Kaspersky Lab is paying a lot of attention to IT security education & literacy development sharing its knowledge & experience actively through its educational program "Kaspersky Academy" which offers unique opportunities for students & young professionals to improve their knowledge of IT security, gain new experience and communicate with industry experts, realize their scientific potential as well as get exciting career opportunities & open the door to the professional world of IT security. Ram Herkanaidu, educational manager, is telling about academic initiatives of the company.

Security researchers from around the world are digesting the weekend's fare at Infiltrate2011, organized by security outfit Immunity. "No policy or high-level presentations, just hardcore thought-provoking technical meat" was promised, and presenters served it up sizzling.

The sessions folded in a variety of topics slicing up current offensive security issues with some defensive interest mixed in. Discussions spread from technical wizardry attacking hardened linux kernels to general network exploration and reconnaisance. Infiltrate2011 itself follows somewhat on the Blackhat/Defcon conference model, but reduces the corporate marketing at those conferences. The peer reviewed set of presentations and research sponsored by one of the best known offensive security/penetration testing groups in the business sets the bar high and undistracted for the level of technical content. The final agenda is listed here.

Last week I got the chance to drop by the IIT campus in Mumbai, India, for the Techfest 2011 conference.

This was a great opportunity to meet some of the world’s brightest students and to listen to some very interesting lectures from people such as Richard Stallman – who needs no introduction, William Baker – the structural engineer for the famous Burj Khalifa, KS Pua – the inventor of the pen drive, or Jaap Haartsen, the engineer who developed the Bluetooth specification. For a full lineup of the speakers, you can go here: http://www.techfest.org/lectures/

The holidays are nearly here! If you're still searching for the final perfect present, and are thinking of buying online, here's a few practical tips to help keep your last-minute purchases secure:

1. Keep your Internet Security solution updated, not just to the day but to the hour! We release frequent updates to make sure you're protected from the very newest malware. Scan your system before you start shopping.

2. Don't forget to use our Kaspersky Virtual Keyboard which is integrated in Kaspersky Internet Security products for all your online transactions, especially when you’re asked to input any personal data like your names, numbers (credit card, pin, date of birth, zip code, etc) or address.
   

   Using the virtual keyboard prevents Trojans from stealing information which you enter via the keyboard or other input device.

3. Don’t shop from public WiFi networks which aren't secured using WPA2. These networks can be easily hijacked by cybercriminals, and your sensitive financial data could be compromised.

4. Make sure your system is up-to-date! You should make it a habit to download and install updates not just for your operating system but also for third party applications like:
   
   
   
   
   • Browsers like IE, Firefox, Opera, Safari, Google Chrome or any other you use
     
   • Adobe system applications.
     
   • Media players like Realpayer, Winamp, etc.
     
   
   
   You can use the Kaspersky Vulnerability Scan integrated in Kaspersky Internet Security product to check your system for vulnerabilities.

5. Check that the sites you shop on are secure! A secure online shopping site will have a valid digital certificate which is used to encryption and secure your online transaction and it will have an icon showing a closed padlock in the bottom or the top of your browser.
   

   The address bar should have an ‘https’ string before the page address.

   

   Remember - NEVER shop on a page which doesn’t have ‘https’ in the address bar:

   

   or if the padlock is open or broken, or if you get a warning regarding the digital certificate of the page you’re on!

   
   
   

Wishing you safe online shopping and happy holidays!

Following on from last Wednesday's post - if you're interested in attending our Malware Defence Workshop (which includes puzzles like the one shown above!), do contact us on malwaredefence [at] kasperskylab.co.uk and we'll send you a schedule.

Over here in the UK we're launching our Malware Defence Workshop. If you're responsible for corporate security, developing security strategies, or keeping your company network free of malware, this workshop is for you.

We're offering a mix of theoretical, practical and demonstration sessions to give an insight into how malware works – in a secure, risk-free environment.

Topics range from how malware has developed over the years, through propagation methods, Trojans, botnets, ransomware and mobile malware. There'll be sessions on evaluating security solutions, and what the future may hold.

We'll be running the workshop regularly, so if you're interested in meeting malware face-to-face, do contact us for more details.

Roel recently posted about user education. Last week I co-moderated a discussion workgroup at Net Focus UK on 'Building and managing an effective IT security training and awareness program'. I thought I'd share some of the key points that came out of the discussions on the subject of staff awareness as part of an overall security strategy.

1. It's education, not training. You're trying to influence attitudes and approaches, not create security experts.
   
2. You're educating your employees; they're not 'users'.
   
3. If it's done properly, education can make a big difference to company security.
   
4. Keep it personal; this will make it more effective. e.g. tie it in with home PC security.
   
5. Make it engaging and interesting. You could use
   
   
   
   • Your company intranet
     
   • Online training
     
   • Poster campaigns
     
   • Foyer displays
     
   • Tip of the month
     
   • Calendars or screen-savers.
     
   
   
6. Keep it simple.
   
7. Keep guidelines about what to do or not do, what to report, and who to report to as straightforward as you can.
   
8. Make sure you have a written policy that includes guidelines and expectations.
   
9. Foster an attitude of openness; otherwise security problems will not be reported.
   
10. Avoid making employees feel stupid, or you'll just alienate them.
    

Yesterday I took part in a symposium organized by "De Consumentenbond", the Dutch consumer organization.

One of the goals was to get security professionals and users to mingle, which was quite educational for both groups. I certainly encountered some terms that weren't familiar to me, such as "trojan virus" as well as a number of Dutch terms.

It’s clear that some of these terms are being used to simplify security issues, making it easier for end users to get to grips with the topic. But I'm not sure that it will make things easier - not only were some terms translated into Dutch, while others were left in English. When a user wants to search for additional information on a topic, s/he will come up empty handed, as security companies aren’t using these terms.

It's clear that user education is in some ways similar to malware classification - efforts still have to be made in terms of co-ordination and terminology.

The number of phishing scams continues to grow: the Anti-Phishing Working Group recording its highest number of unique phishing web sites ever in June 2006. And, of course, financial services continues to be the biggest target for the phishers.

Clearly the losses from this type of financial fraud are high. But who pays? Well, in a case reported today, the bank did. Bank of Ireland has agreed to compensate customers who fell victim to phishing scams. However, this was a 'goodwill gesture', rather than matter of general policy.

Of course, it's hardly surprising if financial institutions are reluctant to routinely compensate customers in such situations. The key issue for consumers is being able to demonstrate that they have taken adequate precautions to avoid falling victim to phsihing scams, as highlighted by APACS [APACS, the UK payments association] in one of its BankSafeOnline FAQs.

The onus will be on the customer to demonstrate that they have 'acted with reasonable care'. The increasing sophistication of the phishers may make this harder to do.

We all know how complicated it can be to demonstrate that you have 'acted with reasonable care', so we're providing a checklist that should help you. Pin it up on the wall and be sure to follow the recommendations.

• Don't fill out forms contained in e-mails. You should only fill out forms on secure web sites - after you have typed in the URL yourself, not clicked a link in an e-mail!.
• Only enter information on a secure web site. Check that the URL starts with 'https://', look for the padlock symbol in the status bar of your browser to confirm the site you're accessing and double-click the padlock to check the web site's certificate and ensure that it really comes from that site.
• Always use the latest version of your browser and install any security patches that have been issued.
• Don't divulge passwords, PINs, etc. to anyone else; and don't even type confidential data like this on a web site unless you've gone through this checklist first.
• Check bank account records regularly and report anything suspicious to your bank immediately.

We've just received a report of a destructive virus that will wipe all data from the hard disk. We're not the least bit worried though. Why? Well, it's just a hoax.

So what is a hoax? Typically, a hoax takes the form of an e-mail message that carries a warning about the 'imminent danger' posed by a non-existent threat. The aim is to scare users into sending the false warning to their contacts: friends, family, colleagues. Hoaxes cause no direct harm to data. However, a user's well-meaning action in forwarding the message gives credence to the hoax, spreads the fear, doubt and uncertainty even further and clogs up networks with increasing amounts of 'self-inflicted spam'.

Trying to stamp out a hoax can be as difficult as putting out a forest fire: 'successful' hoaxes often come back again and again, like recurrent bouts of malaria. To make matters worse, sometimes a real threat will model itself on the 'look-and-feel' of a previous hoax.

So how do you decide if something's a hoax or not? Here are some general guidelines.

• Don't simply forward such an e-mail message without checking first to see if it's a hoax.
• If it didn't come from a security vendor's news or alert service, check out the hoax sections of specialist security web sites.
• If in doubt, check with your anti-virus vendor, or send it to 'newvirus@kaspersky.com' for analysis.
• Never click on attachments in e-mails that come from an unknown source.