Friday, December 15
TOP STORY
Dragos and FireEye both published writeups on the “TRISIS Malware” which targets Schneider Electric’s Triconex safety instrumented system (SIS). This is a blueprint for future industrial grid attacks, as Ars Technica notes.
HACKTIVITY
Coinbase paid out not one but two bounties over $10K in the past 24 hours! U.S. Department of Defense, Adobe, Dashlane, Baidu, VLC, and more disclosed reports on hacktivity.
TWEET OF THE DAY
Created a repo to track my stumbling through the iOS kernel. Will try to document as I learn: https://github.com/staaldraad/async_wake_ios Currently this will get you temporary root. - @_staaldraad
OTHER ARTICLES WE’RE READING
White House IT Modernization Center of Excellence includes recommendations for bug bounty programs.
Safari allows special characters in the domain?! The Good, The Bad and The Ugly of Safari in Client-Side Attacks
Tripwire: Inferring internet site compromise
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
Although the attack is not highly scalable, the tradecraft displayed is now available as a blueprint to other adversaries looking to target SIS and represents an escalation in the type of attacks seen to date as it is specifically designed to target the safety function of the process,
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.