Tuesday, April 25, 2017

How future policy and regulations will challenge AI

I recently wrote about how radical the incorporation of artificial intelligence (AI) to cybersecurity will be. Technological revolutions are however frequently not as rapid as we think. We tend to see specific moments, from Sputnik in 1957 to the iPhone in 2007, and call them “game changing” – without appreciating the intervening stages of innovation, implementation and regulation, which ultimately result in that breakthrough moment. What can we therefore expect from this iterative and less eye-catching part of AI’s development, looking not just at the technological progress, but its interaction with national policy-making process?

I can see two overlapping, but distinct, perspectives. The first relates to the reality that information and communication technology (ICT) and its applications develop faster than laws. In recent years, examples of social media and/or ride hailing apps have seen this translate into the following regulatory experience:

  1. Innovation: R&D processes arrive at one or many practical options for a technology;
  2. Implementation: These options are applied in the real world, are refined through experience, and begin to spread through major global markets;
  3. Regulation: Governments intervene to defend the status quo or to respond to new categories of problem, e.g. cross-border data flows;
  4. Unanticipated consequences: Policy and technology’s interaction inadvertently harms one or both, e.g. the Wassenaar’s impact on cybersecurity R&D.

AI could follow a similar path. However, unlike e-commerce or the shared economy (but like nanotechnology or genetic engineering) AI actively scares people, so early regulatory interventions are likely. For example, a limited focus on using AI in certain sectors, e.g. defense or pharmaceuticals, might be positioned as more easily managed and controlled than AI’s general application. However, could such a limit really be imposed, particularly in the light of potential for transformative creative leaps that AI seems to promise? I say that would be unlikely – resulting in yet more controls. Leaving aside the fourth stage of unknown unknowns of unanticipated consequences, the third phase, i.e. regulation, would almost inevitably run into trouble of its own by virtue to having to legally define something as unprecedented and mutable as AI. It seems to me, therefore, that even the basic phases of AI’s interaction with regulation could be fraught with problems for innovators, implementers and regulators.

The second, more AI-specific perspective is driven by the way its capabilities will emerge, which I feel will break down into three basic stages:

  1. Distinction: Creation of smarter sensors;
  2. Direction: Automation of human-initiated decision-making;
  3. Delegation: Enablement of entirely independent decision-making.

Smarter sensors will come in various forms, not least as part of the Internet of Things (IoT), and their aggregated data will have implications for privacy. 20th century “dumb lenses” are already being connected to systems that can pick out number plates or human faces but truly smart sensors could know almost anything about us, from what is in our fridge and on our grocery list, to where we are going and whom we will meet. It is this aggregated, networked aspect of smarter sensors that will be at the core of the first AI challenge for policy-makers. As they become discriminating enough to anticipate what we might do next, e.g. in order to offer us useful information ahead of time, they create an inadvertent panopticon that the unscrupulous and actively criminal can exploit.

Moving past this challenge, AI will become able to support and enhance human decision-making. Human input will still be essential but it might be as limited as a “go/no go” on an AI-generated proposal. From a legal perspective, mens rea or scope of liability might not be wholly thrown into confusion, as a human decision-maker remains. Narrow applications in certain highly technical areas, e.g. medicine or engineering, might be practical but day-to-day users could be flummoxed if every choice had unreadable but legally essential Terms & Conditions. The policy-making response may be to use tort/liability law, obligatory insurance for AI providers/users, or new risk management systems to hedge the downside of AI-enhanced decision-making without losing the full utility of the technology.

Once decision-making is possible without human input, we begin to enter the realm of speculation.  However, it is important to remember that there are already high-frequency trading (HFT) systems in financial markets that operate independent of direct human oversight, following algorithmic instructions. The suggested linkages between “flash crash” events and HFT highlight, nonetheless, the problems policy-makers and regulators will face. It may be hard to foresee what even a “limited” AI might do in certain circumstances, and the ex-ante legal liability controls mentioned above may seem insufficient to policy-makers should a system get out of control, either in the narrow sense of being out of the control of those people legally responsible for it, or in the general sense of it being out of control of anybody.

These three stages would suggest significant challenges for policy-makers, with existing legal processes losing their applicability as AI moves further away from direct human responsibility. The law is, however adaptable, and solutions could emerge. In extremis we might, for example, be willing to add to the concept of “corporate persons” with a concept of “artificial persons”. Would any of us feel safer if we could assign legal liability to the AIs themselves and then sue them as we do corporations and businesses? Maybe.

In summary then, the true challenges for AI’s development may not exist solely in the big ticket moments of beating chess masters or passing Turing Tests. Instead, there will be any number of roadblocks caused by the needs of regulatory and policy processes systems still rooted in the 19th and 20th centuries. And, odd though this may sound from a technologist like me, that delay might be a good thing, given the potential transformative power of AI.

 



from Paul Nicholas

Monday, April 24, 2017

4 steps to managing shadow IT

Shadow IT is on the rise. More than 80 percent of employees report using apps that weren’t sanctioned by IT. Shadow IT includes any unapproved hardware or software, but SaaS is the primary cause in its rapid rise. Today, attempting to block it is an outdated, ineffective approach. Employees find ways around IT controls.

How can you empower your employees and still maintain visibility and protection? Here are four steps to help you manage SaaS apps and shadow IT.

Step 1: Find out what people are actually using

The first step is to get a detailed picture of how employees use the cloud. Which applications are they using? What data is uploaded and downloaded? Who are the top users? Is a particular app too risky? These insights provide information that can help you develop a strategy for cloud app use in your organization, as well as indicate whether an account has been compromised or a worker is taking unauthorized actions.

Step 2: Control data through granular policies

Once you have comprehensive visibility and understanding of the apps your organization uses, you can begin to monitor users’ activities and implement custom policies tailored to your organization’s security needs. Policies like restricting certain data types or alerts for unexpectedly high rates of an activity. You can take actions when there are violations against your policy. For instance, you can take a public link and make it private or create a user quarantine.

Step 3: Protect your data at the file level

Protecting data at the file level is especially important when data is accessed via unknown applications. Data loss prevention (DLP) policies can help ensure that employees don’t accidentally send sensitive information, such as personally identifiable information (PII) data, credit card numbers, and financial results outside of your corporate network. Today, there are solutions that help make that even easier.

Step 4: Use behavioral analytics to protect apps and data

Through machine learning and behavioral analytics, innovative threat detection technologies analyze how each user interacts with the SaaS applications and assess the risks through deep analysis. This helps you to identify anomalies that may indicate a data breach, such as simultaneous logons from two countries, the sudden download of terabytes of data, or multiple failed-logon attempts that may signify a brute force attack.

Where can you start?

Consider a Cloud Access Security Broker (CASB). These solutions are designed to help you achieve each of these steps in a simple, manageable way. They provide deeper visibility, comprehensive controls, and improved protection for the cloud applications your employees use—sanctioned or unsanctioned.

To learn why CASBs are becoming a necessity, read our new e-book. It outlines the common issues surrounding shadow IT and how a CASB can be a helpful tool in your enterprise security strategy.

Read Bring Shadow IT into the Light.

 



from Microsoft Secure Blog Staff

Friday, April 21, 2017

[SANS ISC] Analysis of a Maldoc with Multiple Layers of Obfuscation

I published the following diary on isc.sans.org: “Analysis of a Maldoc with Multiple Layers of Obfuscation“.

Thanks to our readers, we get often interesting samples to analyze. This time, Frederick sent us a malicious Microsoft Word document called “Invoice_6083.doc” (which was delivered in a zip archive). I had a quick look at it and it was interesting enough for a quick diary… [Read more]

[The post [SANS ISC] Analysis of a Maldoc with Multiple Layers of Obfuscation has been first published on /dev/random]



from Xavier

Thursday, April 20, 2017

Archive.org Abused to Deliver Phishing Pages

The Internet Archive is a well-known website and more precisely for its “WaybackMachine” service. It allows you to search for and display old versions of websites. The current Alexa ranking is 262 which makes it a “popular and trusted” website. Indeed, like I explained in a recent SANS ISC diary, whitelists of websites are very important for attackers! The phishing attempt that I detected was also using the URL shortener bit.ly (Position 9380 in the Alexa list).

The phishing is based on a DHL notification email. The mail has a PDF attached to it:

DHL Notification

This PDF has no malicious content and is therefore not blocked by antispam/antivirus. The link “Click here” points to a bit.ly short URL:

hxxps://bitly.com/2jXl8GJ

Note that HTTPS is used which already make the traffic non-inspected by many security solutions.


Tip: If you append a “+” at the end of the URL, bit.ly will not directly redirect you to the hidden URL but will display you an information page where you can read this URL!


The URL behind the short URL is:

hxxps://archive.org/download/gxzdhsh/gxzdhsh.html

Bit.ly also maintains statistics about the visitors:

bit.ly Statistics

It’s impressive to see how many people visited the malicious link. The phishing campaign was also active since the end of March. Thank you bit.ly for this useful information!

This URL returns the following HTML code:

<html>
<head>
<title></title>
<META http-equiv="refresh" content="0;URL=data:text/html;base64, ... (base64 data) ... "
</head>
<body bgcolor="#fffff">
<center>
</center>
</body>
</html>

The refresh META tag displays the decoded HTML code:

<script language="Javascript">
document.write(unescape('%0A%3C%68%74%6D%6C%20%68%6F%6C%61%5F%65%78%74%5F%69%6E%6A%65%63
%74%3D%22%69%6E%69%74%65%64%22%3E%3C%68%65%61%64%3E%0A%3C%6D%65%74%61%20%68%74%74%70%2D
%65%71%75%69%76%3D%22%63%6F%6E%74%65%6E%74%2D%74%79%70%65%22%20%63%6F%6E%74%65%6E%74%3D
%22%74%65%78%74%2F%68%74%6D%6C%3B%20%63%68%61%72%73%65%74%3D%77%69%6E%64%6F%77%73%2D%31
%32%35%32%22%3E%0A%3C%6C%69%6E%6B%20%72%65%6C%3D%22%73%68%6F%72%74%63%75%74%20%69%63%6F
%6E%22%20%68%72%65%66%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%64%68%6C%2E%63%6F%6D%2F%69
%6D%67%2F%66%61%76%69%63%6F%6E%2E%67%69%6
...
%3E%0A%09%3C%69%6D%67%20%73%72%63%3D%22%68%74%74%70%3A%2F%2F%77%77%77%2E%66%65%64%61%67
%72%6F%6C%74%64%2E%63%6F%6D%2F%6D%6F%62%2F%44%48%4C%5F%66%69%6C%65%73%2F%61%6C%69%62%61
%62%61%2E%70%6E%67%22%20%68%65%69%67%68%74%3D%22%32%37%22%20%0A%0A%77%69%64%74%68%3D%22
%31%33%30%22%3E%0A%09%3C%2F%74%64%3E%0A%0A%09%3C%2F%74%72%3E%3C%2F%74%62%6F%64%79%3E%3C
%2F%74%61%62%6C%65%3E%3C%2F%74%64%3E%3C%2F%74%72%3E%0A%0A%0A%0A%0A%3C%74%72%3E%3C%74%64
%20%68%65%69%67%68%74%3D%22%35%25%22%20%62%67%63%6F%6C%6F%72%3D%22%23%30%30%30%30%30%30
%22%3E%0A%3C%2F%74%64%3E%3C%2F%74%72%3E%0A%0A%3C%2F%74%62%6F%64%79%3E%3C%2F%74%61%62%6C
%65%3E%0A%0A%0A%0A%3C%2F%62%6F%64%79%3E%3C%2F%68%74%6D%6C%3E'));
</Script>

The deobfuscated script displays the following page:

DHL Phishing Page

The pictures are stored on a remote website but it has already been cleaned:

hxxp://www.fedagroltd.com/mob/DHL_files/

Stolen data are sent to another website: (This one is still alive)

hxxp://www.magnacartapeace.org.ng/wp/stevedhl/kenbeet.php

The question is: how this phishing page was stored on archive.org? If you visit the upper level on the malicious URL (https://archive.org/download/gxzdhsh/), you find this:

archive.org Files

Go again to the upper directory (‘../’) and you will find the owner of this page: alextray. This guy has many phishing pages available:

alextray's Projects

Indeed, the Internet Archives website allows registered users to upload content as stated in the FAQ. If you search for ‘archive.org/download’ on Google, you will find a lot of references to multiple contents (most of them are harmless) but on VT, there are references to malicious content hosted on archive.org.

Here is the list of phishing sites hosted by “alextray”. You can use them as IOC’s:

hxxps://archive.org/download/gjvkrduef/gjvkrduef.html
hxxps://archive.org/download/Jfojasfkjafkj/jfojas;fkj;afkj;.html
hxxps://archive.org/download/ygluiigii/ygluiigii.html (Yahoo!)
hxxps://archive.org/download/ugjufhugyj/ugjufhugyj.html (Microsoft)
hxxps://archive.org/download/khgjfhfdh/khgjfhfdh.html (DHL)
hxxps://archive.org/download/iojopkok/iojopkok.html (Adobe)
hxxps://archive.org/download/Lkmpk/lkm[pk[.html (Microsoft)
hxxps://archive.org/download/vhjjjkgkgk/vhjjjkgkgk.html (TNT)
hxxps://archive.org/download/ukryjfdjhy/ukryjfdjhy.html (TNT)
hxxps://archive.org/download/ojodvs/ojodvs.html (Adobe)
hxxps://archive.org/download/sfsgwg/sfsgwg.html (DHL)
hxxps://archive.org/download/ngmdlxzf/ngmdlxzf.html (Microsoft)
hxxps://archive.org/download/zvcmxlvm/zvcmxlvm.html (Microsoft)
hxxps://archive.org/download/ugiutiyiio/ugiutiyiio.html (Yahoo!)
hxxps://archive.org/download/ufytuyu/ufytuyu.html (Microsoft Excel)
hxxps://archive.org/download/xgfdhfdh/xgfdhfdh.html (Adobe)
hxxps://archive.org/download/itiiyiyo/itiiyiyo.html (DHL)
hxxps://archive.org/download/hgvhghg/hgvhghg.html (Google Drive)
hxxps://archive.org/download/sagsdg_201701/sagsdg.html (Microsoft)
hxxps://archive.org/download/bljlol/bljlol.html (Microsoft)
hxxps://archive.org/download/gxzdhsh/gxzdhsh.html (DHL)
hxxps://archive.org/download/bygih_201701/bygih.html (DHL)
hxxps://archive.org/download/bygih/bygih.html (DHL)
hxxps://archive.org/download/ygi9j9u9/ygi9j9u9.html (Yahoo!)
hxxps://archive.org/download/78yt88/78yt88.html (Microsoft)
hxxps://archive.org/download/vfhyfu/vfhyfu.html (Yahoo!)
hxxps://archive.org/download/yfuyj/yfuyj.html (DHL)
hxxps://archive.org/download/afegwe/afegwe.html (Microsoft)
hxxps://archive.org/download/nalxJL/nalxJL.html (DHL)
hxxps://archive.org/download/jfleg/jfleg.html (DHL)
hxxps://archive.org/download/yfigio/yfigio.html (Microsoft)
hxxps://archive.org/download/gjbyk/gjbyk.html (Microsoft)
hxxps://archive.org/download/nfdnkh/nfdnkh.html (Yahoo!)
hxxps://archive.org/download/GfhdtYry/gfhdt%20yry.html (Microsoft)
hxxps://archive.org/download/fhdfxhdh/fhdfxhdh.html (Microsoft)
hxxps://archive.org/download/iohbo6vu5/iohbo6vu5.html (DHL)
hxxps://archive.org/download/sgsdgh/sgsdgh.html (Adobe)
hxxps://archive.org/download/mailiantrewl/mailiantrewl.html (Google)
hxxps://archive.org/download/ihiyi/ihiyi.html (Microsoft)
hxxps://archive.org/download/glkgjhtrku/glkgjhtrku.html (Microsoft)
hxxps://archive.org/download/pn8n8t7r/pn8n8t7r.html (Microsoft)
hxxps://archive.org/download/aEQWGG/aEQWGG.html (Yahoo!)
hxxps://archive.org/download/isajcow/isajcow.html (Yahoo!)
hxxps://archive.org/download/pontiffdata_yahoo_Kfdk/;kfd;k.html (Yahoo!)
hxxps://archive.org/download/vuivi/vuivi.html (TNT)
hxxps://archive.org/download/lmmkn/lmmkn.html (Microsoft)
hxxps://archive.org/download/ksafaF/ksafaF.html (Google)
hxxps://archive.org/download/fsdgs/fsdgs.html (Microsoft)
hxxps://archive.org/download/joomlm/joomlm.html (Microsoft)
hxxps://archive.org/download/rdgdh/rdgdh.html (Adobe)
hxxps://archive.org/download/pontiffdata_yahoo_Bsga/bsga.html (Microsoft)
hxxps://archive.org/download/ihgoiybot/ihgoiybot.html (Microsoft)
hxxps://archive.org/download/dfhrf/dfhrf.html (Microsoft)
hxxps://archive.org/download/pontiffdata_yahoo_Kgfk_201701/kgfk.html (Microsoft)
hxxps://archive.org/download/jhlhj/jhlhj.html (Yahoo!)
hxxps://archive.org/download/pontiffdata_yahoo_Kgfk/kgfk.html (Microsoft)
hxxps://archive.org/download/pontiffdata_yahoo_Gege/gege.html (Microsoft)
hxxps://archive.org/download/him8ouh/him8ouh.html (DHL)
hxxps://archive.org/download/maiikillll/maiikillll.html (Google)
hxxps://archive.org/download/pontiffdata_yahoo_Mlv/mlv;.html (Microsoft)
hxxps://archive.org/download/oiopo_201701/oiopo.html (Microsoft)
hxxps://archive.org/download/ircyily/ircyily.html (Microsoft)
hxxps://archive.org/download/vuyvii/vuyvii.html (DHL)
hxxps://archive.org/download/fcvbt_201612/fcvbt.html (Microsoft)
hxxps://archive.org/download/poksfcps/poksfcps.html (Yahoo!)
hxxps://archive.org/download/tretr_201612/tretr.html
hxxps://archive.org/download/eldotrivoloto_201612/eldotrivoloto.html (Microsoft)
hxxps://archive.org/download/babalito_201612/babalito.html (Microsoft)
hxxps://archive.org/download/katolito_201612/katolito.html (Microsoft)
hxxps://archive.org/download/kingshotties_201612/kingshotties.html (Microsoft)
hxxps://archive.org/download/fcvbt/fcvbt.html (Microsoft)
hxxps://archive.org/download/vkvkk/vkvkk.html (DHL)
hxxps://archive.org/download/pontiffdata_yahoo_Vkm/vkm;.html (Microsoft)
hxxps://archive.org/download/hiluoogi/hiluoogi.html (Microsoft)
hxxps://archive.org/download/ipiojlj/ipiojlj.html (Microsoft)

[The post Archive.org Abused to Deliver Phishing Pages has been first published on /dev/random]



from Xavier

Navigating cybersecurity in the New Age

In today’s rapidly evolving tech landscape, tools, gadgets, and platforms aren’t the only things advancing. Cyberattacks are becoming more powerful, wide-ranging, and harmful to organizations around the globe.

For any enterprise, cybersecurity is one of the most essential factors to business success. With new and emerging technology, leaders have to explore modern security needs via stronger, more intelligent solutions. Today, the modern security officers must:

  • Recognize the intricacies of the cyberspace and the cyberattacks that threaten it
  • Take advantage of machine learning and cloud platforms that enhance security
  • Gain insights to top trends and the future of the cybersecurity industry

Navigating today’s advanced cyber threats is a team effort. Organizations must learn new skills to protect themselves from cyber criminals and ensure infrastructure security. It takes a team of security experts, analysts, IT specialists, and risk assessors to restructure and refine cybersecurity.

On May 10th, Microsoft will live stream from the Security Summit, an invitation-only event for Chief Information Security Officers.  Attend the live, Virtual Security Summit to hear from leading security experts about best practices and solutions to keep your organization safe.

Don’t miss out on the opportunity to gain insights and learn how to protect your organization, detect, and respond to evolving cyberattacks.

 

 



from Microsoft Secure Blog Staff

[SANS ISC] DNS Query Length… Because Size Does Matter

I published the following diary on isc.sans.org: “DNS Query Length… Because Size Does Matter“.

In many cases, DNS remains a goldmine to detect potentially malicious activity. DNS can be used in multiple ways to bypass security controls. DNS tunnelling is a common way to establish connections with remote systems. It is often based on “TXT” records used to deliver the encoded payload. “TXT” records are also used for good reasons, like delivering SPF records but, too many TXT DNS request could mean that something weird is happening on your network… [Read more]

[The post [SANS ISC] DNS Query Length… Because Size Does Matter has been first published on /dev/random]



from Xavier

"Gamify Your Awareness Program - At the #SecAwareSummit"

Editor's Note: Graham Westbrook is the head of awareness atGeisinger Health System in PA/NJ. Heis one of the speakers for the upcoming Security Awareness Summit 2/3 Aug in Nashville, TN. Below he gives an overviewhisupcoming talk on Gamification. I entered the cybersecurity industry from the back door, you could say, having gone to school for &hellip; Continue reading Gamify Your Awareness Program - At the #SecAwareSummit

from lspitzner