Hacking, AppSec, and Bug Bounty newsletter
2018-07-23 | Being a security expert, Latest social engineering trends, and FISA documents released for first time
Monday, July 23
Chad Loder’s thread on being a “security expert”; relatedly, a Gartner CIO survey shows that only 65 percent of organizations currently staff a security expert.
TWEET OF THE DAY
Latest social engineering trends: Dropbox was the top lure for phishing this past year (source below). Although Dropbox was top lure for phishing, DocuSign attacks had highest click rates – 5X higher than the avg click rate for the top 20 lures - @racheltobac
OTHER ARTICLES WE’RE READING
Public by default: Researcher Hang Do Thi Duc dives into what Venmo knows about its users and leaves public: “One would think that when it comes to money, privacy by design is of greater importance and higher demand. One would be disappointed in this particular case.”
RCE on Yahoo Luminate: a short write-up by @uraniumhacker, a testament to hacker collaboration on recon and hunting
The SIM hijackers, an in-depth article by Motherboard on how phone numbers are the access to
Digital Shadows looks into the tactics, techniques and procedures of the GRU as shown in the Mueller Indictment, deploying the MITRE ATT&CK™ framework to play back Mueller’s findings
The FISA Documents on the wiretapping of former Trump administration campaign advisor Carter Page have been released by the Justice Department, something the New York Times says is the first time these documents have been made public.
ABOUT ZERO DAILY
Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.
By hijacking Rachel’s phone number, the hackers were able to seize not only Rachel’s Instagram, but her Amazon, Ebay, Paypal, Netflix, and Hulu accounts too. None of the security measures Rachel took to secure some of those accounts, including two-factor authentication, mattered once the hackers took control of her phone number.