Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we delve into the aftermath of the British Airways' breach that has reshaped today's web security challenges. We also explore the unfortunate case of a domestic abuse victim whose home address was leaked due to a data breach, and the data breach at a Long Island plastic surgery practice that compromised the data of over 161,000 individuals.

In corporate news, Nokia is investigating a breach after a hacker claimed to steal source code, and S Ventures is making significant investments in cybersecurity. Meanwhile, half a million people were affected in the Columbus data breach, and a lawsuit has been filed against a security researcher involved in the attack. We also cover the arrest of a Canadian suspect over the Snowflake data breach and extortion attacks, and question why organizations still struggle to protect our data.

In healthcare, a data breach at a law firm used by Presbyterian may have impacted patients' personal information, and the Houston Housing Authority was hit by a data breach amid an ongoing contracts scandal.

Finally, we look at the financial impact of data breaches, which cost firms an average of USD $677 million, and discuss the importance of security awareness training in preventing attacks. Stay tuned for more updates and insights in the world of cybersecurity.

Data Breaches

1. British Airways' Breach: British Airways' security breach has sparked a new wave of web security challenges. The company's domain was used to exfiltrate data, leading to the company purchasing the domain to host its blog. Source: Hacker News
2. Domestic Abuse Victim's Data Leak: A domestic abuse victim's home address was leaked to her ex-partner due to a data breach, causing significant distress and necessitating police intervention for safety measures. Source: The Independent
3. LI Plastic Surgery Practice Data Breach: A data breach at a Long Island plastic surgery practice in January compromised the data of 161,707 individuals. The group declined to comment due to security concerns. Source: Newsday
4. Nokia Data Breach: Nokia is investigating a breach after a hacker claimed to have stolen source code. The company is aware of reports that an unauthorized actor has gained access to third-party contractor data and possibly Nokia's data. Source: Bleeping Computer
5. Columbus Data Breach: A data breach in Columbus affected 500,000 individuals, leading to a lawsuit against the security researcher involved in the attack. The details of the breach and the lawsuit are still being explored. Source: Information Security Buzz

Security Research

1. UMS leads blue economy, maritime security research initiative in Sabah: The University Malaysia Sabah (UMS) has launched a comprehensive maritime security research initiative. The study aims to enhance maritime security and promote the blue economy in the seas surrounding Sabah. Source: CISO Series
2. Australia partners with the Philippines for 'cyber boot program': The Australian Cyber Security Cooperative Research Centre is collaborating with the Philippines to launch a 'cyber boot program'. The initiative aims to enhance cybersecurity skills and awareness. Source: Help Net Security
3. Kaspersky Uncovers Global Cybercrime Campaign Targeting Fintech Users via Telegram: Kaspersky's security researchers have discovered a global cybercrime campaign that targets fintech users through Telegram. The campaign underscores the need for vigilance against suspicious emails and links. Source: The Hacker News
4. Researchers address quantum computing security challenges: Researchers are addressing the security challenges posed by quantum computing. The research is expected to contribute significantly to the field of quantum computing security. Source: Tech Xplore
5. Student Finds 'Hacker-like' Approach to Bypass Cell Phone Security: A student has discovered a 'hacker-like' approach to bypass cell phone security. The research could have significant implications for mobile security. Source: Forensic Mag

Top CVEs

1. CVE-2024-51560: Wave 2.0 has a vulnerability due to improper exception handling for invalid inputs at certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for “userId” parameter in the API request leading to generation of error message containing sensitive information. Source: CVE-2024-51560
2. CVE-2024-51559: Wave 2.0 has a vulnerability due to missing authorization check on certain API endpoints. An authenticated remote attacker could exploit this vulnerability by manipulating a parameter “user_id” through API request URLs which could lead to unauthorized creation, modification and deletion of alerts belonging to other users. Source: CVE-2024-51559
3. CVE-2024-51561: Aero has a vulnerability due to improper implementation of OTP validation mechanism in certain API endpoints. An authenticated remote attacker could exploit this vulnerability by intercepting and manipulating the responses exchanged during the second factor authentication process. Successful exploitation of this vulnerability could allow the attacker to bypass OTP verification for accessing other users. Source: CVE-2024-51561
4. CVE-2024-50346: WebFeed, a lightweight web feed reader extension for Firefox/Chrome, has multiple HTML injection vulnerabilities that can lead to CSRF and UI spoofing attacks. A remote attacker can provide malicious RSS feeds and attract the victim user to visit it using WebFeed. The attacker can then inject malicious HTML into the extension page and fool the victim into sending out HTTP requests to arbitrary sites with the victim's credentials. Source: CVE-2024-50346
5. CVE-2024-51408: AppSmith Community 1.8.3 before 1.46 allows SSRF via New DataSource for application/json requests to 169.254.169.254 to retrieve AWS metadata. Source: CVE-2024-51408

API Security

1. Unclear Documentation in ParseWithClaims: The error behavior in ParseWithClaims can lead to situations where users are potentially not checking errors in the way they should be. If a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens. Source: vulners.com
2. Cross Site Scripting in localai: localai <=2.20.1 is vulnerable to Cross Site Scripting (XSS). When calling the delete model API and passing inappropriate parameters, it can cause a one-time storage XSS, which will trigger the payload when a user accesses the model. Source: vulners.com
3. Stored Cross-Site Scripting in gaizhenbiao/chuanhuchatgpt: The project, version <=20240802 is vulnerable to stored Cross-Site Scripting (XSS) in WebSocket session transmission. An attacker can inject malicious content into a WebSocket message. When a victim accesses this session, the malicious JavaScript is executed. Source: vulners.com
4. Error Behavior in golang-jwt: golang-jwt is a Go implementation of JSON Web Tokens. Unclear documentation of the error behavior in ParseWithClaims can lead to situations where users are potentially not checking errors in the way they should be. Especially, if a token is both expired and invalid, the errors returned by ParseWithClaims return both error codes. If users only check for the jwt.ErrTokenExpired using error.Is, they will ignore the embedded jwt.ErrTokenSignatureInvalid and thus potentially accept invalid tokens. Source: vulners.com
5. Improper Exception Handling in Wave 2.0: This vulnerability exists in the Wave 2.0 due to improper exception handling for invalid inputs at certain API endpoint. An authenticated remote attacker could exploit this vulnerability by providing invalid inputs for “userId” parameter in the API request leading to generation of error message containing sensitive information. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've delved into the depths of the British Airways' breach, explored the implications of data breaches on domestic abuse victims, and examined the security challenges faced by organizations like Nokia and the Houston Housing Authority.

Remember, in the world of cybersecurity, knowledge is power. So, don't keep this power to yourself.

Share Secret CISO with your friends and colleagues, and help them stay informed and protected.

Tomorrow, we'll be back with more insights, more news, and more ways to keep your data safe. Until then, stay secure and vigilant.