
Let's open this issue with another item from the industry: IBM intends to put the Watson supercomputer to work on information security problems (news, official press release). As a reminder, Watson is, as the official documents put it, a hardware and software complex (a cluster of 90 servers) capable of answering questions in natural language, that is, a kind of artificial intelligence. In 2011 Watson beat the puny humans, multiple-time champions, at Jeopardy! (our local equivalent is "Svoya Igra").
IBM wants to teach Watson to handle the large flow of information related to information security, so that the supercomputer can "tell viruses from trojans". To do this, IBM will collaborate with a number of American universities, whose students will prepare the information for further processing. There is a lot of data: we are talking about billions of records. However, it is too early to say that artificial intelligence and human-like robots will protect us from all cyber threats. The final goals in the announcement are painted in very broad strokes: "automate the discovery of relationships between data [about incidents], potential threats and protection strategies".
On the one hand, the topic of machine learning, artificial intelligence and the search for anomalies in huge data flows (for example, in network traffic) is very promising, and in fact these algorithms are already widely used: from detecting new threats based on information about previous incidents to identifying complex, targeted attacks. On the other hand, almost everyone in the industry agrees that it will not be possible to automate everything, even if you equip every large company with a pair of Watsons. The share of "manual labor", or rather the need for highly skilled experts to investigate threats, remains very high. The human factor plays a large role in security, and that is a task that lends itself very poorly to algorithms. However, IBM formulates the task correctly: "give security experts new capabilities". Not replace them. This is the key difference between this initiative and other attempts to advertise on the theme of smart machines, promising that "the computer will understand everything" and will learn to detect any attack. It won't. Why, I will explain under the cut.
Previous episodes of the series are here.
Of all the recent successes in the field of artificial intelligence, the victories of machines over people in intellectual games are the most popular: Deep Blue against Kasparov in chess, Watson in Jeopardy!, and, most recently, a supercomputer's victory in Go. In March, when I was at the RSA conference, the victory in Go was mentioned in almost every second talk. I will quote RSA President Amit Yoran on this topic: AI is cool, but do not expect any breakthroughs in this direction with respect to IT security, judging by today's successes.
It is one thing to win even a complex "human" game, and quite another to predict and prevent cyber attacks. In the first case the game is played by the rules. In the second there are no rules. AI in information security helps only with individual tasks, and the more such "trained" technologies there are, the more time the expert will have for other problems: assessing risks, predicting attack vectors and preventing the most complex incidents. Replacing the human entirely has not been achieved yet and is unlikely to be.
Dangerous vulnerabilities in Windows and Adobe Flash are already being used to attack users and retail networks. News about Microsoft. News about Adobe.
The Windows vulnerability was patched in two stages: a hole that allows arbitrary code execution with system privileges was partially closed in one of the April patch packages and finally closed in a fresh update released this Tuesday. The vulnerability affects all current versions of Windows, from 7 to 10, and was discovered, alas, during the analysis of a series of successful attacks. Moreover, the criminals deliberately targeted companies and devices used to process credit card payments. The campaign was discovered in March by FireEye: the initial penetration into the victim's network was, traditionally, carried out with a "prepared" Word document sent by e-mail. In general, the season of attacks on American retail chains that I mentioned earlier continues: the criminals are trying to grab what they can before EMV payments (chip and PIN, as in all normal countries) are introduced, after which intercepting card data becomes much more complicated.
The critical vulnerability in Adobe Flash may or may not be exploited in the wild: Adobe says it has not seen attacks, independent sources say otherwise. Given the potential danger of the vulnerability (exploitation can crash the application and give control over the system), Adobe gave advance warning of its discovery on May 10 and released a cumulative patch on the 12th.
Cryptolockers: the view from the victim's side. An article on Threatpost.
The most popular publication on Threatpost this week is not news, but it shows the ransomware Trojan problem from an unexpected angle. An IT specialist at a company that runs an online casino shared the victim's view of the problem and asked that no names be given before publication. The company employs about a thousand people. Although such a business is very vulnerable to cyber attacks, as is often the case, IT security is not the top priority: there are plenty of other problems.
The article gives an example of a real cryptolocker attack on the company's infrastructure. The point of entry is an external consultant, a specialist working remotely on a laptop provided by the company. For some reason the laptop is not protected by anything, but it does have a connection to the corporate network folders, allegedly due to misconfiguration (the file shares are mounted into the Public folder of the user's profile, not the best option). After an attempt to open an attachment in an e-mail that looks like an ordinary invoice, data encryption begins. And here it is clearly visible how slowly the user and the IT staff react to the problem, when reacting quickly is exactly what is needed.

The owner of the laptop spends half an hour getting through to support; he still thinks some technical malfunction has occurred. While he explains what is happening, the encryption continues, until he finally gets the right advice: disconnect the laptop from the network right now. In the meantime, files on the server and on some other employees' computers, which are just as sloppily connected to the network folders, have had time to be encrypted. In general, the story is typical: an attack through the most vulnerable link, which usually turns out to be a contractor or freelancer, encryption of data on the computer and on network folders, and rapid spread of the problem across the network. Fortunately, in this case no important data was lost and the company's operations were not disrupted. Finally, an interesting private observation: if six months ago the company's administrators recorded one cryptolocker attack attempt per day, they now block at least three. The company was attacked by the TeslaCrypt Trojan, which we wrote about in detail last year.
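One defender-side takeaway from this story is that a cryptolocker chewing through a mounted share announces itself as a burst of writes and renames from a single host, and the faster that host is identified, the less gets encrypted. The script below is an added example, not code from the article or from the company described; it runs a simple burst detector over a constructed file-server audit trail (the log format, host and user names and the thresholds are all assumptions) so that the offending machine can be cut off from the network quickly.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed audit-trail format: "<ISO time> <user>@<host> <WRITE|RENAME> <path>", one event per line.
LINE_RE = re.compile(r"^(\S+) (\S+)@(\S+) (WRITE|RENAME) (.+)$")


def constructed_log():
    """Constructed sample (not real data): an office PC touching two spreadsheets,
    then the contractor's laptop rewriting 40 documents on the share in about 30 seconds."""
    lines = [
        "2016-05-11T09:00:01 alice@ws12 WRITE \\\\fs01\\public\\reports\\q1.xlsx",
        "2016-05-11T09:03:10 alice@ws12 WRITE \\\\fs01\\public\\reports\\q2.xlsx",
    ]
    start = datetime(2016, 5, 11, 9, 5, 0)
    for i in range(40):
        ts = (start + timedelta(milliseconds=750 * i)).isoformat(timespec="seconds")
        lines.append(f"{ts} bob@lt-consult RENAME \\\\fs01\\public\\docs\\{i}.doc")
    return "\n".join(lines)


def parse(log_text):
    """Turn audit lines into (timestamp, user, host, op, path) tuples; unparsable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return events


def find_burst_sources(events, window=timedelta(seconds=60), threshold=20):
    """Return {host: (distinct_files, window_start)} for hosts that modified or renamed at least
    `threshold` distinct files within any `window`. A person opening an invoice touches one file
    a minute; a cryptolocker on a mounted share touches hundreds."""
    per_host = defaultdict(list)
    for ts, _user, host, _op, path in events:
        per_host[host].append((ts, path))
    flagged = {}
    for host, evs in per_host.items():
        evs.sort()
        lo = 0
        for hi, (ts, _path) in enumerate(evs):
            while evs[lo][0] < ts - window:  # slide the window's left edge forward
                lo += 1
            files = {p for _, p in evs[lo:hi + 1]}
            if len(files) >= threshold:
                flagged[host] = (len(files), evs[lo][0])
                break  # first crossing is enough: the host is already a candidate for isolation
    return flagged


if __name__ == "__main__":
    for host, (count, since) in find_burst_sources(parse(constructed_log())).items():
        print(f"isolate {host}: {count} files touched since {since}")
```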
What else happened:
- Another vulnerability in system software on Lenovo laptops.
- An interesting long read in Wired magazine about the complicated relationship between the US FBI and Eastern European cybercrime.
- A cryptolocker attempted to attack the US Congress.
- The creator of the anonymous payment system LibertyReserve was sentenced to 20 years.
Antiquities: "Something-658"
A very dangerous memory-resident virus; it writes itself to the beginning of COM files as they are run. On the 11th of each month it erases the C:\AUTOEXEC.BAT file, writes the commands DEL *.COM, DEL *.EXE into it, and then creates a zero-length file named SOME. Hooks int 21h. Contains the strings: "Something v1.1", "some c:\autoexec.bat del *.com del *.exe".
Quote from the book "Computer Viruses in MS-DOS" by Eugene Kaspersky, 1992, page 83.
Disclaimer: This column reflects only the personal opinion of its author. It may coincide with the position of Kaspersky Lab, or it may not. As luck would have it.