Archive for the ‘exploitation’ Category

RSA Conference 2015: Enhancing Cloud Trust

March 31st, 2015

RSA Conference USA 2015 is just a few weeks away (April 20-24) in San Francisco. Given the numerous noteworthy cybersecurity events that have occurred over the last 12 months, I expect this conference to be well attended, yet again!

Once more, Microsoft is a Diamond sponsor, and Scott Charney, Corporate Vice President, Trustworthy Computing, will deliver a keynote at the conference. His keynote, entitled “Enhancing Cloud Trust,” will be delivered Tuesday, April 21st at 8:50 AM PT.

On Tuesday, April 21st at 1:10 PM PT, I will be delivering a speaker session, “Exploitation Trends: from potential risk to actual risk,” as part of the Breaking Research track. Microsoft researchers have studied some of the exploits discovered over the past several years and the specific vulnerabilities in Microsoft software that were targeted. The goal of this study is to understand which vulnerabilities are exploited, who exploits them, the timing of exploitation attempts relative to when security updates are available, and how these vulnerabilities were introduced into code. These findings are key in helping security professionals more accurately assess the risk that vulnerabilities pose.

I’m excited to be joined by two exploit researchers: Matt Miller, Principal Security Software Engineer from the Microsoft Security Response Center, and David Weston, Principal Program Manager from the Microsoft One Protection Team. Together, we will be discussing the long-term trend data and our brand new research.

And finally, we will examine how exploits are monetized through exploit kits that are sold as commercial software or as a service, as well as development practices that can help minimize such vulnerabilities.

There are several Microsoft speakers at the conference this year; below is a full list of their sessions.

MICROSOFT SPEAKER SESSIONS

Title | Date | Time (PT)
License to Kill: Malware Hunting with the Sysinternals Tools – Mark Russinovich | Tuesday, 4/21 | 1:10 PM
Exploitation Trends: from potential risk to actual risk – Tim Rains, Matt Miller, David Weston | Tuesday, 4/21 | 1:10 PM
Security and Privacy in the Cloud: How Far Have We Come? – Bret Arsenault (Panel Discussion) | Tuesday, 4/21 | 4:40 PM
Assume Breach: An Inside Look at Cloud Service Provider Security – Mark Russinovich | Wednesday, 4/22 | 8:00 AM
Doing Security Response with your Cloud Service Provider – Jerry Cochran (Peer-to-Peer Session) | Wednesday, 4/22 | 8:00 AM
License to Kill: Malware Hunting with the Sysinternals Tools – Mark Russinovich | Wednesday, 4/22 | 9:10 AM
Enterprise Cloud: Advancing SaaS Security and Trust – Chang Kawaguchi | Wednesday, 4/22 | 10:20 AM
The Legal Pitfalls of Failing to Develop Secure Cloud Services – Cristin Goodwin | Thursday, 4/23 | 10:20 AM
Pass-the-Hash II: The Wrath of Hardware – Nathan Ide | Thursday, 4/23 | 10:20 AM

Microsoft is also hosting a booth on the expo floor where we will host a number of theater sessions. To find session descriptions and times, as well as details on the Microsoft party (Wednesday, April 22nd, 8:00 PM PT), please visit http://rsa2015.microsoft.com.

One other session that I think you should check out is being delivered by a longtime colleague, Nicole Miller, Senior Vice President, Cybersecurity & Issues Management, Waggener Edstrom. Nicole has been working with companies on cybersecurity for many years, and it’s a rare treat to hear her speak in public. Her session is called “From the Battlefield: Managing Customer Perceptions in a Security Crisis” and is scheduled on Tuesday, April 21, 2015 at 3:30 PM PT.

I hope to see you at the conference!

Part 1: New data on youth “nudes” show disturbing trend

Young people around the globe are taking and sharing nude photos and videos of themselves, and the phenomenon appears to be occurring among younger and younger age groups, according to results from a new study sponsored by Microsoft.

Data released today by the UK-based Internet Watch Foundation (IWF) show 17.5 percent of the more than 3,800 sexually explicit photos and videos analyzed by IWF late last year were produced by young people believed to be under the age of 15. Meanwhile, 7.5 percent, or 286 images, were assessed as featuring children 10 or younger.

Even more startling is the severity of the content. The majority (72.4 percent) of the images depicting individuals believed to be 16-20 years old were classified as “Category C,”[1] with the remaining 27.6 percent deemed Category B or A. In sharp contrast, 46.9 percent of the images assessed as featuring children 15 and under were Category A or B.

“The findings tell a distinctively different story from the research conducted in 2012,” said IWF Chief Executive Officer Susie Hargreaves. “However, our message around the ease at which content can be ‘lost’ online remains the same. Ninety percent of the imagery had been taken from its original upload location and copied to somewhere else. Whilst the 2012 study provided valuable insight into the increasing accessibility of sexual content depicting young people, this research reveals younger children and in some cases more explicit sexual behavior than we previously saw.”

Indeed, 85.9 percent of the images and videos assessed as depicting youth under 15 were taken via webcam captures from a personal computer or laptop. Just 8.5 percent were taken with a mobile phone, challenging the belief that the majority of “sexting” photos are captured via cell phone. IWF reported that, among this age group, 1.8 percent of the images were shot with a traditional digital camera.

I first learned of IWF’s work analyzing “indecent self-generated imagery among youth” some 18 months ago when Microsoft was refreshing its child online protection strategy. As noted, IWF had conducted a similar study in 2012 when it reviewed more than 12,000 nude images and videos taken and shared by youth. Those results showed that 88.15 percent of the content had migrated to so-called “parasite websites” where people downloaded the images, sometimes for a fee, and in all instances probably unbeknownst to the original explicit selfie-taker. IWF stresses there was “not a single instance” three years ago where a child was assessed as being 13 years of age or younger.

We approached IWF to see if the research had been repeated or was set to be re-run. An opportunity for collaboration emerged, and the current research’s photos and videos were analyzed over September, October and November 2014. We asked, in particular, that IWF examine the commercial aspects of the data given the 2012 results. A piece of “good news” from the current study is that only 1.7 percent of the 2014 data set was assessed as being “commercially available.”

Parents who may be aware of this pattern of youth behavior are often confused by it. Others are hard-pressed to believe their kids would take part. To get some perspective, we’ve produced a new factsheet and offer some general guidance:

  • Talk to kids. Ask what they do online—favorite sites, games and activities. Be inquisitive, not judgmental. Let what’s learned serve as a basis for “house rules” on technology and web use.
  • Get help from technology. Family safety settings can help block harmful content, limit information-sharing and manage website access. Tell your children if you use these features and explain they’re intended to help keep them safe.
  • Discuss sexting—even if it’s uncomfortable. Start conversations early, and talk about peer pressure to sext. Listen for signs of coercion. Discuss risks and keep perspective.

To launch the research, Microsoft and IWF are co-hosting an event today at our London offices. “Youth selfies: The real picture – New insights and a way forward,” is bringing together parents, educators, policymakers and others to hear the data and discuss possible tools and resources. In Part 2 of this two-part blog, I’ll recap the event, perspectives shared and advice given. Meantime, to learn more about online safety generally, please visit this website.

[1] IWF’s category classifications are set out in the UK Sentencing Council’s Sexual Offences Definitive Guideline. Category C is defined as no sexual activity, but a prominent focus on the naked genitalia of the individuals shown. Category B includes sexual activity shy of any actual sex act, while Category A includes sex acts and other highly graphic sexual displays.