Hacking, AppSec, and Bug Bounty newsletter
2018-05-15 | Blue cloud of death, EFAIL latest, and Apple ID-targeted GDPR phishing scam
Tuesday, May 15
EFAIL latest: The high-level overview site: https://efail.de/ has been published by the researchers (yes, there’s a logo included) and Ars Technica’s Dan Goodin has an updated post which provides a good recap. Overall, lots of debate on both sides about the impact. Matthew Green says “the real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal.”
TWEET OF THE DAY
Today, as your management loses their minds over another logo+branded "vuln" please don't forget that one allowing *remote code execution* was found over the weekend: https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/ - this is probably a way bigger deal for 90% of orgs out there. - @dk_effect
OTHER ARTICLES WE’RE READING
Blue Cloud of Death: Red Teaming Azure by Bryce Kunz
Discussion thread: Scott Piper asks, “Can nmap take a list of hosts and associated ports?”
Apple ID-targeted GDPR phishing scam reported by Threatpost
Kate Conger reports that Google employees are resigning to protest Google’s involvement in a controversial military pilot program called Project Maven.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: email@example.com
Get this email forwarded to you? Click here to subscribe to the Zero Daily
I still use it [PGP] every day to reply to the notification emails I get about a new MySpace message.