Secret CISO 10/21: Human Error Fuels Data Breaches, Michigan AG Pushes for Consumer Protections, Internet Archive and Nidec Breached, AI Security Challenges, Cisco Denies Data Exposure

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity insights and updates. Today, we delve into the persistent threat of social engineering, which continues to be the top cybersecurity menace, accounting for almost 70% of data breaches. We explore the human element in cybersecurity, the root cause of security analyst burnout, and how organizations can safeguard their most vital assets. We also bring you updates on legislative moves in Michigan aimed at enhancing consumer protections against data breaches and price gouging. In other news, the Internet Archive has suffered another security breach through its Zendesk email support platform, while Japanese tech giant Nidec confirms a data breach and ransomware attack.

We also discuss the emerging threats and safety concerns surrounding AI, as international cybersecurity experts call for global cooperation and proactive strategies. In the legal arena, CBIZ faces lawsuits claiming over $5 million in damages over a data breach that leaked clients' personal information. In today's issue, we also cover the ongoing cybersecurity troubles of the Internet Archive, the $30 million settlement by 23andMe over a cyber-attack lawsuit, and the continuing fallout from the data breach involving Marriott and Starwood Hotels & Resorts. Stay tuned for more updates on the expansion of AI data security reach by Cyera with its $162m acquisition of Trail Security, Cisco's denial of a data breach exposing sensitive personal data, and Europe's tech gap posing a major security problem.

Finally, we share insights on building cybersecurity safeguards in the construction industry, the denial of data breach claims by UK Biobank, and the issue of unmanaged long-lived cloud credentials in organizations. Don't miss our special features on the pioneering nanotechnology research to combat E. coli in rice and the role of human error in cybersecurity. Stay safe and informed with Secret CISO!

Data Breaches

  1. Japanese tech giant Nidec confirms 8Base data breach, company data published: Japanese tech giant Nidec has confirmed a data breach following a ransomware attack earlier this year. The extent of the breach and the data compromised are yet to be fully disclosed. Source: Cyber Daily
  2. Michigan AG Seeking More Consumer Protections Against Data Breaches, Price Gouging: Michigan's Attorney General is pushing for legislation that would require companies to provide timely notice of data breaches affecting 100 or more Michigan residents. This move is aimed at enhancing consumer protection against data breaches and price gouging. Source: Mondaq
  3. Lawsuits claim more than $5 million in damages over CBIZ data breach: CBIZ, a professional services company, is facing lawsuits claiming over $5 million in damages following a data breach earlier this year. The breach reportedly leaked the personal information of CBIZ's clients' retirees. Source: Crain's Cleveland Business
  4. 23andMe Settles Cyber-Attack Lawsuit: $30 Million: Genomics company 23andMe has agreed to pay up to $10,000 per person to victims of a data breach. The total settlement amounts to $30 million. Source: Panda Security
  5. Marriott and Starwood Hotels & Resorts Still Dealing With Data Breach Fallout: Marriott International and Starwood Hotels & Resorts are still dealing with the legal fallout from a major data breach. The breach has raised significant legal issues in the commercial real estate sector. Source: Globest

Security Research

  1. Researchers Pioneer Nanotechnology to Combat E. coli in Rice, Strengthen Food Safety: A team at the University of Texas at El Paso has made a significant advancement in agricultural biotechnology. They are using nanotechnology to combat E. coli in rice, enhancing food safety measures. Source: Food Safety News
  2. Griffith Researcher Unites Generations for Global Peace and Security: Dr Helen Berents, an Australian Research Council DECRA Fellow and Hub Lead at the Griffith Asia Institute, is working on uniting generations for global peace and security. Source: Griffith News
  3. Human Error is the Weakest Link in the Cyber Security Chain: Despite significant advancements in cybersecurity, human error remains the most significant vulnerability. Research has consistently shown that human error is the primary cause of security breaches. Source: The Conversation
  4. USENIX NSDI '24 - Reasoning About Network Traffic Load Property at Production Scale: A new research paper presented at USENIX NSDI '24 discusses the challenges of reasoning about network traffic load properties at production scale. Source: Security Boulevard
  5. Hackers Exploit Roundcube Webmail XSS Vulnerability to Steal Login Credentials: Unknown threat actors have been exploiting a patched security vulnerability in Roundcube Webmail to steal login credentials. Source: The Hacker News

Top CVEs

  1. CVE-2024-10196: A critical vulnerability was discovered in the Pharmacy Management System 1.0 by code-projects. The flaw lies in the /add_new_invoice.php file and can lead to SQL injection through the manipulation of the argument text. The exploit is publicly available and can be initiated remotely. Source: CVE-2024-10196
  2. CVE-2024-10197: Another vulnerability in code-projects' Pharmacy Management System 1.0 has been identified. This issue affects the /manage_supplier.php file and can lead to cross-site scripting (XSS) through the manipulation of the address argument. The exploit is publicly available and can be launched remotely. Source: CVE-2024-10197
  3. CVE-2024-43945: A Cross-Site Request Forgery (CSRF) vulnerability has been found in Latepoint LatePoint. The issue affects all versions of LatePoint and allows for CSRF attacks. Source: CVE-2024-43945
  4. CVE-2024-10200: The Administrative Management System from Wellchoose has a Path Traversal vulnerability. This flaw allows unauthenticated remote attackers to download arbitrary files. Source: CVE-2024-10200
  5. CVE-2024-10198: A third vulnerability has been found in code-projects' Pharmacy Management System 1.0. This flaw affects the /manage_customer.php file and can lead to cross-site scripting (XSS) through the manipulation of the suppliers_name/address argument. The exploit is publicly available and can be launched remotely. Source: CVE-2024-10198

Final Words

As we wrap up today's edition of Secret CISO, it's clear that the human element continues to be a significant factor in cybersecurity threats. From social engineering to analyst burnout, our vulnerabilities can often be traced back to us, the users. In other news, we've seen a surge in data breaches, from the Internet Archive to Japanese tech giant Nidec, reminding us of the importance of robust security measures.

Meanwhile, the debate on AI security continues, with experts calling for global cooperation and proactive strategies. In the legal realm, lawsuits are piling up over data breaches, with companies like CBIZ and Marriott still dealing with the fallout. And in the tech industry, companies like Cyera are expanding their reach in AI data security. Remember, cybersecurity isn't just about technology; it's about people too.

So let's continue to educate ourselves and our colleagues about the risks and how to mitigate them. If you found this newsletter helpful, please consider sharing it with your friends and colleagues. Let's work together to create a safer digital world. Until next time, stay safe and secure!
