These days Passwords^12 is taking place in Oslo - a conference only dedicated to passwords and pin codes. With temperatures around -15 degrees (Celsius) outside, in the conference rooms of the University in Oslo, Department of Informatics, talks by well known security experts are given.

Every day you use passwords. While logging on to your computer, smartphone or tablet, accessing your emails or your social network site and also for online banking and online shopping. Recent database breaches of user logins show that there is a high demand for more security in this area. During these days talks and discussions only care about this.

Kaspersky Lab is paying a lot of attention to IT security education & literacy development sharing its knowledge & experience actively through its educational program "Kaspersky Academy" which offers unique opportunities for students & young professionals to improve their knowledge of IT security, gain new experience and communicate with industry experts, realize their scientific potential as well as get exciting career opportunities & open the door to the professional world of IT security. Ram Herkanaidu, educational manager, is telling about academic initiatives of the company.

Since yesterday I've been attending the annual Hack-in-the-Box Quad-Track Security Conference in Amsterdam/NL. There's a very nice and open atmosphere here at the conference, besides the beautiful city of Amsterdam.

First, Joe Sullivan (CSO at facebook), held a very interesting keynote about the development of security innovations at facebook. For him innovation is „these hacking culture, we think about each day at facebook“. After explaining some of the newer security innovations (https-only, login notifications, login approvals [if e.g. geo-location of a user is suspicious], recognized devices, recent activity) he talked about the recent fb-scams with malicious scripts. „No one would do that, copying and pasting a script into the browser! - Yes, they do...“, he said.

Also a remarkable talk I attended was about binary planting, given by Mitja Kolsek (CTO at ACROS Security). In "Binary Planting: First Overlooked, Then Downplayed, Now Ignored" Mitja also showed a new method he called "advanced binary planting", which uses a feature from Windows' special folders (like control panel, printers, etc.) and clickjacking to make it possible to own the users' computer.

In the winter garden of the conference hotel there's a technology showcase area. Hackerspaces from all over Europe and the Netherlands are showcasing their projects here. There also is a capture-the-flag competition happening, a lock-picking and (sponsor) companies-showcase.

For more informations please see the conference website.

Security researchers from around the world are digesting the weekend's fare at Infiltrate2011, organized by security outfit Immunity. "No policy or high-level presentations, just hardcore thought-provoking technical meat" was promised, and presenters served it up sizzling.

The sessions folded in a variety of topics slicing up current offensive security issues with some defensive interest mixed in. Discussions spread from technical wizardry attacking hardened linux kernels to general network exploration and reconnaisance. Infiltrate2011 itself follows somewhat on the Blackhat/Defcon conference model, but reduces the corporate marketing at those conferences. The peer reviewed set of presentations and research sponsored by one of the best known offensive security/penetration testing groups in the business sets the bar high and undistracted for the level of technical content. The final agenda is listed here.

Last week I got the chance to drop by the IIT campus in Mumbai, India, for the Techfest 2011 conference.

This was a great opportunity to meet some of the world’s brightest students and to listen to some very interesting lectures from people such as Richard Stallman – who needs no introduction, William Baker – the structural engineer for the famous Burj Khalifa, KS Pua – the inventor of the pen drive, or Jaap Haartsen, the engineer who developed the Bluetooth specification. For a full lineup of the speakers, you can go here: http://www.techfest.org/lectures/

The holidays are nearly here! If you're still searching for the final perfect present, and are thinking of buying online, here's a few practical tips to help keep your last-minute purchases secure:

1. Keep your Internet Security solution updated, not just to the day but to the hour! We release frequent updates to make sure you're protected from the very newest malware. Scan your system before you start shopping.

2. Don't forget to use our Kaspersky Virtual Keyboard which is integrated in Kaspersky Internet Security products for all your online transactions, especially when you’re asked to input any personal data like your names, numbers (credit card, pin, date of birth, zip code, etc) or address.
   

   Using the virtual keyboard prevents Trojans from stealing information which you enter via the keyboard or other input device.

3. Don’t shop from public WiFi networks which aren't secured using WPA2. These networks can be easily hijacked by cybercriminals, and your sensitive financial data could be compromised.

4. Make sure your system is up-to-date! You should make it a habit to download and install updates not just for your operating system but also for third party applications like:
   
   
   
   
   • Browsers like IE, Firefox, Opera, Safari, Google Chrome or any other you use
     
   • Adobe system applications.
     
   • Media players like Realpayer, Winamp, etc.
     
   
   
   You can use the Kaspersky Vulnerability Scan integrated in Kaspersky Internet Security product to check your system for vulnerabilities.

5. Check that the sites you shop on are secure! A secure online shopping site will have a valid digital certificate which is used to encryption and secure your online transaction and it will have an icon showing a closed padlock in the bottom or the top of your browser.
   

   The address bar should have an ‘https’ string before the page address.

   

   Remember - NEVER shop on a page which doesn’t have ‘https’ in the address bar:

   

   or if the padlock is open or broken, or if you get a warning regarding the digital certificate of the page you’re on!

   
   
   

Wishing you safe online shopping and happy holidays!

Following on from last Wednesday's post - if you're interested in attending our Malware Defence Workshop (which includes puzzles like the one shown above!), do contact us on malwaredefence [at] kasperskylab.co.uk and we'll send you a schedule.

Over here in the UK we're launching our Malware Defence Workshop. If you're responsible for corporate security, developing security strategies, or keeping your company network free of malware, this workshop is for you.

We're offering a mix of theoretical, practical and demonstration sessions to give an insight into how malware works – in a secure, risk-free environment.

Topics range from how malware has developed over the years, through propagation methods, Trojans, botnets, ransomware and mobile malware. There'll be sessions on evaluating security solutions, and what the future may hold.

We'll be running the workshop regularly, so if you're interested in meeting malware face-to-face, do contact us for more details.

Roel recently posted about user education. Last week I co-moderated a discussion workgroup at Net Focus UK on 'Building and managing an effective IT security training and awareness program'. I thought I'd share some of the key points that came out of the discussions on the subject of staff awareness as part of an overall security strategy.

1. It's education, not training. You're trying to influence attitudes and approaches, not create security experts.
   
2. You're educating your employees; they're not 'users'.
   
3. If it's done properly, education can make a big difference to company security.
   
4. Keep it personal; this will make it more effective. e.g. tie it in with home PC security.
   
5. Make it engaging and interesting. You could use
   
   
   
   • Your company intranet
     
   • Online training
     
   • Poster campaigns
     
   • Foyer displays
     
   • Tip of the month
     
   • Calendars or screen-savers.
     
   
   
6. Keep it simple.
   
7. Keep guidelines about what to do or not do, what to report, and who to report to as straightforward as you can.
   
8. Make sure you have a written policy that includes guidelines and expectations.
   
9. Foster an attitude of openness; otherwise security problems will not be reported.
   
10. Avoid making employees feel stupid, or you'll just alienate them.
    

Yesterday I took part in a symposium organized by "De Consumentenbond", the Dutch consumer organization.

One of the goals was to get security professionals and users to mingle, which was quite educational for both groups. I certainly encountered some terms that weren't familiar to me, such as "trojan virus" as well as a number of Dutch terms.

It’s clear that some of these terms are being used to simplify security issues, making it easier for end users to get to grips with the topic. But I'm not sure that it will make things easier - not only were some terms translated into Dutch, while others were left in English. When a user wants to search for additional information on a topic, s/he will come up empty handed, as security companies aren’t using these terms.

It's clear that user education is in some ways similar to malware classification - efforts still have to be made in terms of co-ordination and terminology.