These days Passwords^12 is taking place in Oslo - a conference only dedicated to passwords and pin codes. With temperatures around -15 degrees (Celsius) outside, in the conference rooms of the University in Oslo, Department of Informatics, talks by well known security experts are given.

Every day you use passwords. While logging on to your computer, smartphone or tablet, accessing your emails or your social network site and also for online banking and online shopping. Recent database breaches of user logins show that there is a high demand for more security in this area. During these days talks and discussions only care about this.

We speak about attacks on online providers that result in the leak of personal users’ passwords. Just recently we saw the leak of 6.46 million Linkedin user passwordss. Right after this we saw a leak of 400 thousand Yahoo Voices passwords. These are not isolated cases; nowadays we see many successful attacks that lead to personal data leaks. One more example of this is the leak of personal information of users of one of the popular Android forums and finally the hack of the NVIDIA developer forum. It’s worth saying that many successful attacks are just not announced and the Internet community doesn’t find out about them.

So, how do we deal with cases when our passwords can be leaked? Obviously the end user can’t do much to protect his on-line service provider and prevent the leak, but there are some basic tips on how to avoid a big disaster when our passwords are compromised.

1.    Use a different password for each different online resource. Never reuse the same password for different services. If you do, all or many of your other online accounts can be compromised.
2.    Use complex passwords. This means, in a perfect scenario, a combination of symbols, letters and special characters. The longer the better.
3.    Sometimes our online service providers don’t let us create really complex passwords, but try to use long passwords, with at least 23 characters in a combination of uppercase and lowercase letters. A password of 23 characters (131 bits) would be ok.

For some users it’s hard to remember complex passwords, in which case a good solution would be to use a password manager like Kaspersky Password Manager.

Remember, you can’t stop your service provider being hacked, but you can avoid a bigger disaster when all of your accounts get compromised at once just because you used the same password!

Follow @dimitribest

Airport kiosks have achieved a wide distribution nowadays. They offer the convenience of having access to all sorts of travel related information, IP-telephony as well as to the Internet while on the road. Which is a good thing!

However, when I travelled back from BlackHat and DefCon 19 and checked in at the Mc Carran airport in Las Vegas, one of these machines caught my eye. It showed a website I know pretty well – Facebook! But it wasn't the Login screen - as it should be - but the profile page of a member. Someone had forgotten to logout of his or her account. Anyone in this airport would now have full access to all data and - of course - be able to write status messages on the profile page of the account owner and all people in the friendlist – which could harm this person‘s reputation. Which is a bad thing!

What a coincidence! The same day I start tumblring, Tumblr users get hit by what seems to be one of the most publicized phishing attacks the social network has seen so far.

Yet another phishing attack has resulted in thousands of accounts being compromised. Nothing new here. Phishing is a game of numbers – so even though many users are aware of this threat, there still are some of them who fall victim to this old social engineering trick. Therefore, even with just a low efficiency rate in terms of percentage, thousands of accounts can still be easily compromised by cybercriminals if the phishing page is seen by enough people.

So – for those of you out there who still don’t know the basics of avoiding becoming a victim of phishing attack, here are a couple of tips:

A few days ago, we have notified you about malicious activities from the S.A.P.Z. botnet. And we provided evidence that this methodology of attack can be used to affect users of any Latin America bank, or any part of the world.

Now the S.A.P.Z. gang, which may be Peruvian, has resorted to another strategy. It is focusing on the theft of sensitive information, by spreading a variant of Palevo worm, detected by Kaspersky Lab as P2P-Worm.Win32.Palevo.cudq.

The key element of this is that with S.A.P.Z., the cyber-criminals have used the functionalities of an old web application created for the administration of stolen data, called Blackshades. As indicated in this image, now they’re not only focusing on Peruvian users, but also others countries such as Chile, Colombia, Spain and USA.

There are countless firms that sell expensive computer security products and gear. But most experts will tell you that the one step you can take to most improve the security of your home or work computer is to have and follow strict password security. But what makes a password strong (or weak)? And what tricks might hackers, malware authors and cyber criminals play to get you to part with yours? Paul Roberts of Threatpost speaks with David Emm of Kaspersky Lab about proper password hygiene and the steps you need to take to secure access to your critical online and offline accounts.

As long-time blog readers may know, I shifted my focus to North American threats some three years ago. Ever since, I've noticed major cultural differences in how security issues get tackled.

One way in which the difference is very clear is the use of secret questions as an added security measure. While secret questions are not overly common in Europe, they're very popular in the USA.

It goes without saying that out-of-band authentication used by many European banks is a much more secure approach than asking a secret qeustion next to a regular password. And banks are just one of many examples. Secret questions are everywhere now.

Enter the Facebook era. Rarely do I encounter a secret question that people wouldn't likely have posted the answer to on Facebook. It's worse with the services that allow users to reset their password based on answering the secret question(s) correctly.

The word ‘leak’ has become rather popular in recent times, but few of us actually realize just how likely it is that our own personal information could be leaked. We protect our computers, our mobile devices, keep up to speed with the latest security issues, but there are still times when we become careless. In particular, I’m speaking about public computers like this one here:

This is a genuine public access computer I came across in a hotel I was staying at last week during a short vacation. I had to use the Internet quite urgently, and of course I understood that my personal data wasn’t completely safe and could end up in someone else’s hands. I decided to try a little experiment and the results clearly demonstrated that any of us could quite easily fall victim to our own personal ‘(Wiki)leaks’:

1. The computer was infected with several malicious programs that a rather well known up-to-date antivirus solution had not detected. There was a backdoor that stole the passwords for the online banking systems of five banks – four Brazilian and one Spanish. Closer inspection showed that the computer had been infected via the Orkut social networking website on 11 July 2010. Since then the malicious program had been gathering bank account passwords from goodness knows how many people. There was also a downloader based on Java technology.
2. The option to ‘save passwords’ was ticked in the browser settings. Of course, users were not informed about it. All the passwords entered on the computer were saved under a master password that was obviously only known to the person who activated the setting.
3. In the My Documents and Downloads folders there were lots of files and photographs that users had downloaded from the Internet or their email accounts and forgotten to delete. Here are a few examples of the things I found:
   • Documents about legal proceedings and a court subpoena.
   • A report about configuration work carried out on a series of computers at an organization.
   • The schedule for a business event at a company.
   • Personal photos of people with their friends and family.
   • A property deed of conveyance.
   • A work timetable.

I’m sure very few people would want their documents, especially of this nature, falling into the hands of strangers, competitors or cybercriminals.

So, if you want to experience your own (Wiki)leaks, all you have to do is use public access computers on a regular basis at airports, in hotels, cafes, libraries etc. If you really have to use a public computer and you know a thing or two about IT security, check first of all to see if the computer is infected. Remember that antivirus scanning results don’t always reflect the real picture.

Secondly, check if the ‘save passwords’ option is activated in the browser.

Thirdly, if you are working with documents or photographs, try not to download them. Many of today’s email services allow you to work with them directly from your email account. If you do download something, don’t forget to delete it afterwards and clear it from the Recycle Bin.

It’s also worth looking at the computer itself to ensure that there are no devices between the port where the keyboard is plugged in and the keyboard itself. These devices can gather information and look something like this:

Other precautionary measures include either cleaning your Internet Activity History or, before going online, switching on the privacy mode that is included in numerous browsers these days.

I cleaned up the aforementioned computer and informed the hotel administration. I didn’t get a discount, but the hotel management was very grateful and promised that no more cybercriminals would be stealing money from their customers (although I’m not so sure about that).

In a long overdue move, Twitter turned off basic authentication for third-party applications, while enforcing OAuth for all apps. This is a move that should be applauded by anyone concerned about the security of their Twitter account.

This latest move covers a potential vulnerability in the process of giving read/write access to third-party applications, which could lead to a Twitter account being compromised. Well, not anymore. You don't need to give your username and password to third-party developers anymore if you want to use their application on your Twitter account.

Being always concerned about security, I salute Twitter's move to enforce OAuth. This lets me use an application without having to share my Twitter username and password with an unknown entity. Also, hats off to all developers that updated their applications in time and made this change as seamless as possible for the majority of users.

However, keep in mind that OAuth doesn't protect against local attacks - stealing passwords straight from the users' machines. Make sure you use a clean computer when you log-in to Twitter. Also, for more tips on staying safe, I invite you to read my quick How to Avoid Getting Your Twitter Account Hacked guide on Threatpost.

Just few hours ago Twitter officially announced the launch of their new iPhone application called “Twitter for iPhone”. The news quickly became a trendy topic in Twitter and as it used to be the criminals took advantage of this one more time. The difference this time is that the criminals behind this particular attack didn’t want to use Rogue AV malware but a Worm with dropper functions to deliver Trojan banker malware to the users machine.

This is an example of detected malicious twitts by us:

The initial Trojan is downloaded to the victim machine by a malicious Java archive file. It has several malicious features, for example: spreading through USB devices; it disables Windows task manager, the regedit application and also notifications from Windows Security Center. Also it creates a copy of itself in the system with the name of Live Messenger. The criminals even included an anti-virtualization feature. The worm checks if the hard drive of infected system is virtualized or not. If found to be in a virtual system, the malicious code won’t be executed.

As I mentioned the main goal of this Trojan is to steal on-line bank credentials of the victims!

This malware is very harmful since credit cards and on-line banking credentials are in the game. Please, be really careful specially with trend topics (searches) since in many cases they are being used by criminals.

Kaspersky Anti-Virus detects the threat as Worm.Win32.VBNA.b