Hacking, AppSec, and Bug Bounty newsletter
2018-05-15 | Blue cloud of death, EFAIL latest, and Apple ID-targeted GDPR phishing scam
Tuesday, May 15
EFAIL latest: The high-level overview site: https://efail.de/ has been published by the researchers (yes, there’s a logo included) and Ars Technica’s Dan Goodin has an updated post which provides a good recap. Overall, lots of debate on both sides about the impact. Matthew Green says “the real news here is probably about S/MIME, which is actually used in corporate e-mail settings. Attacking and modifying encrypted email stored on servers could actually happen, so this is a big deal.”
TWEET OF THE DAY
Today, as your management loses their minds over another logo+branded "vuln" please don't forget that one allowing *remote code execution* was found over the weekend: https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2018-1000136---Electron-nodeIntegration-Bypass/ - this is probably a way bigger deal for 90% of orgs out there. - @dk_effect
OTHER ARTICLES WE’RE READING
Blue Cloud of Death: Red Teaming Azure by Bryce Kunz
Discussion thread: Scott Piper asks “Can nmap take a list of hosts and associated ports?”
Apple ID-targeted GDPR phishing scam reported by Threatpost
Kate Conger reports that Google employees are resigning to protest Google’s involvement in a controversial military pilot program called Project Maven.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?
Have a news tip / story to highlight? We’d love to hear about it. Email: firstname.lastname@example.org
Get this email forwarded to you? Click here to subscribe to the Zero Daily
I still use it [PGP] every day to reply to the notification emails I get about a new MySpace message.
HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.