Welcome to today's issue of Secret CISO. We're diving into a series of data breaches that have been making headlines, starting with the overselling of cybersecurity by companies. As the NH Business Review warns, such incidents can lead to regulatory fines. In Bloomington, Indiana, victims of the 2021 ParkMobile data breach are still feeling the effects, with thousands paying extra transaction fees for parking. Meanwhile, Rhode Island's health benefits system has been targeted in a major cyberattack, potentially exposing sensitive data including names, addresses, and Social Security numbers.

The Clop ransomware group has claimed responsibility for data theft attacks on Cleo, a stark reminder of the ongoing threat posed by cybercriminals. Amid these incidents, a Trump adviser has called for the US to do more to make cyber attackers pay. In other news, the Department of Justice has recorded more than 480 data breaches over the last three years, highlighting the need for robust cybersecurity measures across all sectors.

Finally, we'll be looking at the potential security risks posed by AI shopping agents, the growing physical security market, and an urgent warning to iPhone owners about a bug that could leak all your passwords. Stay tuned for these stories and more in today's Secret CISO newsletter.

Data Breaches

1. Don't Oversell Your Cybersecurity: Companies are being warned not to overstate their cybersecurity measures, as they could face regulatory fines if a data breach occurs. Source: NH Business Review
2. ParkMobile Data Breach: Victims of the 2021 ParkMobile data breach, including thousands in Bloomington, Indiana, are facing extra transaction fees for parking. Source: Bloomingtonian
3. Rhode Island Health Benefits System Cyberattack: The Rhode Island health benefits system has been targeted in a major cyberattack, with potentially sensitive information compromised. Source: NBC26
4. Clop Ransomware Claims Responsibility for Cleo Data Theft Attacks: The Clop ransomware group has claimed responsibility for data theft attacks on Cleo, a developer of data leak sites. Source: Bleeping Computer
5. Department of Justice Records More Than 480 Data Breaches Over Last Three Years: The Department of Justice has recorded more than 480 data breaches over the last three years, including key areas like international protection and the response to the Ukraine refugee crisis. Source: Breaking News Ireland

Security Research

1. Suspected drone sightings over New Jersey spark frenzy of speculation: Security researchers are investigating a series of drone sightings over New Jersey, which have caused widespread speculation and concern. The drones' origin and purpose remain unknown, highlighting the potential security risks posed by unmanned aerial vehicles. Source: Semafor
2. This AI Researcher Has A Warning For Those Of Us Using Autonomous Agents To Shop: AI shopping agents, while convenient, could pose significant security risks, warns a prominent AI researcher. These autonomous agents could potentially be exploited by malicious actors to gain unauthorized access to personal and financial information. Source: Inverse
3. Physical Security Market Set to Reach USD 200.81 Billion by 2032: The physical security market, encompassing access control systems and video surveillance solutions, is projected to reach USD 200.81 billion by 2032. This growth is driven by rising security concerns and increased infrastructure protection needs. Source: GlobeNewswire
4. Urgent warning to iPhone owners over bug that could leak all your passwords: Security researcher Tommy Mysk has discovered a bug in iPhones that could potentially leak all user passwords. The researcher warns that malicious networks can easily intercept and exploit this vulnerability. Source: The US Sun
5. 'I thought I'd been microchipped': How abusers spy on partners with 'parental control' apps: Cybersecurity researchers warn that 'parental control' apps can be misused by abusers to spy on their partners. These apps can be exploited to monitor and control the victim's device without their knowledge. Source: Yahoo News UK

Top CVEs

1. CVE-2024-7701 - Percona Toolkit Password Hash Vulnerability: The Percona Toolkit has been found to have a vulnerability where it uses a password hash with insufficient computational effort. This allows for potential encryption brute forcing, compromising the security of the system. Users are advised to update to the latest version. Source: Vulners.
2. CVE-2024-55969 - Syncfusion Essential Studio for ASP.NET MVC DocIO XMLException: A vulnerability has been discovered in the DocIO component of Syncfusion Essential Studio for ASP.NET MVC before version 27.1.55. The software throws an XMLException during the resaving of a DOCX document with an external reference XML, potentially leading to data corruption or loss. Source: Vulners.
3. CVE-2024-56072 - FastNetMon Community Edition sFlow v5 Plugin Vulnerability: An issue has been discovered in FastNetMon Community Edition through version 1.2.7. The sFlow v5 plugin allows remote attackers to cause a denial of service (application crash) via a crafted packet that specifies many sFlow. Users are advised to update to the latest version. Source: Vulners.

Final Words

And that's a wrap for today's edition of Secret CISO. As we've seen, the cybersecurity landscape is ever-evolving, with new threats and challenges emerging daily. From the fines faced by companies due to data security incidents, to the major cyberattacks on public assistance programs, it's clear that cybersecurity is not something to be taken lightly. Remember, it's not just about protecting your own data, but also about ensuring the security of your customers' information.

So, don't oversell your cybersecurity, instead, invest in it. If you found this newsletter helpful, please consider sharing it with your friends and colleagues.

Let's spread the word and help each other stay safe in this digital world. Stay vigilant, stay informed, and most importantly, stay secure. Until next time, this is Secret CISO, signing off.