Public speaking engagement on malware - help!

Because of the work I've done for several people in my county, I've been asked to speak to the local computer club on several topics. Of these, the one I feel least comfortable talking about is malware.

Don't get me wrong - I know exactly what I'm talking about, but the stigma of recommending a product or even recommending they pick one from a wide selection leaves me kind of queasy. Worst of all, I am most nervous about talking about social engineering popups and emails with a mostly older crowd that is sensitive about the fact that many of them have fallen for those things. And let's not even begin to think about the "I hate Product X! Product X is scum!" lambasting I could run into with some people.

I want these guys to have a good experience and go home less afraid of the internet and their computers than they were before they heard me speak. I want them to not be overloaded with trivial knowledge and geekspeak/techspeak, but still get the point of what I have to say. Are there any recommendations out there on how to accomplish this?

 

You may want to peruse a talk given by Eugene Kaspersky.
http://blogs.zdnet.com/security/?p=728

 

Hi, I think it's cool that you've been invited to speak. I'm not one of the big experts here, but I have a suggestion. It would be good to point out that it is necessary to keep Windows, security programs and other internet facing programs (IM's, media players, etc.) up to date. Most malware targets exploits in existing programs that are not updated/vunerable. The bad guys go after the easy, vulnerable targets or 'the low hanging fruit'. Tell them if they can't afford to keep there 'preferred' security softwares up to date, there are good free one's available. Maybe a simple handout with some links and simple rules like 1 AV, 1 firewall and 1 AS/AM.

It may be a little much, but you may stress scanning everything they download with all there scanners before installing the download. Perhaps suggest a few on-demand scanners and let them pick 2 for this job and to update them before scanning the download. In My Documents, I have a folder named downloads that everything gets downloaded to.

Then, tell them to get a sandbox program and virtualization and imaging programs... Nah... I'm just kiddin'. Just be yourself and you'll be fine. They chose you for a reason to speak. You must be doing something right .

 

A good example would be exploits on MySpace. From one analysis,

http://isc.sans.org/diary.html?storyid=3060
The decoded result of /routine.php is an attempt to exploit vulnerable IE client browsers using the Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) for which Microsoft released a patch in May 2006.


----
rich

 

What if they dont understand Russian