The Monday Media Wrap Up: MIT Bug Bounty Program, AI, and Shortened URLs

Articles from April 16-22

Experts Weigh-In Over FBI $1.3 Milliion iPhone Zero-Day Payout
Threatpost | Tom Spring | April 22, 2016
Was the Federal Bureau of Investigation justified in paying over $1.3 million for a hacking tool that opened the iPhone 5c of the San Bernardino shooter? For some in the security community the answer is a resounding yes. For others, the answer is not so clear-cut. Zero-day exploits can sell for between $500 to $1 million, depending on the on the exploit and affected product. Zero-day broker Zerodium says it paid $1 million to for an iOS 9 zero day last year to an unknown seller. In that case, the exploit required the iPhone to be unlocked and the user to visit the exploit code with a web browser. For those on the other side of the debate, critical of the FBI’s $1.3 million payout, they see the move as counter intuitive when it comes to security and government spending.

MIT Launches Bug Bounty Program
Dark Reading | Jai Vijayan | April 20, 2016
Bug bounty programs have proved to be an effective way for organizations to discover potentially serious security vulnerabilities in their infrastructure. It is the reason why software and technology vendors are not the only ones with such programs these days, but a growing number of enterprises as well. Under the MIT bug bounty program, bug hunters are free to search for vulnerabilities in the university’s main student information system domain, its Atlas administrative systems hub, and the MIT course management system. While bug hunters are not restricted from reporting any bugs, the university says it is most interested in discoveries involving SQL injection errors, remote code execution flaws, and weaknesses that allow privilege escalation and bypass of user authorization controls. One reason why a growing number of organizations have begun using bug bounty programs is to give bug hunters more of an incentive for reporting a bug to them instead of selling it to a malicious adversary. Previous research has shown that bug bounty programs work especially well in unearthing vulnerabilities in relatively young software.

New point-of-sale malware Multigrain steals card data over DNS
PC World | Lucian Constantin | April 20, 2016
Security researchers have found a new memory-scraping malware program that steals payment card data from point-of-sale (PoS) terminals and sends it back to attackers using the Domain Name System (DNS). Dubbed Multigrain, the threat is part of a family of malware programs known as NewPosThings, with which it shares some code. However, this variant was designed to target specific environments. Multigrain was designed with stealth in mind. It is digitally signed, it installs itself as a service called Windows Module Extension and more importantly, it sends data back to attackers via DNS queries. Stolen payment card data is first encrypted with a 1024-bit RSA key and then it’s passed through a Base32 encoding process. The resulting encoded data is used in a DNS query for log.[encoded_data], where “evildomain” is a domain name controlled by the attackers. This query will appear in the authoritative DNS server for the domain, which is also controlled by the attackers.

Palo Alto Networks working to share threat intelligence
Network World | Tim Greene | April 19, 2016
Palo Alto Networks is on board with industry-wide efforts to share threat intelligence and disseminate it so the collective knowledge businesses gather about threats can be quickly turned into defenses against new types of attacks. Network World’s Tim Greene recently spoke with Pal Alto’s CSO Rick Howard regarding the impact of the Cybersecurity Information Sharing Act, the potential value to customers, and the growth of the alliance.

A.I. + humans = serious cybersecurity
IDG | Katherine Noyes | April 18, 2016
Neither humans nor A.I. has proven overwhelmingly successful at maintaining cybersecurity on their own, so why not see what happens when you combine the two? That’s exactly the premise of a new project from MIT, and it’s achieved some impressive results. Researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) and machine-learning startup PatternEx have developed a new platform called A.I.2 that can detect 85 percent of attacks. It also reduces the number of “false positives” – nonthreats mistakenly identified as threats – by a factor of five. Creating cybersecurity systems that merge human and computer-based approaches isn’t easy, though, partly because of the challenge of manually labeling cybersecurity data for the algorithms. Recognizing that constraint, A.I.2uses machine learning first to find the most important potential problems; only then does it show the top events to analysts for labeling. On day one of its training, A.I.2 picks the 200 “most abnormal” events using unsupervised machine learning and gives them to the human expert, MIT explained. Those analysts then confirm which events are actual attacks, and the system incorporates that feedback into its models for the next set of data.

Personal data is exposed by older, shortened URLs 
Network World | Patrick Nelson | April 18, 2016
Services that convert long, cumbersome URLs, such as those found in mapping directions, to short URLs are publicly exposing the original URL. Original addresses can be obtained through brute-force scanning, researchers say. And that vulnerability allows foes to track an individual’s possibly sensitive movements, as well as see perceived-of-as-private documents. Additionally, the brute force-exposed cloud documents could allow “adversaries” to inject arbitrary malicious content into unlocked accounts, which is then automatically copied into all of the account owner’s devices. Major cloud providers have taken notice. Google Maps increased the size of its tokens from five characters to 11 or 12 after the scientists told the company about the findings. The researchers had mixed results trying to report their findings to provider firms, however. Other URL shortening providers, including Microsoft, which uses URL shortening in its Bing products, have also made security enhancements. Older shortened URLs, however, still have the vulnerability. They have not been fixed—the URLs are out there as is.