Attack on Unauthenticated API Endpoint at Optus, CISA's Warning on Cyber Risk, and Another Perspective on the Uber Hack
This week witnessed an API endpoint attack at Optus. Optus is an Australian telecommunications company headquartered in New South Wales. It is the second-largest wireless carrier in Australia, with 10.5 million subscribers. We also see another perspective on the Uber hack from Bruce Schneier, and the CISA executive director, Brandon Wales, says boards need to push their companies to invest more in digital defense, adding that insurers and shareholders will be exerting pressure as well.
*Originally reported by ISMG’s Data Breach Today
As ISMG reported, “the data breach, which ranks as one of the country’s largest ever, is under investigation by the Australian Federal Police. Optus, which is a subsidiary of the Singaporean telecommunications conglomerate Singtel Group, detected it on Sept. 21.
“Early Saturday, a person going by the nickname ‘Optusdata’ published two samples of the purported stolen data on a well-known data leak forum. The attacker writes that Optus can prevent the sale of the data to other cybercriminals if it pays $1 million in the Monero cryptocurrency.”
Take Note: The Data Breach Source was an Unauthenticated API
The Australian broadcaster ABC reported on Friday a possible cause for the breach. The ABC quoted a “senior figure” inside Optus who said that an API for an Optus customer identity database was opened to a test network that “happened to have internet access.” APIs are software interfaces that allow systems to exchange data, but they could pose risks of data breaches if exposed directly to the internet.
This incident speaks directly both to the lack of visibility into and discovery of APIs, and to a limited (or missing) API protection solution that would immediately identify unauthenticated APIs and block potential attacks or misuse. An API that reaches the internet through a test network is exactly the kind of endpoint that never appears in a hand-maintained inventory, so discovery has to be continuous rather than a one-time exercise.
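The check below is an added example for this post (it is not Traceable's code and does not describe Optus's actual API). It audits an OpenAPI 3 document for operations that end up with no enforceable authentication requirement: an operation that overrides the global `security` list with an empty one, a requirement object that is empty (which OpenAPI treats as "anonymous allowed"), or a requirement that references a security scheme the document never defines. The spec is a constructed sample; the endpoint names, the `bearerAuth` and `testKey` scheme names and the `api.example.test` host are assumptions made up for illustration.

```python
"""Flag operations that an OpenAPI 3 document leaves without enforceable authentication.

Added example for this post; not Traceable's code and not a description of any
real API. SAMPLE_SPEC below is constructed for illustration only.
"""
from typing import Any

# HTTP methods that may appear as operations under a path item
HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}

# Constructed sample: a customer-identity API (hypothetical) whose lookup
# endpoint has been published with authentication explicitly switched off.
SAMPLE_SPEC: dict[str, Any] = {
    "openapi": "3.0.3",
    "info": {"title": "Customer Identity API (constructed sample)", "version": "1.0"},
    "servers": [{"url": "https://api.example.test"}],      # assumed host
    "security": [{"bearerAuth": []}],                        # global default for every operation
    "components": {
        "securitySchemes": {"bearerAuth": {"type": "http", "scheme": "bearer"}}
    },
    "paths": {
        "/customers/{id}": {
            "parameters": [{"name": "id", "in": "path", "required": True,
                            "schema": {"type": "integer"}}],
            "get": {
                "summary": "Fetch a customer record",
                "security": [],                  # explicit override: no auth at all
                "responses": {"200": {"description": "customer"}},
            },
            "delete": {
                "summary": "Delete a customer record",
                "responses": {"204": {"description": "deleted"}},   # inherits bearerAuth
            },
        },
        "/health": {
            "get": {"responses": {"200": {"description": "ok"}}},    # inherits bearerAuth
        },
        "/internal/export": {
            "get": {
                "security": [{"testKey": []}],   # references a scheme that is never defined
                "responses": {"200": {"description": "dump"}},
            },
        },
    },
}


def _effective_security(spec: dict[str, Any], operation: dict[str, Any]) -> list[dict]:
    """Per-operation `security` replaces the global list entirely (OpenAPI 3 semantics)."""
    return operation.get("security", spec.get("security", []))


def find_unauthenticated_operations(spec: dict[str, Any]) -> list[str]:
    """Return 'METHOD /path' for every operation with no enforceable security requirement.

    A requirement list is enforceable only if at least one alternative is
    non-empty and every scheme it names is defined under components.
    """
    defined = set(spec.get("components", {}).get("securitySchemes", {}))
    findings: list[str] = []
    for path, item in spec.get("paths", {}).items():
        for method, operation in item.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level keys such as "parameters" or "summary"
            requirements = _effective_security(spec, operation)
            enforceable = any(
                req and all(name in defined for name in req) for req in requirements
            )
            if not enforceable:
                findings.append(f"{method.upper()} {path}")
    return findings


if __name__ == "__main__":
    for finding in find_unauthenticated_operations(SAMPLE_SPEC):
        print("unauthenticated operation:", finding)
```

Running this against the sample reports `GET /customers/{id}` (security deliberately emptied) and `GET /internal/export` (requirement points at an undefined scheme), while `DELETE /customers/{id}` and `GET /health` pass because they inherit the global bearer requirement. In practice the same function would be run over the specs your gateway or discovery tooling actually observes, not only the ones developers remember to check in, since the Optus account is precisely about an endpoint nobody thought was reachable.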
More Details and Perspectives on the Uber Hack
In Bruce Schneier’s New York Times article, The Uber Hack Exposes More Than Failed Data Security, he gives another perspective on the Uber hack, and outlines that in many cases, security is still simply an afterthought. Oftentimes, especially for high-tech startups, the priority is customer acquisition and aggressive growth, to remain in business if and when the venture capital funding runs out. Anything that isn’t considered absolutely necessary to that goal is typically left out.
Schneier points out that this approach ultimately amounts to an organizational failure to prioritize data security, which in most cases leads to significant loss of sensitive data. This has deeper implications not only for the security of all personal data but also for national security.
The Wall Street Journal recently reported that pressure is mounting to treat cyber threats as a core aspect of business risk. This is closely related to Schneier's NYT article discussed above: it is about establishing the right priorities, or else suffering the consequences.
As the WSJ reported, “the U.S. Securities and Exchange Commission proposed that companies be required to disclose detail on board members’ cyber expertise and how often the board addresses cybersecurity.
Already, critical infrastructure operators such as financial services firms and pipelines must comply with government-mandated cybersecurity requirements. But eventually a combination of forces will push all publicly traded companies to invest in cybersecurity, Mr. Wales said: Insurers will require certain practices and tools for companies to get coverage, while shareholders will demand them, he added.”
“Businesses face growing hacking risks, yet cybersecurity still isn’t as ingrained in corporate thinking as it needs to be”, said Brandon Wales, the agency’s executive director, speaking on Tuesday at the Wall Street Journal’s CIO Network Summit. “This needs to be driven at the board level,” he said. “You don’t want to start thinking about cybersecurity after your network has been brought down by a ransomware operator.”
Bonus: Article by David Colombo, “How I got access to 25+ Teslas around the world. By accident. And curiosity.”
As a bonus, we decided to include this fascinating article written by David Colombo about hacking into 25+ Tesla electric cars. Colombo is a cybersecurity expert and thought leader who, back in January of this year, wrote a Medium article about how he was able to hack over 25 Teslas, ultimately showing readers why the automotive ecosystem needs to be more secure.
Colombo was able to run remote commands such as “disable Sentry Mode”, “unlock the doors”, “open the windows” and even “start Keyless Driving”. He includes an entire presentation of his findings in the article.
Traceable is the industry’s leading API security platform that identifies APIs, evaluates API risk posture, stops API attacks, and provides deep analytics for threat hunting and forensic research. With visual depictions of API paths at the core of its technology, its platform applies the power of distributed tracing and machine learning models for API security across the entire software development lifecycle. Book a demo today.