Scammers and hackers are exploiting the confusion around Twitter’s new CEO Elon Musk’s plans for paid blue ticks on the platform. They are sending phishing emails disguised as official Twitter notices and luring users into sharing their details. This post covers the details of such phishing schemes.
Twilio has suffered a second attack, leading to the compromise of its former and current employee accounts and the loss of sensitive customer information. This text shares the details of the attack, how it happened, whether it is over, whether customers are safe, how Twilio is dealing with it, and what organizations could learn from the cyberattack.
While there are various types of data breaches, one can always attribute them to a vulnerability or a security posture gap that cybercriminals exploit to gain access to the organization’s systems. Here are this week’s phishing-related news headlines, so you can plug the vulnerabilities and prevent cybersecurity breaches.
The OpenAPI specification has grown popular in the past few years, especially for documenting and describing APIs. This is fueled by the many benefits the specification offers to organizations.
Some of the notable benefits include the support the specification gets from different API management tools and the fact that organizations can generate specifications and documentation from the client side easily.
OpenAPI describes an API with JSON objects rather than XML elements; a schema fixes their contents, ordering, and naming. The resulting JSON file describes every part of the API in a standard format.
What is the OpenAPI Specification?
Formerly known as the Swagger Specification, the OpenAPI specification is an API description format for REST APIs. With an OpenAPI file, organizations can describe their APIs. The description includes things such as:
All the available methods such as POST and GET, and endpoints such as URLs.
Apart from using the specification to document their APIs, organizations can also use it to generate client code and the required documentation. The good news is that most API management tools support the OpenAPI specification, which makes APIs easy not only to create but also to maintain.
Some main components you will find with the OpenAPI specification include security, responses, parameters, and paths. Each of these components holds arrays and properties as JSON objects.
The info field holds the description, contact, license, document version, and the other general information about the API. The servers field, on the other hand, describes the endpoints (server URLs) at which the API is available.
An API can be defined as a computing interface that allows applications to communicate and share information. As APIs have grown in popularity, their security has become one of the biggest concerns for organizations: cybercriminals target organizations through APIs to steal the information and data those APIs access.
Here are a few important security facts you need to know about the OpenAPI specification:
Where Security is Defined in OpenAPI Specification
You can define security in three different places in the OpenAPI specification. These are:
Under #/security
This is the default place where security is defined in the OpenAPI specification. Each entry here must reference a named security scheme that is defined under #/components/securitySchemes.
If you do not define security under #/security, or it is an empty object, then your API is not secured by default. This is common with small APIs whose few endpoints are open to most users; such APIs instead define security on the specific operations that need it.
Under #/components/securitySchemes
This is where you define the security options available to your API. Smaller APIs normally have a single option. You can choose any key name you want; that name is what you reference from anywhere else in the specification.
The type parameter, however, is required. It is one of oauth2, http, apiKey, or the newer openIdConnect and mutualTLS. All the other parameters depend on the type used.
Under Certain Operations
Finally, you can set OpenAPI security on individual operations. Again, you reference a scheme of type oauth2, http, apiKey, or the newer openIdConnect and mutualTLS, but this time under a specific operation on a specific path.
If an operation does not define its own security, the API falls back to the top-level security defined under #/security; an operation-level definition overrides it. This is important for APIs whose operations need different security parameters.
OpenAPI 3.0 Security Features
OpenAPI 3.0 has a dedicated part of the document, the security schemes, where you declare all security definitions. The OpenAPI specification standardizes how every part of the document is declared.
This ensures that anything declared in the security schemes can be reused across different paths without problems. In OpenAPI 2.0, shared components were left to the developers; in OpenAPI 3.0, all of them live under the components key.
In addition, OpenAPI 3.0 supports OpenID Connect, and organizations can include the different OAuth2 flows in their security definitions. This is one of the most popular functionalities today.
OpenAPI 2.0 Security Features
The OpenAPI 2.0 specification has a section dedicated to declaring all the security requirements and features used in your API. These security features can be referenced anywhere in the API’s operations and paths.
It also supports a security definition of type basic, which is the older plain HTTP Basic authentication format.
Unfortunately, you will not find other built-in security features in OpenAPI 2.0. You cannot even define custom security definitions without using extensions provided by external vendors.
Even though this is enough for most API security requirements, it may not work well for some special cases. Understanding the security features of both OpenAPI 2.0 and 3.0 is vital to making sure that your APIs are secure.
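The resolution rule described under “Where Security is Defined” (operation-level security overrides the top-level #/security, and a missing or empty requirement means the operation is unauthenticated) and the difference in where the two specification versions keep their scheme definitions (#/securityDefinitions in 2.0, #/components/securitySchemes in 3.x) are easy to audit mechanically. The following Python is an added example, not code from the article: it walks a parsed OpenAPI document, computes the effective security of every operation, and reports public operations, references to undefined schemes, and schemes that rely on HTTP Basic. The two sample documents (SPEC_V3, SPEC_V2), their paths, and the scheme names are constructed for the example and do not describe any real API.

```python
"""Audit the effective security of each operation in an OpenAPI 2.0 or 3.x
document (constructed example; not part of the original article)."""

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}


def scheme_definitions(spec):
    """Return the named security schemes, wherever this spec version keeps them."""
    if "swagger" in spec:                                   # OpenAPI 2.0
        return spec.get("securityDefinitions", {})
    return spec.get("components", {}).get("securitySchemes", {})   # OpenAPI 3.x


def effective_security(spec, path, method):
    """Security requirements that apply to one operation.

    An operation-level 'security' key overrides the top level, even when it is
    an empty list (which explicitly makes the operation public). Otherwise the
    top-level #/security applies; if that is absent, nothing applies.
    """
    operation = spec["paths"][path][method]
    if "security" in operation:
        return operation["security"]
    return spec.get("security", [])


def audit(spec):
    """Return findings as (path, method, message) tuples."""
    defined = scheme_definitions(spec)
    findings = []
    for path, item in spec.get("paths", {}).items():
        for method in item:
            if method not in HTTP_METHODS:                  # skip 'parameters', 'summary', ...
                continue
            requirements = effective_security(spec, path, method)
            if not requirements:
                findings.append((path, method, "no security requirement (public)"))
                continue
            for requirement in requirements:                # each dict is one alternative
                for name in requirement:
                    scheme = defined.get(name)
                    if scheme is None:
                        findings.append((path, method, f"undefined scheme '{name}'"))
                    elif scheme.get("type") == "basic" or scheme.get("scheme") == "basic":
                        # 2.0 'type: basic' or 3.x 'type: http, scheme: basic'
                        findings.append((path, method, f"scheme '{name}' uses HTTP Basic"))
    return findings


# Constructed OpenAPI 3.0 sample: top-level API key, one public operation,
# one operation needing an OAuth2 scope, and one typo'd scheme reference.
SPEC_V3 = {
    "openapi": "3.0.3",
    "info": {"title": "Orders API (constructed sample)", "version": "1.0.0"},
    "security": [{"ApiKeyAuth": []}],                       # #/security default
    "components": {"securitySchemes": {
        "ApiKeyAuth": {"type": "apiKey", "in": "header", "name": "X-API-Key"},
        "OAuth2": {"type": "oauth2", "flows": {"clientCredentials": {
            "tokenUrl": "https://auth.example.invalid/token",
            "scopes": {"orders:admin": "manage orders"}}}},
    }},
    "paths": {
        "/health": {"get": {"security": []}},               # explicitly public
        "/orders": {"get": {}},                             # inherits ApiKeyAuth
        "/admin/orders": {"delete": {"security": [{"OAuth2": ["orders:admin"]}]}},
        "/legacy": {"get": {"security": [{"LegacyToken": []}]}},   # never defined
    },
}

# Constructed OpenAPI 2.0 sample: Basic auth and no top-level security at all.
SPEC_V2 = {
    "swagger": "2.0",
    "info": {"title": "Legacy API (constructed sample)", "version": "0.9"},
    "securityDefinitions": {"basicAuth": {"type": "basic"}},
    "paths": {
        "/reports": {"get": {"security": [{"basicAuth": []}]}},
        "/ping": {"get": {}},                               # nothing to inherit: public
    },
}

if __name__ == "__main__":
    for label, spec in (("v3", SPEC_V3), ("v2", SPEC_V2)):
        for path, method, message in audit(spec):
            print(f"[{label}] {method.upper()} {path}: {message}")
```

In practice you would load the document with json.load or a YAML parser instead of embedding it; the audit does not change. Treating an empty operation-level list as deliberately public while an absent top-level key is flagged the same way keeps the review focused on what matters: every operation either names a defined scheme or is consciously unauthenticated.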
In today’s evolving threat landscape, attackers are strengthening their social engineering efforts using human-centric activities. Follow this article to know how negligent actions led cybercriminals to one of the biggest automakers worldwide, Toyota’s server.
Taking cybercriminals lightly is no longer an option with the evolving threat landscape. One needs to be aware of what they are up to, to avoid becoming their victim. To that end, here are this week’s phishing and data breach headlines.
Individuals in the United Kingdom are being targeted by sophisticated phishing campaigns that go after finances and personal details, taking advantage of the rising cost of living and post-COVID changes. This article delves into the latest UK phishing campaign, shares key statistics, explains how fraudsters target Brits, and covers how to protect against phishing.
Airline giant American Airlines released a data breach notification informing about a breach that compromised the accounts of its employees. This article shares details of the data breach, the information that was leaked, how American Airlines is dealing with it, and what employees can do to protect themselves.
This article delves into the recent Mailchimp security breach and how it affected DigitalOcean users. Additionally, it discusses the factors that contributed to the breach, the actions that were carried out to address it, and some key takeaways from the incident.
Taking advantage of how Windows handles Dynamic Link Libraries (DLLs), attackers are creating a malicious version of DLLs required by the program and infecting victims’ computers. Read on to know how it happens and ways you can protect yourself.
After hitting South Korea, Japan, Taiwan, Germany, the US, and the UK, the Roaming Mantis campaign recently moved to target iOS and Android users in France and likely compromised numerous devices. Here is a look at the Roaming Mantis malware and how such smishing campaigns affect individuals and organizations.
The threat from RDP attacks that spread ransomware has always been present. RDP is a popular MO for cybercriminals because it allows easy access to a device.
The last 5 years have seen a vast increase in RDP attacks, with cybercriminals taking advantage of the coronavirus pandemic and even the Ukrainian conflict to attack both vulnerable businesses and individuals, holding their systems and files to ransom.
The recently discovered Follina vulnerability in the Microsoft Support Diagnostic Tool has been causing all kinds of harm by employing Word documents to do the attackers’ dirty work. The vulnerability was found in May but has reportedly been exploited for nearly a month; it has been making headlines in the cybersecurity world and raising doubts about the safety of one of the most widely used pieces of software, MS Word. Microsoft has responded to the zero-day vulnerability and shared mitigation advice that you can use to block attacks before the official patch.
Email policies are necessary for businesses old and new, big and small. They protect you from legal liability and establish firm guidelines for employee conduct.
Let’s dive into why you need an email policy, what you should include in its contents, and how to implement best practices for privacy and data security.
The MSRC’s (Microsoft Security Response Center) Identity Project Research Grants started in 2020 to support external researchers and strengthen protocol and system security. One of the two grants provided to Avinash Sudhodanan has borne fruit, and Microsoft has revealed a new class of cyberattack, Account Pre-Hijacking.
Account hijacking involves malicious actors gaining access to an innocent user’s account. However, suppose the malicious actor already has access to the victim’s email. In that case, they can create an online account using that address before the victim and put it into a pre-hijacked state, allowing them to regain access to accounts even if a victim recovers it.
In the past few years, cybersecurity threats have become more and more common. Attacks left and right are happening to businesses of all sizes, from Fortune 500 companies to tech startups that are just getting on their feet. These attacks can range from data breaches through software vulnerabilities to social engineering attacks in the form of phishing.
This ever-increasing danger of cyberattacks has got everyone mostly spooked when it comes to keeping their security infrastructure well-maintained. Ransomware has especially become increasingly common and has resulted in large losses amounting to around $16.8 million for businesses.
Remote work comes with a list of benefits, both for employees and employers. Ever dialled into a Zoom meeting from the beach? The looks on your colleagues’ faces make you briefly forget about the sand in your spacebar and the glare of the sun on your screen.
We all value our privacy and when that privacy gets compromised, it’s not an enjoyable experience. A lot of what you share data-wise with companies is handed over willingly but with the hope that it’s going to be looked after.
No matter if you operate in B2C or B2B, email outreach is a tall order. Even if you use an opt-in verified contact database and have a trustworthy sender domain, your messages may be cluttered by dozens of incoming emails in leads’ inboxes. Email marketers shouldn’t, hence, neglect sending a follow-up email. Not unless they care about the ROIs of their outreach efforts.
The short answer to that question is a definite yes.
In fact, according to cyber intelligence firm CYFIRMA, there has been a stunning 600% increase in threat indicators between February and early March alone with hackers from all over the globe cooking up new schemes.