Secret CISO 12/29: Coolblue's €40K Cookie Fine, Unresolved Griswold Leak, USAA Data Breach Lawsuit, Electric Car Data Exposed, Pro-Russia Group Targets Italian Airports


Hello Secret CISO readers. In today's issue, we're diving into a whirlpool of data breaches, security leaks, and the urgent need for robust security protocols. Starting off with Coolblue, a company that was fined €40,000 for unlawful data collection via cookies, we'll explore how this breach of privacy could have been avoided. We'll also delve into the unanswered questions surrounding the Griswold password leak and the aggressive approach taken towards the data breach.

Next, we'll take a look back at the 5 worst cyberattacks of 2024 and discuss how these breaches could have been prevented. We'll also touch on the lawsuit filed against USAA over a data breach and the implications of this case. In the automotive industry, we'll discuss the quick fix implemented after the disclosure of a data leak from 800,000 electric cars and owners. We'll also highlight the importance of addressing the human factor in cybersecurity, as demonstrated by a recent incident involving Palestinian security forces. In the world of politics, we'll examine the diversity issue in the DNC race and its potential impact on security.

We'll also discuss the recent laws signed by N.Y. Gov. Hochul intended to protect residents' online data. Finally, we'll round off with some expert tips on changing your relationship with money in 2025 and on how to protect yourself from scams. Stay tuned for these stories and more in today's issue of Secret CISO. Stay safe and informed!

Data Breaches

  1. Coolblue fined for unlawful data collection: The Dutch online retailer, Coolblue, has been fined €40,000 for unlawful data collection via cookies. The company was found to be in breach of privacy regulations, highlighting the importance of proper data handling and consent procedures. Source: NL Times
  2. Unanswered questions in Griswold password leak: A security breach involving a password leak in Griswold has raised several unanswered questions. The incident underscores the need for robust password management and security measures to prevent such breaches. Source: Colorado Springs Gazette
  3. USAA faces lawsuit over data breach: USAA, a Texas-based financial services company, is facing a class-action lawsuit over a previous data breach. The case highlights the legal and financial repercussions companies can face in the wake of a data breach. Source: MySA
  4. Data from 800,000 electric cars and owners exposed online: A security flaw exposed customer data from 800,000 electric cars and their owners online. The issue was quickly resolved following responsible disclosure, emphasizing the importance of swift action in mitigating the impact of data breaches. Source: Bleeping Computer
  5. Ticketmaster warns Canadians of data breach: Ticketmaster has informed its Canadian customers of a data security incident involving customer information. The incident serves as a reminder of the ongoing threat of data breaches to companies and their customers. Source: MSN

Security Research

  1. Warrior Joins Advanced Nuclear Weapons Alliance As Expert Guest: China is reportedly expanding its nuclear arsenal, raising global security concerns. The increase in the number of warheads indicates an unquenchable thirst for nuclear weapons. Source: Warrior Maven
  2. Apple Photos phones home on iOS 18 and macOS 15: An Apple security researcher has raised concerns about the lack of informed choice when it comes to privacy on Apple's latest operating systems. The issue lies in the fact that Apple Photos phones home on iOS 18 and macOS 15. Source: Hacker News
  3. OODAcon 2024: China – Current Threats and Emerging Risks: At the cybersecurity research conference OODAcon 2024, security researchers led a discussion on the current threats and emerging risks posed by China. The conversation was spearheaded by the founder of ChinaCon, Kristin Del Rosso. Source: OODAloop
  4. A survey on advancements in blockchain-enabled spectrum access security for 6G: A recent survey highlights the challenges of interoperability, scalability, and the need for comprehensive security frameworks in blockchain-enabled spectrum access for 6G cognitive radio IoT networks. The paper also proposes future research directions. Source: ResearchGate
  5. Hackers hijacked legitimate Chrome extensions to try to steal data: Security researcher Jaime Blasco has discovered that hackers have hijacked legitimate Chrome extensions in an attempt to steal data. The attack appears to be random and not specifically targeting any particular entity. Source: The Verge

Top CVEs

  1. CVE-2024-12998 in Online Car Rental System 1.0: A problematic vulnerability has been found in the GET Parameter Handler of the Online Car Rental System 1.0, leading to potential cross-site scripting. The exploit is public and can be initiated remotely. Source: vulners.com
  2. CVE-2024-12995 in Rebuild 3.8.6: A problematic vulnerability has been discovered in the Project Tasks Section of Rebuild 3.8.6, leading to potential cross-site scripting. The exploit is public and can be initiated remotely. Source: vulners.com
  3. CVE-2024-13002 in Bookstore Management System 1.0: A critical vulnerability has been found in the /order_process.php file of the Bookstore Management System 1.0, leading to potential SQL injection. The exploit is public and can be initiated remotely. Source: vulners.com
  4. CVE-2024-56512 in Apache NiFi 1.10.0 through 2.0.0: A vulnerability has been found in Apache NiFi versions 1.10.0 through 2.0.0, affecting authorization checking for Parameter Contexts, referenced Controller Services, and referenced Parameter Providers. The exploit is limited to authenticated users authorized to create Process Groups. Source: vulners.com
  5. CVE-2024-12238 in Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress: A vulnerability has been found in the Ninja Forms plugin for WordPress, allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. From Coolblue's cookie debacle to the unanswered questions in the Griswold password leak, it's clear that the world of cybersecurity is as dynamic as ever. Remember, the first step to fortifying your defenses is staying informed. So, whether it's the latest data breach or the most recent cyberattack, we've got you covered. But we can't do it alone.

Share this newsletter with your friends and colleagues to ensure they're in the loop too.

After all, cybersecurity is a team sport.

Until next time, stay safe and stay vigilant.
