On Software Liabilities


Over on Lawfare, Jim Dempsey published a really interesting proposal for software liability: “Standard for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor.”

Section 1 of this paper sets the stage by briefly describing the problem to be solved. Section 2 canvasses the different fields of law (warranty, negligence, products liability, and certification) that could provide a starting point for what would have to be legislative action establishing a system of software liability. The conclusion is that all of these fields would face the same question: How buggy is too buggy? Section 3 explains why existing software development frameworks do not provide a sufficiently definitive basis for legal liability. They focus on process, while a liability regime should begin with a focus on the product—that is, on outcomes. Expanding on the idea of building codes for building code, Section 4 shows some examples of product-focused standards from other fields. Section 5 notes that already there have been definitive expressions of software defects that can be drawn together to form the minimum legal standard of security. It specifically calls out the list of common software weaknesses tracked by the MITRE Corporation under a government contract. Section 6 considers how to define flaws above the minimum floor and how to limit that liability with a safe harbor.

Full paper here.

Dempsey basically creates three buckets of software vulnerabilities: easy stuff that the vendor should have found and fixed, hard-to-find stuff that the vendor couldn’t be reasonably expected to find, and the stuff in the middle. He draws from other fields—consumer products, building codes, automobile design—to show that courts can deal with the stuff in the middle.

I have long been a fan of software liability as a policy mechanism for improving cybersecurity. And, yes, software is complicated, but we shouldn’t let the perfect be the enemy of the good.

In 2003, I wrote:

Clearly this isn’t all or nothing. There are many parties involved in a typical software attack. There’s the company who sold the software with the vulnerability in the first place. There’s the person who wrote the attack tool. There’s the attacker himself, who used the tool to break into a network. There’s the owner of the network, who was entrusted with defending that network. One hundred percent of the liability shouldn’t fall on the shoulders of the software vendor, just as one hundred percent shouldn’t fall on the attacker or the network owner. But today one hundred percent of the cost falls on the network owner, and that just has to stop.

Courts can adjudicate these complex liability issues, and have figured this thing out in other areas. Automobile accidents involve multiple drivers, multiple cars, road design, weather conditions, and so on. Accidental restaurant poisonings involve suppliers, cooks, refrigeration, sanitary conditions, and so on. We don’t let the fact that no restaurant can possibly fix all of the food-safety vulnerabilities lead us to the conclusion that restaurants shouldn’t be responsible for any food-safety vulnerabilities, yet I hear that line of reasoning regarding software vulnerabilities all of the time.


Do you still need antivirus protection for Windows in 2024?


The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

The question of whether you need antivirus (AV) for Windows devices is always up for debate. Advances in technology have made the operating system (OS) more secure and reliable. Nevertheless, the effectiveness and lethality of cyber threats have increased as well, and every year millions of Windows users fall victim to various digital perils.

This article will discuss whether antivirus software is needed for Windows devices. You’ll discover how AVs work and the most common cyberattacks they can prevent. Moreover, we’ll review the benefits and drawbacks of built-in and third-party antivirus software.

How does antivirus work?

Scanning, removing, preventing – these are the 3 main stages of how an antivirus works.

Once you install an AV, it scans every email, app, and file. During this process, it compares the results with its database. If something is off, the antivirus marks it as malware.

Then, the AV either quarantines the malicious files or entirely obliterates them. And while all that is happening, a reliable antivirus runs smoothly in the background, preventing intruders from harming your devices and stealing your data.

According to Datto’s global research, Windows device users should be the most concerned about their safety. Around 91% of gadgets that use this OS have been targeted by ransomware attacks.

Nevertheless, no OS is entirely immune to online perils. Whether you use a Mac, Windows, or Android device, it’s better to be safe than sorry and use an AV. That way, you won’t put yourself, your devices, or your precious data at risk.

What threats can a Windows antivirus prevent?

As we briefly mentioned, a reliable antivirus can protect your device from online dangers. There are a few most common ones. Below, you’ll find them and what threat they pose:

Viruses: These malicious programs multiply and spread from one computer to another. Viruses can attach themselves to programs and files, damage the system, and let other malware in.
Malvertising: Cybercriminals can inject malicious code into online advertisements. These compromised ads can infect users’ devices or redirect them to dangerous websites without their knowledge or consent.
Ransomware: Malicious actors use this tactic to lock up your data and demand a ransom, usually in cryptocurrency, in exchange for the decryption key.
Phishing attack: You might receive fake emails and messages or be redirected to websites asking for information. That way, cybercriminals want to get access to your usernames, passwords, and financial data.
Drive-by downloads: You might stumble across malicious sites that automatically download unwanted files onto your device. The software can then wreak havoc on your computer or smartphone.
Password attacks: Malicious actors can use brute-force attacks (repeatedly trying different combinations), keylogging (recording keystrokes), or credential stuffing (using known usernames and passwords obtained from other breaches) to steal your information.

You can fall victim to any of these attacks. Therefore, we highly recommend getting a powerful and reliable antivirus for Windows 11.

Built-in or third-party Windows antivirus: which one should you choose?

You probably know that Windows comes with its built-in antivirus, Windows Defender. It’s automatically enabled and provides real-time protection against various types of malware, including viruses, spyware, and ransomware. While it’s suitable for basic safety, it’s far from ideal.

Sadly, Windows Defender doesn’t have the advanced protection features that third-party AVs have. Moreover, other anti-malware apps perform better on Windows devices without taking a massive toll on the system. Plus, using a third-party antivirus can create a more diverse security ecosystem that will ensure better security and privacy.

Therefore, if you don’t want to risk your data and be 100% sure that no one breaches your privacy, it would be wiser to use top-tier third-party antivirus software for Windows.

How to choose the best Windows Antivirus?

There are loads of antivirus apps that claim to be the best for Windows OS users. However, you shouldn’t trust every claim they make. Therefore, before choosing an AV, we suggest looking at the most important aspects that will help you pick a trustworthy antivirus:

Reputation. To find out whether an antivirus is truly worth it, check out Reddit threads, forums, and review sites. Users there gladly share their experiences with the AVs, so you’ll get a better understanding of how good the antivirus is.
Effectiveness. Another thing you need to look at is how well the AV performs when detecting and eliminating malware. For that, you should check out independent testing sites like av-test.org or selabs.uk.
Privacy. Don’t forget to look at your potential provider’s privacy policy. Some AVs are notorious for collecting users’ data and later selling it to data brokers.
Ease of use. An antivirus should provide an intuitive interface and easy configuration settings. Yet again, you can depend on Reddit threads or test it out yourself if an AV has a free trial period or a free version.
Features. At the very least, the antivirus should provide real-time scanning, firewall protection, email filtering, and behavioral analysis. Moreover, some providers might include useful extras, like password managers, VPNs, ad blockers, etc.

Conclusion: Is antivirus software for Windows really necessary?

The short answer is absolutely! As we mentioned before, Windows is the OS most targeted by malicious actors and snoopers. While Windows Defender keeps you safe at first, you need more robust protection nowadays. That way, viruses, malvertising, password attacks, and a bunch of other digital perils won’t be a problem.


MoqHao evolution: New variants start automatically right after installation


Authored by Dexter Shin 

MoqHao is a well-known Android malware family associated with the Roaming Mantis threat actor group first discovered in 2015. McAfee Mobile Research Team has also posted several articles related to this malware family that traditionally targets Asian countries such as Korea and Japan. 

Recently, McAfee Mobile Research Team found that MoqHao began distributing variants using a very dangerous technique. The distribution method is basically the same: they send a link to download the malicious app via an SMS message. Typical MoqHao requires users to install and launch the app before it can do what its authors intend, but this new variant requires no execution: once the app is installed, its malicious activity starts automatically. This technique was introduced in a previous post, but the difference is that it is now being abused by other well-known active malware campaigns like MoqHao. We have already reported this technique to Google, and they are already working on mitigations to prevent this type of auto-execution in a future Android version. Android users are currently protected by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play. McAfee Mobile Security detects this threat as Android/MoqHao.

How it is distributed 

MoqHao is distributed via phishing SMS messages (also known as Smishing). When a user receives an SMS message containing a malicious link and clicks it, the device downloads the malicious application. Phishing messages are almost the same as in previous campaigns: 


Figure 1. Smishing message impersonating a notification from a courier service. 

Japanese message: I went to the delivery address, but no one was there. So, I brought it back.

One noticeable change is that they now use URL shortener services. If the malware authors use their own domain, it can be quickly blocked but if they use legitimate URL shortener services, it is difficult to block the short domain because it could affect all the URLs used by that service. When a user clicks on the link in the message, it will be redirected to the actual malicious site by the URL shortener service. 

What is new in this variant 

As mentioned at the beginning, this variant behaves differently from previous ones. Typical MoqHao must be launched manually by the user after it is installed but this variant launches automatically after installation without user interaction: 

Figure 2. Differences between typical MoqHao and Modern MoqHao 

We explained this auto-execution technique in detail in a previous post. To summarize it briefly here: Android is designed so that when an app is installed and a specific value used by the app is declared as unique, code runs at installation time to check whether that value is unique. This feature is what the highly active Trojan family MoqHao abuses to auto-execute itself without user interaction. The distribution, installation, and auto-execution of this recent MoqHao variant can be seen in the following video:


On the other hand, this recent MoqHao variant uses Unicode strings in app names differently than before. This technique makes some characters appear bold, but users visually recognize it as “Chrome”. This may affect app name-based detection techniques that compare app name (Chrome) and package name (com.android.chrome): 


Figure 3. App name using Unicode strings. 
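One way a defender can make app-name checks robust to the bold-letter trick described above, as an added example that is not code from the McAfee post: fold the label with Unicode NFKC (which maps Mathematical Bold letters back to plain ASCII) before comparing it with the package name the genuine app uses. The KNOWN_LABELS table and the sample label/package pairs are constructed for illustration.

```python
"""Added example, not code from the McAfee post: detect app labels that read as
"Chrome" only after Unicode compatibility folding, and compare the folded label
against the package name the genuine app uses."""
import unicodedata
from typing import Dict, List

# Expected package name for each label worth protecting (assumed table,
# maintained by the analyst).
KNOWN_LABELS: Dict[str, str] = {
    "chrome": "com.android.chrome",
}


def naive_match(label: str) -> bool:
    """The kind of exact string check the bold-letter trick defeats."""
    return label == "Chrome"


def normalize_label(label: str) -> str:
    """NFKC maps compatibility characters such as U+1D402 MATHEMATICAL BOLD
    CAPITAL C to their plain ASCII base letter; casefold then handles case."""
    return unicodedata.normalize("NFKC", label).casefold().strip()


def changed_chars(label: str) -> List[str]:
    """Names of the characters NFKC rewrites, so an analyst sees what was used."""
    return [unicodedata.name(ch, "<unnamed>") for ch in label
            if unicodedata.normalize("NFKC", ch) != ch]


def check_app(label: str, package: str) -> Dict[str, object]:
    """Classify one installed app from its label and package name."""
    folded = normalize_label(label)
    expected = KNOWN_LABELS.get(folded)
    if expected is None:
        # NFKC does not fold every look-alike (e.g. Cyrillic letters), so any
        # non-ASCII residue in an unknown label is still worth a closer look.
        verdict = "suspicious" if not folded.isascii() else "unknown"
    elif package == expected:
        verdict = "ok"
    else:
        verdict = "impersonation"
    return {
        "label": label,
        "folded": folded,
        "package": package,
        "folded_chars": changed_chars(label),
        "verdict": verdict,
    }


# Constructed samples: the first spells "Chrome" in Mathematical Bold letters
# (U+1D402 U+1D421 U+1D42B U+1D428 U+1D426 U+1D41E) with a made-up package name.
SAMPLES = [
    ("\U0001D402\U0001D421\U0001D42B\U0001D428\U0001D426\U0001D41E",
     "example.constructed.pkg"),
    ("Chrome", "com.android.chrome"),
    ("Notes", "example.notes"),
]

if __name__ == "__main__":
    for label, package in SAMPLES:
        result = check_app(label, package)
        print(f"{result['verdict']:14} {label!r} -> {result['folded']!r} "
              f"({package}) naive_match={naive_match(label)}")
```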

Additionally, they also use social engineering techniques to set malicious apps as the default SMS app. Before the settings window appears, they show a message telling you to set up the app to prevent spam, but this message is fake: 

Figure 4. Fake message using social engineering techniques. 

Also, the different languages used in the text associated with this behavior suggest that, in addition to Japan, they are also targeting South Korea, France, Germany, and India:

Figure 5. Fake messages designed to target different countries. 

After the initialization of the malware is completed, it will create a notification channel that will be used to display phishing messages: 

Figure 6. Create a notification channel for the next phishing attack. 


The malware checks the device’s carrier and uses this notification to send phishing messages accordingly to trick users into clicking on them. MoqHao gets the phishing message and the phishing URL from Pinterest profiles:


Figure 7. Phishing message and URL in Pinterest profile 


If the phishing string is empty, MoqHao will use the phishing message in the code: 

Figure 8. Phishing notification code for each carrier 

This variant also connects to the C2 server via WebSocket. However, it has been confirmed that several other commands have been added in addition to the commands introduced in the previous post:


Command         Description
getSmsKW        Send all SMS messages to the C2 server
sendSms         Send SMS messages to someone
setWifi         Enable/disable Wi-Fi
gcont           Send all contacts to the C2 server
lock            Store a Boolean value in the "lock" key in SharedPreferences
bc              Check SIM state
setForward      Store a String value in the "fs" key in SharedPreferences
getForward      Get the String value in the "fs" key in SharedPreferences
hasPkg          Check whether a specific package is installed on the device
setRingerMode   Set Sound/Vibrate/Silent mode
setRecEnable    Set Vibrate/Silent mode according to SDK version
reqState        Send device information (Network, Power, MAC, Permission) to the C2 server
showHome        Emulate Home button click
getnpki         Send Korean Public Certificate (NPKI) to the C2 server
http            Send HTTP requests
call            Call a specific number in Silent mode
get_apps        Get list of installed packages
ping            Check C2 server status
getPhoneState   Get unique information such as IMEI, SIM number, Android ID, and serial number
get_photo       Send all photos to the C2 server

The MoqHao malware family has been active for years. Although many years have passed, its operators keep finding new ways to hide and reach users. We are seeing a much higher number of C2 commands than in previous variants, the active use of legitimate sites like Pinterest to store and update phishing data, and code with the potential to target Asian countries like Japan and South Korea, as well as countries like France, Germany, and India. Moreover, we expect this new variant to be highly impactful because it infects devices simply by being installed, without execution.

It is difficult for general users to spot fake apps that use legitimate icons and application names, so we recommend that users install security software to protect their devices. For more information, visit McAfee Mobile Security.

Indicators of Compromise (IOCs) 


The post MoqHao evolution: New variants start automatically right after installation appeared first on McAfee Blog.


USN-6626-1: Linux kernel vulnerabilities


Quentin Minster discovered that a race condition existed in the KSMBD
implementation in the Linux kernel when handling sessions operations. A
remote attacker could use this to cause a denial of service (system crash)
or possibly execute arbitrary code. (CVE-2023-32250, CVE-2023-32252,
CVE-2023-32257)

Marek Marczykowski-Górecki discovered that the Xen event channel
infrastructure implementation in the Linux kernel contained a race
condition. An attacker in a guest VM could possibly use this to cause a
denial of service (paravirtualized device unavailability). (CVE-2023-34324)

Zheng Wang discovered a use-after-free in the Renesas Ethernet AVB driver
in the Linux kernel during device removal. A privileged attacker could use
this to cause a denial of service (system crash). (CVE-2023-35827)

Tom Dohrmann discovered that the Secure Encrypted Virtualization (SEV)
implementation for AMD processors in the Linux kernel contained a race
condition when accessing MMIO registers. A local attacker in a SEV guest VM
could possibly use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2023-46813)

It was discovered that the Microchip USB Ethernet driver in the Linux
kernel contained a race condition during device removal, leading to a use-
after-free vulnerability. A physically proximate attacker could use this to
cause a denial of service (system crash). (CVE-2023-6039)

It was discovered that the TLS subsystem in the Linux kernel did not
properly perform cryptographic operations in some situations, leading to a
null pointer dereference vulnerability. A local attacker could use this to
cause a denial of service (system crash) or possibly execute arbitrary
code. (CVE-2023-6176)

Xingyuan Mo discovered that the netfilter subsystem in the Linux kernel did
not properly handle dynset expressions passed from userspace, leading to a
null pointer dereference vulnerability. A local attacker could use this to
cause a denial of service (system crash). (CVE-2023-6622)

It was discovered that the TIPC protocol implementation in the Linux kernel
did not properly handle locking during tipc_crypto_key_revoke() operations.
A local attacker could use this to cause a denial of service (kernel
deadlock). (CVE-2024-0641)


Smashing Security podcast #358: Hong Kong hijinks, pig butchers, and poor ransomware gangs


Is this the real life? Is this just fantasy? A company in Hong Kong suffers a sophisticated deepfake duping, be on your guard from pig butchers as Valentine’s Day approaches, and spare a moment to feel sorry for poor ransomware gangs.

All this and much much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Lianne Potter from the “Compromising Positions” podcast.


DSA-5618-1 webkit2gtk – security update


The following vulnerabilities have been discovered in the WebKitGTK
web engine:

CVE-2024-23206

An anonymous researcher discovered that a maliciously crafted
webpage may be able to fingerprint the user.

CVE-2024-23213

Wangtaiyu discovered that processing web content may lead to
arbitrary code execution.

CVE-2024-23222

Apple discovered that processing maliciously crafted web content
may lead to arbitrary code execution. Apple is aware of a report
that this issue may have been exploited.

https://security-tracker.debian.org/tracker/DSA-5618-1
