Industry Observations

Monthly AppSec News Round Up — September 2021 Edition

September marks the end of summer and the start of another school year. With some schools continuing to focus on providing remote learning environments this fall due to the spreading COVID-19 Delta variant, the education sector is becoming a more frequent target for hackers.

NTT Application Security continues to be at the forefront of these conversations, sharing their unique viewpoint and giving critical insight on the topics shaping the cybersecurity landscape.

Below is a peek into some of the events that impacted the security industry in September 2021:

Sept. 2 – SpyFone & CEO Banned from Stalkerware Biz

The Federal Trade Commission (FTC) kicked off September’s security news by kicking spyware maker SpyFone — which it described as “a stalkerware app that allowed purchasers to surreptitiously monitor photos, text messages, web histories, GPS locations, and other personal information of the phone on which the app was installed without the device owner’s knowledge” — and its CEO out of the surveillance business.

According to Threatpost, the FTC slammed SpyFone, calling it a stalkerware app that sold real-time access to “stalkers and domestic abusers to stealthily track the potential targets of their violence.” It added that SpyFone also failed to provide even basic security, exposing device owners “to hackers, identity thieves, and other cyber threats.”

Ray Kelly, principal security engineer at app security provider NTT Application Security, observed to Threatpost that, while rooting a device is common for Android users who want to sideload apps to avoid the Google Play store, once a phone’s rooted, “all bets are off as far as security goes for the user.”

Kelly noted that the breach was a “double whammy”: it occurred “when SpyFone was breached to steal the information that they, themselves, were stealing from users,” he said in an email.

Sept. 10 – HAProxy found vulnerable to critical HTTP request smuggling attack

On Sept. 10, Security Magazine reported that a critical security vulnerability had been disclosed in HAProxy — a multi-purpose, software-based infrastructure component that can fulfill several networking functions including load balancer, delivery controller, SSL/TLS termination, web server, proxy server and API mediator — that could be abused by an adversary and possibly result in unauthorized access to sensitive data and execution of arbitrary commands.

Setu Kulkarni, Vice President, Strategy at NTT Application Security, told the publication that with this vulnerability, adversaries who access the code could run static application security tests to determine weaknesses. Once they’ve found a potential vulnerability to exploit, they can execute large-scale attacks.

Kulkarni added, “In the case of HAProxy, the key is to upgrade to the latest version of the software package where the vulnerability has been fixed – the burden of this task has to be shared equally by DevOps, SecOps and RunOps teams to ensure that the system continues to remain operational as a critical component as HAProxy is being upgraded.”

Sept. 16 – IBM report finds two-thirds of cloud breaches traced to misconfigured APIs

Demonstrating the critical importance of securing the software supply chain, a new report from IBM Security X-Force published in September found that two-thirds of cloud breaches can be traced to misconfigured application programming interfaces.

“APIs are fast becoming the technical basis for both B2B and B2C business models,” Setu Kulkarni, vice president of strategy at application security company NTT Application Security, told SiliconANGLE. “As such, when APIs are developed and deployed, there is really no way to estimate all the possible places the APIs are going to get used. APIs are silently but rapidly becoming one of the most critical pieces of the software supply chain. Organizations are now one vulnerable API call away from a potential major breach.”

Kulkarni explained that an underlying challenge that is often obscured is that APIs today are facades to legacy systems that were never designed to be online or used in an integrated business-to-business or business-to-consumer setting.

“By creating an API layer, these legacy transactional systems are enabled to participate in digital transformation initiatives,” Kulkarni noted. “This pattern of API enablement of legacy systems creates security issues which otherwise would not have been issues in the controlled trusted zones the legacy systems were designed to operate in.”

Sept. 23 – Education cybersecurity: K-12 schools get a mixed report card

In September’s AppSec Stats Flash report, the NTT Application Security research team focused on cyberthreats targeting education applications as security concerns in that sector continue to grow with the school year starting.

ZDNet covered the report’s findings, noting that accelerated online learning environments due to the pandemic and considerable rates of ransomware and phishing attacks against K-12 schools have increased focus on the unique cybersecurity challenges these organizations face.

According to the report, although the education sector’s breach exposure has remained relatively consistent this year, it’s taking longer to fix high severity vulnerabilities compared to other industries (206 days vs 201 days).

Setu Kulkarni, vice president of strategy at NTT Application Security, told ZDNet the education sector showed a positive trend as far as window of exposure (WoE) is concerned.

“As we completed the research, it was surprising to see that less than 50%, actually only 46% of the critical vulnerabilities are ever fixed. That’s a shockingly low remediation rate, but that’s only half of the story. For those 46% of the vulnerabilities that get remediated, on average it takes over 200 days to fix a critical vulnerability once an organization decides to address the vulnerability,” Kulkarni explained.

“Those two factors are majority contributors to the high breach exposure for applications — that is, applications have an unacceptable WoE to attacks. Moreover, the mix of serious vulnerabilities has remained constant over time and that means, the attackers do not have to try too hard.”

Sept. 30 – Popular Android apps with 142.5 million collective installs leak user data

To close out the month, CyberNews security researchers found that 14 top Android apps, downloaded by more than 140 million people in total, are leaking user data due to Firebase misconfigurations. Exposed data potentially includes users’ names, emails, usernames, and more.

Ray Kelly, Principal Security Engineer at NTT Application Security, observed to CyberNews that finding basic Firebase misconfigurations in highly successful Android apps is somewhat surprising. You’d think that apps topping the Google Play charts in their respective categories would at least have put basic security measures in place. After all, Firebase real-time databases are configured with no access permissions by default.

“It’s up to the developer to add permissions as needed,” Kelly told CyberNews. “So, why would a developer decide to make the database completely open? Because it’s easy. Oftentimes, developers will take the easy route while coding their apps. Simply opening up the database will certainly speed up their process.”
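The "completely open" database Kelly describes is a one-line rules choice. The following is an added illustration, not code from the article, CyberNews, or any of the apps in the report: it shows a Firebase Realtime Database rule set that is open to the world beside one scoped to the authenticated user, plus a small audit helper (`auditRules`, my own name and logic, not a Firebase API) that walks a rules document and reports every path where read or write access is unconditionally true. The rule sets are constructed for illustration; the rule syntax follows Firebase's documented JSON format.

```javascript
// Added example: Firebase Realtime Database rule sets and a rules audit.
// The rule documents below are constructed for illustration; auditRules()
// is a hypothetical helper written for this example, not a Firebase API.

// Weak configuration: anyone on the internet can read and write the
// entire database. In Firebase rules, a permission granted at a node
// cascades to every child node, so this exposes everything.
const openRules = {
  rules: {
    ".read": true,
    ".write": true,
  },
};

// Partially open configuration: the root is locked, but one subtree is
// world-readable. Whether that is acceptable depends on what lives there.
const partiallyOpenRules = {
  rules: {
    ".read": false,
    ".write": false,
    public: {
      ".read": true,
    },
  },
};

// Hardened configuration: nothing is accessible at the root, and each user
// can only read and write the record keyed by their own auth uid.
const scopedRules = {
  rules: {
    ".read": false,
    ".write": false,
    users: {
      $uid: {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid",
      },
    },
  },
};

// Recursively collect every path whose .read or .write is the literal
// boolean true or the string "true" (Firebase treats both as unconditional).
// Conditional string expressions are not flagged; they still deserve review,
// but they are not the "wide open" case this audit is looking for.
function findOpenPaths(node, path) {
  const findings = [];
  for (const [key, value] of Object.entries(node)) {
    if ((key === ".read" || key === ".write") && (value === true || value === "true")) {
      findings.push(`${path} ${key}`);
    } else if (value !== null && typeof value === "object") {
      const childPath = path === "/" ? `/${key}` : `${path}/${key}`;
      findings.push(...findOpenPaths(value, childPath));
    }
  }
  return findings;
}

// Entry point: takes a full rules document ({ rules: {...} }) and returns
// the list of unconditionally open "<path> <permission>" entries.
function auditRules(doc) {
  if (!doc || typeof doc.rules !== "object" || doc.rules === null) {
    throw new Error("rules document must have a top-level 'rules' object");
  }
  return findOpenPaths(doc.rules, "/");
}

// Stand-alone run: print findings for each rule set.
for (const [name, doc] of Object.entries({ openRules, partiallyOpenRules, scopedRules })) {
  const open = auditRules(doc);
  console.log(`${name}: ${open.length === 0 ? "no unconditionally open paths" : open.join(", ")}`);
}
```

Running the audit against the three rule sets reports both root permissions as open for `openRules`, only `/public .read` for `partiallyOpenRules`, and nothing for `scopedRules`. The same walk can be pointed at a rules file exported from a project to catch the default-open pattern before it ships.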