PoS Fail and Browser Side-Channel – WSWiR Episode 149

As if every week wasn’t busy enough with new information security (InfoSec) news, this week was the RSA Conference, which brings with it a whole new batch of security news. If you find yourself struggling to keep up, follow my daily or weekly videos to get a quick summary of the latest relevant news.

This week, I was too busy at the RSA Conference to post my daily videos, but you can still catch some of the week’s news in today’s summary episode. In it, I cover the latest updates about the White House breach, I share some interesting tidbits from an RSA PoS security presentation, and I point out some great new research highlighting a side-channel attack that affect most web browsers. Watch the video for the details, and check out the references for more stories.

As an aside, I will be attending another industry conference next week as well, so I may not be able to post my regular Daily Security Byte. However, I’ll still post a weekly video at the very least. I’ll continue with the Daily Bytes the week following next. Have a great weekend, and stay safe out there.

(Episode Runtime: 7:20)

Direct YouTube Link: https://www.youtube.com/watch?v=gGqDplwMJA4

EPISODE REFERENCES:

• Latest updates on WhiteHouse and State Department Breaches
  • RussianDoll campaign uses 0day, and related to APT28 – FireEye
  • Kaspersky disects CozyDuke malware – Securelist
  • Trend Micro covers Operation Pawn Storm – Trend Micro
  • FireEye releases APT28 report on russian cyber actors – FireEye
  • Reuter’s article on the RussianDoll 0day – Reuters
• PoS Vendor uses default password since 1990s
  • The Point of Sale is a PoS presentation [PDF] – RSA Conference
  • Major unnamed PoS systems use same password (RSA) – The Register
  • Google search suggests the PoS vendor is Verifone – Computer World
• The Spy in the Sandbox
  • The spy in the sandbox; browser-based cache side-channel attack – Cornell
  • The spy in the sandbox paper [PDF] – Cornell
  • Forbes article on this browser-based side-channel attack – Forbes

EXTRAS:

• Brute Logic denied bounty for 32 Groupon XSS vulnerabilities – BetaNews
• Verizon’s Latest Breach report says phishing accounts for most attacks – TechDirt
• Verizon’s 2015 Data Breach Report – Verizon
• A NASA scientists pleas against the Federal HTTPS Only campaign – Github
  • The federal HTTPS-Only standard proposal – CIO.gov
• An evil WiFi network can lock your iOS device (RSA) – SkyCure
• RSA CEO says the security industry has failed to protect (RSA) – Tech Radar
• FBI sends alert to airlines after a researcher is banned for a joke – BBC
  • Good opinion piece on why banning the researcher is dumb – Slate
• SANS directors offers three technologies that prevent breaches (RSA) – Search Security
• Homeland Security still against encryption (RSA) – Digital Trends
• “Aaron’s Law” is going through Congress again – Naked Security
  • Other senators propose ”anti-Aaron’s law” bills – TechDirt
• Two “cyber security” bills pass through the US House (like CISA) – Network World
  • Another take on the two information sharing bills that passed – The Register
• FireEye researcher finds flaw to pull fingerprints from Samsung phones – Forbes
• Sony breach may have been caused by Apple ID phishing emails – Computer World
• The patched “rootpipe” vulnerability is still exploitable in OS X – Tech Spot
• 1500 iOS apps still suck at HTTPS – Ars Technica
• Fox-IT develops signatures to help detect Quantum Insert – Fox-IT

— Corey Nachreiner, CISSP (@SecAdept)

Share This: