2018-05-07 | The billion dollar bank heist, Iframes and harmless buttons by filedescriptor, and Michigan’s CySAFE framework

Monday, May 7

TOP STORY

ZooPark malware is a cyber-espionage campaign targeting Android users in the Middle East and North Africa through the chat app Telegram according to recent Kaspersky Labs report

HACKTIVITY

Persistent XSS in [redacted] [20 upvotes] - $400 bounty for this report to Reverb.com by @bigshaq.
Team object in GraphQL discloses team group names and permissions [52 upvotes] - $2,500 bounty for this report to HackerOne by @haxta4ok00.

You can see all the latest and greatest disclosures and bounties on www.hackerone.com/hacktivity

TWEET OF THE DAY

Let’s play a game. Assume you’ve been hired as the CISO of a 1000 employee org that has literally no security infrastructure.

What types of product-based security solutions are REQUIRED purchases to build an effective sec program within 3 years? - @chrissanders88

OTHER ARTICLES WE’RE READING

MacOS Security with Osquery and AWS Kinesis Firehose by Craig Huber
CySAFE framework distills more than 400 controls from popular frameworks into 36 cybersecurity best practices. Developed in a collaborative effort by 5 counties in Michigan and the state of Michigan.
All hail collaboration: Atlantic Council researcher Jason Healey thinks Cyber Incident Collaboration Organizations (CICOs) can make multi-party incident response processes streamlined and well, better, faster, stronger.
Collection of bug bounty report templates by Gwendal Le Coguic
“Harmless” buttons and iframe fun in filedescriptor’s newest post: Google YOLO
This is entertaining: a virus scan is not incident response and more, Base64 is not encryption, a scan is not a pentest…
For a late night read check out The billion dollar bangladesh bank heist by the New York Times Magazine

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

Get this email forwarded to you? Click here to subscribe to the Zero Daily

In cybersecurity, it is time to go beyond sharing and ad hoc cooperation,
to collaboration at scale across borders, stakeholders, and sectors.

Jason Healey, Atlantic Council

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.