Secret CISO 6/16: TAG Heuer's Korean Customer Data Breach, India's New Data Protection Law, AI Security Threats, and GDPR Audit Tools

Hello there, Secret CISO readers! Today's newsletter is packed with critical insights and updates from the world of cybersecurity. We're diving into the top 10 GDPR audit tools that are simplifying data protection impact assessments and aiding companies in breach response management. We'll also be exploring the cybersecurity predictions for 2024, where AI is set to revolutionize everything, for better or worse. In recent news, TAG Heuer's website hack exposed the personal data of 2,900 Korean customers, highlighting the importance of robust data protection measures. Speaking of which, India is set to introduce a 'digital by design' platform for data protection, promising hefty fines for data breaches.

We'll also be discussing the rise of AI security threats to small businesses, the increasing maturity of secure remote access as cybersecurity demands grow, and the latest security changes coming to Microsoft's Outlook. Lastly, we'll be looking at some recent data breaches, including a $526,714,000,000 bank revealing a data breach, and the potential risks following Apple-ChatGPT integration. Stay tuned for these stories and more in today's issue of Secret CISO. Stay safe and informed!

Data Breaches

  1. Personal data of 2,900 Korean customers exposed in TAG Heuer website hack: Hackers attacked TAG Heuer's website between 2019 and 2020, exposing the personal data of 2,900 Korean customers. The country's data protection watchdog is currently investigating the breach. Source: Korea JoongAng Daily
  2. Greylock McKinnon Associates data breach exposed DOJ data of 341,650 people: A data breach at Greylock McKinnon Associates has exposed the Department of Justice data of 341,650 individuals. The breach was part of a larger ransomware attack that also impacted London hospitals, leading to the cancellation of over 800 operations. Source: Security Affairs
  3. TAG Heuer penalised for data breach, impacting South Korean customers: TAG Heuer has been penalised for a data breach that exposed the private information of nearly 2,900 South Korean customers. The breach occurred during a cyberattack on the company's website. Source: India TV News
  4. Genetics testing company 23andMe to be probed over a data breach that affected 7 million users: 23andMe, a genetics testing company, is set to be investigated over a data breach that affected 7 million users. The details of the breach have not been disclosed. Source: E&T News
  5. $526,714,000,000 Bank Reveals Data Breach As Hacker Claims Personal Information of 65,000 Account Holders for Sale: One of the largest banks in the US has revealed a security incident that exposed the sensitive data of thousands of account holders. The breach is reportedly the work of a hacker who is now claiming to have the personal information of 65,000 account holders for sale. Source: Daily Hodl

Security Research

  1. Expert Warns of Rising AI Security Threats to Small Businesses: A recent survey by the World Economic Forum has shown that ransomware attacks have increased by nearly 300%, with over 50% of these attacks targeting small businesses. The rise in AI security threats is a growing concern for small businesses. Source: IFA Magazine
  2. Concerns over cops' access to personal info on TSCOP: Data security researchers have raised concerns over police's access to personal information stored in the TSCOP application. The application contains sensitive information of citizens, raising privacy and security issues. Source: Times of India
  3. Brock research aims to boost worldwide food security: Brock University has been awarded a grant from the Natural Sciences and Engineering Research Council of Canada for a project aiming to enhance global food security. The project is among 18 university initiatives that received a total of $3M in grants. Source: Niagara-on-the-Lake Local
  4. Global Security Advisory Group: The Global Security Advisory Group, consisting of experts from various fields, provides insights into warfare, irregular threats, and terrorism. The group includes former MI6 operations chief Nick Fishwick and cyber security expert Denise Zheng. Source: CSIS
  5. Listen to Apple's brutal mockery of Microsoft's spectacular Windows Recall AI failure: Microsoft has postponed the release of a feature after security researchers discovered numerous vulnerabilities. Apple responded to the situation with a mocking announcement of its own security measures. Source: Windows Central

Top CVEs

  1. CVE-2024-4258: The Video Gallery – YouTube Playlist, Channel Gallery by YotuWP plugin for WordPress is vulnerable to Local File Inclusion. This vulnerability allows unauthenticated attackers to include and execute arbitrary files on the server, potentially bypassing access controls, obtaining sensitive data, or executing code. Source: vulners.com
  2. CVE-2024-6016: A critical vulnerability has been found in itsourcecode Online Laundry Management System 1.0. The vulnerability lies in some unknown functionality of the file admin_class.php, where the manipulation of the argument id leads to SQL injection. The exploit has been publicly disclosed. Source: vulners.com
  3. CVE-2024-5611: The Stratum – Elementor Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'label_years' attribute within the Countdown widget. This vulnerability allows authenticated attackers, with Contributor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: vulners.com
  4. CVE-2024-4095: The Collapse-O-Matic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'expand' and 'expandsub' shortcode. This vulnerability allows authenticated attackers, with contributor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: vulners.com
  5. CVE-2024-6014: A critical vulnerability has been found in itsourcecode Document Management System 1.0. The vulnerability lies in an unknown function of the file edithis.php, where the manipulation of the argument id leads to SQL injection. The exploit has been publicly disclosed. Source: vulners.com
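Items 2 and 5 above both describe the same defect class: a request parameter named id is spliced into a SQL statement. The following is an added example (not code from itsourcecode, the affected applications, or the vulners.com advisories) that shows the vulnerable pattern beside the hardened form in PHP. It assumes the pdo_sqlite extension is available and builds its own in-memory table; the table name, columns, and sample rows are constructed for the demonstration.

```php
<?php
// Added example: vulnerable vs. hardened lookup by request parameter "id".
// Runs against an in-memory SQLite database so it needs no server; the
// "documents" table and its rows are constructed for this demo only.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)");
$pdo->exec("INSERT INTO documents (title, owner) VALUES ('Public notice', 'alice'), ('Payroll export', 'bob')");

// Vulnerable: the raw parameter becomes part of the SQL text, so the client
// controls the WHERE clause rather than just a value inside it.
function find_document_vulnerable(PDO $pdo, string $id): array
{
    $sql = "SELECT id, title FROM documents WHERE id = " . $id;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: validate the expected type first, then bind the value as a
// parameter so the database engine never parses it as SQL.
function find_document_safe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $pdo->prepare("SELECT id, title FROM documents WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$benign   = "1";
$tampered = "1 OR 1=1";   // constructed input: an extra boolean condition appended to the id

// The vulnerable handler returns every row for the tampered value because the
// appended condition rewrites the filter; the benign value returns one row.
var_dump(find_document_vulnerable($pdo, $benign));
var_dump(find_document_vulnerable($pdo, $tampered));

// The hardened handler returns the same single row for the benign value and
// rejects the tampered value before any SQL is built.
var_dump(find_document_safe($pdo, $benign));
try {
    find_document_safe($pdo, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

The type check is not a substitute for the prepared statement: binding is what keeps the value out of the SQL grammar, while the `ctype_digit` check gives the application a clean place to log and reject malformed input before it reaches the database.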

API Security

  1. Exploit for CVE-2024-30078: A new NASL script has been developed to detect and execute commands on systems vulnerable to CVE-2024-30078. This critical vulnerability, found in certain web applications or services, allows remote attackers to execute arbitrary commands due to improper input validation. The script is designed to work with the Nessus tool, automatically handling target IP addresses and ports during a scan. Source: vulners.com
  2. Exploit for OS Command Injection in PHP: A new exploit has been discovered for CVE-2024-4577, a vulnerability in PHP when using Apache and PHP-CGI on Windows. If the system is set up to use certain code pages, Windows may replace characters in the command line given to Win32 API functions, which the PHP CGI module may misinterpret as options. This could potentially allow a malicious user to pass options to the PHP binary being run, revealing the source code of scripts or running arbitrary code on the server. Source: vulners.com
  3. Exploit for CVE-2024-36837: A proof of concept (POC) exploit for CVE-2024-36837 has been developed. This vulnerability was found in CRMEB Mall, an online store used by an educational institution. The vulnerability, a SQL injection, was found in CRMEB version CRMEB-KY v5.2.2 and higher. The exploit suggests using a web firewall and conducting regular security audits and vulnerability assessments to mitigate potential security issues. Source: vulners.com

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. We've covered everything from GDPR audit tools to cybersecurity predictions for 2024, data breaches, and the latest in AI security threats.

Remember, in the world of cybersecurity, knowledge is power. So, stay informed, stay secure, and keep an eye out for tomorrow's newsletter. If you found today's content valuable, don't keep it to yourself. Share Secret CISO with your friends and colleagues. Let's work together to create a safer digital world. Until next time, stay vigilant and remember - the secret to cybersecurity is continuous learning.

By Secret CISO