Secret CISO 11/24: Niantic's AI Map Data Breach, Baer's Furniture Co. Settlement, Netflix's Worst Leak, Microsoft's Security Failures, Irish Research on NHS Leak, Quantum-Proof Ethereum
Welcome to today's edition of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we delve into the controversial use of Pokemon Go player data by Niantic to train AI map models, raising serious privacy concerns and potential data breach risks. We also discuss the final opportunity for Americans to claim a $5000 settlement from an undisclosed data breach involving Baer's Furniture Co. In the wake of these breaches, we explore practical tips on how to protect yourself from becoming a victim of fraud. We also examine the problems with the CFPB's new Open Banking Rule, which mandates entities accessing consumer data to adhere to specific privacy and security standards.
In the crypto world, CoinSwitch's co-founder emphasizes the need for user protection and crypto licensing amidst a surge in Bitcoin prices and a recent security breach. We also look at the security implications of AIoT solutions and the shift from passwords to more secure methods - until they are hacked too, of course. In other news, DeFi protocol Thala recovers $25.5 million after a security breach, and a Delhi court denies bail to an accused in a Parliament security breach case. We also cover the 'worst leak in streaming history' that disrupted Netflix's biggest shows, and Microsoft's testing of Windows 11 support for third-party passkeys to mitigate data breach risks. Finally, we delve into the latest research in cybersecurity, including an Irish researcher's discovery of a leak of 1.1 million NHS employee records, Microsoft's announcement of its own Black Hat-like hacking event with big rewards for AI security, and the potential of hash-based zero-knowledge tech to quantum-proof Ethereum.
Stay tuned for these stories and more, as we keep you updated on the ever-evolving world of cybersecurity. Stay safe and informed with Secret CISO.
Data Breaches
- Niantic's use of Pokemon Go player data for AI map models: Niantic, the company behind Pokemon Go, has been quietly using player data to train AI map models, raising concerns about potential data breaches and privacy violations. Source: USA Today
- Baer's Furniture Co. data breach settlement: A significant data breach that occurred in August 2022 at Baer's Furniture Co. has led to a large class action lawsuit, with affected individuals having the opportunity to claim up to $5000 in the settlement. Source: The Sun
- Security breach in the cryptocurrency space: Amidst a surge in Bitcoin prices, there has been a notable security breach in the cryptocurrency space, highlighting the need for stronger regulation and user protection measures. Source: Business Standard
- Thala's recovery of $25.5 million after a security breach: DeFi protocol Thala has managed to recover around $25 million in stolen user assets following a security breach, thanks to a collaboration with law enforcement and security experts. Source: Brave New Coin
- 'Worst leak in streaming history' affecting Netflix: Unreleased footage from popular Netflix shows like Squid Game has been leaked, in what is being referred to as the 'worst leak in streaming history'. The leak is believed to have originated from a security breach at a post-production company. Source: The Economic Times
Security Research
- Irish Researcher Discovers NHS Employee Records Leak: An Irish researcher has uncovered a significant data breach involving 1.1 million NHS employee records. The incident highlights the ongoing challenges in securing sensitive healthcare data. Source: DataBreaches.Net
- South Australian Defence Technology Research Funding: South Australian national security research has received a substantial $18m in federal funding, aimed at driving breakthrough military capability. Source: The Advertiser
- Microsoft's Black Hat-like Hacking Event: Microsoft has announced its own hacking event, similar to Black Hat, with significant rewards for researchers who report flaws in Microsoft AI, Azure, Identity, Dynamics 365, and Power platform. Source: MSN
- Quantum-proofing Ethereum with Hash-based Zero-knowledge Tech: Dr. XinXin Fan, the head of cryptography at IoTeX, co-authored a research paper on enabling a smooth migration towards post-quantum security for Ethereum using hash-based zero-knowledge technology. Source: TradingView
- Purdue University's Mandatory Research Security Training: Purdue University has implemented mandatory research security training to address evolving federal regulations and research security. The training module takes approximately 30 minutes to complete. Source: Purdue University
Top CVEs
- PHP Buffer Overread Vulnerability (CVE-2024-11233): In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, a flaw in the convert.quoted-printable-decode filter can lead to a buffer overread by one byte. This could potentially cause crashes or disclose the content of other memory. Source: Vulners.
- PHP ldap_escape() Function Vulnerability (CVE-2024-11236): In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, long string inputs to the ldap_escape() function on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds error. Source: Vulners.
- PHP HTTP Request Smuggling Vulnerability (CVE-2024-11234): In PHP versions 8.1.* before 8.1.31, 8.2.* before 8.2.26, 8.3.* before 8.3.14, when using streams with a configured proxy and "request_fulluri" option, the URI is not properly sanitized. This can lead to HTTP request smuggling and allow an attacker to use the proxy to perform arbitrary HTTP requests originating from the server, potentially gaining access to resources not normally available to the external. Source: Vulners.
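All three advisories share the same fixed releases (8.1.31, 8.2.26, 8.3.14), and CVE-2024-11236 is additionally limited to 32-bit builds. The following is an added example, not code from the newsletter or from the PHP project: a small Python checker that parses the output of `php -v` and reports which of the three CVEs a given build is still exposed to. The version table is taken from the advisory text above; the sample `php -v` line and the `is_32bit` flag are constructed inputs for illustration, and branches the advisories do not mention (for example 8.0) are reported as not covered rather than as safe.

```python
import re

# Fixed releases per the advisories summarized above. Any 8.1/8.2/8.3 build
# with a lower patch level is affected by all three CVEs (CVE-2024-11236
# only on 32-bit builds).
FIXED_VERSIONS = {
    (8, 1): (8, 1, 31),
    (8, 2): (8, 2, 26),
    (8, 3): (8, 3, 14),
}

# CVEs that apply to every affected build, and the one that is 32-bit-only.
CVES_ALL_BUILDS = ["CVE-2024-11233", "CVE-2024-11234"]
CVE_32BIT_ONLY = "CVE-2024-11236"


def parse_php_version(version_text):
    """Extract (major, minor, patch) from a bare version or a `php -v` line."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    if not match:
        raise ValueError("no PHP version found in: %r" % version_text)
    return tuple(int(part) for part in match.groups())


def affected_cves(version_text, is_32bit=False):
    """Return the list of CVEs from the advisories that still apply.

    Returns [] when the build is at or above the fixed release, and None
    when the minor branch is not one the advisories cover, so that an
    unlisted branch is never silently reported as patched.
    """
    major, minor, patch = parse_php_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    if (major, minor, patch) >= fixed:
        return []
    cves = list(CVES_ALL_BUILDS)
    if is_32bit:
        cves.append(CVE_32BIT_ONLY)
    return cves


if __name__ == "__main__":
    # Constructed sample `php -v` first line; not output from a real host.
    sample = "PHP 8.3.12 (cli) (built: Sep 26 2024 12:00:00) (NTS)"
    print(sample, "->", affected_cves(sample, is_32bit=False))
```

In practice the `is_32bit` value would come from `PHP_INT_SIZE` (4 on 32-bit builds) or from the platform package metadata; the checker deliberately leaves that lookup to the caller so it can run against inventory data as well as a live host.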
Sponsored by Wallarm API Security Solution
Final Words
That's a wrap for today's edition of Secret CISO. From the quiet use of Pokemon Go player data to train AI map models, to the final chance for Americans to score $5000 from an undisclosed data breach settlement, we've covered a lot of ground. We've also delved into how to protect yourself from becoming a victim of fraud, the problems with the CFPB's new open banking rule, and the ongoing issues with security breaches in various sectors. Remember, in the world of cybersecurity, knowledge is power. Stay informed, stay vigilant, and most importantly, stay secure.
If you found today's newsletter helpful, consider sharing it with your friends and colleagues.
They might find it useful too. Until next time, keep your data safe and your systems secure.