Secret CISO 5/21: Massive Data Breaches at PNP, Oregon, MediSecure, and NJ High School; SEC Tightens Data Breach Regulations; Research on Financial Security Risks for Parents and AI Safety Prioritization
Welcome to today's issue of Secret CISO, your daily dose of the most impactful cybersecurity news. Today, we delve into the world of data breaches, from the massive PNP data breach in the Philippines to the rising concerns over data privacy in Oregon. We also explore why health data is becoming a lucrative target for hackers, as evidenced by the recent MediSecure data breach. In the education sector, a data breach in a New Jersey high school has exposed students' names and social security numbers, while the Securities Exchange Commission is tightening data breach regulations in response to escalating cyberattacks. In the healthcare sector, we discuss the increasing number of cyberattacks on health care providers, with patient information potentially accessed during a data breach at the LA County Department of Mental Health.
We also look at how organizations are responding to these breaches, from implementing stricter coding standards and regular security audits to providing identity monitoring and protection services for affected individuals. In the world of research, we highlight the work of security researchers in identifying vulnerabilities in major cloud platforms, and the challenges they face in terrorism handling. Finally, we touch on the potential risks parents face due to lack of financial protection, as revealed by new research from MetLife UK. Stay tuned for more exclusive cybersecurity insights in tomorrow's issue of Secret CISO. Stay safe and secure!
Data Breaches
- Massive PNP Data Breach: The Department of Information and Communications Technology (DICT) in the Philippines has raised national security concerns following a massive data breach at the Philippine National Police (PNP). DICT Undersecretary Jeffrey Dy discussed the breach with Karmina Constantino on ANC PRESTIGE. Source: YouTube
- Data Privacy in Oregon: Two Oregonians have filed a lawsuit over a data breach, alleging that the state failed to adequately protect their personal information, including Social Security numbers. The case is part of a broader discussion on data privacy in Oregon and beyond. Source: OPB
- N.J. High School Data Breach: Personal information, including names and social security numbers of high school students in New Jersey, may have been exposed in a data breach. The affected students will receive identity monitoring and protection services from the district. Source: NJ.com
- SEC Plans to Tighten Data Breach Regulation: The Securities Exchange Commission is setting stricter guidelines on how financial institutions deal with data breaches as cyberattacks climb. The new regulations aim to improve the response to data breaches and enhance cybersecurity measures. Source: Bank Automation News
- Data Breach at LA County Department of Mental Health: Patient information may have been accessed during a data breach at the LA County Department of Mental Health. The breach occurred after an employee clicked on a phishing email, highlighting the ongoing threat of phishing attacks. Source: CBS News
Security Research
- DoJ Shakes Up North Korea's Widespread IT Freelance Scam Operation: The Department of Justice is targeting North Korea's IT freelance scam operation, which is a significant threat to global cybersecurity. The operation involves North Korean actors carrying out sophisticated cyber-attacks. Source: Dark Reading
- IBM Randori Activation: Know Your Attack Surface experience: IBM has launched a new security feature called Randori Activation. This tool allows clients to visualize their attack surface and engage in a conversation about enterprise security. Source: Creative Review
- Ex-OpenAI Researcher Expresses Concern Over AI Safety Prioritization: Former OpenAI researcher, Jan Leike, has expressed concerns over the prioritization of AI safety. Leike, a key figure advocating for AI security, has recently left the organization amid a security debate. Source: Elblog
- Vanderbilt researchers receive $2 million ARPA-H award to improve software security in medical devices: Vanderbilt Department of Computer Science researchers have won a $2 million award from the Advanced Research Projects to improve software security in medical devices. This initiative aims to enhance the safety and reliability of medical devices. Source: Vanderbilt News
- Cryptography Expert: Work Today Can Help Protect Blockchain From Quantum Attacks Tomorrow: A leading researcher in cryptographic security has stated that while quantum computers may not be available tomorrow, action to protect blockchains from potential quantum attacks should be taken today. Source: The Quantum Insider
Top CVEs
- CVE-2024-4323 - Fluent Bit Memory Corruption Vulnerability: A memory corruption vulnerability has been identified in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution. Source: CVE-2024-4323
- CVE-2024-4289 - Sailthru Triggermail WordPress Plugin Vulnerability: The Sailthru Triggermail WordPress plugin through 1.1 does not sanitise and escape various parameters before outputting them back in pages and attributes, leading to a Reflected Cross-Site Scripting which could be used against high privilege users. Source: CVE-2024-4289
- CVE-2024-4061 - Survey Maker WordPress Plugin Vulnerability: The Survey Maker WordPress plugin before 4.2.9 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed. Source: CVE-2024-4061
- CVE-2024-29651 - API Dev Tools json-schema-ref-parser Vulnerability: A Prototype Pollution issue in API Dev Tools json-schema-ref-parser v.11.0.0 and v.11.1.0 allows a remote attacker to execute arbitrary code via the bundle(),parse(),resolve(),dereference() functions. Source: CVE-2024-29651
- CVE-2024-4287 - mintplex-labs/anything-llm Vulnerability: In mintplex-labs/anything-llm, a vulnerability exists due to improper input validation in the workspace update process. This flaw enables users with a manager role to craft a request that includes nested write operations, effectively allowing them to create new Administrator roles. Source: CVE-2024-4287
API Security
- Prototype Pollution in API Dev Tools: A Prototype Pollution issue was found in API Dev Tools json-schema-ref-parser versions 11.0.0 and 11.1.0. This vulnerability allows a remote attacker to execute arbitrary code via the bundle(), parse(), resolve(), dereference() functions. Source: GHSA-5F97-H2C2-826Q
- Pusher Service Channel Authentication Bypass: A vulnerability in the Pusher service allows a malicious end-user to bypass the authentication mechanism for private channels. This is due to a lack of validation in the libraries provided to customers. As a result, a malicious end-user with permission to subscribe to one private channel can forge permission for any private channel owned by the same customer. Source: GHSA-7V7M-PCW5-H3CG
- Tabnabbing Vulnerability in Passbolt API: A tabnabbing vulnerability was found in Passbolt API. A user could create and share a resource with a malicious URI. When the victim opens the URI in a new tab, the malicious page has access to the window.opener object, potentially leading to data integrity issues or phishing attacks. Source: GHSA-QM5V-PJ64-852J
- Unauthorized Dataset Deletion in Lunary API: In lunary-ai/lunary version 1.2.2, the DELETE endpoint is vulnerable to unauthorized dataset deletion due to missing authorization and authentication mechanisms. This vulnerability allows any user, even those without a valid token, to delete a dataset, potentially leading to data loss or disruption of service. The issue was fixed in version 1.2.8. Source: CVE-2024-3761
Sponsored by Wallarm API Security Solution
Final Words
That's it for today's edition of Secret CISO. We've covered a lot of ground, from massive PNP data breaches to the lucrative nature of health data for hackers. Remember, staying informed is the first step in maintaining a robust security posture.
If you found this newsletter helpful, please consider sharing it with your colleagues and friends. The more we spread awareness about these issues, the better we can protect ourselves and our organizations. Stay safe, stay informed, and see you in the next edition of Secret CISO.