multilayered approach, which will provide the most efficient security, including data protection, backup and recovery measures. 

Utilizing a range of software that are designed to prevent, mitigate and combat the attacks on personal and business computers will add another layer of protection to the systems. 

Moreover, conducting regular vulnerability assessment and patching those vulnerabilities in the systems as soon as security updates become available will additionally aid in combating potential ransomware attack.  

37 Million Accounts' Data were Stolen from T-Mobile in a Data Breach Involving APIs

 

T-Mobile, a wireless provider in the United States, reported earlier this week that an unidentified malicious intruder broke into its network in late November and stole information on 37 million customers, including addresses, phone numbers, and dates of birth. 

The breach was found Jan. 5, according to T-Mobile, which disclosed this in a filing with the U.S. Securities and Exchange Commission. According to the company's investigation to date, the stolen data didn't include passwords or PINs, bank account or credit card information, Social Security numbers, or other official identifications. 

The malicious activity "appears to be fully contained at this time, but our investigation is still ongoing," T-Mobile said, adding that the data was first accessed on or around Nov. 25.

In recent years, the company has experienced numerous hacks. In its filing, T-Mobile stated that it did not anticipate the most recent breach to materially affect its business.

However, Neil Mack, a senior analyst at Moody's Investors Service, stated in a statement that the breach raises concerns about management's cyber governance, may alienate customers, and may draw the attention of the Federal Communications Commission and other regulators. 

The frequency of these cybersecurity incidents at T-Mobile is alarmingly high compared to that of its telecom competitors, Mack said, even though they may not be systemic in nature. 

T-Mobile announced in August 2021 that personal information including Social Security numbers and driver's licence information had been stolen. As a result, the company agreed to pay $350 million to customers who brought a class action lawsuit. There were almost 80 million affected Americans. 

Additionally, it announced at the time that it would invest $150 million in other technologies and data security through 2023. Prior to the August 2021 intrusion, the company disclosed breaches in which customer information was accessed in January 2021, November 2019 and August 2018. 

After acquiring rival Sprint in 2020, Bellevue, Washington-based T-Mobile rose to prominence as one of the nation's major providers of mobile services. After the merger, it claimed to have more than 102 million clients.

Twitter: Five Changes to the Platform for Users by Elon Musk

 

Three months have passed since Elon Musk stormed into Twitter's San Francisco headquarters, and the company has barely escaped the spotlight. We've talked a lot about his thoughts on the social network and some of his more controversial business decisions, such as laying off 50% of the workforce, but less about how the platform's 237 million monthly active users use it on a daily basis.

1. Restricting alternative Twitter viewing methods

Twitter appears to have suspended access to its API, which is used by other platforms to communicate with it. So, if you use a social media manager to access your account rather than the Twitter app or website, you may discover that Twitter is not currently working with it. It's unclear whether the move was intentional, but many experts believe it was.

"My guess is that this is because those third-party apps do not show ads and they allow the user to manage their feed as they see fit, which is at odds with Musk's plans to put more ads in front of users' eyeballs and prioritize the tweets of people who have paid for Twitter Blue," said tech commentator Kate Bevan.

Although Twitter has not made an official announcement, popular apps that appear to be struggling include Tweetbot, Fenix, and Twitterific.

2. Maintenance

The order in which tweets appear on people's timelines is perhaps the most noticeable change. A new tab allows you to select between the most recent tweets from people you follow and those recommended by Twitter.

If you're using an iPhone, you'll see two columns at the top, "for you" and "following"; if you're using an Android device, you'll see a star icon on the top right-hand side of the screen. The problem is that many users did not notice or were unaware that the app occasionally reverted to Twitter's curated "for you" feed. There have been complaints that this feed is mostly made up of Twitter recommendations and interactions between people you follow and people you don't know, rather than the content you chose to follow in the first place.

Others, on the other hand, don't mind: "Some days I want to go to a restaurant with just my friends, some days I'll pitch up at the pub and see who's in...can be fun," one Twitter user explained.

3. Reintroduction of contentious accounts

Mr Musk began with some high-profile accounts that had previously been banned for violating Twitter's rules. They included Ye (rapper Kanye West), who was barred from sharing anti-Semitic posts, influencer Andrew Tate (who is currently being held in Romania on charges of people trafficking), and former US President Donald Trump, whose tweets were accused of inciting the Capitol Hill riots in January 2021.

4. Twitter's Blue

Twitter's subscription service, Twitter Blue, launched at the end of November after a few false starts. The $8/$11 (£6.50/£9) monthly fee guarantees access to extra features such as an edit button, increased visibility, and fewer ads. Anecdotally, it appears to have attracted a reasonable number of subscribers, but not a large number - though, as usual, no official news about its success has been released thus far.

5. Ticks of silver and gold

Twitter's "blue tick," which is now a sign of a subscriber, was previously a symbol of a verified account. It was given to the accounts of hand-picked celebrities, journalists, and brands by Twitter to indicate that they were not fakes.

Those who acquired a blue tick under the old regime still have them, along with a message explaining that it is a "legacy" and "may or may not be notable". As a result, seeing a blue tick next to an account does not automatically confer authority on that account.

It has been replaced by a gold or silver tick for brands and government figures, so Coca-Cola is now gold, with an explanation that it is an "official business," and Rishi Sunak, the UK Prime Minister, now has a silver badge.

'Spin Master

Twitter had to change whether Mr. Musk was there or not. Its user base and ad revenue had been stagnant for a long time, while rival social networks had sprung up and experienced explosive growth. Twitter is known for being a small but influential platform, but this was not translating into profits.

Mr. Musk is "a master of PR and spin and innovation and creativity", said social media expert Matt Navarra. He is not afraid of causing a stir or tearing up the rulebook. But will his revolutionary tactics turn around the fortunes of this floundering company, which he claims was losing $4 million per day when he took over?

It's difficult to say because Twitter is secretive about its metrics. It is now a privately owned company, as it should be. However, new advertisers do not appear to be flocking to the site, users are complaining about changes to the way their accounts are displayed, and a recent API change has irritated developers, a community that Twitter needs to help it grow.

Mr. Navarra of his own user experience of engaging with 150,000 followers said, "The vibe seems to have shifted and it doesn't seem to be quite what it was before. I don't see any signs of green shoots for a new Twitter."

 CircleCI Breach: Encryption Keys & User Data Seized

A software company CircleCi has acknowledged that a data breach that occurred last month resulted in the theft of customers' personal information. 

After an engineer contracted data-stealing malware that made use of CircleCi's 2FA-backed SSO session cookies to get access to the company's internal systems, hackers broke into the company in December. CircleCi reminded consumers to change their credentials and passwords earlier this month after disclosing a security breach.

The company accepted responsibility for the breach and criticized a system failure, noting that its antivirus program missed the token-stealing malware on the employee's laptop. Using session tokens, users can maintain their login status without constantly typing their password or re-authorizing using two-factor authentication. However, without the account holder's password or two-factor code, an attacker can access the same resources as them by using a stolen session token. As a result, it may be challenging to distinguish between a session token belonging to the account owner and one stolen by a hacker.

According to CircleCi, the theft of the session token enabled the hackers to assume the identity of the employee and obtain access to a few of the business systems, which store client data. CircleCi states they rotated all customer-related tokens, including Project API Tokens, Personal API Tokens, and GitHub OAuth tokens, in retaliation to the hack. Additionally, the business collaborated with Atlassian and AWS to alert clients of potentially hacked AWS and Bitbucket tokens.

CircleCi claims that in order to further fortify its infrastructure, they have increased the number of detections for the actions taken by the information-stealing malware in its antivirus and mobile device management (MDM) programs.

"While client data was encrypted, the cybercriminals also gained the encryption keys able to decrypt consumer data," claimed Rob Zuber, the company's chief technology officer. To avoid illegal access to third-party systems and stores, researchers urge customers who have not already taken steps to do so. The company additionally tightened the security of its 2FA solution and further limited access to its production settings to a smaller group of users.

Twitter Data Breach Indicates How APIs Are a Goldmine for PII and Social Engineering


A Twitter API vulnerability that was detected in June 2021, and was later patched, has apparently been haunting the organization yet again. 

In December 2022, a hacker claimed to have access to the personal data of 400 million Twitter users for sale on the dark web markets. And only yesterday, the attacker published the account details and email addresses of 235 million users. 

The breached data revealed by the hacker includes account names, handle creation data, follower count, and email addresses of victims. Moreover, the threat actors can as well design social engineering campaigns to dupe people into providing them their personal data. 

Twitter: A Social Engineering Goldmine 

Social media giants provide threat actors with a gold mine of user data and personal information that they can utilize in order to perform social engineering scams. 

Getting a hold of just a user name, email address, and contextual information of a user’s profile, available to the public, a hacker may conduct reconnaissance on their targeted user and create phishing and scam campaigns that are specifically designed to dupe them into providing personal information. 

In this case, while the exposed information was limited to users’ information available publicly, the immense volume of accounts exposed in a single location (Twitter) has in fact provided a “goldmine of information” to the threat actors. 

The Link Between Social Engineering and API Attacks 

Unsecured APIs allow cybercriminals direct access to users’ Personally Identifiable Information (PII), such as username and password, which is captured when the user connects to any third-party service API. API attack thus provides threat actors with a window to collect large amounts of personal information for scams. 

An instance of this happened just a month ago when a threat actor leveraged an API flaw to gather the data of 80,000 executives throughout the private sector and sell it on the dark web. The threat actor had applied successfully to the FBI's InfraGard intelligence sharing service. 

The data collected during the incident included usernames, email addresses, Social Security numbers, and dates of birth of victims. This highly valuable information was utilized by the threat actors for developing social engineering dupes and spear phishing attacks. 

How to Protect APIs and PII? 

One of the main challenges faced while combating API breaches is how modern enterprises need to detect and secure a large number of APIs. A single vulnerability can put user data at risk of exfiltration, therefore there is little room for error. 

“Protecting organizations from API attacks requires consistent, diligent oversight of vendor management, and specifically ensuring that every API is fit for use […] It’s a lot for organizations to manage, but the risk is too great not to,” says Chris Bowen, CISO at ClearDATA.  “In healthcare, for example, where patient data is at stake, every API should address several components like identity management, access management, authentication, authorization, data transport, exchange security, and trusted connectivity.”

It has also been advised to the security team to not rely solely on simple authentication options like username and password in order to secure their APIs. 

“In today’s environment, basic usernames and passwords are no longer enough […] It’s now vital to use standards such as two-factor authentication (2FA) and/or secure authentication with OAuth,” says Will Au, senior director for DevOps, operations, and site reliability at Jitterbit. 

Moreover, measures such as utilizing a Web Application Firewall (WAF), and monitoring API traffic in real time can aid in detecting malicious activities, ultimately minimizing the risk of compromise.  

How to Migrate to the Cloud Securely

 


Increasingly, organizations and business units are migrating mission-critical data and systems to the cloud. 

Migration to and between all kinds of cloud services is indeed associated with security challenges; however, migration between public cloud services is the most challenging and has the potential to have grave consequences.   

How Secure are Cloud Migrations?   

Approximately half of all study respondents' workloads and data reside in a public cloud, according to the Flexera State of the Cloud Report 2022. The growth of cloud adoption has subsequently led to a growing number of concerns about the security of data during migration to the cloud. 

Here is a list of some of the security concerns that have been raised.

Vulnerabilities Associated With APIs 

Getting applications, data, and infrastructure working in harmony through application programming interfaces can pose a major risk to the security of cloud data. This is due to the way they transmit data back and forth. There may be a lack of sandbox protection for APIs, a lack of authentication and authorization controls, and excessive privileges granted to APIs. Whenever organizations migrate data to the cloud, they should take into consideration the vulnerabilities associated with such migrations. 

Blind Spots in Security 

A cloud infrastructure that does not have the necessary security features can also put cloud data at risk due to security blind spots. There are some challenges associated with cloud computing environments, such as the use of software-as-a-service applications to store sensitive data and the creation of shadow IT networks. Cloud migration can result in these potential vulnerabilities being exposed, and organizations should take precautions to mitigate the risks when migrating to the cloud.

Loss of Data is a Serious Issue

A final concern is the risk of data loss when migrating data to the cloud. There is also the possibility that this may happen if the cloud provider does not have robust security and data recovery measures in place. This is in case there is an incident related to data security. 

The Most Effective Ways to Secure Data in a Cloud Migration

In addition to the many potential security issues that can arise during a cloud migration, there are also several steps that your team can take to make sure that your data and applications are protected as well. During a cloud migration, there are seven tips you can use to ensure that your company's data is protected. 

Make Sure Your APIs are Secure

Whenever data is moved to the cloud, it is crucial to ensure that the APIs that control access to and between cloud applications and infrastructure are secured. This will ensure data continuity. A simple way to enhance API security is by using strong authentication and authorization controls. These controls protect APIs against malicious or automated attacks. In addition, they remove excessive privileges granted to users for connecting to APIs.

During the migration to the cloud, limit access to data. For businesses seeking to migrate their data to the cloud in a secure manner, they must restrict access to data, during the transfer process. To ensure that only authorized users will be able to access the data, you need to take multiple steps to ensure this happens. Steps that should be taken to achieve this goal include: 
  • Ensuring authentication and authorization rules at the user level are implemented and enforced 
  • A robust two-factor authentication process should be established 
  • The cloud provider provides built-in security policies 
  • Enabling encryption of all data before the transfer 

Financial Service API and Web Application Attacks are up by 257%

 



Various cyber security networks are publishing reports and providing data on various ongoing issues and every day there is a new addition of cyber threat and consequently to the security arsenal. However, managing the attack surface (vulnerabilities, attack vectors, etc) is the biggest challenge that modern society is witnessing. 

In today’s hybrid and multi-cloud environments, apps and APIs are potential targets that cyberhackers can and will exploit. Recently, CDN provider Akamai Technologies, Inc., has released new research in which they have disclosed that year-over-year 257% growth has been seen in web application and API attacks on financial service institutions. 

The report indicates a growing risk to the financial services sector and a shift to more advanced and sophisticated cyberattacks. The report also revealed that DDoS attacks on financial services institutions have grown by 22%. 

Furthermore, the study shows that cybercriminals are using techniques in their phishing campaigns to bypass two-factor authentication solutions. 

It is alarming that various institutions are collecting data on recent cybercrime, as we mentioned in the beginning. In this regard, Enemy at the Gates, published a report that revealed that roughly 80 percent of threat attackers aim their efforts at customers of financial services in an attempt to find paths of least resistance for monetary gain. 

“Companies have moved key infrastructure over to APIs, so the criminals are following the revenue. But on top of that, APIs are newer and, in many cases, don’t have the same level of maturity in security processes and controls, so are more vulnerable,” Steve Winterfeld, advisory CISO at Akamai said. 

Along with this, the company recommended a number of steps that enterprises can take to prevent API-driven threats. 
  • Institutions should invest in technologies to automatically discover, validate and catalog APIs, at the same time developing a security strategy that incorporates API security testing and API access control. 
  • Increasing transparency over what internal and third-party APIs are used for as it ensures that enterprises are in a position to start mitigating potential threats across the attack surface. 
  • Updating phishing defenses to counter the latest MFA attacks with FIDO2-compliant capabilities should be the priority for the institutions. 
“Finally, they are easier to automate attacks against as they are designed for automation. These factors combine to make APIs a smart place for attackers to focus. This is also why CISOs need to focus on them,” Winterfeld added.

APIs are Everywhere, but the Security is Lacking



With the gradual increase in the number of APIs (Application Programming Interface), spreading across the corporate infrastructure, API is also emerging as the largest attack surface in applications and a big target for threat actors and cyber attackers. 

According to industry experts, the increase in integrated web and mobile offerings that requires data exchange between products of multiple organizations and the reliability of mobile apps on APIs, has eventually led to growth, making API security a huge challenge for CIOs today.

A 2022 survey by 451 Research found that 41% of organizations surveyed had an API security incident in the last 12 months; 63% of respondents said the incident involved a data breach or loss. 

Consequently, cybersecurity startup Wib is looking to zero in on API security. Wib further announced a $16 million investment led by Koch Disruptive Technologies (KDT), the growth and venture arm of Koch Industries, Inc, with participation from Kmehin Ventures, Venture Israel, Techstars, and existing investors. 

Blocking API attacks in the network: 

According to a report by GigaOm research, API security products were developed before API use expanded to the extent seen today and “were based upon the idea that it is asking for failure to insist developers secure the code they write. The report added that “most developers do not knowingly create insecure code,” if they inadvertently develop code with vulnerabilities, most likely because they are unaware of what vulnerabilities an API might suffer from. 

“Once API security was in use, though,” the report said, “IT quickly discovered a new reason to use a security product: Some vulnerabilities are far easier blocked in the network than in each and every application.” 

The report inferred that the idea that it is more effective in blocking some attacks in the network, including data centers, cloud vendors, and SaaS providers — before access to the API occurs, has spurred demand for products that can do this. 

According to Wib, its API security platform aims at providing visibility across the entire API landscape, right from code to production. This would help unify software developers, cyber defenders, and CIOs around a single holistic view of their complete API domain. 

The platform could leverage real-time inspection, management, and control at every stage of the API lifecycle to automate inventory and API change management, according to the company. Wib was created to identify rogue, zombie, and shadow APIs and analyze business risk and impact, helping organizations reduce and harden their API attack surface. 

According to Gil Don, CEO, and co-founder of Wib, API has moved into the spotlight in the past years. “Organizations are using them as the basis of a new generation of complex applications, underpinning their move to competitive and agile digital business models,’’ says Don. 

A Whole New Category of Cyber Threat

Don explains that APIs account for 91% of all web traffic and they fit with the trend towards microservices architectures and the need to respond dynamically to rapidly changing market conditions. But APIs have given rise “to a whole new category of cybersecurity threats that explicitly targets them as a primary attack vector. Web API traffic and attacks are growing in volume and severity.” 

Over half of APIs are invisible to business IT and security teams. “These unknown, unmanaged, and unsecured APIs are creating massive blind spots for CIOs that expose critical business logic vulnerabilities and increase risk,’’ Don continues. 

On the other hand, GigaOm report called out Wib for its API source code scanning and analysis “with an eye toward API weaknesses.” Wib’s platform “provides automatic API documentation to create up-to-date documentation, as well as snapshots of changes to APIs and their risks every time they see a commit to code,” the report further read. 

As its operations grow across the Americas, UK, and EMEA, Wib says the investments will be used in order to improve its comprehensive API security platform and accelerate international growth.