Welcome to today's issue of Secret CISO. We're diving into a whirlwind of data breaches that have left millions of users exposed. From the infamous Ashley Madison scandal that revealed some high-profile names, to Dell's preventable breach impacting 49 million customers, it's clear that no one is immune. We'll also explore the aftermath of the Georgia University System's Moveit breach, which exposed data of 800K individuals, and Nissan's ransomware attack that compromised thousands of employees' Social Security numbers.

In the healthcare sector, Singing River Health System and FEI Systems have both reported significant breaches, while online bank Varo Money faces a lawsuit over a data breach. We'll also delve into the lessons learned from these high-profile breaches and examine the alleged Meesho data breach under scrutiny. In the research corner, we'll discuss the $32M annually endorsed for AI research, vulnerabilities found in GE Ultrasound devices, and the safety and security of AI-controlled systems.

Finally, we'll highlight some expert insights on how diverse leadership can benefit the security sector, and introduce you to the top 30 cybersecurity influencers of 2024. Stay tuned for all this and more in today's issue of Secret CISO.

Data Breaches

1. Ashley Madison Data Breach (YES, AGAIN): The infamous dating site for married individuals, Ashley Madison, suffered a massive data breach exposing personal information of approximately 32 million users, including names, email addresses, and credit card information. Source: StyleCaster
2. Dell Data Breach: Dell Technologies recently notified customers of a data breach that exposed their personal information via a poorly protected application, impacting around 49 million customers. Source: CPO Magazine
3. Georgia University System Breach: The Georgia University System acknowledged a data breach from a year ago that likely impacted former students and/or employees. The exposed data includes partial or full Social Security numbers. Source: CPO Magazine
4. Nissan Data Breach: A ransomware attack targeted a Nissan virtual private network, exposing the Social Security numbers of thousands of employees. Source: CBS News
5. FEI Systems Data Breach: FEI Systems filed a notice of data breach with the Attorney General of Texas after discovering that consumers' Social Security numbers were affected. Source: JD Supra

Security Research

1. Bipartisan Senators Endorse $32M Annually for AI Research: The National Security Commission on Artificial Intelligence has called on Congress to ensure the federal government invests $32 million annually in AI research. This bipartisan endorsement highlights the importance of AI in national security. Source: BankInfoSecurity
2. Report: 11 Vulnerabilities Found in GE Ultrasound Devices: Security researchers have discovered 11 vulnerabilities in certain GE HealthCare ultrasound products. These vulnerabilities could potentially allow malicious actors to physically manipulate the devices. Source: BankInfoSecurity
3. Researchers delve into Beaufort Delta food security changes: Researchers have begun investigating food security in the Inuvialuit Settlement Region. This research, which kicked off the Aurora Research Institute's ARI Speaker Series, aims to understand and address food security changes in the region. Source: NNSL Media
4. The Program on Extremism at The George Washington University Welcomes New Head of Terrorism Research: Counterterrorism Expert and Former FBI Agent Lara Burns has joined GWU's Program on Extremism. Burns will advance global security research and contribute to the understanding of extremism. Source: KXAN
5. Ensuring the safety and security of AI-controlled systems: Neeraj Gandhi, a doctoral candidate in Computer and Information Science, is conducting research to ensure the safety and security of AI-controlled systems. His work is crucial in the era of increasing AI integration in various sectors. Source: Penn Today

Top CVEs

1. CVE-2024-35175: This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. The details for this candidate will be publicized upon announcement. Source: Vulners.
2. CVE-2024-3182: Similar to the previous entry, this candidate is also reserved for future use when a new security issue arises. The specifics will be disclosed once the issue has been made public. Source: Vulners.
3. CVE-2024-32888: This is another reserved candidate that will be utilized to announce a new security problem. The details will be shared once the problem is publicized. Source: Vulners.

Please note that the details for these CVEs are not yet available as they are reserved for future use. Once they are publicized, the specifics will be updated accordingly.

API Security

1. Magento Open Source Security Advisory: Patch SUPEE-10975: Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 have been updated with critical API security patches to address multiple vulnerabilities, including remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF), and more API related issues. Patches and upgrades are available for various Magento versions. Source: vulners.com
2. Insecure State Generation in laravel/socialite: Laravel/socialite versions prior to 2.0.9 had an insecure state generation mechanism, potentially exposing the OAuth authentication process to security risks. The issue has been addressed in version 2.0.9. Source: vulners.com
3. State Guessing Vulnerability in laravel/socialite: Laravel/socialite versions prior to 2.0.10 were susceptible to a security vulnerability related to state guessing during OAuth authentication. This vulnerability could potentially lead to session hijacking. The issue has been addressed in the latest version. Source: vulners.com
4. Read private customer data reclaiming carts in Klaviyo Magento: An API endpoint in a third-party module Klaviyo Magento 2 allows reading private customer data from stores by reclaiming any guest-cart as your own. Source: vulners.com
5. gree/jose - "None" Algorithm treated as valid in tokens: Several widely-used JSON Web Token (JWT) libraries, including node-jsonwebtoken, pyjwt, namshi/jose, php-jwt, and jsjwt, are affected by critical vulnerabilities that could allow attackers to bypass the verification step when using asymmetric keys. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. From the Ashley Madison data breach to the latest security research, we've covered a lot of ground. Remember, in the world of cybersecurity, knowledge is power. So, stay informed, stay vigilant, and most importantly, stay secure. If you found today's newsletter helpful, why not share it with your friends and colleagues?

They might appreciate the heads-up, and we'd certainly appreciate the support. After all, cybersecurity is a team sport. Until next time, keep your data safe and your systems secure.