Secret CISO 9/15: TfL, Fortinet, Vastaamo Data Breaches; Siddaramaiah's Security Breach; Research on iPhone Attacks, Google Street View Privacy

Welcome to today's issue of Secret CISO, your daily source for the most impactful cybersecurity news. Today, we're diving into a series of data breaches and security incidents that have hit the headlines. First up, we discuss the argument that governments should not be the last resort for cyber insurance, as highlighted by the Financial Times. Then, we delve into the recent data breach at Transport for London, which has delayed market data by at least 15 minutes. In a shocking turn of events, a youth was detained for breaching the security cordon of Karnataka CM Siddaramaiah, triggering widespread panic. This incident raises serious questions about the effectiveness of our current security measures.

We also cover the story of a dark web expert who warned his US hometown about a significant hack, only to be sued by the city. This case raises questions about the role of whistleblowers in cybersecurity and how they should be treated. In other news, cybersecurity firm Fortinet has confirmed a data breach and ransom demand, while thousands of Vastaamo leak victims are seeking higher compensation. We also discuss the debate around blurring homes on Google Street View, with some arguing it could lead to a data breach.

Finally, we touch on the latest vulnerabilities discovered in various software and systems, including aimhubio aim, h2oai h2o-3, and the Login with phone number plugin for WordPress. Stay tuned for more in-depth analysis and expert opinions on these stories. Stay safe, stay informed with Secret CISO.

Data Breaches

  1. Cybersecurity Firm Fortinet Confirms Data Breach and Ransom Demand: Fortinet, a renowned cybersecurity firm, has confirmed a data breach that led to the loss of 440 GB of customer data. The data was published online after the company refused to pay a ransom. Source: Tech Report
  2. Data Breach at Retirement Insurance Affects 370,000 People: The French Pension Insurance recently faced a major cyberattack, affecting 370,000 people. The breach has raised questions about the steps that could be taken to further enhance the security of this data. Source: 24matins.uk
  3. Thousands of Vastaamo Leak Victims Seek Higher Compensation: Victims of the massive Vastaamo psychotherapy centre data breach are seeking higher compensation, represented by two lawyers. The dissatisfaction of the clients has been highlighted in this case. Source: DataBreaches.Net
  4. Toyota's Data Dilemma as Hackers Leak 240GB of Customer Information: Toyota faced a significant data breach as hackers leaked 240GB of customer information. The company initially acknowledged the leak but later claimed that the data was stolen from a third-party entity. Source: CyberGuy
  5. Hackers Steal Nearly 1.7 Million Credit Card Numbers in Breach: In a serious data breach, hackers have stolen nearly 1.7 million credit card numbers. The breach is particularly concerning as it involves sensitive financial information. Source: MSN

Security Research

  1. Kaspersky reveals previously unknown hardware 'feature' exploited in iPhone attacks: Kaspersky's Principal Security Researcher, Boris Larin, has discovered a unique vulnerability in iPhones. This is not an ordinary vulnerability, as it exploits a previously unknown hardware feature. The closed nature of iOS makes this a significant discovery. Source: MSN
  2. WhatsApp's 'View Once' Feature Has a Major Privacy Flaw: Security researcher Tal Be'ery has identified a major privacy flaw in WhatsApp's 'View Once' feature. The flaw was flagged by TechCrunch, highlighting potential privacy concerns for the popular messaging app's users. Source: MSN
  3. Henrico schools implement new safety protocol for football games: Security expert Cliff Lent, President of M7Solutions, has commented on the new safety protocol implemented by Henrico schools for football games. Lent suggests that such measures should prompt increased security scrutiny and action. Source: WRIC
  4. The hidden truth about Adani JKIA deal: A security researcher has revealed undisclosed details about the Adani JKIA deal. The research focuses on what happened to oil in Turkana and the mafia's involvement. Source: YouTube
  5. Security Researcher on high cost of living: Security researcher Kalonzo Musyoka has called out the KK government over the high cost of living. The researcher's views have garnered significant attention, with over 637K views on YouTube. Source: YouTube

Top CVEs

  1. CVE-2024-8863 (Aimhubio Aim up to 3.24): A problematic vulnerability has been found in the function dangerouslySetInnerHTML of the file textbox.tsx of the component Text Explorer. This vulnerability allows for cross-site scripting attacks through the manipulation of the argument query. The vendor has not responded to this disclosure. Source: CVE-2024-8863.
  2. CVE-2024-8862 (H2Oai H2O-3 3.46.0.4): A critical vulnerability has been found in the function getConnectionSafe of the file /dtale/chart-data/1 of the component JDBC Connection Handler. This vulnerability allows for deserialization attacks through the manipulation of the argument query. The vendor has not responded to this disclosure. Source: CVE-2024-8862.
  3. CVE-2024-6482 (WordPress Login with Phone Number Plugin): A privilege escalation vulnerability has been found in all versions up to and including 1.7.49. This vulnerability allows authenticated attackers to update their role to any other role, including Administrator. The vulnerability was partially patched in version 1.7.40. Source: CVE-2024-6482.
  4. CVE-2023-3410 (WordPress Bricks Theme): A Stored Cross-Site Scripting vulnerability has been found in versions up to and including 1.10.1. This vulnerability allows authenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Source: CVE-2023-3410.
  5. CVE-2024-44058 (CryoutCreations Parabola): An Improper Neutralization of Input During Web Page Generation vulnerability allows for Stored XSS. This issue affects Parabola from n/a through... Source: CVE-2024-44058.
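
The three cross-site scripting entries above (Aim's Text Explorer, the Bricks theme and Parabola) share one root cause: a request argument reaches the page as markup rather than as text. The JavaScript below is an added example, not code from any of these projects or from the CVE records; it contrasts the unsafe sink (what a `dangerouslySetInnerHTML` or `innerHTML` write does with raw input) with an escaping renderer, and counts the element tags in the result so the difference can be checked mechanically. All function names and the sample value are constructed for the illustration.

```javascript
// Added example: text vs. markup handling of an untrusted request argument.
// Not code from Aim, Bricks, Parabola or any vendor named in the newsletter.

// Minimal HTML escaper covering the characters that matter inside text
// nodes and double-quoted attribute values.
function escapeHtml(input) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the argument is concatenated straight into markup,
// so anything in it that parses as HTML becomes part of the DOM.
function renderQueryUnsafe(query) {
  return `<div class="query-echo">${query}</div>`;
}

// Hardened pattern: the argument is escaped first, so it can only ever be
// rendered as text inside the element.
function renderQuerySafe(query) {
  return `<div class="query-echo">${escapeHtml(query)}</div>`;
}

// Count element tags in rendered markup. For the hardened renderer this
// must equal the number of tags in the template (2: the open and close
// div) regardless of what the input contained; a higher count means the
// input was interpreted as markup.
function countTags(markup) {
  return (markup.match(/<\/?[a-zA-Z][^>]*>/g) || []).length;
}

// Constructed sample input: harmless as text, but it would become an
// element if inserted as markup.
const SAMPLE_QUERY = 'metric:loss <b title="untrusted">bold</b>';

// Stand-alone run: prints both renderings with their tag counts.
if (typeof require !== 'undefined' && require.main === module) {
  for (const render of [renderQueryUnsafe, renderQuerySafe]) {
    const out = render(SAMPLE_QUERY);
    console.log(render.name, countTags(out), out);
  }
}
```

The tag count is the check a reviewer wants: the template contributes exactly two tags, so any rendering whose count depends on the input is an injection sink.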

Final Words

And that's a wrap for today's edition of Secret CISO. As we navigate the ever-evolving landscape of cybersecurity, it's crucial to stay informed and vigilant. From the latest data breaches to the ongoing discussions on the role of governments in cyber insurance, we hope this newsletter has provided you with valuable insights. Remember, cybersecurity isn't just about protecting systems and data; it's about safeguarding our way of life in the digital age.

So, let's continue the conversation. Share this newsletter with your friends, colleagues, and anyone else who might benefit from staying in the loop. Stay safe, stay informed, and see you in the next edition of Secret CISO.
