Secret CISO 7/7: China's Public Security Breach, Trillion Passwords Stolen, AI Transforming Governance while OpenAI's Hidden Breach News Continues

Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today we're diving into AI technologies and their role in governance, and into the stringent data security protocols and privacy-preserving technologies that the development and deployment of AI applications demand. We'll also look at how China's public security ministry is directing local rescue efforts in response to a dike breach. In other news, OpenAI was infiltrated by hackers, raising concerns about the security of its data and systems. Data breaches remain a major concern: Nigeria's National Identity Management Commission (NIMC) is being urged to admit to a data leak and ensure it doesn't happen again. Meanwhile, Japan is taking steps to prevent unintended acceleration in new cars, and its niconico video site has suffered a cyberattack. In the banking sector, Charlotte-based Truist Bank is facing a lawsuit following a data breach, and the Alabama State Department of Education has also suffered a data breach.

We'll also discuss how Arctic Wolf is securing sensitive business data with iManage, and how the National Identity Management Commission (NIMC) is responding to concerns over a data breach. Finally, we'll explore the latest security vulnerabilities and exploits, including a massive credential leak of 995 crore (9.95 billion) passwords, a Ticketmaster data breach affecting Taylor Swift fans, and a ransomware attack on CDK Global. Stay tuned for these stories and more in today's issue of Secret CISO.

Data Breaches

  1. OpenAI's Latest Reputation Problem: Hackers: OpenAI, a leading AI research lab, suffered a significant breach in early 2023 and chose not to disclose it publicly, raising concerns about the security of OpenAI's data and systems and about how it handles incident disclosure. Source: Business Insider
  2. Charlotte-based Truist Bank sued after data breach: Truist Bank, based in Charlotte, is facing a lawsuit from a group of customers following a data breach. The extent of the breach and the data compromised are currently under investigation. Source: MSN
  3. Data Breach: Concerns as NIMC response fails to ease Nigerians' fear: The National Identity Management Commission (NIMC) in Nigeria is under scrutiny after a data breach. The NIMC has denied any breach, but concerns remain over the safety of Nigeria's national database. Source: SolaceBase
  4. 995 Crore Passwords Stolen In Biggest Data Breach Ever: Report: A report calls it the biggest data breach ever: 995 crore (9.95 billion) passwords stolen. The trove was assembled from a mix of old and new breaches rather than taken in a single intrusion, so it is best understood as a compilation; that does not make it harmless, since such lists directly feed credential-stuffing and password-spraying attacks. Source: NDTV
  5. Ticketmaster Hacked: What Victims of Data Breach Should Know: Ticketmaster has suffered a data breach; fans on social media have shared screenshots of an email from the company alerting them to a “data security incident.” The exact impact of the breach is still under investigation. Source: MSN

Security Research

  1. Database With 10 Billion Stolen Passwords Found: Security researchers have discovered a file named 'rockyou2024.txt' on a criminal marketplace, containing nearly 10 billion stolen passwords. This discovery marks one of the largest collections of compromised passwords ever found. Source: The Tech Report
  2. Threat Actors Exploit Microsoft SmartScreen Vulnerability: Researchers have identified a multi-stage attack that exploits a vulnerability in Microsoft's SmartScreen. Instead of dropping obviously malicious binaries, the chain abuses trusted, signed Windows components such as forfiles.exe, PowerShell and mshta (a living-off-the-land technique) to run each stage and bypass security controls. Source: Cyble
  3. 'Windows Recall' Preview Remains Hackable As Google Develops Similar Feature: Windows Recall, a feature that was delayed due to security concerns over storing unencrypted user activity recordings, remains vulnerable to hacking. Meanwhile, Google is reportedly developing a similar feature. Source: Slashdot
  4. Hackers Leaking Taylor Swift Tickets?: WIRED's weekly security roundup asks whether hackers are leaking Taylor Swift tickets, and also covers a new method, uncovered by researchers, for exposing Child Sexual Abuse Material (CSAM) peddlers; the secret cyberattack on OpenAI; and the rise in cryptocurrency thefts in 2024. Source: WIRED
  5. To Guard Against Cyberattacks in Space, Researchers Ask 'What if?': Security professionals are grappling with the challenge of cybersecurity threats in space. Researchers are now exploring potential scenarios and solutions to guard against these cyberattacks. Source: Discover Magazine
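
The practical response to a corpus like rockyou2024.txt is to screen passwords against it at registration and password-change time without shipping the plaintext list around. The block below is an added example, not code from any of the sources above: it hashes a constructed stand-in for a leak dump, sorts the hashes once, and answers lookups by binary search, including a k-anonymity style range query in which the client only ever reveals the first five hex characters of the hash. Function names and the sample list are assumptions made for the example.

```python
import bisect
import hashlib

# Constructed sample standing in for a leaked-password corpus such as
# rockyou2024.txt. A real list has billions of lines; the point of the index
# below is that the checking service only ever holds hashes, sorted once, and
# answers each lookup with a binary search instead of a linear scan.
SAMPLE_LEAKED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the convention range-query APIs use)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_index(plaintexts):
    """Hash and sort a leak dump once; duplicates collapse in the set."""
    return sorted({sha1_hex(p) for p in plaintexts})


LEAKED_INDEX = build_index(SAMPLE_LEAKED_PASSWORDS)


def is_leaked(password: str, index=LEAKED_INDEX) -> bool:
    """Exact membership test: O(log n) bisect on the sorted hash list."""
    h = sha1_hex(password)
    i = bisect.bisect_left(index, h)
    return i < len(index) and index[i] == h


def range_query(prefix: str, index=LEAKED_INDEX):
    """Server side of a k-anonymity lookup: given the first 5 hex characters of
    a hash, return every matching suffix. The server never sees the full hash."""
    if len(prefix) != 5:
        raise ValueError("prefix must be 5 hex characters")
    lo = bisect.bisect_left(index, prefix)
    hi = bisect.bisect_left(index, prefix + "G")  # 'G' sorts after every hex digit
    return [h[5:] for h in index[lo:hi]]


def password_is_compromised(password: str, index=LEAKED_INDEX) -> bool:
    """Client side: send only the 5-char prefix, match the suffix locally."""
    h = sha1_hex(password)
    return h[5:] in range_query(h[:5], index)
```

Rejecting a compromised password is only half the control; pair it with rate limiting and MFA, since the same lists drive the credential-stuffing attempts against accounts that already exist.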

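The SmartScreen item above is a reminder that the detection opportunity in a living-off-the-land chain is the process ancestry, not the binaries themselves. As an added example (not from Cyble or any source on this page), the block below walks constructed process-creation events and flags mshta.exe or PowerShell whose ancestry passes through forfiles.exe within a few hops, while leaving an administrator's PowerShell session and a legitimate forfiles cleanup script alone. The event shapes, paths and command lines are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# forfiles.exe is a legitimate admin tool, but an attacker uses it as a proxy so
# that the first interesting process has a trusted, signed parent.
PROXY_PARENTS = {"forfiles.exe"}
SUSPICIOUS_CHILDREN = {"mshta.exe", "powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
# pids 200-500 form the malicious chain; 600 and 700-900 are benign look-alikes.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\forfiles.exe",
              r'forfiles /p C:\Windows\System32 /m notepad.exe /c "cmd /c mshta C:\Users\Public\update.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\cmd.exe", r"cmd /c mshta C:\Users\Public\update.hta"),
    ProcEvent(400, 300, r"C:\Windows\System32\mshta.exe", r"mshta C:\Users\Public\update.hta"),
    ProcEvent(500, 400, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -nop -w hidden -c <stage2>"),
    # Benign: an administrator opening PowerShell from the shell.
    ProcEvent(600, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -NoProfile"),
    # Benign: a scheduled cleanup script using forfiles to delete old files.
    ProcEvent(700, 1, r"C:\Windows\System32\cmd.exe", "cmd /c cleanup.bat"),
    ProcEvent(800, 700, r"C:\Windows\System32\forfiles.exe",
              r'forfiles /p C:\Temp /d -7 /c "cmd /c del @path"'),
    ProcEvent(900, 800, r"C:\Windows\System32\cmd.exe", r"cmd /c del C:\Temp\old.log"),
]


def image_name(path: str) -> str:
    """Lower-cased file name of an image path, for case-insensitive matching."""
    return path.rsplit("\\", 1)[-1].lower()


def find_proxied_lolbins(events: List[ProcEvent], max_depth: int = 4) -> List[Tuple[int, str]]:
    """Return (pid, chain) for each suspicious child whose ancestry, within
    max_depth hops, passes through a proxy parent such as forfiles.exe."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    hits: List[Tuple[int, str]] = []
    for ev in events:
        if image_name(ev.image) not in SUSPICIOUS_CHILDREN:
            continue
        chain = [image_name(ev.image)]
        cur, depth = ev.ppid, 0
        while cur in by_pid and depth < max_depth:
            parent = by_pid[cur]
            chain.append(image_name(parent.image))
            if image_name(parent.image) in PROXY_PARENTS:
                hits.append((ev.pid, " <- ".join(chain)))
                break
            cur, depth = parent.ppid, depth + 1
    return hits
```

The bounded ancestry walk matters: pure parent-child rules miss the cmd.exe hop that forfiles inserts, while an unbounded walk would eventually tie almost everything back to explorer.exe.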
Top CVEs

  1. CVE-2024-6095: A vulnerability in the /models/apply endpoint of mudler/localai version 2.15.0 allows Server-Side Request Forgery (SSRF) and partial Local File Inclusion (LFI). The endpoint accepts both http(s):// and file:// schemes, so a caller can point it at internal HTTP(s) servers (SSRF) or at local files, parts of which are read back (LFI). The issue is fixed in the latest version. Source: CVE-2024-6095
  2. CVE-2024-40598: An issue was discovered in the CheckUser extension for MediaWiki through 1.42.1. The API can expose suppressed information for log events, potentially leading to information disclosure. Source: CVE-2024-40598
  3. CVE-2024-40603: An issue was discovered in the ArticleRatings extension for MediaWiki through 1.42.1. Special:ChangeRating allows CSRF to alter data via a GET request, so a crafted link or image tag on another site can change a rating on behalf of a logged-in user. Source: CVE-2024-40603
  4. CVE-2024-40599: An issue was discovered in the GuMaxDD skin for MediaWiki through 1.42.1. There is stored XSS via MediaWiki:Sidebar top-level menu, potentially leading to unauthorized script execution. Source: CVE-2024-40599
  5. CVE-2024-40601: An issue was discovered in the MediaWikiChat extension for MediaWiki through 1.42.1. Its API is vulnerable to CSRF, potentially allowing unauthorized changes. Source: CVE-2024-40601
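
The CVE-2024-6095 entry describes the classic shape of a fetch-by-URI feature: a generic fetcher that understands both http(s):// and file:// turns one parameter into both an SSRF and an LFI primitive. The block below is an added example of the validation such an endpoint needs, written against a hypothetical endpoint and not taken from the localai code base: it rejects every scheme except http(s), embedded credentials, and literal loopback, private and link-local addresses, and optionally enforces a host allowlist. Hostnames, the allowlist and the function names are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical hardening for a "fetch this model config from a URI" endpoint.
# The vulnerable shape is: take the URI and hand it to a fetcher that accepts
# both http(s):// and file://.
ALLOWED_SCHEMES = {"http", "https"}
BLOCKED_HOSTNAMES = {"localhost", "metadata.google.internal"}


class UnsafeURI(ValueError):
    pass


def _is_forbidden_ip(ip) -> bool:
    """True for addresses a server-side fetcher should never connect to."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_remote_uri(uri: str, allowed_hosts=None) -> str:
    """Return uri if it may be fetched, else raise UnsafeURI.

    Closes the file:// LFI path by allowing only http(s); closes the obvious
    SSRF targets (loopback, RFC 1918, link-local such as cloud metadata at
    169.254.169.254) for literal IPs; rejects credentials in the URI; and, if
    allowed_hosts is given, anything outside that allowlist.
    """
    parts = urlsplit(uri)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise UnsafeURI(f"scheme not allowed: {parts.scheme!r}")
    host = parts.hostname
    if not host:
        raise UnsafeURI("missing host")
    if parts.username or parts.password:
        raise UnsafeURI("credentials in URI")
    if host.lower() in BLOCKED_HOSTNAMES:
        raise UnsafeURI(f"blocked host: {host}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, or a shorthand like 127.1 that ipaddress rejects
    if ip is not None and _is_forbidden_ip(ip):
        raise UnsafeURI(f"non-public address: {host}")
    if allowed_hosts is not None and host.lower() not in {h.lower() for h in allowed_hosts}:
        raise UnsafeURI(f"host not in allowlist: {host}")
    # Caveat: a DNS name must still be resolved and every resolved address
    # re-checked with _is_forbidden_ip at connect time, and redirects must be
    # re-validated; otherwise DNS rebinding or a 302 to an internal address
    # bypasses this check. An allowlist is the simpler control where possible.
    return uri


def is_safe_remote_uri(uri: str, allowed_hosts=None) -> bool:
    """Boolean convenience wrapper around validate_remote_uri."""
    try:
        validate_remote_uri(uri, allowed_hosts)
        return True
    except UnsafeURI:
        return False
```

The literal-IP checks are necessary but not sufficient; the connect-time re-check in the comment is what actually holds against rebinding, and an allowlist of model sources removes most of the problem outright.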

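The two CSRF entries above (ArticleRatings and MediaWikiChat) share a root cause: a state-changing action that accepts whatever request the browser sends, including a GET triggered from another site. The block below is an added example and not MediaWiki code: a hypothetical change-rating handler in its vulnerable form beside a hardened form that refuses non-POST requests and requires a session-bound HMAC token that a cross-site page cannot read. The request model, secret handling and names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SERVER_SECRET = secrets.token_bytes(32)  # constructed; persist and rotate properly in real use
RATINGS: Dict[str, int] = {}


@dataclass
class Request:
    method: str
    session_id: str  # sent automatically by the browser (cookie), hence forgeable cross-site
    params: Dict[str, str] = field(default_factory=dict)


def issue_csrf_token(session_id: str) -> str:
    """Token bound to the session. It is delivered in the page body, which a
    cross-site attacker cannot read, so a forged request cannot carry it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Constant-time comparison so the token cannot be guessed byte by byte."""
    return bool(token) and hmac.compare_digest(issue_csrf_token(session_id), token)


def change_rating_vulnerable(req: Request) -> int:
    """State change on any request, including GET: an <img src=...> on an
    attacker's page is enough to change a rating as the victim."""
    RATINGS[req.params["page"]] = int(req.params["rating"])
    return 200


def change_rating_hardened(req: Request) -> int:
    """Require POST and a valid session-bound token before touching state."""
    if req.method != "POST":
        return 405
    if not verify_csrf_token(req.session_id, req.params.get("token", "")):
        return 403
    RATINGS[req.params["page"]] = int(req.params["rating"])
    return 200


def current_rating(page: str) -> Optional[int]:
    return RATINGS.get(page)


def reset_ratings() -> None:
    RATINGS.clear()
```

Refusing GET on its own is not enough, since a cross-site form can POST; refusing requests without the token on its own is not enough either, because then GET links still work. The hardened handler applies both checks, and the same pattern belongs on every state-changing API action, not only on the special page.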
Final Words

And that's a wrap for today's edition of Secret CISO. We've covered a lot of ground, from the transformative power of AI in governance to the latest data breaches and security concerns around the globe. It's clear that the world of cybersecurity is as dynamic as ever, and staying informed is our best defense. Remember, security isn't just about technology, it's about people too.

So, if you found today's newsletter helpful, why not share it with your colleagues and friends?

Let's spread the knowledge and build a safer digital world together. Stay safe and see you in the next edition of Secret CISO!
