Thursday, 21 April 2016

MIT Security researchers designed an Artificial Intelligence system called AI2 that is able to detect 85 percent of attacks

As the number of cyber attacks continues to increase, it is becoming even more difficult to detect and mitigate them in time to avoid serious consequences.

A group of researchers at MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) is working on an ambitious project: the development of a technology able to detect cyber attacks early. The experts, in collaboration with peers from the startup PatternEx, have designed an Artificial Intelligence system that is able to detect 85 percent of attacks by using data from more than 3.6 billion lines of log files each day.
The researchers have developed a system that combines an Artificial Intelligence engine with human input, which they call Analyst Intuition (AI). Because it pairs Artificial Intelligence with Analyst Intuition, the experts named it Artificial Intelligence Squared (AI2).

The AI2 system first performs an automatic scan of the content with machine-learning techniques and then reports the results to human analysts, who decide which events are actually linked to cyber attacks.

According to the MIT experts, the approach implemented by the AI2 system is 3 times better than current automated cyber attack detection systems.

“The team showed that AI2 can detect 85 percent of attacks, which is roughly three times better than previous benchmarks, while also reducing the number of false positives by a factor of 5. The system was tested on 3.6 billion pieces of data known as “log lines,” which were generated by millions of users over a period of three months.” states a description of AI2 published by MIT.

The more analyses the system carries out, the more accurate its subsequent estimates become, thanks to the feedback mechanism.

“You can think about the system as a virtual analyst,” says CSAIL research scientist Kalyan Veeramachaneni, who developed AI2 with Ignacio Arnaldo, a chief data scientist at PatternEx and a former CSAIL postdoc. “It continuously generates new models that it can refine in as little as a few hours, meaning it can improve its detection rates significantly and rapidly.”

The group detailed their system in a paper titled “AI2: Training a big data machine to defend.” AI2 was presented last week at the IEEE International Conference on Big Data Security in New York City.

Saturday, 16 April 2016

Security researchers from Cornell Tech discovered that web URL shorteners operate in a predictable way, exposing sensitive data.

The security researchers Vitaly Shmatikov and Martin Georgiev from Cornell Tech discovered that web URL shorteners operate in a predictable way, and this could result in the disclosure of sensitive information.

What is a Web URL Shortener?
URL shortening is a technique on the World Wide Web in which a Uniform Resource Locator (URL) may be made substantially shorter in length and still direct to the required page. This is achieved by using a redirect on a domain name that is short, which links to the web page that has a long URL.


The duo analyzed the most popular URL shorteners, including the services operated by Google, Bit.ly and Microsoft, and discovered that attackers can enumerate short URLs to find sensitive information exposed on the web. For example, the researchers discovered short URLs pointing to Microsoft OneDrive folders that are unlocked.

“short URLs produced by bit.ly, goo.gl, and similar services are so short that they can be scanned by brute force. Our scan discovered a large number of Microsoft OneDrive accounts with private documents. Many of these accounts are unlocked and allow anyone to inject malware that will be automatically downloaded to users’ devices.” wrote Shmatikov in a blog post.
The experts also discovered that URL shorteners can reveal information that could be used to profile users.

“We also discovered many driving directions that reveal sensitive information for identifiable individuals, including their visits to specialized medical facilities, prisons, and adult establishments.”
The details of their analysis are included in a paper titled “Gone in Six Characters: Short URLs Considered Harmful for Cloud Services.”

Google and Microsoft have introduced fixes to secure newly generated short links, but old links remain vulnerable.

The researchers explained that shortened URLs are generated in a predictable way by combining the service’s domain name with a token of five to seven characters. The result is a short URL, but its brevity, together with knowledge of the generation mechanism, is precisely the weakness that makes brute-force enumeration feasible for attackers.

“The tokens are so short that the entire set of URLs can be scanned by brute force. The actual, long URLs are thus effectively public and can be discovered by anyone with a little patience and a few machines at her disposal.” explained Shmatikov.

The scan of 100 million URLs allowed the experts to discover more than 1.1 million publicly accessible OneDrive files, including documents and executables.

“In our sample scan of 100,000,000 bit.ly URLs with randomly chosen 6-character tokens, 42% resolved to actual URLs.  Of those, 19,524 URLs lead to OneDrive/SkyDrive files and folders, most of them live.  But this is just the beginning.”

The random scan of Google-shortened URLs allowed the identification of 23,965,718 links, 10 per cent of them containing driving directions to sensitive locations, including disease clinics, abortion clinics, and strip clubs.

The duo demonstrated that shortening URLs may expose sensitive content to third parties. The experts suggest adopting measures that limit automated scanning.
“Use your own resolver and tokens, not bit.ly. Detect and limit scanning, and consider techniques such as CAPTCHAs to separate human users from automated scanners. Finally, design better APIs so that leakage of a single URL does not compromise every shared URL in the account.” states the duo.
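The mitigations quoted above (own resolver with unguessable tokens, detection and limiting of scanning) as an added example in Python; this is not the researchers’ code or any shortener’s, and the resolver log format, the documentation IP addresses and the thresholds are assumptions:

```python
import math
import secrets
from collections import defaultdict, deque

# bit.ly-style alphabet: 26 + 26 + 10 = 62 symbols per position
ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"


def keyspace_bits(token_len, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a token of token_len symbols; 6 symbols of base-62 is under 36 bits."""
    return token_len * math.log2(alphabet_size)


def make_token(nbytes=16):
    """Token for a self-hosted resolver: 128 bits from the OS CSPRNG, not a short counter."""
    return secrets.token_urlsafe(nbytes)


def find_scanners(log_lines, max_misses=20, window=60):
    """Flag clients whose unresolved lookups (404) exceed max_misses inside any window of seconds.

    Each log line is 'unix_ts client_ip token status' (assumed format). Legitimate users
    rarely hit tokens that do not exist; a walk through a short keyspace is a stream of misses.
    """
    misses = defaultdict(deque)
    flagged = set()
    for line in log_lines:
        ts, client, _token, status = line.split()
        if status != "404":
            continue
        q = misses[client]
        q.append(int(ts))
        while q[0] < int(ts) - window:   # drop misses that fell out of the window
            q.popleft()
        if len(q) > max_misses:
            flagged.add(client)
    return flagged


# Constructed resolver log (documentation IPs): one scanner walking tokens, one normal user.
SAMPLE_LOG = (
    [f"{1000 + i} 198.51.100.7 t{i:05d} 404" for i in range(25)]       # 25 misses in 25 s
    + [f"{1000 + 20 * i} 203.0.113.9 s{i:05d} 404" for i in range(3)]  # 3 typos in 60 s
    + ["1010 203.0.113.9 K9pQ2z 302", "1030 203.0.113.9 K9pQ2z 302"]   # real redirects
)

if __name__ == "__main__":
    print(f"6-char base-62 token: {keyspace_bits(6):.1f} bits; make_token() gives 128 bits")
    print("scanners:", find_scanners(SAMPLE_LOG))
```

A CAPTCHA or a block can then be applied to the flagged clients without affecting users who follow real links.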

Apple abandons support for the Windows version of QuickTime

It is official, Apple will no longer provide security updates for the Windows version of the popular QuickTime.

It is important to uninstall the product, which remains vulnerable to cyber attacks: experts recently discovered two remote code execution vulnerabilities that will now remain unfixed.
The announcement that QuickTime for Windows will no longer be supported was published by ZDI, which obtained the news after Steven Seeley of Source Incite reported details of the two critical vulnerabilities. The flaws were reported to Apple on November 11, 2015, and the company communicated to ZDI on March 9 that it is deprecating QuickTime on Windows.

“First, Apple is deprecating QuickTime for Microsoft Windows. They will no longer be issuing security updates for the product on the Windows Platform and recommend users uninstall it. Note that this does not apply to QuickTime on Mac OSX.

Second, our Zero Day Initiative has just released two advisories ZDI-16-241 and ZDI-16-242 detailing two new, critical vulnerabilities affecting QuickTime for Windows.” reported Trend Micro in a blog post.
Both issues are heap corruption flaws that could be exploited by attackers for remote code execution. The attack scenario is simple: the victim opens a maliciously crafted website or file.

“both of these are heap corruption remote code execution vulnerabilities. One vulnerability occurs when an attacker can write data outside of an allocated heap buffer. The other vulnerability occurs in the stco atom where by providing an invalid index, an attacker can write data outside of an allocated heap buffer. Both vulnerabilities would require a user to visit a malicious web page or open a malicious file to exploit them. And both vulnerabilities would execute code in the security context of the QuickTime player, which in most cases would be that of the logged on user.” continues Trend Micro.
At this point you have no choice: you must uninstall QuickTime now!
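As an added illustration of the bug class Trend Micro describes (not QuickTime’s parser, nor code from Apple, ZDI or Trend Micro), the Python below parses a chunk-offset (stco) table whose entry count is taken from the file. The unchecked version trusts that count the way the vulnerable code did; the hardened version validates it against the atom’s real size before any index is used. The atom layout assumed is the standard stco box: size, type, version/flags, entry_count, then 32-bit offsets.

```python
import struct

STCO_HEADER = 16  # size(4) + type(4) + version/flags(4) + entry_count(4)


def build_stco(offsets, claimed_count=None):
    """Construct a test 'stco' atom; claimed_count lets the header lie about how many entries follow."""
    count = len(offsets) if claimed_count is None else claimed_count
    body = struct.pack(">I", count) + b"".join(struct.pack(">I", o) for o in offsets)
    return struct.pack(">I4sI", STCO_HEADER + 4 * len(offsets), b"stco", 0) + body


def parse_stco_unchecked(atom):
    """The bug pattern: trust entry_count from the file and index the table with it.

    In C the table is a heap buffer sized from the same untrusted count, so an index past
    the real data reads or writes outside it; Python merely raises struct.error here.
    """
    count = struct.unpack_from(">I", atom, 12)[0]
    return [struct.unpack_from(">I", atom, STCO_HEADER + 4 * i)[0] for i in range(count)]


def parse_stco_checked(atom):
    """Hardened form: every length and index is validated against the real atom before use."""
    if len(atom) < STCO_HEADER:
        raise ValueError("truncated atom header")
    size, kind, _vf, count = struct.unpack_from(">I4sII", atom, 0)
    if kind != b"stco":
        raise ValueError(f"not an stco atom: {kind!r}")
    if size != len(atom):
        raise ValueError(f"declared size {size} != actual {len(atom)}")
    room = (size - STCO_HEADER) // 4
    if count > room:                       # the check the bug class is missing
        raise ValueError(f"entry_count {count} exceeds space for {room} entries")
    return list(struct.unpack_from(f">{count}I", atom, STCO_HEADER))


def rejection(fn, atom):
    """Name of the exception fn raises on atom, or None if it accepted it."""
    try:
        fn(atom)
    except (struct.error, ValueError) as e:
        return type(e).__name__
    return None


# Constructed inputs: a well-formed table and one whose header claims far more entries than it carries.
GOOD = build_stco([48, 4096, 8192])
BAD = build_stco([48, 4096], claimed_count=1 << 20)

if __name__ == "__main__":
    print("checked:", parse_stco_checked(GOOD))
    for name, fn in (("unchecked", parse_stco_unchecked), ("checked", parse_stco_checked)):
        print(f"{name} on BAD: {rejection(fn, BAD)}")
```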

“Uninstalling QuickTime 7 also removes the legacy QuickTime 7 web plug-in, if present. Websites increasingly use the HTML5 web standard for a better video-playback experience across a wide range of browsers and devices, without additional software or plug-ins. Removing legacy browser plug-ins enhances the security of your PC.” states Apple.

What is the impact on OS X users?
Apple informed users that the QuickTime plugin has been disabled in OS X and web browsers in order to protect them from cyber attacks leveraging the security flaws.
The US-CERT has issued an advisory on the vulnerabilities explaining the risks associated with the flaws.
“Computers running QuickTime for Windows will continue to work after support ends. However, using unsupported software may increase the risks from viruses and other security threats. Potential negative consequences include loss of confidentiality, integrity, or availability of data, as well as damage to system resources or business assets. The only mitigation available is to uninstall QuickTime for Windows,” states the US-CERT advisory.

At the time of writing, security experts confirmed that they were not aware of any active attacks exploiting these vulnerabilities.

Don’t waste time, uninstall QuickTime for Windows today.

Monday, 4 April 2016

US National Institute of Standards and Technology (NIST) updated its secure email guide.

NIST’s previous effort on email security guidelines dates back to 2007, when it published NIST SP 800-45, Version 2 – Guidelines on Electronic Mail Security.
The new NIST guide is an 81-page document that aims to give recommendations and guidelines for enhancing trust in email. The guideline applies to Government IT environments, but it is also useful for private organizations of any size.

The recommendations in the NIST guide for secure email include practices for securing the environments around enterprise mail servers and mail clients. The guide also provides guidance on email digital signatures and encryption (via S/MIME) and on protecting against spam messages. Email security needs a multidisciplinary approach that involves secure solutions, effective configurations and trained personnel.

“Email communications cannot be made trustworthy with a single package or application. It involves incremental additions to basic subsystems, with each technology adapted to a particular task.” states the NIST guide on secure email.

Encryption is essential to secure email systems; the guide urges administrators to build out a cryptographic key management system (CKMS) and use keys to protect email sessions.
“As with any cryptographic keying material, enterprises should use a Cryptographic Key Management System (CKMS) to manage the generation, distribution, and lifecycle of DKIM keys. Federal agencies are encouraged to consult NIST SP 800-130 [SP800-130] and NIST SP 800-152 [SP800-152] for guidance on how to design and implement a CKMS within an agency.”

Despite the numerous incidents that occurred in recent years, NIST still considers the DNS trustworthy thanks to its numerous security enhancements, including the DNS Security Extensions (DNSSEC), a set of extensions to DNS that provide DNS clients with origin authentication of DNS data, authenticated denial of existence, and data integrity.

The NIST guide highlights the importance of S/MIME (Secure Multipurpose Internet Mail Extensions) for securing email messages.
“Secure Multipurpose Internet Mail Extensions (S/MIME) is the recommended protocol for email end-to-end authentication and confidentiality. S/MIME is particularly useful for authenticating mass email mailings originating from mailboxes that are not monitored, since the protocol uses PKI to authenticate digitally signed messages, avoiding the necessity of distributing the sender’s public key certificate in advance. This usage of S/MIME is not common at the present time, but is recommended.” states the guide.

The guide includes a warning to organizations that rely on cloud services for their email, in particular services offered by a third party.
Organizations need to make sure that any email sent on their behalf by third parties will pass SPF checks. The fix is simple: the enterprise administrator has to include the IP addresses of the third-party senders in the enterprise SPF policy statement RR.
The NIST guide is open for public comment until May 1st; I suggest you read it.
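The SPF check for third-party senders described above, as an added Python example that is not part of the NIST guide: it parses an SPF TXT record and evaluates one sending IP offline. The policy strings and IP addresses are constructed, and mechanisms that need DNS (include, a, mx, exists, redirect) are reported as unresolved rather than guessed.

```python
import ipaddress

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(txt):
    """Split an SPF TXT record into (qualifier, mechanism, value) terms; rejects non-SPF records."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # an unqualified mechanism means pass
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def check_sender(txt, sender_ip):
    """Offline SPF evaluation for one sending IP (ip4/ip6/all only; DNS mechanisms flagged)."""
    ip = ipaddress.ip_address(sender_ip)
    needs_dns = []
    for qualifier, name, value in parse_spf(txt):
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):   # version mismatch is False
                return QUALIFIER_RESULT[qualifier]
        elif name == "all":
            if needs_dns:                    # an unfollowed include could still match
                return "unresolved:" + ",".join(needs_dns)
            return QUALIFIER_RESULT[qualifier]
        elif name.startswith("redirect="):
            needs_dns.append("redirect")
        elif "=" in name:
            continue                         # other modifiers (exp=) do not affect the result
        else:
            needs_dns.append(name)
    return "unresolved:" + ",".join(needs_dns) if needs_dns else "neutral"


# Constructed policies: the first lists a third-party mailer's IP directly, as the guide advises,
# plus a second mailer reachable only through include:; the second has no DNS-dependent terms.
ENTERPRISE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.25 include:_spf.mailer.example -all"
NO_INCLUDE_SPF = "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8:beef::/48 -all"

if __name__ == "__main__":
    for sender in ("192.0.2.77", "198.51.100.25", "203.0.113.5"):
        print(sender, "->", check_sender(ENTERPRISE_SPF, sender))
```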