Secret CISO 9/11: Ally Bank and Slim CD face lawsuits over data breaches, Infosys breach exposes 6M, research on AI security and national threats


Welcome to today's issue of Secret CISO. We're diving into a series of data breaches that have left millions of people exposed and companies scrambling to tighten their cybersecurity measures.

Ally Bank is facing two class-action lawsuits over a data breach that, according to the complaints, resulted from inadequate cybersecurity procedures. In another incident, a College Council Vice President was fired over a data leak that exposed the budget of the Emory Wheel. Meanwhile, Columbus' head of technology says a ransomware group ignored the city before a massive data leak. Infosys McCamish Systems also suffered a breach in 2023 that exposed the personal data of more than 6 million people, including Social Security numbers.

Personal data is becoming a hot commodity, with security guards and call center employees reportedly selling datasets for profit. In other news, a data breach at golf course management firm KemperSports has impacted over 62,000 individuals. And payment processor Slim CD has acknowledged a 14-month breach affecting nearly 1.7 million credit card holders, with exposed data that may include names, addresses, card numbers and expiration dates. We'll also be covering the latest research in cybersecurity, including a $400,000 NSF grant for cybersecurity research in mobile health and a study of the economic impact of reduced humanitarian assistance in East Africa.

Stay tuned for more updates and remember, knowledge is the key to cybersecurity. Stay informed, stay secure.

Data Breaches

  1. Ally Bank Data Breach Lawsuits: Ally Bank is facing two class-action lawsuits over a data breach that the complaints attribute to the bank's failure to implement adequate cybersecurity procedures and protocols. Source: QC News
  2. Payment-Processing Company Data Breach: A data breach at payment processor Slim CD potentially affected 1.7 million people. The breached data may include names, addresses, credit card numbers, and card expiration dates. Source: The Record
  3. Infosys McCamish Data Breach: A 2023 data breach at Infosys McCamish Systems exposed the personal data of over 6 million people. The exposed information includes Social Security numbers. Source: PLANADVISER
  4. Data Breach at KemperSports: Golf course management company KemperSports has disclosed a cyberattack and data breach impacting over 62,000 individuals. Source: Security Week
  5. Data Breach at Infosys McCamish Systems: The breach at technology platform Infosys McCamish Systems last year affected over 6 million customers of several financial services firms that use the platform. Source: ThinkAdvisor

Security Research

  1. Protecting Research Data from National Security Threats - FTI Consulting: A case study from FTI Consulting describes how it helped a major research company mitigate potential insider threats and protect sensitive research data from national security threats. Source: FTI Consulting
  2. AI Expert Awarded $400,000 NSF Grant for Cybersecurity Research in Mobile Health: A significant NSF grant has been awarded to an AI expert to conduct cybersecurity research in mobile health. The research will focus on various aspects of security including body sensor network security, biometric security, communication security, data privacy, and trustworthy artificial intelligence. Source: YU News
  3. HackerOne Partners with GuidePoint Security and Softcat: HackerOne has partnered with GuidePoint Security and Softcat to provide customers with access to a global community of security researchers. The partnership will also offer AI red teaming and bug bounty programs. Source: CityBiz
  4. Security budgets continue modest growth, but staff hiring slows considerably, research finds: A report by IANS Research and Artico Search has found that while security budgets continue to grow modestly, hiring of security staff has slowed significantly. This indicates a clash between security priorities and economic realities. Source: Cybersecurity Dive
  5. Researcher looks at economic impact of reduced humanitarian assistance in East Africa: A researcher is examining the economic impact of reduced humanitarian assistance in East Africa, specifically looking at security outcomes for the internally displaced population in Somalia and the refugees in Uganda. Source: VT News

Top CVEs

  1. CVE-2024-44871: moziloCMS v3.0 has an arbitrary file upload vulnerability in the /admin/index.php component, allowing attackers to execute arbitrary code via uploading a crafted file. Source: CVE-2024-44871
  2. CVE-2024-44872: A reflected cross-site scripting (XSS) vulnerability in moziloCMS v3.0 allows attackers to execute arbitrary script in the context of a victim's browser by injecting a crafted payload. Source: CVE-2024-44872
  3. CVE-2024-43491: A vulnerability in the Servicing Stack of Windows 10, version 1507, has rolled back fixes for some vulnerabilities affecting Optional Components. This could allow an attacker to exploit these previously mitigated vulnerabilities. This vulnerability is addressed by installing the September 2024 Servicing stack update (SSU KB5043936) AND the September 2024 Windows security update (KB5043083). Source: CVE-2024-43491
  4. CVE-2024-43461: Windows MSHTML Platform is susceptible to spoofing attacks. Source: CVE-2024-43461
  5. CVE-2024-40659: In getRegistration of RemoteProvisioningService.java, there is a possible way to permanently disable the AndroidKeyStore key generation feature by updating the attestation keys of all installed apps due to improper input validation. This could lead to local denial of service. Source: CVE-2024-40659
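CVE-2024-43491 is unusual in that a single patch is not enough: the advisory requires both the September 2024 servicing stack update and the September 2024 security update. The script below is an added example (not from Microsoft's advisory or any vendor tool) that checks a Windows 10 version 1507 host for both KB numbers named above; it assumes that version 1507 reports OS build 10.0.10240 and that the updates are visible to Get-HotFix.

```powershell
# Added example, not vendor code: verify both updates that together
# address CVE-2024-43491. KB numbers are taken from the advisory text;
# the 10.0.10240 build check for version 1507 is an assumption.
$required = @('KB5043936', 'KB5043083')   # SSU first, then the security update

$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.Version -notlike '10.0.10240*') {
    Write-Output "Build $($os.Version) is not Windows 10 version 1507; CVE-2024-43491 does not apply here."
    return
}

$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$missing   = $required | Where-Object { $_ -notin $installed }

if ($missing) {
    Write-Warning ("Missing: {0}. Install the SSU (KB5043936) before the security update (KB5043083)." -f ($missing -join ', '))
} else {
    Write-Output 'Both KB5043936 and KB5043083 are present.'
}
```

Get-HotFix reads Win32_QuickFixEngineering, which does not always list every package, so treat a "missing" result as a prompt to cross-check with `DISM /Online /Get-Packages` or the Windows Update history before re-installing.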

API Security

  1. CVE-2024-45790: Reedos aiM-Star version 2.0.1 has a vulnerability due to missing restrictions on excessive failed authentication attempts on its API-based login. This could allow a remote attacker to brute-force legitimate user passwords and gain unauthorized access. Source: vulners.com
  2. CVE-2024-45789: Reedos aiM-Star version 2.0.1 has a vulnerability due to improper validation of the 'mode' parameter in the API endpoint used during the registration process. An attacker could manipulate this parameter to bypass certain constraints in the registration process. Source: vulners.com
  3. CVE-2024-45787: Reedos aiM-Star version 2.0.1 has a vulnerability due to transmission of sensitive information in plain text by certain API endpoints. An attacker could manipulate a parameter in the API request URL and intercept the response, leading to exposure of sensitive information. Source: vulners.com
  4. CVE-2024-45788: Reedos aiM-Star version 2.0.1 has a vulnerability due to missing rate limiting on OTP requests in certain API endpoints. An attacker could exploit this by sending many OTP requests, leading to OTP bombing/flooding. Source: vulners.com
  5. CVE-2024-45786: Reedos aiM-Star version 2.0.1 has a vulnerability due to improper access controls on certain API endpoints. An attacker could manipulate a parameter in the API request URL to gain unauthorized access to sensitive information. Source: vulners.com
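Three of the five aiM-Star findings are the same class of server-side omission: nothing counts failed logins (CVE-2024-45790), nothing caps OTP sends (CVE-2024-45788), and nothing checks that the caller owns the object it asks for (CVE-2024-45786). The code below is an added example, not Reedos code, showing the minimum controls for each in one place: a sliding-window counter reused for login lockout and OTP limits, and an object-level authorization check that returns the same answer for "missing" and "not yours". The user store, record store, limits and windows are constructed for the example.

```python
"""Added example (not Reedos aiM-Star code): server-side controls for
failed-login limiting, OTP request limiting and object-level authorization.
All names, limits and sample data below are constructed for illustration."""
import hashlib
import hmac
import time
from collections import defaultdict, deque


class SlidingWindowCounter:
    """Counts events per key inside a trailing time window.

    A sliding window catches both bursts and slow, spread-out attempts,
    which a fixed per-minute counter would reset away.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock                  # injectable so tests can drive time
        self._events = defaultdict(deque)   # key -> timestamps inside the window

    def _prune(self, key, now):
        q = self._events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def exceeded(self, key):
        return len(self._prune(key, self.clock())) >= self.limit

    def hit(self, key):
        """Record one event; returns True if the key is now at or over its limit."""
        now = self.clock()
        q = self._prune(key, now)
        q.append(now)
        return len(q) >= self.limit

    def reset(self, key):
        self._events.pop(key, None)


# CVE-2024-45790: lock an account after 5 failed logins in 15 minutes.
FAILED_LOGINS = SlidingWindowCounter(limit=5, window_seconds=900)
# CVE-2024-45788: cap OTP sends per destination and per source address (10 minutes).
OTP_PER_TARGET = SlidingWindowCounter(limit=3, window_seconds=600)
OTP_PER_IP = SlidingWindowCounter(limit=10, window_seconds=600)


def _hash(salt, password):
    # Constructed example store; a production system would use a slow KDF.
    return hashlib.sha256(salt + password.encode()).hexdigest()


USERS = {"alice": (b"s1", _hash(b"s1", "correct horse"))}          # constructed
RECORDS = {"rec-1": {"owner": "alice", "balance": 120},              # constructed
           "rec-2": {"owner": "bob", "balance": 9000}}


def login(username, password):
    """Returns 'ok', 'locked' or 'denied'. The lockout is checked before the
    password so a locked account cannot be probed at all."""
    if FAILED_LOGINS.exceeded(username):
        return "locked"
    salt, digest = USERS.get(username, (b"", ""))   # unknown users still get counted
    if hmac.compare_digest(_hash(salt, password), digest):
        FAILED_LOGINS.reset(username)
        return "ok"
    FAILED_LOGINS.hit(username)
    return "denied"


def request_otp(target, source_ip):
    """Returns True if an OTP may be sent to target. Both limits are checked
    before either is counted, so a refused request does not consume quota."""
    if OTP_PER_TARGET.exceeded(target) or OTP_PER_IP.exceeded(source_ip):
        return False
    OTP_PER_TARGET.hit(target)
    OTP_PER_IP.hit(source_ip)
    return True


def get_record(record_id, caller):
    """CVE-2024-45786 pattern: authorize the object, not just the endpoint.
    'Missing' and 'not yours' give the same None so ids cannot be enumerated."""
    rec = RECORDS.get(record_id)
    if rec is None or rec["owner"] != caller:
        return None
    return rec
```

The counters are in-process and keyed by account, destination and source address; in a real deployment they would live in a shared store so that a multi-node API cannot be bypassed by spreading requests across nodes. The plaintext finding (CVE-2024-45787) has no code answer here: it is fixed by serving the API only over TLS and by not echoing secrets in responses at all.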

Sponsored by Wallarm API Security Solution

Final Words

And that's a wrap for today's edition of Secret CISO. From Ally Bank's lawsuits to the data breach at KemperSports, we've covered a lot of ground. But remember, staying informed is only half the battle. It's crucial to take proactive steps to protect your data and bolster your security measures. If you found this newsletter helpful, don't keep it to yourself. Share it with your colleagues, friends, and anyone else who could benefit from a daily dose of cybersecurity news.

Let's work together to create a safer digital world. Stay safe and see you tomorrow for more updates from the ever-evolving world of cybersecurity.
