More stories


    Singapore inks pact with Finland to mutually recognise IoT security labels

    Singapore and Finland have inked an agreement to mutually recognise each country’s cybersecurity labels for Internet of Things (IoT) devices, aimed at helping consumers assess the level of security in such products. Touting it as the first such bilateral recognition, Singapore says the partnership aims to reduce the need for duplicated testing. The global pandemic accelerated the pace of digitalisation and surfaced many uncertainties and challenges, pushing governments and businesses to speed up their digital transformation, said Singapore’s Senior Minister of State for the Ministry of Communications and Information, Janil Puthucheary.

    Dependence on IoT had increased as nations looked to transform into smart cities, fuelled by the need for connectivity and to tap data, said Puthucheary, who was speaking Wednesday at the Singapore International Cyber Week conference. He noted that the number of connected devices worldwide was projected to double to 50 billion devices in 2030, compared to 2018.

    This growing adoption brought with it security risks that must be addressed, he said. “Majority of consumer IoT devices are built and developed to optimise functionality and cost, usually at the expense of the security of the device. However, IoT security should not and cannot be an afterthought, but should be a key consideration and a design fundamental,” he noted. “Without the requisite security in place, it leaves end users exposed to malicious cyber threat actors seeking to compromise the devices and this results in the loss of data. More importantly, privacy and trust.”

    Pointing to leaked footage of home cameras in Singapore last year, he stressed the need to drive consumer awareness and responsibility, enhance the skills of security professionals, and build partnerships with the international community and industry. Singapore last year introduced its multi-tiered Cybersecurity Labelling Scheme (CLS) to enable consumers to make more informed decisions when buying IoT devices, said Puthucheary. The initiative also gave manufacturers a way to differentiate their products, he added.

    Since its launch in October 2020, CLS had attracted more than 100 applications, with some labelled products available online and on the shelves of physical stores. These included products from manufacturers Signify, BroadLink, and Aztech.

    The new agreement with Finland now extended the programme internationally, with both countries mutually recognising cybersecurity labels issued by the Cyber Security Agency of Singapore (CSA) and the Transport and Communications Agency of Finland (Traficom). According to CSA, the agreement was the first such bilateral recognition and Singapore hoped to rope in more partners. The pact with Finland aimed to reduce the need for duplicated testing and ease market access for manufacturers, said CSA. Under the agreement, consumer IoT products that met the requirements of Finland’s cybersecurity label would be recognised as having met CLS Level 3 requirements in Singapore, and vice versa.

    The Singapore Standards Council, which is parked under Enterprise Singapore, on Wednesday also launched the country’s first national standard, Technical Reference (TR) 91 on Cybersecurity Labelling for Consumer IoT. The move would provide a standard that could be adopted by manufacturers, developers, testing bodies, and suppliers of consumer IoT devices across the globe. CSA added that TR 91 offered a framework for countries to align and mutually recognise their respective cybersecurity labels. The Singapore government agency said it also was increasing the number of approved test labs for Level 3 and 4 applications to meet growing demand for CLS assessment. In addition, the national labelling scheme would be further extended to include more products and services beyond consumer IoT devices, CSA said, adding that more details would be provided in future. In January 2021, several device types were added to the CLS, including smart lights, smart door locks, smart printers, and IP cameras. The scheme initially applied only to Wi-Fi routers and smart home hubs.

    Puthucheary noted that security measures also were needed for the networks of IoT devices, particularly since the potential impact of Distributed Denial of Service (DDoS) botnets could go beyond individual users. He pointed to the Mirai malware in 2016 that exploited insecure IoT devices to build a botnet that launched a DDoS attack, bringing down internet access in the US. “The work of building a safe, resilient, and secure IoT ecosystem is, thus, very important and spans across various stakeholders,” he said. In this aspect, he noted that CSA had partnered with the Global Cyber Alliance to leverage the latter’s Automated IoT Defence Ecosystem (AIDE), a global network of partners that shared IoT threat information.


    Twitch source code, business data, gamer payouts leaked in massive hack

    An unknown hacker has leaked the entirety of Twitch’s source code among a 128 GB trove of data released this week. The hack, first reported by Video Games Chronicle and confirmed by multiple sources, includes:

    • The entirety of twitch.tv, with commit history going back to its early beginnings
    • Mobile, desktop and console Twitch clients
    • Creator payout reports from 2019
    • Proprietary SDKs and internal AWS services used by Twitch
    • Every other property that Twitch owns, including IGDB and CurseForge
    • An unreleased Steam competitor, codenamed Vapor, from Amazon Game Studios
    • Twitch SOC internal red teaming tools

    The hacker, who called themselves “Anonymous” on a 4chan discussion board, said Twitch’s community is “a disgusting toxic cesspool, so to foster more disruption and competition in the online video streaming space, we have completely pwned them, and in part one, are releasing the source code from almost 6,000 internal Git repositories.” “Jeff Bezos paid $970 million for this, we’re giving it away FOR FREE. #DoBetterTwitch,” the hacker added.
    Twitch and Amazon, which owns the company, did not respond to requests for comment. They released a brief statement on Twitter confirming that a breach occurred and pledging to release updates at some point. Twitch is one of the biggest gaming platforms in the world, with an average of 15 million daily users and more than 2 million Twitch creators broadcasting monthly.

    More than 18 billion hours of Twitch videos were streamed in 2020. #DoBetterTwitch has trended for weeks as the platform has faced backlash for allowing “hate raids” — where the comment sections of minority gamers are overwhelmed by slurs and abuse. Twitch was forced to address the issue in a Twitter thread in August and pledged to do more about racial abuse. “This is not the community we want on Twitch, and we want you to know we are working hard to make Twitch a safer place for creators. Hate spam attacks are the result of highly motivated bad actors, and do not have a simple fix,” Twitch said. “Your reports have helped us take action – we’ve been continually updating our sitewide banned word filters to help prevent variations on hateful slurs, and removing bots when identified.”

    The words did little to quell outrage and gamers held a protest last month, boycotting the site for 24 hours due to the company’s inaction on “hate raids.” Public reaction to the leak has focused on the massive earnings of popular gamers — which reached the millions for some. In an interview with BBC News, Fortnite streamer BBG Calc confirmed that his earnings in the leak were correct and other high earners backed it up. There was also a significant amount of business information from Amazon released in the hack, including the company’s plans for a rival to gaming platform Steam called Vapor.

    Others raised severe concerns about the security of the platform and the many bank accounts connected to it. SocialProof Security CEO Rachel Tobac warned streamers to ensure their financial services have the strongest MFA available because they will now be targets for other hackers and scammers. “For streamers with payout data leaked, this includes Venmo, CashApp, Bank, etc. If hardware based MFA is an option, move to that by end of day (though many banks still don’t offer security key options). If security key not an option, move to app-based MFA rather than SMS-based,” Tobac wrote.
    “Intruders supposedly leaked Twitch internal red team tools & threat models — brutal. If true, this would likely include phishing lures known to be successful against Twitch employees, the hacking playbook. If you work at Twitch, be politely paranoid about messages, requests, etc.”

    F-Secure researcher Jarno Niemela said password hashes have leaked, so all users should change their passwords and use 2FA if they are not doing so already. “But as the attacker indicated that they have not yet released all the information they have, anyone who has been a Twitch user should review all information they have given to Twitch, and see if there are any precautions they need to make so that further private information isn’t leaked,” Niemela added. All of Twitch’s red team security measures are now widely available, providing hackers with untold information about how to invade the company and those connected to it, she added.

    Among the files leaked, experts were focused on the folders “core config packages,” “devtools” (developer tools), and “infosec” (information security). James Chappell, co-founder of Digital Shadows, said one of Twitch’s internal GitHub repositories was stolen in the attack. “The leaked data was made available through torrents shared as magnet links. The data set appears to be comprehensive. It has also been labeled as a ‘part 1,’ which suggests that there is more to come. Whilst user data does not currently appear to be in the archive, users on the forum are speculating as to what may follow,” Chappell said. “There appears to be evidence that the original files came from an internal GitHub server, git-aws.internal.justin.tv, which was at least part of the breach. Justin.tv was the name of a company that eventually transformed into Twitch. It rebranded as Twitch in 2011 – so this looks like a long-standing piece of infrastructure.”

    Security experts like ThreatModeler CEO Archie Agarwal described the hack as “as bad as it could possibly be” and questioned how someone managed to exfiltrate 128 GB “of the most sensitive data imaginable without tripping a single alarm.”


    Best VPN for Chrome and Chromebooks 2021

    You would think that the method of protecting Chrome browsing would be the same for Chrome as for Chromebooks. After all, Chromebooks are pretty much machines designed to run Chrome. But there are differences, and we’ll discuss that in this article.


    Desktop Chrome on PCs and Macs is best protected by VPN applications designed for those operating systems. We’ve done closer-look articles into both of those categories, which should help. Essentially, you’re installing a VPN application that runs in the background and protects all network traffic. Chrome extensions are available for most of the popular VPN services; they let you turn features on and off and provide some added WebRTC protections. For iOS and Android, users also will install a device-wide application. Mobile Chrome doesn’t support extensions, so your device-based app is your best defense.

    If you want to protect a Chromebook, the Chrome browser extension isn’t enough. The way most VPN vendors recommend you protect your Chromebook is by installing their Android app. Android apps now run on most modern Chromebooks, but older Chromebooks don’t have that capability. Be sure to check each vendor’s compatibility list. Once you install their Android app on the Chromebook, you’re generally protected.

    Finally, for Linux devices running Chrome, some vendors offer a Linux binary, but the most common method is to install VPN software on a router, and then run all traffic through that router. That doesn’t help for mobile Linux users, but it’s a start.

    Let’s take a look at four of our favorite VPN services and see how they do with Chrome and Chromebook.

    IPVanish

    Chromebook Compatibility: See full list here
    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Chrome, plus routers, Fire Stick, and Kodi
    Logging: None, except billing data
    Servers: 1,500
    Locations: 75
    Trial/MBG: 30 days

    IPVanish is a deep and highly configurable product that presents itself as a click-and-go solution. I think the company is selling itself short doing this. A quick visit to its website shows a relatively generic VPN service, but that’s not the whole truth.

    Its UI provides a wide range of server selection options, including some great performance graphics. It also has a wide variety of protocols, so no matter what you’re connecting to, you can know what to expect. The company also provides an excellent server list with good current status information. There’s also a raft of configuration options for the app itself.

    In terms of performance, connection speed was crazy fast. Overall transfer performance was good. However, from a security perspective, it wasn’t able to hide that I was connecting via a VPN — although the data transferred was secure. Overall, a solid product with a good user experience that’s fine for home connections as long as you’re not trying to hide the fact that you’re on a VPN. The company also has a partnership with SugarSync and provides 250GB of encrypted cloud storage with each plan.

    ExpressVPN

    Chromebook Compatibility: See full list here
    Simultaneous Connections: 5 or unlimited with the router app
    Kill Switch: Yes
    Platforms: A whole lot (see the full list here)
    Logging: No browsing logs, some connection logs
    Countries: 94
    Locations: 160
    Trial/MBG: 30 days

    ExpressVPN has been burning up the headlines with some pretty rough news. We’ve chosen to leave ExpressVPN in this recommendation, and I wouldn’t necessarily dismiss ExpressVPN out of hand because of these reports, but it’s up to you to gauge your risk level. The best way to do that is to read our in-depth analysis.

    ExpressVPN is one of the most popular VPN providers out there, offering a wide range of platforms and protocols. Platforms include Windows, Mac, Linux, routers, iOS, Android, Chromebook, Kindle Fire, and even the Nook device. There are also browser extensions for Chrome and Firefox. Plus, ExpressVPN works with PlayStation, Apple TV, Xbox, Amazon Fire TV, and the Nintendo Switch. There’s even a manual setup option for Chromecast, Roku, and Nvidia Switch.

    With 160 server locations in 94 countries, ExpressVPN has a considerable VPN network across the internet. In CNET’s review of the service, staff writer Rae Hodge reported that ExpressVPN lost less than 2% of performance with the VPN enabled and using the OpenVPN protocol vs. a direct connection. While the company does not log browsing history or traffic destinations, it does log dates connected to the VPN service, amount transferred, and VPN server location. We do want to give ExpressVPN kudos for making this information very clear and easily accessible.

    NordVPN

    Simultaneous Connections: 6
    Kill Switch: Yes
    Platforms: Windows, Mac, iOS, Android, Linux, Android TV, Chrome, Firefox
    Logging: None, except billing data
    Countries: 59
    Servers: 5517
    Trial/MBG: 30 days

    NordVPN is one of the most popular consumer VPNs out there. Last year, Nord announced that it had been breached. Unfortunately, the breach had been active for more than 18 months. While there were failures at every level, NordVPN has taken substantial efforts to remedy the breach.

    In our review, we liked that it offered capabilities beyond basic VPN, including support of P2P sharing, a service it calls Double VPN that does a second layer of encryption, Onion over VPN which allows for TOR capabilities over its VPN, and even a dedicated IP if you’re trying to run a VPN that also doubles as a server. It supports all the usual platforms and a bunch of home network platforms as well. The company also offers NordVPN Teams, which provides centralized management and billing for a mobile workforce.

    Performance testing was adequate, although ping speeds were slow enough that I wouldn’t want to play a twitch video game over the VPN. To be fair, most VPNs have pretty terrible ping speeds, so this isn’t a weakness unique to Nord. Overall, a solid choice, and with a 30-day money-back guarantee, worth a try.

    Surfshark

    Simultaneous Connections: Unlimited
    Kill Switch: Yes
    Platforms: Windows, Mac, Linux, iOS, Android, Fire TV, Firefox, Chrome
    Logging: None, except billing data
    Trial/MBG: 30 days

    At two bucks a month for a two-year plan (billed in one chunk), Surfshark offers a good price for a solid offering. In CNET’s testing, no leaks were found (and given that much bigger names leaked connection information, that’s a big win). The company seems to have a very strong security focus, offering AES-256-GCM, RSA-2048, and Perfect Forward Secrecy encryption. To prevent WebRTC leaks, Surfshark offers a special purpose browser plugin designed specifically to combat those leaks.

    Surfshark’s performance was higher than NordVPN and Norton Secure VPN, but lower than ExpressVPN and IPVanish. That said, Surfshark also offers a multihop option that allows you to route connections through two VPN servers across the Surfshark private network. We also like that the company offers some inexpensive add-on features, including ad-blocking, anti-tracking, access to a non-logging search engine, and a tool that tracks your email address against data breach lists.

    I’m running a VPN app. Do I still need a Chrome extension?

    The answer will differ a bit from vendor to vendor, but generally the Chrome extension will give you in-browser control over your app. More importantly, sites using WebRTC can sometimes punch through the VPN’s tunnel and grab your actual IP address. Chrome extensions can usually block that behavior.

    If I have a Chrome VPN extension, do I need a full app?

    Yes, because Chrome extensions only work in Chrome. If you are doing anything else on a network that’s outside of your browser, Chrome’s extensions won’t catch it.

    How can I stay protected if my older Chromebook doesn’t support Android apps?

    The answer to this is much like the answer to anyone asking how to stay protected on old gear: sometimes you can’t. If your gear can’t keep you safe online, either don’t go online or upgrade your gear. Sorry, but the cost of an upgrade is far less than the damage that can be caused if you’re a victim of identity theft.
    You can follow my day-to-day project updates on social media. Be sure to follow me on Twitter at @DavidGewirtz, on Facebook at Facebook.com/DavidGewirtz, on Instagram at Instagram.com/DavidGewirtz, and on YouTube at YouTube.com/DavidGewirtzTV.


    Get maximum security and unlimited bandwidth with a 2-year subscription to IPVanish

    Now that the world is open to travel again, digital nomads (and those learning skills suitable for remote work) are dying to start working in exotic locations. But private browser windows just aren’t enough anymore. Only a maximum strength virtual private network will ensure your privacy and the security of your data. IPVanish VPN will do that and more, and a 2-Yr Subscription is currently available at over 70% off for just $69.99.

    Once you connect to IPVanish, all of your online activities will be routed through an encrypted tunnel, ensuring your privacy remains absolute. The entire time you browse the web, stream video, send messages, and everything else, your IP address is thoroughly concealed, even from the company itself. IPVanish guarantees a zero-logs policy on all of your apps. In fact, even automatic diagnostics won’t be performed. In addition to keeping your online presence private, IPVanish offers 256-bit AES encryption to keep your data perfectly safe. No need to worry anymore about hackers and snoops on public WiFi networks. And unlike a lot of other VPNs, you won’t have to sacrifice speed in order to stay safe. With IPVanish, you’ll get completely unmetered bandwidth and unthrottled speed on an unlimited number of devices. You’ll also get access to over 1,900 servers in more than 75 locations, which means geo-restrictions are a thing of the past, as well. From now on, you can watch all your favorite content from wherever you happen to be without getting that irritating message saying it’s not available in your particular location. Best of all, this all happens seamlessly. There are user-friendly apps for all platforms, no matter which device you’re using. But if you do happen to run into any issues, IPVanish offers 24/7 customer support. Users and reviewers both find IPVanish quite satisfactory. The app has a 4.5 out of 5 stars rating on Apple’s App Store, and TechRadar has this to say: “US-based IPVanish is an appealing VPN provider with a long list of features, including several that you won’t often see elsewhere.”

    To surf the web securely without a trace, on a speedy connection from absolutely anywhere, grab a 2-year subscription to IPVanish today for only $69.99, a 73% discount off the usual $263 price.



    Box adds new integrations with Microsoft, Slack, steps up security

    Box on Wednesday announced new, major integrations with Microsoft and Slack, as well as a series of product updates that include new, AI-driven malware protection. Box rolled out the updates during its annual BoxWorks conference, following a turbulent year that has ramped up cloud-based content management and collaboration expectations. “This past year and a half, everything we’ve been doing has been consistent with our long-term vision,” Box CEO Aaron Levie said to ZDNet. “But the rate of change and number of things we’re doing vastly exceeds what we would’ve imagined.”


    For instance, Levie said, strong customer demand drove Box’s entry into the e-signature market — something he didn’t necessarily foresee happening a few years ago. “But because of COVID-19, everyone’s moving to digital workflows, and we’re now entering a multi-billion dollar category.” After acquiring SignRequest for $55 million in February, Box released its native e-signature feature, Box Sign, to a subset of users in July. This week, Box is rolling it out to all US users. “Fundamental patterns of work are evolving because of this hybrid nature of working in different locations,” Levie said. “It’s affecting our entire product roadmap.”

    The accelerated move to digital work also spurred a spike in ransomware attacks. To respond to the problem, Box is adding new capabilities to Box Shield, the company’s flagship security control and threat detection solution. The new malware deep scan capability scans files in near real time as they are uploaded to Box. It uses deep learning technology and external threat intelligence to analyze the data within files and contain malware. The feature is designed to minimize disruptions to workflows. Admins, for instance, can occasionally override threat verdicts for low-risk content.
    Box also announced improved, machine learning-powered alerts in Box Shield, as well as more detailed alerts for admins that explain why certain behaviors are deemed risky. 

    Over time, Levie said, Box plans to add more features to Box Shield that will help customers with rollbacks in the event of an attack, as well as features to prevent ransomware from getting into different file environments.

    In addition to updating Box Shield, Box is revamping Box Notes with more collaboration features. The improved product will let users add a table of contents, anchor links, and more to simplify content organization and navigation within a Box Note. It will also include call-out boxes so users can better highlight content, code blocks to simplify the technical collaboration process, and in-line cursors to help keep track of edits in real time. It will also feature new security and control capabilities, like granular permissions and access stats. The updated Box Notes is expected to be generally available in January 2022 and will be included in the core Box offering at no additional cost.

    Meanwhile, the Box mobile app is getting a new Capture Mode, for iOS and Android, for seamlessly capturing, scanning, and uploading photos, audio, or documents. This should make it easier for field teams to add content directly into Box. The app is also getting Optical Character Recognition (OCR) technology that recognizes text automatically and turns scanned documents into searchable PDFs. The new OCR feature includes multi-language support. There will also be a redesigned iPad experience with a simplified layout.

    In terms of integrations, Box for Microsoft Office will now enable real-time co-authoring on the Office desktop and mobile apps (including Microsoft Word, Excel and PowerPoint), with all edits automatically saved to Box. Meanwhile, an updated Box for Microsoft Teams integration will allow customers to default to Box as a storage option in Teams. Box and Microsoft have hundreds of thousands of joint customers. The enhanced Box for Microsoft Office integration is expected to be available in early 2022, and the Teams integration is expected to be available by the end of the year.

    Box is also deepening its integration with Slack, so users can make Box the content layer in Slack by uploading files directly to Box through the Slack interface. They can maintain Box’s security and compliance standards, even when files are uploaded through Slack. The new capabilities are expected to be available later this year and will be included in the core Box offering.


    Ransomware law would require victims to disclose ransom payments within 48 hours

    Victims of ransomware attacks who choose to pay a ransom to cyber criminals for the decryption key could have to publicly disclose that a payment was made within 48 hours of doing so. The Ransom Disclosure Act proposed by US Senator Elizabeth Warren and Representative Deborah Ross would require organisations which fall victim to ransomware attacks and pay the ransom to detail information about the payment. The information that would have to be disclosed includes the amount of ransom demanded and paid, the type of currency used to pay the ransom – commonly Bitcoin – and any known information about the attackers demanding the ransom. The information would have to be disclosed to the Department of Homeland Security (DHS) within 48 hours of the payment being made. The aim of the bill is to provide DHS with better information about ransomware attacks to help counter the threat they pose to businesses and other organisations across the United States.

    “Ransomware attacks are skyrocketing, yet we lack critical data to go after cyber criminals,” said Senator Warren. “My bill with Congresswoman Ross would set disclosure requirements when ransoms are paid and allow us to learn how much money cyber criminals are siphoning from American entities to finance criminal enterprises — and help us go after them.”

    The threat of ransomware has loomed large throughout this year and several incidents have had a direct impact on people’s daily lives. The Colonial Pipeline ransomware attack led to a shortage of gas in the Northeastern United States as people rushed to stockpile – the company paid cyber criminals millions of dollars in order to get the decryption key.

    Meat processor JBS USA paid an $11 million ransom to cyber criminals after falling victim to a ransomware attack in June. While the FBI discourages the payment of ransoms, many victims feel the need to make the payment, perceiving it as the quickest way to get the network up and running again. But even with the correct decryption key, restoring the network can still be a slow and arduous process. Many victims are also coerced into making the ransom payment because ransomware cyber criminals steal sensitive information from the network before encrypting it and threaten to leak the data if they’re not paid. But it’s because victims regularly give in to extortion demands that ransomware is still so lucrative and attractive for cyber criminals.

    “Ransomware attacks are becoming more common every year, threatening our national security, economy, and critical infrastructure. Unfortunately, because victims are not required to report attacks or payments to federal authorities, we lack the critical data necessary to understand these cybercriminal enterprises and counter these intrusions,” said Congresswoman Ross. “The data that this legislation provides will ensure both the federal government and private sector are equipped to combat the threats that cybercriminals pose to our nation,” she added.

    Currently, the Ransom Disclosure Act is just a proposal. In order to become legislation it will have to be approved by both the House of Representatives and the Senate before it could be signed into law by President Biden.


    Apache HTTP Server Project patches exploited zero-day vulnerability

    Developers behind the Apache HTTP Server Project are urging users to apply a fix immediately to resolve a zero-day vulnerability. 

    According to a security advisory dated October 5, the bug is known to be actively exploited in the wild. Apache HTTP Server is a popular open source project focused on the development of HTTP server software suitable for operating systems including UNIX and Windows. The release of Apache HTTP Server version 2.4.49 fixed a slew of security flaws including a validation bypass bug, a NULL pointer dereference, a denial-of-service issue, and a severe Server-Side Request Forgery (SSRF) vulnerability. However, the update also inadvertently introduced a separate, critical issue: a path traversal vulnerability that can be exploited to map and leak files.

    Tracked as CVE-2021-41773, the security flaw was discovered by Ash Daulton of the cPanel security team in a change made to path normalization in the server software. “An attacker could use a path traversal attack to map URLs to files outside the expected document root,” the developers say. “If files outside of the document root are not protected by ‘Require all denied’ these requests can succeed. Additionally, this flaw could leak the source of interpreted files like CGI scripts.”

    Positive Technologies has reproduced the bug, and Will Dormann, vulnerability analyst at CERT/CC, says that if the mod_cgi module is enabled on Apache HTTP Server 2.4.49 and the default ‘Require all denied’ directive is missing, then “CVE-2021-41773 is as RCE [remote code execution] as it gets.” Because the flaw was introduced in 2.4.49, CVE-2021-41773 affects only that version; earlier releases of the software are not impacted. Yesterday, Sonatype researchers said that approximately 112,000 Apache servers are running the vulnerable version, with roughly 40% located in the United States. The vulnerability was privately reported on September 29 and a fix has been included in version 2.4.50, made available on October 4. It is recommended that users upgrade their software builds as quickly as possible.
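    The ‘Require all denied’ guard the advisory refers to, shown as an added example (this is not configuration from the Apache HTTP Server Project or the advisory; the directory paths are placeholders): the weak shape, where nothing restricts the filesystem root, beside the hardened shape that denies everything outside the document root. Upgrading to 2.4.50 remains the fix; the directive only limits what a traversal that escapes the document root can reach.

```apache
# Added example, not from the Apache HTTP Server Project. Directory paths
# are placeholders; adjust them to the site's layout.

# Weak: the filesystem root carries no access rule, so a URL that maps
# outside DocumentRoot is served whenever OS file permissions permit it.
# (Shown commented out; do not ship this.)
#
# <Directory />
#     AllowOverride None
# </Directory>

# Hardened: deny everything at the filesystem root, then re-open only the
# document root. The stock httpd.conf ships with this block; sites that
# removed it lost the protection the advisory relies on.
<Directory />
    AllowOverride None
    Require all denied
</Directory>

DocumentRoot "/var/www/html"
<Directory "/var/www/html">
    AllowOverride None
    Require all granted
</Directory>
```

    After editing, validate with `apachectl configtest` (or `httpd -t`) before reloading, and confirm the running version with `httpd -v`: any host reporting 2.4.49 should be moved to 2.4.50 as the advisory recommends, whether or not this block is present.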


    Looking ahead to the API economy

    As someone who builds integration products, I spend a lot of time researching industry and technology trends while speaking with analysts, engineers, architects, target customers, and my product peers. This work inevitably drifts my point of view into some version of “what’s happening now, what is likely to happen over the course of the next few years, and what is my role in guiding the industry to the best possible future?” This article intends to provide a synthesis of the most impactful ideas over the past year and their influence on my go-forward thinking as a connectivity Product Manager. I hope you enjoy the reading and look forward to your thoughts in the comments.

    APIs become a part of internet fabric

    To some students of modern technological history, the “connectivity” part of the internet looked very different just a few decades ago. By “connectivity,” I mean APIs, protocols such as HTTP, and agreed-upon architectural patterns that unlock data. As a result, technology professionals speak about “legacy modernization” projects to expose old technology silos that would otherwise remain hidden from the digital lifeblood of the business. These so-called digital transformation projects often relied on XML-RPCs to enable integrations with mainframes, while the new digital era brought standards such as REST, GraphQL and Web of Things.

    While established companies invest in new APIs to support digital transformation projects, early startups build on top of the latest technology stacks. This trend is turning the Internet into a growing fabric of interconnected technologies the likes of which we’ve never seen. As the number of new technologies peaks, the underlying fabric — otherwise known as the API economy — fuels the market to undergo technology consolidations with a historically high number of acquisitions. There are two interesting consequences of this trend.

    The first is that all of this drives the need for better, faster, and easier-to-understand APIs. Many Integration-Platform-as-a-Service (iPaaS) vendors understand this quite well. Established iPaaS solutions, such as those from Microsoft, MuleSoft, and Oracle, are continually improved with new tools while new entrants, like Zapier and Workato, continue to emerge. All invest in simplifying the integration experience on top of APIs, essentially speeding the time-to-integration (a factor of growing importance when it comes to business agility). Some call these experiences “connectors” while others call them “templates.” But in the end, the leading integration minds are actively invested in this area.

    The second consequence is well-defined, protocol-based connectivity. Looking at the world of REST, a well-accepted architectural style defined in Roy Fielding’s dissertation, we see that REST APIs dominate the scene with well-established specification standards such as the OpenAPI Specification (previously known as Swagger). Not only do these protocols enable industry-leading iPaaS solutions to agree on what the next world of connectivity will look like, they also set the foundation for new experiences — often referred to as innovation — to evolve. More technologies just keep emerging, offering visualization and transformation products that understand these standards while bringing more users into the world of connectivity.

    I am excited about the potential of this space and its ability to define the fundamental building blocks of the future internet with APIs as the centerpiece of its fabric.

    Breaking silos with indexed search and browser-like API discovery

    Moving from specialized tools and standards to a simple API discovery layer means that any employee who can write queries and logic flows will also be able to build full-fledged applications and customer-facing experiences. Many leading analysts are now seeing this dynamic as more APIs are consumed by less-technical departments like marketing, finance, sales, and HR. I see this trend further evolving in two major forms. The first of these is universal API search and discovery. Many of us are using Google to search for information, and “Googling” endpoints (the addressable location of an API) and data shouldn’t be any different. This means more tools will evolve, but the approach we take will be fundamentally different; instead of manually documenting new endpoints with references and API portals, we can start indexing new APIs dynamically based on their machine-readable descriptions. Using techniques similar to the crawler tactics Google uses to discover publicly available web pages, more users will have access to all publicly available endpoints and their data.

    The second form involves how we explore those APIs and the data they contain. Today, many developers start by searching for an API portal, finding a relevant SDK, and sampling an API’s capability with API-consumption tools like Postman. Less-technical users, however, turn to low-code/no-code solutions that bridge the technical gap by demystifying API access (a skill typically reserved for software developers). It’s interesting to think about what will change as we evolve the underlying foundation of those protocols and standards. I believe that we’re soon to see more browser-like discovery tools, where webpages are replaced by endpoints and information is replaced by data. In this world, users can search, query, play with, and plug in the data instead of worrying about API technicalities like URIs, endpoint syntax, query parameters, etc. Looking ahead, what I find most exciting about this development is that we will see the creation of new digital capabilities that are closer to the end user and are much faster to build. These innovations also trigger a need for enterprise professionals to see the bigger picture of how it all connects, while product leaders and CIOs must pay closer attention to inconsistencies in the customer experience or potential compliance, privacy, and security issues.

    Productizing connectivity: protocols vs. connectivity as a service

    More than ever before, users demand access to data. Yet many existing solutions are too complex, too expensive, or too heavy. This creates a technology vacuum that will be filled in the following ways. On one hand, integration professionals like me will continue to advance connectivity standards. Optimization for ease-of-consumption, particularly by non-developers, will lead to a new API consumption layer, so that less-technical experiences can evolve on top of it.

    On the other hand, new business cases will be made for creating agile API-facade-as-a-service solutions. As more users demand faster time-to-market while taking scalability, availability, and security for granted, more startups will emerge to address the need. We’re already seeing new entrants involving productivity infrastructure as a service by Nylas and a unified API from Kloudless that connects over 150 SaaS solutions through a single canonical model. All of this makes it easier than ever before to build and maintain connections with external systems. As we’re advancing on each front, I suspect that the industry will first need to agree on common architectural patterns as we build new solutions around them.

    Data is the new endpoint in security

    Data breaches are trending up, with a record of 1,767 publicly reported breaches in the first six months of 2021. Our most common attempts at securing data focus on protecting the infrastructure that provides access to it: endpoints. Although this approach makes sense for some organizations, as we shift more infrastructure to the cloud, where the infrastructure is far less within their control, securing that infrastructure becomes more problematic. Add more users into the mix who can now search, query, and share data with their favorite apps, and we have a recipe for disaster.

    To stay ahead of these trends, we first need to change our mindset. Instead of protecting endpoints in the new digital world, we must protect the data. This space is full of interesting innovations with new encryption and tokenization standards that further propagate the zero-trust model. This trend is also recognized by new startups that are building businesses around the idea of protecting data with encrypted data vaults and use-cases ranging from securing PII to offering HIPAA-compliant encrypted data stores. Regardless of how we evolve our new API layers, at the core of the “secure” approach will be our ability to discover and work with sensitive data.

    The bottom line

    We are still “rounding first base” in terms of defining the next-generation connectivity layer and understanding what kinds of businesses can be built on top of it. As APIs are already at the center of many digital transformations, we’re clearly seeing a trend of simplifying API consumption with low-code/no-code solutions that bring more users to create pluggable enterprises. It’s fulfilling to think of a world where everyone can contribute to improving the business.

    Anton Kravchenko is Director of Product at MuleSoft, a Salesforce Company. If you are thinking about or building products or protocols that touch on any of these ideas, he would love to hear from you.