Secret CISO #2: US Airline Stop List Leak, T-Mobile hack, and SSL certificates lies

Hey everyone,

Thanks to all of you who helped spread the word about our first episode of the Secret CISO newsletter! With your help, we were able to add 50 new subscribers, which is amazing! We're excited to announce that our second episode is set to be released next week.

We're grateful to have such a supportive community and we're eager to continue providing valuable information to our fellow CISOs. We're setting a goal for ourselves to reach 100 new subscribers with this next episode, so please help us spread the word to your fellow CISOs.

In this episode, we have made some changes to the newsletter structure. We have renamed the "Incidents" section to "Data Breaches" to better reflect the content we will be featuring. Additionally, we have expanded the "Threats" section into a "Research" section that now covers not only exploits and CVEs but also posts from cybersecurity researchers. So, grab a cup of coffee and get ready to dive into the latest cybersecurity news and updates.

Thanks again for your support and let's make this episode even bigger and better!

1. Data Breaches

The most impactful cybersecurity incidents of the week: T-Mobile, Nissan, and PayPal

  1. T-Mobile reported a data breach that affected 37 million customers. The company stated that a hacker accessed personal information such as names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers and account details such as the number of lines on the account and plan features. The hacker exploited an application programming interface (API) to gain access to a trove of personal data. The company detected the breach more than a month later, on January 5, and said that within a day it had fixed the problem the hacker was exploiting. According to the company, "the malicious activity appears to be fully contained at this time, and there is currently no evidence that the bad actor was able to breach or compromise our systems or our network." This is the eighth time T-Mobile has been hacked since 2018. The company's security team will need to investigate the root cause of the breach and take measures to prevent similar breaches in the future. It is also worth noting that API security is a crucial part of an organization's cybersecurity strategy, as APIs are becoming a prime target for attackers seeking access to sensitive data. Source: https://techcrunch.com/2023/01/19/t-mobile-data-breach/
  2. PayPal reported a data breach that may have impacted customer accounts. The company stated that unauthorized parties were able to access customer accounts using login credentials, but that there is no evidence that any personal information was misused or that there were any unauthorized transactions on accounts. The incident occurred between December 6 and December 8, 2022. PayPal has implemented enhanced security controls and reset the passwords of affected accounts. PayPal's investigation indicates that during this unauthorized activity the third parties were able to view, and potentially acquire, some personal information for certain PayPal users. This incident serves as a reminder for organizations to ensure that they have robust security measures in place to protect customer information, to regularly monitor for suspicious activity, and to respond quickly to any breaches. Source: https://www.documentcloud.org/documents/23578067-paypal-notice?responsive=1&title=1
  3. Nissan North America reported a data breach caused by a third-party vendor. The company has begun sending data breach notifications to customers informing them that their information was exposed. The company stated that it is working with the vendor to determine the extent of the breach and has implemented additional security measures. Third-party vendors can be a weak link in the security chain, so it is crucial to have proper security measures and protocols in place when working with vendors to protect data. This incident highlights the importance of carefully vetting and monitoring vendors for compliance with security standards, and of having incident response plans in place to quickly address any breaches. Source: https://www.bleepingcomputer.com/news/security/nissan-north-america-data-breach-caused-by-vendor-exposed-database/

2. Research

The most recent CVEs and cybersecurity research articles

  1. US Airline Exposed No Fly List on Unsecured Server - https://maia.crimew.gay/posts/how-to-hack-an-airline. A security researcher recently discovered an unsecured server containing the identities of hundreds of thousands of individuals from the US government's Terrorist Screening Database and No Fly List. The server, run by US national airline CommuteAir, was found exposed on the public internet by Swiss hacker maia arson crimew. The server revealed a vast amount of company data, including private information on almost 1,000 CommuteAir employees. Analysis of the server led to the discovery of a text file named "NoFly.csv", a reference to the subset of individuals in the Terrorist Screening Database who have been barred from air travel due to suspected or known ties to terrorist organizations. The list, according to crimew, appeared to have more than 1.5 million entries in total and included names, birth dates and multiple aliases. Notable figures on the list included Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him. Suspected members of the IRA were also on the list. Many of the names on the list appeared to be Arabic or Middle Eastern, although Hispanic and Anglican-sounding names were also present.
  2. The SSL Certificate Issuer Field is a Lie - https://www.agwa.name/blog/post/the_certificate_issuer_field_is_a_lie. The researcher explains that figuring out which organization (the certificate authority, or CA) issued a certificate is a surprisingly hard and widely misunderstood problem with SSL certificates. Knowing the real issuer matters for several reasons, for example when you discover an unauthorized certificate for your domain in Certificate Transparency logs and need to contact the certificate authority to get it revoked. However, a certificate's issuer field is frequently a lie that tells you nothing about the organization that really issued the certificate. This is a problem for organizations that want to make sure they are using the right certificate providers, and for researchers studying the certificate ecosystem.
  3. Major Git Security Flaws Patched - https://github.blog/2023-01-17-two-security-vulnerabilities-patched-in-git/. Two major security flaws in Git were recently discovered and patched by the Git development team. These vulnerabilities could have allowed an attacker to execute arbitrary code on a user's machine when the user runs a command to clone a repository. The first vulnerability, known as CVE-2022-17, is a heap overflow that occurs when parsing a maliciously crafted git tree object. The second vulnerability, known as CVE-2022-17, is a heap overflow that occurs when parsing a maliciously crafted git tree object. The Git development team recommends that all users upgrade to the latest version of Git (2.28.0) to protect against these vulnerabilities.
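
The issuer-field problem from item 2, as an added example in Go (not code from this newsletter or from the linked post): it builds a constructed three-certificate chain with Go's standard crypto/x509 package, shows that the leaf's Issuer field is nothing more than a copy of the intermediate's Subject, chosen by whoever runs the root, and then walks the signatures up to the root instead of trusting that field. The organization names and the hostname are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a certificate for subj with parentKey; a nil parent yields a self-signed root.
func issue(subj pkix.Name, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subj, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil {
		parent, parentKey = tmpl, priv // self-signed: the template is its own parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // der was produced by the library, so it parses
	return cert, priv
}

// BuildChain models a white-label setup (constructed names): the root operator signs a reseller-named intermediate, which signs the leaf.
func BuildChain() (leaf, inter, root *x509.Certificate) {
	root, rootKey := issue(pkix.Name{Organization: []string{"Actual CA Operator"}}, true, nil, nil)
	inter, interKey := issue(pkix.Name{Organization: []string{"White-Label Reseller"}}, true, root, rootKey)
	leaf, _ = issue(pkix.Name{CommonName: "www.example.test"}, false, inter, interKey)
	return leaf, inter, root
}

// SigningRootOrg returns the root's Organization once every signature up the chain verifies, else "".
func SigningRootOrg(leaf, inter, root *x509.Certificate) string {
	if leaf.CheckSignatureFrom(inter) != nil || inter.CheckSignatureFrom(root) != nil {
		return ""
	}
	return root.Subject.Organization[0]
}

func main() {
	leaf, inter, root := BuildChain()
	fmt.Printf("Issuer field: %q, chain anchored by: %q\n", leaf.Issuer.Organization[0], SigningRootOrg(leaf, inter, root))
}
```

Walking the chain is still only a hint, as the linked post explains: which company actually operates a root or intermediate has to come from the CA's own public disclosures, not from names inside the certificates.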


3. Podcasts

The best CISO audio of the week of January 16th, 2023

  1. CSP #105 – DEAR AUDITOR: WHY IS THIS A HIGH RISK FINDING? CAN WE TALK? This session offers insights on how to view auditors and strengthen a cybersecurity program from the perspective of an IT Audit leader and former CISO. Auditors play a critical role in evaluating a company's cybersecurity controls, but the process can often be stressful for CISOs. This podcast aims to provide a different perspective on how to approach audits and how to use them to improve the overall security of the organization. The speaker shares their own experiences and best practices for working with auditors. The podcast is available at https://securityweekly.com/csp105
  2. Kayne McGladrey on What Businesses Other than Banks Need to Know about Gramm-Leach-Bliley. This podcast discusses the impact of the Gramm-Leach-Bliley Act (GLBA) on industries other than banking, as well as the requirements for compliance with the revised GLBA Safeguards Rule. GLBA is a federal law that requires financial institutions to protect sensitive customer data and disclose their information-sharing practices. However, many other types of businesses are also subject to GLBA, including retailers, higher education institutions, and more. In this podcast, Kayne McGladrey, Field CISO for Hyperproof, explains the new rules, the requirements for compliance, and what organizations need to do to protect customer data. He also discusses the overlap between GLBA and other regulations such as the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) to help organizations understand how to comply with multiple regulations. The podcast is available at https://www.complianceandethics.org/kayne-mcgladrey-on-what-businesses-other-than-banks-need-to-know-about-gramm-leach-bliley-podcast/
  3. Episode 544: Ganesh Datta on DevOps vs Site Reliability Engineering: Software Engineering Radio. This podcast examines the role of communication in site reliability engineering and how it relates to DevOps. Site reliability engineering (SRE) is a discipline that combines software engineering and operations to ensure that websites and online services are highly available and performant. The role of SREs is to design, implement, and operate systems that can handle high traffic and unexpected load. In this podcast, Ganesh Datta, an experienced SRE, discusses the differences and similarities between SRE and DevOps, and how communication is a key aspect of both disciplines. He also highlights the challenges and benefits of working in an SRE role and how it requires a different set of skills than traditional software engineering. Check it at 00:39:23: "They're usually trying to get developers to do things and they're trying to talk up to the CISO or whatever. And it's kind of a similar thing where it's go up to go out kind of a system." The podcast is available at https://melhoresaplicativos.com.br/episode-544-ganesh-datta-on-devops-vs-website-reliability-engineering-software-program-engineering-radio/

Thanks for reading till the end! You are the CISO Hero! We hope you found this newsletter informative and valuable.

Please feel free to share it with your peers and colleagues. And, if you enjoyed this newsletter, please share it privately across the cybersecurity community. We would appreciate your support in growing our subscriber base and spreading awareness about the latest data breaches and threats. Have a great day ahead! 🔒💻🛡️