Hacking, AppSec, and Bug Bounty newsletter
2017-04-14 | The Internet of Broken Things, Google Play banking trojan, and inmates building computers in the ceiling
Friday, April 14
Have a good Friday!
TODAY’S TOP STORY
Today is the last day to apply for Microsoft Research’s Project Sopris. Sopris has been called Microsoft’s solution to the IoT security problem. Their paper, the 7 properties of highly secure devices, showcases how Microsoft implemented all 7 in low-cost microcontrollers. Project Sopris aims to test it in the wild with hackers. We’ll see how it stands up. Regardless, we know: more hardware, more problems. Kudos to Microsoft for taking steps to bring high-value security to low-cost devices.
Remote Code Execution (RCE) in a DoD website [15 upvotes] - no bounty for this report to Department of Defense by @joaomatosf. This was the hacker’s first report on HackerOne! You have a bright future, friend. DoD quote in summary: “This was a very clever demonstration.”
Unfiltered `class` attribute in markdown code [8 upvotes] - no bounty for this report to GitLab by @skovorodan. Very cool to see the amount of work a researcher puts into the report, for the good of the internet. No monetary compensation, but credit for the hard work. Well done to all.
You can see all the latest and greatest disclosures and bounties on hackerone.com/hacktivity.
OTHER ARTICLES WE’RE READING
Banking malware in Google Play targeting many new apps (over 400 banks targeted).
The Internet of Broken Things. Talk on real-life experience in avionics security assessment, with exotic attack vectors spanning software + hardware.
Hackers gonna hack. Inmates built computers hidden in ceiling, connected them to prison network.
Malicious payload for CVE-2017-5638, leads to RCE, reported by Gotham Securities.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
“Whenever you find yourself on the side of the majority, it is time to pause and reflect.”