Secret CISO 10/27: $8m Data Breach Settlements, Telegram's Data Leak, AI Security Risks, Chinese Hackers Breach Trump's Data
Good morning, Secret CISO subscribers!
In today's issue, we're diving into the world of data breaches and their aftermath. We're starting off with a story about an international law firm that's sending out $10,000 checks to those affected by their $8 million data breach settlement. But you'd better act fast: Americans have only hours left to claim their share. Next, we're looking at the potential fallout from a data breach that exposed full names, addresses, driver's license numbers, and passport numbers. And if you're hunting for deals online, be aware that the more data collected and stored, the higher the risk of a security breach. In other news, dental patients affected by the Great Expressions data breach can claim up to $6,000 in compensation.
Meanwhile, Telegram has agreed to take down posts and user accounts flagged by Star Health over leaks of customers' data. We're also covering the latest in AI security, with a focus on how AI is changing the game in securing 5G networks. And speaking of AI, did you know that AI-driven hackers are reshaping cybersecurity in the Middle East? Finally, we're wrapping up with a look at the rise in 'quishing' QR code scams and the latest on the UnitedHealth data breach that exposed the information of over 100 million individuals.
Data Breaches
- International Law Firm Data Breach Settlement: An international law firm is offering $10,000 payments to those affected by their $8 million data breach settlement. Individuals with a receipt are eligible to claim. Source: The Sun
- Great Expressions Data Breach Settlement: Dental patients affected by the Great Expressions data breach can claim up to $6,000 in a one-time payment. The settlement aims to compensate for the exposure of personal data. Source: Okdiario
- Star Health Data Leak: Telegram has agreed to take down posts and user accounts flagged by Star Health over the leak of customers' data. The incident has raised concerns about the security of customer data. Source: ABP Live
- Optus Data Breach: Optus, a telecommunications group, has claimed that the hacker involved in their 2022 data breach had a high degree of knowledge of their confidential systems. The breach has raised questions about the security of their systems. Source: AFR
- Chinese Hackers Breach Phone Data: Hackers linked to China have breached the phone data of prominent figures including Donald Trump, JD Vance, and Kamala Harris. An investigation into the breach has been launched. Source: India TV News
Security Research
- Satellite Photos Show Israel Hit Iran's Former Nuclear Weapons Test Building: Recent satellite images reveal that Israel has struck Iran's former nuclear weapons test building. The facilities used to mix solid fuel for missiles were also targeted. The impact of these strikes is being assessed by David Albright, head of the Institute for Science and International Security research group. Source: Daily Excelsior
- AI-driven Hackers Reshaping Cybersecurity in the Middle East: AI-driven hackers are transforming the cybersecurity landscape in the Middle East, according to security industry expert Grant Tuchten. The rise of AI in hacking presents new challenges and threats to cybersecurity measures. Source: Zawya
- Taming AI: A Human Job: Researchers in the field of AI safety are working on addressing issues such as bias, interpretability, and security. Their work is crucial in ensuring that AI technology is developed and used responsibly. Source: Nature
- An Update on Windows Downdate: A SafeBreach researcher has managed to take over the Windows Update process, rendering the term “fully patched” meaningless on any Windows machine. This research highlights the potential vulnerabilities in even the most trusted systems. Source: Security Boulevard
- Android Malware Uses Smartphone's NFC Reader to Steal Payment Card Details: Security researcher Lukas Stefanko has demonstrated how Android malware can use a smartphone's NFC reader to steal payment card details. This research underscores the importance of robust security measures for mobile devices. Source: MSN
Top CVEs
- Validate.js Regular Expression Denial of Service (ReDoS) Vulnerability: Validate.js, a declarative way of validating JavaScript objects, has been found to contain one or more regular expressions that are vulnerable to ReDoS. As of now, it is unknown if any patches are available. Source: CVE-2020-26310
- Useragent Regular Expression Denial of Service (ReDoS) Vulnerability: Useragent, a user agent parser for Node.js, has been found to contain one or more regular expressions that are vulnerable to ReDoS. As of now, no patches are available. Source: CVE-2020-26311
- Blood Bank Management SQL Injection Vulnerability: A critical vulnerability was found in Blood Bank Management 1.0, affecting the file /file/accept.php. The manipulation of the argument reqid leads to SQL injection. The exploit has been publicly disclosed. Source: CVE-2024-10409
- Petrol Pump Management Software SQL Injection Vulnerability: A critical vulnerability was found in SourceCodester Petrol Pump Management Software 1.0. The manipulation of the argument id in the file /admin/edit_customer.php leads to SQL injection. The exploit has been publicly disclosed. Source: CVE-2024-10407
- Online Hotel Reservation System Unrestricted Upload Vulnerability: A critical vulnerability was found in SourceCodester Online Hotel Reservation System 1.0. The manipulation of the argument image in the function upload of the file /admin/mod_room/controller.php?action=add leads to unrestricted upload. The exploit has been publicly disclosed. Source: CVE-2024-10410
Final Words
And that's a wrap for today's edition of Secret CISO. As we navigate the ever-evolving landscape of data breaches and security threats, remember that knowledge is power. Stay informed, stay vigilant, and most importantly, stay safe.
If you've found this newsletter helpful, why not share it with your colleagues and friends? Let's work together to create a safer digital world for everyone.
Until next time, keep your data secure and your systems protected. Remember, in the world of cybersecurity, the only constant is change.