2018-07-24 | No more phishing at Google, Huawei router botnet, and Electron makes open redirects great again

Tuesday, July 24

TOP STORY

Researchers at the Israel Institute of Technology identified a security vulnerability in two related Bluetooth features: Secure Simple Pairing and LE Secure Connections. CERT has more in Vulnerability Note VU#304725

OTHER ARTICLES WE’RE READING

WSJ reports [paywall] that the US Department of Homeland Security (DHS) has revealed that a Russia-backed group hit hundreds of U.S. electrical utility targets last year and the campaign likely continues today. Axio’s Joe Uchill says it’s not time to panic (yet).
CVE-2017-17215 exploited by malware author to build 18,000-strong Huawei router botnet. The vulnerability is a known security flaw which Huawei had already published a security fix for. New Sky researcher Ankit Anhubav posted details on twitter.
No more Phishing at Google. Brian Krebs reports that since the company began requiring all employees to use physical Security Keys in place of passwords and one-time codes they have had zero phishing incidents.
Varonis published a report “The World in Data Breaches” last week. Total data records lost or stolen since 2013: 9.7 billion. About 64 percent of the total stolen data records occurred in the United States.
Electron makes open redirects great again. Michael Bentkowski blogged about a vulnerability in Google Hangout chat
Starting today, Google Chrome will issue warnings to users when they visit websites not equipped with HTTPS encryption with a valid certificate
Motherboard documents some code of conduct enforcement concerns at the NYC HOPE conference. Some attendees published a statement on Medium titled “No Fascists at HOPE”.
GraphQL art by ITSecurityguard

ABOUT ZERO DAILY

Zero Daily is a daily newsletter that highlights application security, bug bounty, and hacker focused topics. The content is curated with love by @luketucker and brought to you by HackerOne.

Friends don’t keep good things to themselves - forward this to your homies and co-workers. BTW, want to see who runs bug bounties?

Have a news tip / story to highlight? We’d love to hear about it. Email: zerodaily@hackerone.com

They even found one vulnerable machine in their own lab. This was so that another research group, at MIT, could remotely operate the robot using virtual reality. “But we should’ve taken it offline after we were done”...

MIT Technology Review on hijacking robots for fun and sabotage

HackerOne is the #1 hacker-powered security platform, helping organizations find and fix critical vulnerabilities before they can be criminally exploited. As the contemporary alternative to traditional penetration testing, our bug bounty program solutions encompass vulnerability assessment, crowdsourced testing and responsible disclosure management. Discover more about our security testing solutions or Contact Us today.