InfoSec scam links July 9, 2014

Phishy Steam Guard File Steals SSFN - Christopher Boyd - Malwarebytes Unpacked

If you buy stuff from another user on the Steam store, be very aware of who you are buying from. Also, if they ask you to install something, don’t do it.

"Tracy Morgan Is Dead" Fake Video in Circulation - Christopher Boyd - Malwarebytes Unpacked

Scammers aren’t just waiting for big news to happen; they’re starting to make their own news in an effort to get you to install malware. As the article says, stick to highly reputable news sources for stories like these.

Heroes of the Storm Beta Keygen: A Wizard Did It - Christopher Boyd - Malwarebytes Unpacked

Getting into beta is a wonderful feeling. I’ve been lucky enough to get into a few beta programs for games that had yet to be released. Heroes of the Storm is another highly anticipated game that has started a beta program. You can sign up on their official site. Any other site claiming to have keys is likely a scam.

This post first appeared on Exploring Information Security.

Infosec links June 23, 2014

Hacker Hijacks Synology NAS Boxes for Dogecoin Mining Operation, Reaping Half Million Dollars in Two Months - Pat Litke - Dell SecureWorks

I don't own a Synology myself, but I know a few people that do and they weren't aware that this had happened. This appears to have happened at the end of last year to the beginning of this year. The article has a good analysis of the event, but the tl;dr version is that someone was able to get malware installed on Synology boxes and run Dogecoin mining operations, and they made a lot of money during the operation.

Gear to Block 'Juice Jacking' on Your Mobile - Brian Krebs - Krebs on Security

And now to the super paranoid. Brian Krebs uses a device that defends against Juice-Jacking, which is a technique where data is accessed via a USB cable that you use to charge up your electronic device. Our electronic devices are set up to sync data when connected via USB. Even if you're just trying to charge it, the device will try to sync with whatever you plug it into. Just like ATM skimmers, you could see the possibility of a USB power station being compromised OR set up to grab data off your electronic device. The solution is to buy a device that stops the sync from happening. Krebs previews two of these devices: the USB Condom and the Juice-Jack Defender. This might not be something you need to worry about, but you should certainly be aware of it, especially if you handle sensitive information.

DotA 2 Phishing Page Offers Up Treasure Keys and Rare Items - Christopher Boyd - Malwarebytes Unpacked

Time to wrap up with a good ol' phishing scam. This is your typical phishing site: scammers set up a fake website and offer discounted/rewards/free stuff in an attempt to lure people (in this instance gamers) to log in to their website with account information, thus compromising their account. In this particular scam they want Yahoo login credentials. Broken record: always be aware of where you're logging in and set up two-factor authentication wherever you can. Yahoo Mail does offer two-factor authentication and would help mitigate this attack, if you compromised your account by accident.


InfoSec links June 12, 2014

Striking similarities between a WoW raid team and an infosec team - Tripwire - The State of Security

If you’re not a gamer or hate World of Warcraft (WoW), then go ahead and pass on this article. It talks about how a WoW raid team has different roles, responsibilities and skill sets to make a successful raid run. Those same ideas and concepts can be applied to an infosec team, which requires different roles, responsibilities and skill sets to accomplish its objective of securing the business. I primarily played a healer on my WoW raid teams and I think I could make a case I’ve done the same thing in information security.

Flash Poll: The Hunt For Cyber Talent - Marilyn Cohodas - Dark Reading

Information security professionals are at a premium right now. Companies are struggling to find not only security professionals, but the right security professionals with the right skill sets and at the right price to secure an environment. I’ve seen this within organizations. While it’s frustrating from a day-to-day operation standpoint, finding the right people and the right amount of people, I’m actually starting to see some personal career benefit.

InfoSec Conferences - Client Side Vs Server Side - Javvad Malik - J4vv4d

Javvad gives some great tips on going to security conferences. If you’re in information security or trying to get into the field, one of the best things you can do for your career is attend a security conference. They’re all over the place and take place throughout the year. In the last month I’ve been to two and in about a week and a half I plan to go to another one. It’s a great place to learn and explore as well as make connections within the infosec community. Javvad’s final suggestion is to make content, which I’ve begun doing. You can check that stuff out in my photography section under media.
