Secret CISO #9: US House of Representatives, BMW, and 9m AT&T users compromised


Welcome to the 9th edition of our Secret CISO newsletter. We hope this finds you well and that you're having a great week.

Firstly, we would like to extend our sincerest gratitude to all of you who took the time to provide us with feedback and suggestions to improve our newsletter. We appreciate your valuable insights and we're thrilled to see that our weekly news is becoming more helpful for you. A special shoutout goes to Tim K., Jeremy K., and Jonathan F. for their excellent feedback.

As always, our goal is to provide you with the latest updates on cybersecurity trends, news, and best practices. And yes, to share something other than SVB collapse news. We believe that sharing our experiences and insights will help us all become better equipped to handle the challenges that come with being a CISO.

We hope that you find this edition informative and engaging. Please don't hesitate to share your thoughts with us by leaving a comment or suggestion. Your feedback is always welcome and appreciated.

Enjoy your reading!

1. Data Breaches

US House of Representatives, 9m AT&T users, and BMW Italy breaches

Around 9m AT&T customers' data was breached in January

The exposed data was related to Customer Proprietary Network Information (CPNI), such as wireless account numbers and phone numbers. AT&T clarified that no sensitive personal information, such as credit card details, Social Security numbers, or passwords, was exposed. The company has reported the breach to federal law enforcement, and customers are advised to turn off CPNI data sharing on their accounts to reduce future exposure risks.

Source: https://www.bleepingcomputer.com/news/security/atandt-alerts-9-million-customers-of-data-breach-after-vendor-hack/

US House of Representatives Data Breach: Sensitive Information of Members and Staff Stolen

The FBI is investigating a data breach affecting members and staff of the US House of Representatives after their sensitive personal information was stolen from DC Health Link's servers. The breach notification email from the House Chief Administrative Officer confirms that account information and personally identifiable information of hundreds of House staff and members may have been compromised. One threat actor, known as IntelBroker, is already selling the stolen data, which includes names, addresses, email addresses, phone numbers, Social Security numbers, and much more. The Public Information Officer for the Health Benefit Exchange Authority confirmed that the data of some DC Health Link customers has been exposed online, and the investigation is ongoing. The FBI has purchased some of the stolen information put up for sale online.

Source: https://www.bleepingcomputer.com/news/security/fbi-investigates-data-breach-impacting-us-house-members-and-staff/

BMW Italy Exposes Sensitive Client Data and Business Secrets

BMW Italy potentially exposed sensitive files and client data after Cybernews researchers found an unprotected environment (.env) and .git configuration files hosted on the official BMW Italy website. These files contained data on production and development environments, and would allow attackers to steal customer data and access the company's source code. Sensitive personal information collected by BMW includes home addresses, vehicle location data, and online account details, which could be used for phishing and credential-stuffing attacks. BMW has secured the data that wasn't meant to be public in the first place, but customers are advised to stay vigilant and monitor any suspicious emails or banking activity.

Source: https://cybernews.com/security/bmw-exposes-italy-clients/

2. Research

New old fuzzer for WebGL, bypassing encryption at client-side, hacking GitHub Codespace

WebGL-Fuzzer

This is an old WebGL fuzzer from 1990BC (as the author puts it) that was based on an IDL definition. The fuzzer was able to find some interesting vulnerabilities in WebKit back in the day. The code includes a sample script that creates a WebGL program and performs various fuzzing techniques such as creating a buffer, attaching a shader, creating a framebuffer, and using various WebGL functions with unexpected parameters. The code is designed to cause errors and exceptions, which could reveal previously undiscovered security flaws in the WebGL implementation.

GitHub: https://github.com/ant4g0nist/webgl-fuzzer

Bypassing Asymmetric Client Side Encryption Without Private Key

The article explains how to bypass client-side encryption that uses asymmetric encryption, which makes it impossible to decrypt the request without the private key. The solution involves using the Chrome override feature to modify the application's JavaScript code to return plain text instead of encrypted requests. The PyCript extension is then configured to encrypt the request using the same encryption logic as the application's JavaScript code. The approach is demonstrated through an example using the node-forge library for encryption.

Medium: https://infosecwriteups.com/bypassing-asymmetric-client-side-encryption-without-private-key-822ed0d8aeb6

Unauthorized Access to GitHub Codespace Secrets via Repository Security Advisory Feature

A security issue in GitHub's Repository Security Advisory feature allowed unauthorized access to plaintext Codespace secrets of any organization including GitHub. The Security Advisory feature allows maintainers to draft public advisory information about a reported vulnerability and create a private fork of the repository to work on a patch. With the new feature release, external users can report vulnerabilities to public repositories and get added as a collaborator to the vulnerability report. However, external reporters could exploit the vulnerability by creating a private fork and accessing the organization level secrets via Codespace for the private fork, which allowed them to escalate the vulnerability further and access GitHub's internal repositories. The issue was reported to GitHub's security program, and it was confirmed and patched within a few days.

Write-up: https://ophionsecurity.com/blog/access-organization-secrets-in-github

3. Podcasts

Disaster recovery, vCISO benefits, and governance risk director journey

Gabriela Smith-Sherman: From Military Service to Cyber Governance

Gabriela Smith-Sherman, Director of the Governance Risk and Compliance Department at MindPoint Group, shares her journey from being a former federal agency CISO and disabled US combat veteran to her current role in leading and implementing comprehensive enterprise cybersecurity programs. She credits her military experience in preparing her to thrive in the chaos of the IT world and be calm in chaotic situations. Despite the difficulties of transitioning to civilian life, she remains dedicated to delivering innovative solutions and high-quality results to customers.

Listen: https://www.ivoox.com/en/gabriela-smith-sherman-thriving-in-the-chaos-cyber-governance-audios-mp3_rf_104060991_1.html

Self-Sufficient Security: The Benefits of a vCISO

In this episode of The New CISO, Steve speaks with Laura Louthan, founder and vCISO at Angel Cybersecurity, who shares her unconventional career journey, the perks of being a self-sufficient cybersecurity expert, and her experience as a contracted CISO. Laura emphasizes the importance of understanding one's abilities and being truthful about them, avoiding struggle, and embracing challenges. She also addresses the external pressure for CISOs to address privacy needs and the challenges women face in terms of likeability during negotiations and job applications. Laura advises women to apply for jobs that challenge them, just like men do.

Listen: https://podcasts.apple.com/us/podcast/self-sufficient-security-the-perks-of-being-a-vciso/id1460075361?i=1000603475199

The Correlation between Disaster Recovery and Cybersecurity

Disaster recovery and cybersecurity are crucial for any organization, and it's recommended to plan both initiatives together. Although managed by different teams, there is enough correlation to make one activity critical to the overall effectiveness of the other. In this episode, guest W. Curtis Preston, "Mr. Backup" and Chief Technical Evangelist at Druva, discusses the importance of integrating disaster recovery and cybersecurity strategies to ensure business continuity in the face of a crippling attack. Your DR plan could be the last line of defence to restore your data and system to a secure state.

Listen: https://soundcloud.com/user-305373143/cyber-recovery-and-disaster-recovery-strategies-ciso-talks

4. CISO Job Postings

David Yurman, Minnesota IT Services, and Sysco hire CISOs

Chief Information Security Officer at Minnesota IT Services

Minnesota IT Services is seeking a Chief Information Security Officer to lead the agency's cybersecurity strategy and ensure the protection of the state's data, systems, and networks from cyber threats. The CISO will oversee people, processes, technology, and governance of the state's security program and will engage and partner with diverse groups. The successful candidate must have at least 8 years of experience in compliance/cybersecurity, including 5 years in a supervisory leadership role, as well as advanced business, fiscal, and human resource management skills. The position offers a salary range of $116,928/yr - $167,395/yr, full state fringe benefits, and is eligible for full-time teleworking, hybrid or full-time in the office depending on the needs of the business unit and with supervisor approval.

Apply: https://www.linkedin.com/jobs/view/3510085985

Director, CISO at David Yurman

David Yurman is seeking a Chief Information Security Officer (CISO) to lead the organization's assurance activities related to the availability, integrity, and confidentiality of business information, applications, and IT systems. The CISO will work with executive management to determine acceptable levels of risk for the organization and develop, implement, and monitor a comprehensive enterprise information security and IT risk management program. The successful candidate must have a bachelor's degree in a technology-related field, professional security management certification, at least 10 years of experience in risk management, information security, and IT, and hands-on experience with security-related technologies. The position offers a salary range of $230,000-$250,000 and a comprehensive benefits package. David Yurman is an equal employment opportunity employer.

Apply: https://www.linkedin.com/jobs/view/3513221427

Deputy Chief Information Security Officer (CISO) - Corporate - US

Sysco, a foodservice distribution company, is looking for a Deputy Chief Information Security Officer (CISO) to manage the Cybersecurity Program Management Office functions, including budgetary management of capital and operating expenses. The Deputy CISO will be responsible for directing initiatives related to cybersecurity operations, risk assessments, implementation in defensive security technologies, and overseeing senior management changes in the applicable arenas affecting cybersecurity. They will also manage cybersecurity staff within scope and certify technology compliance with company-wide cybersecurity policies. The ideal candidate should have a bachelor's degree in Computer Science, Cybersecurity, Information Technology, or related fields, at least 14 years of combined experience in risk management, cybersecurity, and IT jobs, and leadership skills to direct the Cybersecurity team and collaborate with other business teams.

Apply: https://www.linkedin.com/jobs/view/3518925569

Final Words

Thank you for joining us for the 9th episode of Secret CISO. We hope you found the insights and information shared by our anonymous CISO valuable and informative. As a thank you for reading it in full, we have a digital gift for you - a cyber squirrel:

Secret CISO #9 gift: Cyber Squirrel

We're excited to announce that our 10th episode of Secret CISO will mark our anniversary, and we promise something new and special. So stay tuned for that!

As always, we value your feedback and would love to hear your thoughts on this episode or any suggestions for future topics. Please reply to this email with any comments or feedback you may have.

Thank you again for being a part of Secret CISO. See you next Monday at 13:37 UTC, as always!
