We live in a world where only three things are certain: death, taxes and breaches.
Nearly every day, WhiteHat’s team of security researchers and executives are tapped to share their perspective and expertise with those reporting on the most high-profile cybersecurity issues that are continually shaping the industry’s landscape.
In this new monthly series, we’ll take a look back at the previous month through some of the most impactful news stories featuring commentary from WhiteHat.
Now, let’s dive into the news that made April 2021 such an eventful month:
APRIL 3: Business Insider reported that data and personal information of 533 million Facebook users from 106 countries, including more than 32 million records on users in the U.S., were posted for free in a hacking forum.
Security Magazine reached out to Setu Kulkarni, VP of Corporate Strategy and Business Development at WhiteHat Security, for his perspective after the exposure of millions of user phone numbers and enough additional profile information to identify an individual:
That very same day, it was reported that Intel was among those named in the state of Florida’s lawsuit against tech companies for allegedly using session replay software to track users’ activity: mouse movements, clicks, page visits, scrolling, tapping and other interactions.
Ray Kelly, Principal Security Engineer at WhiteHat Security, explained to Fox Business that nearly every website records user interaction analytics, and unless the data captured is able to be directly tied back to the plaintiff or personally identifiable information (PII) has been collected without consent, no GDPR laws have been broken.
General Data Protection Regulation (GDPR) states that collecting analytics is fine as long as it’s anonymous or the user explicitly gave consent to use their data, Kelly said.
APRIL 6: Security researchers at Onapsis, in coordination with SAP, released an alert warning that adversaries were actively executing attacks on known vulnerabilities within SAP systems that could ultimately cede full control of unsecured SAP applications to the hackers.
Speaking with Threatpost, Kulkarni pointed to recent WhiteHat research suggesting that independent software vendors (ISVs) and technology companies have an inordinately long window of exposure, leading to a lack of security rigor, as they may ultimately pass the security responsibility on to the companies using their technology:
APRIL 12: Less than two weeks after Facebook came under fire, Clubhouse suffered a similarly damaging exposure when the details of 1.3 million users were extracted through Clubhouse’s application programming interface (API) and posted on a hacking forum. The listing advertised each user’s ID, photo, username, Twitter name, Instagram name, follower count, number of accounts followed and account creation date.
Kulkarni was again one of the first security executives to comment on the breach, and his insight was featured across top publications covering the news including SiliconANGLE, Security Magazine and Security Boulevard.
APRIL 29: Perhaps the biggest story of an already eventful month surfaced when Krebs on Security reported independent security researcher Bill Demirkapi’s claim that the credit scores of almost every American were exposed through Experian Connect, an Experian API tool that lets lenders automate FICO-score queries. The tool was meant to be used only by lenders working with the Experian credit bureau; Demirkapi, however, claimed that one lender’s site left it reachable without basic security protections such as authentication.
Kulkarni chimed-in immediately following the news and was featured in Threatpost’s coverage of the high-profile breach:
While Experian fixed the vulnerability the following day, Kulkarni was asked to follow up on the news and provide deeper insight into the nature of the flaw for Security Magazine:
“If you look at the flaw, it was a basic authentication flaw – something that should have been contemplated during the design phase of the software. What is worse here is that there are API Management solutions that allow organizations to compensate for missing authentication in the APIs they want to make public. When two companies decide to integrate their applications, they should explicitly account for the risks both companies inherit — which are posed by insecurities in each other’s applications. If you are an organization looking to partner with other companies, API, web and mobile applications must be tested for security to avoid consequential loss due to security vulnerabilities on the part of a strategic partner. Similar to how we view the spreading virus, it is possible to unintentionally infect your friend or your organizational partner if you do not take the necessary precautionary steps of testing and protecting your applications. Prioritize the requirement for application security assessment with your partners when you are executing on your growth strategy with them.”
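The compensating control Kulkarni describes, an API management layer placed in front of an API that never implemented authentication of its own, is easy to show in a few dozen lines. The following is an added example written for this roundup; it is not WhiteHat, Experian or Experian Connect code, and the partner names, shared secrets, header names, score values and frozen clock are all constructed for illustration. The backend handler answers anyone who can reach it, which is the class of flaw the Experian story describes; the gateway wrapper requires each partner to HMAC-sign the path, timestamp and parameters, rejects stale timestamps, and compares signatures in constant time before the backend ever runs.

```python
"""Added example: an unauthenticated lookup API and a gateway that compensates.

Not WhiteHat's or Experian's code. Partner names, keys, header names and the
score data are constructed for illustration only.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample records standing in for a credit-score backend.
_SCORES = {"0001": 712, "0002": 655, "0003": 790}


@dataclass
class Request:
    path: str
    headers: Dict[str, str]
    params: Dict[str, str]


@dataclass
class Response:
    status: int
    body: dict


def score_lookup(req: Request) -> Response:
    """The vulnerable backend: nothing here checks who the caller is, so
    anyone who can reach the handler can enumerate every record."""
    subject = req.params.get("subject", "")
    if subject not in _SCORES:
        return Response(404, {"error": "unknown subject"})
    return Response(200, {"subject": subject, "score": _SCORES[subject]})


# Hypothetical per-partner shared secrets, as a gateway would hold them.
PARTNER_KEYS = {"lender-a": b"constructed-secret-for-lender-a"}
MAX_SKEW_SECONDS = 300  # reject requests whose timestamp is older than this


def sign_request(partner: str, key: bytes, path: str, ts: int,
                 params: Dict[str, str]) -> Dict[str, str]:
    """Client side: build the headers the gateway expects. The MAC covers
    the path, timestamp and (canonicalised) parameters, so changing any of
    them invalidates the signature."""
    canon = f"{path}\n{ts}\n{json.dumps(params, sort_keys=True)}".encode()
    mac = hmac.new(key, canon, hashlib.sha256).hexdigest()
    return {"X-Partner": partner, "X-Timestamp": str(ts), "X-Signature": mac}


def gateway(backend: Callable[[Request], Response],
            now: Optional[int] = None) -> Callable[[Request], Response]:
    """Wrap an unauthenticated handler so every call is authenticated and
    bound to a named partner before the backend runs. `now` freezes the
    clock for testing; production uses the real time."""
    def handle(req: Request) -> Response:
        partner = req.headers.get("X-Partner", "")
        key = PARTNER_KEYS.get(partner)
        if key is None:
            return Response(401, {"error": "unknown partner"})
        try:
            ts = int(req.headers.get("X-Timestamp", ""))
        except ValueError:
            return Response(401, {"error": "bad timestamp"})
        current = now if now is not None else int(time.time())
        if abs(current - ts) > MAX_SKEW_SECONDS:
            return Response(401, {"error": "stale request"})
        expected = sign_request(partner, key, req.path, ts, req.params)["X-Signature"]
        # compare_digest avoids leaking the match position through timing.
        if not hmac.compare_digest(expected, req.headers.get("X-Signature", "")):
            return Response(401, {"error": "bad signature"})
        return backend(req)
    return handle


def demo() -> Dict[str, int]:
    """Exercise the exposed backend and the guarded one; returns status codes."""
    fixed_now = 1_700_000_000  # frozen clock so the run is deterministic
    guarded = gateway(score_lookup, now=fixed_now)
    params = {"subject": "0002"}
    exposed = score_lookup(Request("/score", {}, params))       # no gateway: leaks
    anonymous = guarded(Request("/score", {}, params))           # no credentials
    hdrs = sign_request("lender-a", PARTNER_KEYS["lender-a"], "/score", fixed_now, params)
    signed = guarded(Request("/score", hdrs, params))            # valid partner call
    tampered = guarded(Request("/score", hdrs, {"subject": "0003"}))  # reused MAC
    stale = gateway(score_lookup, now=fixed_now + 3600)(Request("/score", hdrs, params))
    return {"exposed": exposed.status, "anonymous": anonymous.status,
            "signed": signed.status, "tampered": tampered.status, "stale": stale.status}


if __name__ == "__main__":
    print(demo())
```

The check that matters operationally is the one this example cannot show: a gateway only compensates for a missing check if the backend is reachable through nothing else. If the unauthenticated handler is also exposed on a lender's site, as the Experian report describes, the gateway is bypassed and the flaw is still live, which is why the quote pushes testing of the partner's application rather than relying on the management layer alone.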