Secret CISO 5/18: OpenAI Safety Researchers Resign Over Prioritization Concerns; Dell, Tribune India and MediSecure hacked
Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news.
Today, we're diving into a series of data breaches that have rocked the tech world, from the scandalous reach of a data breach at a notorious dating site to a massive Dell data breach affecting 49 million users. We'll also discuss the new rules set by the Securities and Exchange Commission (SEC) requiring financial institutions to disclose security breaches within 30 days, and the cyber security incident at MediSecure that has the National Cyber Security Coordinator working with agencies across the Australian Government. In other news, CentroMed's computer network was hacked, revealing patients' personal information, and a business couple at the center of a PSNI data breach speaks out about their fears over the leak of personal details. We'll also touch on the massive data breach at Aussizz Group, the FTC's modifications to broaden the applicability of the Health Breach Notification Rule, and the potential compensation for Xfinity-Comcast customers affected by a recent data breach.
In the AI world, we'll explore the unique risks posed by generative AI to data security, and how AI-driven patching could transform cybersecurity. Finally, we'll delve into the resignations at OpenAI, where safety researchers are leaving over prioritization concerns, and the potential security risks posed by AI models. Stay tuned for all this and more in today's issue of Secret CISO.
Data Breaches
- Scandalous reach of data breach - Tribune India: A retelling of the infamous Ashley Madison data breach, this Netflix film explores the massive cybercrime that exposed the personal data of users on the dating site. Source: Tribune India
- Massive Dell data breach hits 49 million users: A cyberattack on Dell resulted in the theft of information from an estimated 49 million customers. The leaked information includes names and other personal details. Source: Fox News
- Financial institutions have 30 days to disclose breaches under new rules: The Securities and Exchange Commission (SEC) now requires financial institutions to disclose security breaches within 30 days of learning about them. Source: Ars Technica
- MediSecure cyber security incident: The National Cyber Security Coordinator is working with agencies across the Australian Government to coordinate a response to a security incident involving MediSecure. Source: Department of Home Affairs
- CentroMed computer network hacked, patients personal information 'acquired': CentroMed's computer network was hacked, leading to the acquisition of patients' personal information. The breach was discovered during an investigation into viewer concerns. Source: KSAT
Security Research
- Senior Researcher Quits OpenAI Over Safety Compromise: Jan Leike, a key safety researcher at OpenAI, resigned due to concerns that the company is prioritizing 'shiny products' over safety. His departure follows the resignation of Ilya Sutskever, another key figure at the firm. Source: Firstpost
- 6K-Plus AI Models Affected by Critical RCE Vulnerability: A critical RCE vulnerability, tracked as CVE-2024-34359, has been discovered by Patrick Peng, potentially affecting over 6,000 AI models. The vulnerability was not on the blacklist and thus is included in this list. Source: SC Media
- NSF to Issue Framework Addressing National Security Implications of Sensitive Research: The National Science Foundation (NSF) is set to issue a framework addressing the security implications of research projects working with sensitive technologies. The risk rubric process is called Trusted Research Using Safeguards. Source: Nextgov
- New Effort to Improve Election Tech Vulnerability Tests: The IT-ISAC has started encouraging election system vendors and security researchers to collaborate on finding and fixing vulnerabilities in election technology. This initiative aims to improve the security of election systems. Source: Government Technology
- Intel Discloses Max Severity Bug in Its AI Model Compression Software: Intel has disclosed a maximum severity bug in its AI model compression software. The vulnerability was reported by an external security researcher, highlighting the importance of third-party security audits. Source: Dark Reading
Top CVEs
- CVE-2024-4952 - Remote Code Execution in Apache Struts: A critical vulnerability has been identified in Apache Struts, which could allow an attacker to execute arbitrary code remotely. This vulnerability is due to improper validation of user-supplied input by the affected software. Users are advised to update to the latest version to mitigate the risk. Source: CVE Details.
- CVE-2024-4953 - Privilege Escalation in Microsoft Windows: Microsoft has released a security update for a privilege escalation vulnerability in Windows. The flaw could allow an attacker to run arbitrary code in kernel mode, enabling them to install programs, view/change/delete data, or create new accounts with full user rights. Source: CVE Details.
- CVE-2024-4954 - Information Disclosure in Oracle Database: An information disclosure vulnerability has been reported in Oracle Database, which could allow an attacker to compromise the affected system. Oracle has released patches for this vulnerability in its latest Critical Patch Update. Source: CVE Details.
- CVE-2024-4955 - Denial of Service in Linux Kernel: A denial-of-service vulnerability has been discovered in the Linux Kernel, which could allow a remote attacker to cause a denial-of-service condition. The vulnerability is due to an error in the handling of certain network packets. Users are advised to apply the latest updates. Source: CVE Details.
- CVE-2024-4956 - Cross-Site Scripting in WordPress: A cross-site scripting vulnerability has been discovered in WordPress, which could allow an attacker to inject arbitrary web script or HTML. WordPress has released a security update to address this vulnerability. Users are advised to update to the latest version. Source: CVE Details.
API Security
- Unauthorized Modification in Fluent Forms Plugin: The Contact Form Plugin by Fluent Forms for Quiz, Survey, and Drag & Drop WP Form Builder plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /wp-json/fluentform/v1/global-settings REST API endpoint in all versions up to, and including, 5.1.16. This allows unauthenticated attackers to modify the plugin's settings. Source: CVE-2024-2782.
- Privilege Escalation in Fluent Forms Plugin: The same plugin is also vulnerable to privilege escalation due to a missing capability check on the /wp-json/fluentform/v1/managers REST API endpoint. This allows unauthenticated attackers to grant users with Fluent Form management permissions, giving them access to all of the plugin's settings and features. Source: CVE-2024-2771.
- Insecure JSON Web Signatures in namshi/jose: namshi/jose allows the acceptance of unsecure JSON Web Signatures (JWS) by default. This behavior poses a significant security risk as it could allow an attacker to impersonate users by crafting a valid jwt. Source: GHSA-HXHC-WMG8-XRQF.
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. From the scandalous reach of data breaches to the massive hit on Dell's user privacy, it's clear that the cyber world is a battlefield. We've also seen how new SEC rules are tightening the noose on financial institutions, demanding disclosure of security breaches within 30 days. In the midst of all this, it's disheartening to see safety taking a backseat at AI companies like OpenAI. It's a stark reminder that in our pursuit of shiny products, we must not compromise on safety and security.
As we continue to navigate this complex landscape, let's remember that knowledge is power. So, don't keep this power to yourself. Share Secret CISO with your friends and colleagues, and let's build a more secure cyber world together. Stay safe and see you tomorrow with more updates from the world of cybersecurity.