May 2024 Security Update: The Worst API Data Breaches this Year… So Far

Each innovation can bring new vulnerabilities – and AI is no exception.

Q1’s Worst API Breaches

A report from Wallarm ranks the worst API data breaches, many of which can be traced back to errors in artificial intelligence (AI) development cycles.

Topping the list are:

  1. Mercedes-Benz: A significant API leak gave hackers unrestricted access to source code and GitHub Enterprise, exposing cloud keys and internal documents.
  2. ZenML: ZenML identified a critical security vulnerability in ZenML versions prior to 0.46.7 which has been assigned the following CVE ID: CVE-2024-25723. This vulnerability potentially allows unauthorized users to take ownership of ZenML accounts through the user activation feature. The issue lies in the /api/v1/users/{user_name_or_id}/activate REST API endpoint. An existing username, along with a new password provided in the request body, can be misused to gain unauthorized access.
  3. GitLab: An account takeover vulnerability (CVE-2023-7028) gave hackers the ability to intercept password reset codes by email, which could give them access to an organization’s GitLab account.
  4. NVIDIA: The NVIDIA AI Platform Path Traversal Exploit (CVE-2023-31036) allowed code execution, privilege escalation, and other opportunities for threat actors.
  5. Grafana: The Grafana exploit (CVE-2024-1442) gave users with data source creation permissions the ability to grant access to read, query, edit, and delete all data sources within the organization.

Action Items:

  • All ZenML users are encouraged to immediately upgrade to the latest version (0.46.7 or above) or one of the patched versions (0.44.4, 0.43.1, 0.42.2) to mitigate this risk. Read more about ZenML CVE-2024-25723: Critical Security Update for ZenML users.
  • Evaluate DevOps and development tools, which Wallarm determined to have 42 percent of vulnerabilities that introduce risk early in the software development process.
  • Secure your entire IT ecosystem, since half of all API-related threats impacted traditional, i.e. non-cloud architectures.
  • Read the Wallarm ThreatStats report.

DHS Establishes the AI Safety and Security Board

The Department of Homeland Security (DHS), announced on April 26, that policymakers have joined its Artificial Intelligence Safety and Security Board. The goal of the board is to support responsible AI development and deployment.

Joseph Thacker, principal AI engineer and security researcher at AppOmni, commented, “By bringing together a wide array of experts, the board will provide valuable insights and recommendations which will hopefully mitigate the risks associated with AI while still reaping the benefits.”

“I believe the board will have the biggest impact in two key areas. First, it will provide really great information and education about how AI systems function and how they’re improving. Second, by creating a forum for information sharing between DHS, the critical infrastructure community, and AI leaders, the Board could be a great place for collaboration and knowledge exchange. Essentially it could enable a more coordinated approach to addressing AI-related risks,” he said.

However, he added, “One major concern I have is that there is a large conflict of interest by bringing in the companies that are developing the closed source AI models. They are incentivized to recommend against open source models for ‘safety reasons’ when it would massively help their business models and positively affect their bottom line.”

Action Items:

Key Findings of the Hybrid Work Security Trends Report

Netwrix surveyed more than 1,300 IT professionals around the world as remote and hybrid work continue and organizations prioritize the security of their expanding IT environments.

Key findings in the report include:

  • 79 percent of organizations detected a cyberattack within the last 12 months, up from 68 percent last year.
  • 45 percent of those organizations incurred unplanned expenses, and 20 percent reported losing a competitive edge due to these attacks.
  • Phishing is still the most common attack vector both on-premises and in the cloud.
  • Account compromise attacks in the cloud spiked, with 55 percent of respondents reporting them in 2024.
  • 28 percent of respondents named implementing AI tools among their top IT priorities compared to only 9 percent in 2023.

Action Items:

  • Invest resources to determine the root cause of incidents and adapt procedures and policies to prevent them in the future.
  • Put solutions in place that detect suspicious activity quickly so the security team can respond before extensive damage occurs.
  • Read the 2024 Hybrid Security Trends

How Secure is Your iPhone?

The Cybernews team installed the 100 top free apps in a factory-reset iPhone SE, opened them all at least once, and connected with newly created Apple or Google accounts.

During the five days of the experiment, the iPhone made 16,542 DNS queries, ranging from 2,711 to 4,178 daily, and averaging 3308 queries – or a single query every 26 seconds. The iPhone never contacted servers in China, but I contacted a server in Russia at least once per day.

Action Items:

The Cybernews team offers this rule of thumb: the fewer apps mean fewer data collections and connections, reducing points of failure.

Make Every Day World Password Day

World Password Day was May 2. However, the importance of strong authentication and identity verification is something organizations need every day.

AJ Lindner, solutions architect at One Identity said organizations must re-evaluate their protocols and policies and ensure they align with current standards.

Lindner adds, “There’s no excuse not to complement passwords with a strong second factor wherever possible, even if certain applications are unable to support it. Most modern applications support federation protocols like security assertion markup language (SAML), OpenID Connect (OIDC), and the RADIUS networking protocol, and also enable the ability to easily implement multifactor authentication.”

Action Items:

To strengthen passwords, Lindner recommends:

  • Increasing organization passwords to a minimum length of 8 to 13 characters
  • Removing composition rules and complexity requirements
  • Only requiring password changes when there is evidence of a compromise
  • Comparing all passwords against values that are commonly used, expected, or compromised, then rejecting those passwords in case of a match.

 

For more security updates and insights, visit DevPro Journal’s Security resources page.

Mike Monocello

The former owner of a software development company and having more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of DevPro Journal.


Mike Monocello

The former owner of a software development company and having more than a decade of experience writing for B2B IT solution providers, Mike is co-founder of DevPro Journal.