Two Frightening Zero-Day Exploits to Make Sure You Never Sleep Again


How bad can a zero-day exploit get? As it turns out, pretty freaking terrible.

Zero-day exploits are vulnerabilities in applications, firmware, and operating systems that are exploited before even the original developer of the targeted platform is aware of the problem. As such, the problem can be exploited before any fix can even be created, much less distributed.

These exploits can then be used to do any number of things, depending on their nature. Some zero-days only allow basic access to systems with limited importance and no actionable intelligence. Others, well, they can be both critically important and disturbingly insidious. As far as the “importance” part goes, you’re talking about command and control; complete access to an ecosystem. But it’s the “insidious” part that makes the topic for today particularly interesting.

These two zero-day exploits do not require the victim to do anything for the attack to succeed. No link to click on, no image to download. All that needs to happen is for the cybercriminal to initiate the attack, and there’s nothing you can do about it.

How do you know if you’re vulnerable? Check out the podcast to find out. (FYI, one of the vulnerable systems is currently installed in a significant number of cars worldwide.)

For more information, resources, and a full transcript of this episode, check out the original post.

3 API Best Practices You Need to Start Using Immediately


In today’s fast-paced digital landscape, APIs have become the backbone of software integration and innovation. With an ever-increasing reliance on APIs, the need for robust security measures and the use of API Best Practices has never been more critical. As T-Mobile demonstrated recently, the breach of an API can be catastrophic – 37 million users’ data… gone!

In this episode, we discuss essential strategies and techniques to help you build a solid foundation for secure API development. You’ll learn about key principles like the importance of authentication, authorization, and ensuring data privacy in every API interaction.

3 API Best Practices

First, we discuss how to limit a threat actor’s access to your system before they even have the chance to breach your defenses. If cybercriminals are unable to even find the API, you have negated their ability to use it as a tool against you.

Next, we explore how to protect sensitive data transmitted through APIs, emphasizing the need for encryption, both in transit and at rest. We discuss the benefits of using SSL/TLS encryption and offer practical tips for managing and rotating your API keys to prevent security vulnerabilities.

Finally, we touch upon the topic of rate limiting and logging, and their crucial role in maintaining API security. You’ll discover how rate limiting can protect your APIs from DDoS attacks and prevent abuse, while ensuring optimal performance and availability for legitimate users, and how proper logging will keep you apprised of improper use.

This podcast episode is a must-listen for developers, IT professionals, and anyone involved in creating or managing APIs. Don’t miss this opportunity to enhance your understanding of API security best practices and build a more secure foundation for your digital endeavors. Tune in now and stay ahead of the curve in the ever-evolving world of API security!

For more information, resources, and a full transcript of this episode, check out the original post.

APIs – A Powerful, Versatile Tool and Your Achilles Heel, All in One


T-Mobile recently announced that hackers had breached their systems and stolen the records of 37 million customers. While the records apparently didn’t include financial information, enough personal information was taken to create significant risks for the victims.

How did the hackers gain access to T-Mobile’s data? They were able to get in by exploiting T-Mobile’s Application Program Interface, or API. APIs are everywhere, and you use them all the time. They’re incredibly popular among software development companies, and they’re incredibly useful.

They’re also very popular with hackers, with API exploits increasing by over 600% in the past year. So, you really need to know about APIs, particularly why they are so popular, and how they can be secured.

In this episode, we discuss:

  • How APIs connect different programs and applications;
  • The different types of APIs that you are most likely to interact with;
  • The reasons that APIs are so popular among programmers and software developers; and
  • The reasons APIs commonly contain major vulnerabilities that make them such a popular target for hackers.

For more information, resources, and a full transcript of this episode, please check out the original post.

The LastPass Breach: 3 Steps You Need to Take Immediately [Podcast]


In August of 2022, LastPass announced that they had been the victim of a cyberattack. The hackers had penetrated their security and stolen some company information, including source code. But, they assured the world, no customer information had been accessed. Fast forward to November 30, and LastPass issued another statement: there had been another breach, and this time, some customer information appeared to have been accessed.

But nothing further. Until December 22, as everyone was leaving for the holidays. LastPass announced that this most recent breach (separate and distinct from the original breach, but likely by the same actors and using information stolen in the first breach) was bad. It turns out that the customer data that had been taken was, well, all of it. The hackers had stolen an entire backup of every user’s vault. Fortunately, LastPass said, the hackers did not have the decryption keys, which meant that the information in the vaults should be reasonably safe.

Except, as it turns out, even that statement of reassurance by LastPass wasn’t exactly… honest.

In this episode of the Fearless Paranoia podcast, we discuss what happened in the LastPass breach, including how the hackers appeared to gain access to LastPass’s user backups, and what kind of information they took. We also discuss what this breach means for LastPass users in general, and provide three things all LastPass users absolutely need to do immediately to keep themselves safe. Check out the episode:

For more information, resources, and a transcript of this episode, check out the original post.

Eufy’s Blunder – Don’t Promise what You Don’t Provide [Podcast]


Eufy made a name for itself as a video baby monitor company that provided peace of mind – in the form of top-of-the-line security to protect your privacy. It turns out their promises were more than a little bit hollow. When you promise things like end-to-end, military-grade encryption; when you promise things like no data stored in the cloud; when you promise things like only your device has access – those are all major security promises.

When you make those promises about a video baby monitor – one that not only involves a one-way video feed of your child sleeping, but a two-way audio feed (meaning you can talk to your baby from the other room), you had freaking well better know what you’re talking about! And when you’re given information that your security is falling short of those promises by a security researcher, maybe take them seriously.

Oh, and incredibly important extra point here – when a respected tech journal calls and asks for a comment, don’t flatly deny the existence of the problem and then disappear.

Those are all things that happened to Eufy, a subsidiary of the company Anker, this week. It’s bad.

For more information, resources, and a transcript of this episode, check out the original post.

8 Lessons from the Uber Hack [Podcast]


So, right from the start, let’s clarify – this is about the Uber hack that occurred (or was discovered/publicized) in September of 2022. In fact, it was a rather unique breach of an oft-breached company. The hacker who breached Uber appears to have used very basic phishing techniques to initially gain access, and then took advantage of – well, I guess you could say the need people have for human communication – to get a remarkable level of access within the company.

It appears that he didn’t steal anything, didn’t seek to make any money. In fact, he documented the breach and then told the world about it.

So how did this person manage to exploit the internal systems of a company that should have some remarkable security – given how much personal information they have on millions and millions of people? We discuss that and more in today’s episode:

For more information, resources, and a transcript of this episode, check out the original post.
