Hertz Data Stolen 🚗, Threat Modeling Github 🐙, Meta Resumes Training on EU Data 🤖

Hertz has reported a data breach that affects customers across multiple regions due to a cyberattack on Cleo Software between October and December ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌  ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ ‌ 

Sign Up |Advertise|View Online TLDR Together With TLDR Information Security 2025-04-15 Scaling Security in the Age of AI: Lessons from Vanta, Wiz, & Modo Labs (Sponsor) As AI rapidly advances, many of us are curious how our peers approach the security lifecycle. What are their top priorities when it comes to GRC, cloud security, even your team? And, how should that shape your own strategy? Join Vanta + Wiz + Modo Labs on May 8th for a live fireside chat where they'll explore key questions about AI's impact on scaling security programs–what to watch out for, how to adapt, where to adopt AI, and what to focus on next. This interactive discussion will include: Insights into top-of-mind issues for GRC and Security Pros Actionable steps to strengthen your existing program by actioning on risks Key areas to focus on getting visibility into AI technologies and leveraging AI in your program Register to save your spot! 🔓 Attacks & Vulnerabilities Hertz says customers' personal data and driver's licenses stolen in data breach (2 minute read) Hertz has reported a data breach that affects customers across multiple regions due to a cyberattack on vendor Cleo Software between October and December 2024. Exposed data includes names, contact information, driver's licenses, payment details, and some Social Security numbers. Google Chrome Fixes Browser History Leaks by Purple "Visited" Links (2 minute read) Historically, bad actors have been able to track users' browsing history by utilizing the ":visited" CSS selector, which turns links purple. Google is aiming to address this leak by changing the way that the ":visited" selector is applied to only display if the user has visited the site from the current top-level site and frame origin. Effectively, the browser will now display purple links based on the combination of the current site and visited sites. Govtech Giant Conduent Confirms Client Data Stolen in January Cyberattack (2 minute read) Conduent, which provides business services to over 600 government agencies, confirmed that client data was stolen following a January cyberattack. Its investigators have discovered that the stolen data contains extensive details on its clients' end-users but have not provided additional details. Per Conduent, the data has not been posted on the dark web or elsewhere. 🧠 Strategies & Tactics GitHub Actions and the Pinning Problem: What 100 Security Projects Reveal (3 minute read) GitHub Actions can be silently changed, putting workflows at risk. Pinning your GitHub Actions to specific commit SHAs can help maintain consistency. Many popular security repositories do not pin all their actions, leaving them vulnerable to potential changes. Security Analysis: Potential AI Agent Hijacking via MCP and A2A Protocol Insights (1 minute read) Communication protocols are vital for AI Agent development. Anthropic's MCP connects agents to external tools, while Google's A2A enables agent collaboration. This post dives into security vulnerabilities in these protocols that could lead to agent hijacking and data leakage. A Not So Comprehensive Guide to Securing Your Salesforce Organization (12 minute read) This article discusses Salesforce security vulnerabilities. Insecure SOQL queries in Apex can bypass sharing models, risking sensitive data exposure without enforcing object-level security. It warns against storing credentials in cleartext in Custom Metadata Types, Settings, Objects, and Apex comments. It also explains managed packages with namespaces, authorization, and Apex Actions via REST API, setting the stage for real-world exploitation scenarios. 🧑‍💻 Launches & Tools [Free Guide] How to Conduct an AI Risk Assessment (Sponsor) Nudge Security has discovered over 1,000 unique GenAI tools in customer environments to date, with new ones like DeepSeek popping up daily. Download this guide to learn how to take a proactive approach to mitigating AI risks. Get the guide dAWShund (GitHub Repo) dAWShund is a suite of tools for managing and visualizing AWS permissions, assisting in identifying and organizing access conditions between resources. It includes tools like sAWSage for policy enumeration and Gerakina for simulating IAM policies. Gerakina outputs can also be imported into a Neo4j database for further analysis using Cypher queries. Cybermonit (Website) Cybermonit tracks key cybersecurity metrics and statistics from the last 30 days, such as News, Leaks, CVEs, Ransomware, and Software Releases. Witness (GitHub Repo) Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance. 🎁 Miscellaneous Hacktivism resurges – but don't be fooled, it's often state-backed goons in masks (8 minute read) Hacktivists targeting critical infrastructure increasingly resemble state-backed actors rather than independent activists. Groups like CyberArmyofRussia_Reborn1 and BlackJack have sophisticated capabilities and strategic timing that suggest government connections. Threat Modeling GitHub - How Vulnerable-by-Design is GitHub? (7 minute read) GitHub was built around the principles of openness and collaboration to facilitate open-source development. As the platform has matured, it has become an enterprise standard, and trade-offs between openness and security have revealed its inherent security flaws. This post looks at access control, GitHub Actions and CI/CD, Secrets Management, and Repository security design issues, as well as supply chain and SHA1 collision attacks. Microsoft Starts Final Windows Recall Testing Before Rollout (2 minute read) Microsoft has begun to roll Windows Recall out to Insiders in the Release Preview channel. Following community outrage, Microsoft initially delayed the feature, made it an opt-in feature, and required Windows Hello to access the stored screenshots. Microsoft has also stated that it has added anti-hammering and rate-limiting protections to Recall. ⚡ Quick Links Pre-Installed Malware on Cheap Android Phones Steals Crypto via Fake WhatsApp (3 minute read) Certain low-cost Android phones may contain malware that stealthily alters cryptocurrency wallet addresses, often bundled with fake apps like WhatsApp. Trend Micro Flags Incomplete Nvidia Patch That Leaves AI Containers Exposed (2 minute read) Nvidia's patch for the CVE-2024-0132 vulnerability in the Nvidia Container Toolkit is incomplete and could potentially expose enterprises to container escape attacks and data compromise. Meta to resume AI training on content shared by Europeans (2 minute read) Meta will resume training its AI models using content from adult users in Europe but will not use private messages or data from Europeans under 18. Love TLDR? Tell your friends and get rewards! Share your referral link below with friends to get free TLDR swag! https://refer.tldr.tech/dc263000/8 Track your referrals here. Want to advertise in TLDR? 📰 If your company is interested in reaching an audience of cybersecurity professionals and decision makers, you may want to advertise with us. Want to work at TLDR? 💼 Apply here or send a friend's resume to jobs@tldr.tech and get $1k if we hire them! If you have any comments or feedback, just respond to this email! Thanks for reading, Prasanna Gautam, Eric Fernandez & Sammy Tbeile Manage your subscriptions to our other newsletters on tech, startups, and programming. Or if TLDR Information Security isn't for you, please unsubscribe.