2017-08-25 | Togetherwehitharder, OPM Malware arrest, and Project Zero update

Friday, August 25

Mayweather or McGregor?

TOP STORY

100% of respondents in the 2017 IT Risks in Government Survey just published say employees are their largest security threat. Wired says human nature is the biggest challenge in security. And CERT’s CVD Guide says in the conclusion “... it’s not just the technology that falls short of our ideals.” Humans. We’re the problem but also the solution. As the authors of the CERT Guide say “We fix what we can, mitigate what we can’t fix, and remain vigilant over what we can’t mitigate.” #togetherwehitharder

HACKTIVITY

Reflected XSS - gratipay.com [15 upvotes] - Swag awarded for this report to Gratipay by @tungpun. Amazing thread. Read it.
dom based xss in http://www.rockstargames.com/GTAOnline/ (Fix bypass) [10 upvotes] - $500 bounty for this report to Rockstar Games by @netfuzzer. Nifty little trick; bypassing previous fix by hashing part of the payload.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity

TWEET OF THE DAY

A regular reminder that social engineering happened well before the tech revolution: How Scams Worked In The 1800s - @jessysaurusrex

OTHER ARTICLES WE’RE READING

Secure Yo Jenkins Instance right meow
72% of Government Agencies Hit with Security Incidents
OPM Malware arrest yesterday. See the full indictment
Gartner: Infosec spending to grow 7 Percent to reach $86.4 Billion in 2017
Bypassing VirtualBox Process Hardening on Windows - Project Zero update

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

In the world we find ourselves occupying, software-based systems exhibit complex behaviors, increasingly exceeding the limits of human comprehension. As a society, we have become capable of building things we don’t fully understand.

CERT

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.