Secret CISO 5/6: Massive Data Breaches at BerryDunn and MedStar, Biometric Leak in El Salvador, Lookout Survey Reveals Mobile Security Gaps, Research on AI Data Security and Authentication Vulnerabilities

Welcome to today's issue of Secret CISO, your daily digest of the most pressing cybersecurity news. In today's edition, we're taking a deep dive into the alarming gaps in mobile endpoint protection revealed by a recent Lookout survey. We'll also be discussing the fallout from a data breach at Portland-based BerryDunn that affected over a million people, and the massive leak of biometric data in El Salvador.

In legislative news, we're examining the potential impact of the American Privacy Rights Act, while also looking at Microsoft's renewed commitment to making security its top priority. We'll also be covering a range of data breaches, from Hong Kong government departments to the city of Wichita, and the potential risks posed by electric cars and modern authentication methods.

Finally, we'll be exploring the latest cybersecurity vulnerabilities, from Clario's weak permissions to the Fancy Product Designer WordPress plugin's lack of sanitization and escape settings. Stay tuned for all this and more in today's issue of Secret CISO.

Data Breaches

  1. Lookout Survey Reveals Critical Gaps in Mobile Endpoint Protection: A new survey by Lookout, Inc. has revealed alarming trends in data-centric cloud security, highlighting the need for improved mobile endpoint protection. Source: Yahoo Finance
  2. Portland-based BerryDunn Faces Lawsuits Over Data Breach Affecting 1.1M People: BerryDunn, a Maine accounting firm, is facing lawsuits after a data breach exposed the personal information of over a million people. Source: WGME
  3. El Salvador Suffered a Massive Leak of Biometric Data: Resecurity discovered a massive leak involving the exposure of personally identifiable information (PII) of over 5 million citizens of El Salvador. Source: Security Affairs
  4. Hong Kong Urged to Improve Accountability After Two More Gov't Data Breaches: Data belonging to 17,000 people was breached by the Electrical and Mechanical Services Department last week, prompting calls for the government to improve accountability. Source: Hong Kong Free Press
  5. City of Wichita Shuts Down Network Following Ransomware Attack: The city of Wichita has shut down its network following a ransomware attack. The identity of the ransomware group responsible for the attack has not been disclosed for operational security purposes. Source: SecurityWeek

Security Research

  1. Best Practices for Board Email Security: The U.S. government and Microsoft researchers have recently disclosed details of email compromises, prompting board directors to reassess their own email security practices to prevent similar breaches. Source: MSN
  2. Cyber Security News Weekly Round-Up: JFrog's security research team has discovered that almost one-fifth of the repositories in Docker Hub have been used to distribute malware and phishing scams. This highlights the need for improved security measures in Docker Hub, and for consumers to vet images by publisher and digest rather than by name alone. Source: Cyber Security News
  3. Electric Cars as a Potential Threat to National Security: Researchers have recently warned that electric cars could be hacked in the future, posing a potential threat to national security. They suggest that it could be possible to control these cars remotely, emphasizing the need for advanced security solutions in the electric vehicle industry. Source: Express UK

Top CVEs

  1. CVE-2024-34474 - Clario Desktop Weak Permissions: Clario's desktop application grants weak permissions on %PROGRAMDATA%\Clario and loads DLLs from that directory, a classic DLL hijacking setup: a local user who can write there can plant a DLL that the application loads with its own privileges. Source: CVE-2024-34474
  2. CVE-2024-3756 - MF Gig Calendar WordPress Plugin CSRF Vulnerability: The MF Gig Calendar WordPress plugin up to version 1.2.1 lacks CSRF checks in some places, so an attacker could make a logged-in admin delete arbitrary events via a CSRF attack. Source: CVE-2024-3756
  3. CVE-2024-0904 - Fancy Product Designer WordPress Plugin XSS Vulnerability: The Fancy Product Designer WordPress plugin before version 6.1.81 does not sanitize and escape some of its settings, allowing high-privilege users such as admins to perform Stored Cross-Site Scripting attacks; this matters most on multisite installs, where even admins lack the unfiltered_html capability. Source: CVE-2024-0904
  4. CVE-2024-4506 - Ruijie RG-UAC OS Command Injection: A critical vulnerability has been found in Ruijie RG-UAC up to 20240428: manipulation of the text_ip_addr, orgprelen or orgname argument leads to OS command injection. A public exploit is available. Source: CVE-2024-4506
  5. CVE-2024-34500 - UnlinkedWikibase Extension in MediaWiki XSS: An issue was discovered in the UnlinkedWikibase extension in MediaWiki before 1.39.6, 1.40.x before 1.40.2, and 1.41.x before 1.41.1. XSS can occur through an interface message: error messages are not escaped before being passed to Html::rawElement() in the getError() function (Html::element(), by contrast, escapes its content). Source: CVE-2024-34500
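To make the command injection class behind the Ruijie RG-UAC entry concrete, here is an added example; it is not Ruijie's code, and the advisory does not say which command the device builds from those parameters. Only the parameter names text_ip_addr and orgname come from the CVE summary; the ping and logger commands, the allowlist pattern and the sample values are assumptions for illustration. It contrasts splicing a request parameter into a shell string with validating it and handing an argument vector to subprocess, and generalizes from the IP parameter to a free-text parameter checked against an allowlist.

```python
import ipaddress
import re
import shlex
import subprocess

# Constructed sample parameter values (not from the advisory): a legitimate
# address and organisation name, and two values carrying shell metacharacters.
SAMPLES = {
    "ip_ok": "192.0.2.10",
    "ip_hostile": "192.0.2.10; id",
    "org_ok": "branch-office_7",
    "org_hostile": "acme$(cat /etc/passwd)",
}

# Assumed allowlist for the free-text parameter: letters, digits, . _ -
ORG_NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def build_command_unsafe(text_ip_addr: str, orgname: str) -> str:
    """Vulnerable pattern: request parameters spliced into one shell string.

    Anything after ';', '|', '&&' or inside $(...) runs as a second command.
    The string is returned rather than executed so the sample runs harmlessly.
    """
    return f"ping -c 1 {text_ip_addr} && logger org={orgname}"


def validate_ip(text_ip_addr: str) -> str:
    """Accept only a literal IPv4/IPv6 address.

    ipaddress.ip_address raises ValueError on anything else, including a
    valid address with trailing shell syntax, so the value is normalised
    rather than merely checked.
    """
    return str(ipaddress.ip_address(text_ip_addr.strip()))


def validate_orgname(orgname: str) -> str:
    """Accept only the allowlisted character set for a free-text parameter."""
    if not ORG_NAME_RE.fullmatch(orgname):
        raise ValueError(f"rejected orgname: {orgname!r}")
    return orgname


def build_commands_safe(text_ip_addr: str, orgname: str) -> list[list[str]]:
    """Hardened form: validated values placed in argument vectors.

    Each inner list goes to subprocess.run(argv, shell=False), so no shell
    ever tokenises the user-supplied values.
    """
    return [
        ["ping", "-c", "1", validate_ip(text_ip_addr)],
        ["logger", f"org={validate_orgname(orgname)}"],
    ]


def build_command_quoted(text_ip_addr: str, orgname: str) -> str:
    """Fallback when a shell string is unavoidable: validate, then quote
    every value with shlex.quote so metacharacters become literal."""
    ip = shlex.quote(validate_ip(text_ip_addr))
    org = shlex.quote("org=" + validate_orgname(orgname))
    return f"ping -c 1 {ip} && logger {org}"


def run_safe(text_ip_addr: str, orgname: str) -> list[int]:
    """Execute the hardened form; returns each command's exit status."""
    statuses = []
    for argv in build_commands_safe(text_ip_addr, orgname):
        proc = subprocess.run(argv, shell=False, check=False,
                              capture_output=True, text=True)
        statuses.append(proc.returncode)
    return statuses


if __name__ == "__main__":
    print("unsafe :", build_command_unsafe(SAMPLES["ip_hostile"], SAMPLES["org_ok"]))
    print("safe   :", build_commands_safe(SAMPLES["ip_ok"], SAMPLES["org_ok"]))
    for key in ("ip_hostile", "org_hostile"):
        try:
            build_commands_safe(
                SAMPLES["ip_hostile"] if key == "ip_hostile" else SAMPLES["ip_ok"],
                SAMPLES["org_hostile"] if key == "org_hostile" else SAMPLES["org_ok"],
            )
        except ValueError as exc:
            print("rejected:", exc)
```

The argument-vector form is the fix to reach for; shlex.quote is only a backstop for code that cannot stop invoking a shell, and it does nothing about a value that is itself a legitimate but unwanted argument, which is why validation still comes first.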

API Security

  1. CVE-2024-23188: E-Mail Attachment Vulnerability: A newly discovered vulnerability allows maliciously crafted E-Mail attachment names to execute script code in the user's browser session. This could lead to attackers performing malicious API requests or extracting information from the user's account. Users are advised to deploy the provided updates and patch releases to mitigate this risk. Source: CVE-2024-23188
  2. CVE-2024-23186: Malicious Display-Name Information: This vulnerability could trigger client-side script execution when using specific mobile devices if an E-Mail contains malicious display-name information. Attackers could perform malicious API requests or extract information from the user's account. Users are urged to deploy the provided updates and patch releases to secure their accounts. Source: CVE-2024-23186
  3. CVE-2024-23187: Content-ID Based Embedding Vulnerability: This vulnerability could be exploited to trigger client-side script code when using the "show more" option in E-Mails. Attackers could perform malicious API requests or extract information from the user's account. User interaction is required for the vulnerability to be exploited. Users are advised to deploy the provided updates and patch releases. Source: CVE-2024-23187
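The three API Security items above, the Fancy Product Designer entry and the MediaWiki entry are the same defect in different places: an attacker-controlled string (an attachment filename, a sender display name, a plugin setting, an error message) reaches HTML without being escaped for the context it lands in. The following is an added example, not code from any of those projects. The raw_element/element pair mirrors the difference between MediaWiki's Html::rawElement() and Html::element(); the render_* helpers, the attribute names and the sample strings are constructed for illustration. It uses Python's html.parser as a stand-in for a browser tokenizer to show which start tags each rendering actually produces.

```python
import html
from html.parser import HTMLParser

# Constructed sample values (not taken from any advisory): an attachment
# filename, a sender display name and an error message that carry markup.
UNTRUSTED = {
    "attachment": 'report.pdf"><img src=x onerror=alert(1)>',
    "display_name": "<script>alert(document.cookie)</script> Alice",
    "error": "Unknown entity <svg onload=alert(1)>",
}


def raw_element(tag: str, attrs: dict, inner: str) -> str:
    """Build an element WITHOUT escaping: the vulnerable shape, equivalent
    to handing untrusted text to MediaWiki's Html::rawElement()."""
    attr_str = "".join(f' {k}="{v}"' for k, v in attrs.items())
    return f"<{tag}{attr_str}>{inner}</{tag}>"


def element(tag: str, attrs: dict, inner: str) -> str:
    """Same builder with contextual escaping.

    html.escape(quote=True) turns & < > " ' into entities, so a value can
    neither close the attribute it sits in nor open a tag in text content.
    """
    attr_str = "".join(
        f' {k}="{html.escape(v, quote=True)}"' for k, v in attrs.items()
    )
    return f"<{tag}{attr_str}>{html.escape(inner, quote=True)}</{tag}>"


class _StartTags(HTMLParser):
    """Collects start tags the way a browser's tokenizer would see them."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: list[str] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def start_tags(fragment: str) -> list[str]:
    """Return the start tags present in an HTML fragment, in order."""
    parser = _StartTags()
    parser.feed(fragment)
    parser.close()
    return parser.tags


def render_attachment(name: str, escape: bool) -> str:
    """Attachment link: the filename lands in an attribute AND in text."""
    builder = element if escape else raw_element
    return builder("a", {"download": name, "href": "/mail/attachment/1"}, name)


def render_sender(display_name: str, escape: bool) -> str:
    """Sender line: the display name lands in text content."""
    builder = element if escape else raw_element
    return builder("span", {"class": "sender"}, display_name)


def render_error(message: str, escape: bool) -> str:
    """Error box: the message lands in text content (the getError() case)."""
    builder = element if escape else raw_element
    return builder("div", {"class": "error"}, message)


if __name__ == "__main__":
    cases = (
        ("attachment", render_attachment),
        ("display_name", render_sender),
        ("error", render_error),
    )
    for label, render in cases:
        value = UNTRUSTED[label]
        print(label, "unescaped tags:", start_tags(render(value, escape=False)))
        print(label, "escaped tags:  ", start_tags(render(value, escape=True)))
```

Escaping is per context: html.escape covers attribute values and text content, which is what these five advisories are about, but a value written into an href, a URL query or an inline script needs that context's own encoder, and a template engine that auto-escapes by default removes the chance of forgetting the call at all.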

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. From the alarming gaps in mobile endpoint protection to the massive data leak in El Salvador, it's clear that the cyber landscape is as dynamic as ever. As we navigate through these challenging times, let's remember to stay vigilant and proactive in our cybersecurity efforts. Remember, security isn't just a one-man job. It's a collective responsibility.

So, don't keep these insights to yourself. Share this newsletter with your colleagues and friends, and let's work together to create a safer digital world. Stay safe, stay informed, and see you in the next edition of Secret CISO.

Read more

Secret CISO 11/24: Niantic's AI Map Data Breach, Baer's Furniture Co. Settlement, Netflix's Worst Leak, Microsoft's Security Failures, Irish Research on NHS Leak, Quantum-Proof Ethereum

By Secret CISO