Secret CISO 4/19: Caregard, Webster Bank, Chinese drone maker, Saint Louis University breaches, Cybersecurity management challenges, Data Privacy Regulations complexity, LabHost phishing site down, Frontier Communications cyberattack
Welcome to today's edition of Secret CISO, your daily dose of cybersecurity news and insights. Today, we're diving into a series of data breaches that have rocked the automotive, banking, and drone industries. First up, we have a former executive revealing a data breach at Caregard, a provider of automotive protection products. This breach has raised serious questions about the security measures in place at the company. In the banking sector, Webster Bank customers affected by a data breach could be eligible for a payout, but the clock is ticking as the deadline is just days away. Meanwhile, Chinese drone maker SZ DJI Technology Co., Ltd. has suffered a major data breach, resulting in the leak of crucial customer data. In the world of academia, Saint Louis University has issued a data breach alert, urging those affected to discuss the incident and understand their rights and interests. We also delve into the state of cybersecurity, discussing the challenges of managing what you can't see and navigating the complexity of the latest data privacy regulations. In government news, officials have confirmed that data breach letters from the U.S. Department of Justice are legitimate, quelling concerns of a potential scam. We'll also be looking at the latest cybersecurity threats, newly discovered vulnerabilities, and data breaches affecting various sectors. Finally, we'll explore the world of artificial intelligence and its potential impact on security, as well as the latest research in security and its implications for our future. Stay tuned for these stories and more in today's Secret CISO newsletter.
Data Breaches
- Caregard Data Breach: A former executive revealed a data breach at Caregard, a company that provides vehicle service contracts and warranties. The specifics of the breach, including the number of individuals affected and the type of data exposed, have not been disclosed. Source: Automotive News
- Webster Bank Data Breach Settlement: Customers affected by Webster Bank's data breach could receive up to $5,000 in a settlement. The deadline for making a claim is fast approaching. Source: Tech.co
- SZ DJI Technology Data Breach: Chinese drone maker SZ DJI Technology Co., Ltd. suffered a significant data breach, resulting in the leak of crucial customer data. The extent of the breach and the specific data leaked have not been detailed. Source: Business Insurance
- Saint Louis University Data Breach: Saint Louis University issued a data breach alert. The details of the breach, including the number of individuals affected and the type of data exposed, have not been disclosed. Source: PR Newswire
- U.S. Department of Justice Data Breach: Ocean County officials confirmed that letters from the U.S. Department of Justice informing people of a data breach are legitimate. The breach occurred at a federal government contractor's office. Source: Jersey Shore Online
Security Research
- Deepfakes Becoming a Greater Concern: Kaspersky's principal security researcher, David Emm, discussed the growing threat of deepfakes in a recent interview. As AI technology advances, the potential for misuse in creating convincing fake videos increases, posing significant security risks. Source: YouTube and eNCA
- DARPA's AI Tools Effort: DARPA is looking to accelerate the development of AI tools for national security research. The aim is to enhance the velocity of AI tools to meet the growing demands of national security. Source: MeriTalk
- Chinese Hackers Targeting US Infrastructure: According to security researchers at Microsoft and Google, Chinese hackers, specifically the group Volt Typhoon, are preparing to attack critical US infrastructure. Source: The Hill
- Evil XDR: Turning Security Software into Malware: A researcher has demonstrated how a powerful security solution can be turned into potent malware, capable of granting comprehensive access over a targeted system. The research highlights the potential misuse of security software. Source: Dark Reading
- Google's Project Zero Discovers Security Flaws in Windows Registry: Led by Mateusz Jurczyk, Google's Project Zero has discovered 50 security flaws in the Windows Registry. The vulnerabilities were found during the development of a coverage-based Windows kernel fuzzer. Source: Cyber Kendra
Top CVEs
- CVE-2023-3758 - Race Condition in SSSD: A race condition flaw in sssd could lead to inconsistent application of GPO policy for authenticated users, potentially causing improper authorization issues. Source: CVE-2023-3758
- CVE-2024-20380 - HTML Parser Vulnerability in ClamAV: A vulnerability in ClamAV's HTML parser could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. Source: CVE-2024-20380
- CVE-2024-29987 - Information Disclosure in Microsoft Edge: A vulnerability in Microsoft Edge (Chromium-based) could lead to information disclosure. Source: CVE-2024-29987
- CVE-2024-29964 - Multiple Vulnerabilities in Docker Instances in Brocade SANnav: Docker instances in Brocade SANnav before v2.3.1 and v2.3.0a have an insecure architecture and configuration that leads to multiple vulnerabilities, potentially allowing an attacker total control over the Ova appliance. Source: CVE-2024-29964
- CVE-2024-2761 - Stored XSS in Genesis Blocks WordPress Plugin: The Genesis Blocks WordPress plugin before 3.1.3 does not properly escape data input provided to some of its blocks, allowing users with at least contributor privileges to conduct Stored XSS. Source: CVE-2024-2761
Final Words
That's a wrap for today's edition of Secret CISO. We've covered everything from the Caregard data breach to the complexities of data privacy regulations. Remember, cybersecurity isn't just a one-time fix, it's an ongoing process. Stay vigilant, stay informed, and most importantly, stay secure. If you found this newsletter helpful, please consider sharing it with your friends and colleagues. We're all in this together, and the more people who are informed about these issues, the safer we all are. Stay tuned for tomorrow's edition where we'll bring you more updates from the world of cybersecurity. Until then, keep your data safe and your systems secure. Share Secret CISO with your network today and help us in our mission to make the digital world a safer place for everyone. Stay safe out there. [Share Secret CISO](#)