By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy

Josh Brunty had spent more than a decade in cybersecurity — first as a digital forensics analyst for the West Virginia State Police, then as someone who taught the subject at Marshall University — when he discovered a shocking secret about his father, Butch. Butch Brunty was still paying money every year for third-party antivirus protection on his home computer, which his son felt hadn’t been necessary for most people for years. “He was talking about renewing his antivirus. I said, ‘Are you literally paying for antivirus?’” Brunty said. “I don’t know how he ended up doing it, but he ended up getting connected to Norton, spending, like $60 a year.” Brunty’s father, like a lot of other people, hadn’t gotten the message that has become intuitive to many people who work in cybersecurity: There’s just no longer any reason for regular people to pay for antivirus software for their personal devices. It’s a shift that highlights not only how computer security has evolved in the past decade but also the way many people misunderstand the greatest threats to their computer security. Antivirus software still centers on its original use: looking for and mitigating software viruses. Because modern computer systems already do that, many programs now offer additional protections, like monitoring the dark web to see whether someone posts customers’ personal information, which experts find to be of little use. But the greatest threats most users face are no longer from viruses, particularly now that so much personal computing happens over the internet. Brunty said his dad also paid for a virtual private network, which routes a computer’s internet traffic through a third party. They were once considered vital to prevent nearby hackers from spying on online activity, but security experts now say that thanks to additional built-in security protections in most major browsers, virtual private networks are useful in only a handful of specific scenarios, like streaming video that is restricted in certain countries or getting around government censors like China’s “Great Firewall.” “He had no understanding of those two technologies, really,” Brunty said. “I think he just felt like if he spent the money, the investment of paying for it was going to protect him from everything.” Some antivirus programs can offer certain benefits, such as tools that help users avoid email-based phishing campaigns that steal sensitive login credentials. Others can help prevent identity theft. But most experts agree that the built-in antivirus protections on any major system — a fully updated Windows or Apple computer or an Android phone or iPhone — already protect against viruses just as well as the major programs people can pay for. It’s important, however, for users to keep their systems protected through automatic software updates offered by all major software providers. It wasn’t always that way. For much of Microsoft’s history, computer experts worried that Windows machines were susceptible to viruses, and there was no firm consensus about what third-party programs people needed to stay safe. But Microsoft Defender, the free and automatic antivirus program now built into Windows, has gotten so effective that it’s as good as anything customers can pay for, said Simon Edwards, the founder of SE Labs, a London-based company that compares and tests antivirus programs. “We test it regularly, and it’s one of the top products we’ve seen. It has improved a lot,” Edwards said. That doesn’t mean malicious software isn’t a threat. But newer devices tend to take care of most problems on their own. Hackers are constantly devising new ways to break into operating systems, and companies have to keep updating ways to stop them. Fortunately, the days of cybersecurity engineers’ writing patches for new, safer versions of software and just hoping users will update them is largely over. “It’s almost impossible these days to not have a fully patched Windows or Mac system because they pretty much force updates,” Edwards said. While it’s a myth that Macs can’t get viruses, the myth is well-founded: Macs essentially had antivirus protections built into their operating systems from their early days. The same goes for iPhones and Android smartphones. The British government even tells its residents not to bother buying antivirus software for their phones, provided that they don’t needlessly endanger themselves by installing programs not vetted by an app store. For more detailed reading visit OUR FORUM.

Every version of Windows is at risk due to a scary zero-day vulnerability after Microsoft failed to properly patch a similar flaw, a cybersecurity researcher claims. The newly discovered exploit is currently a proof-of-concept, but researchers believe ongoing small-scale testing and tweaking is setting the stage for a wider-reaching attack. “During our investigation, we looked at recent malware samples and were able to identify several [bad actors] that were already attempting to leverage the exploit,” Nic Biasini, Cisco Talos’ head of outreach, told BleepingComputer. “Since the volume is low, this is likely people working with the proof of concept code or testing for future campaigns.” The vulnerability takes advantage of a Windows Installer bug (tracked as CVE-2021-41379) that Microsoft claims to have patched earlier this month. This new variant gives users the ability to elevate local privileges to SYSTEM privileges, the highest user rights available on Windows. Once in place, malware creators can use those privileges to replace any executable file on the system with an MSI file to run code as an admin. In short, they can take over the system. Over the weekend, security researcher Abdelhamid Naceri, who discovered the initial flaw, published to Github a proof-of-concept exploit code that works despite Microsoft’s patch release. Even worse, Naceri believes this new version is even more dangerous because it bypasses the group policy included in the admin install of Windows. “This variant was discovered during the analysis of the CVE-2021-41379 patch. the bug was not fixed correctly, however, instead of dropping the bypass. I have chosen to actually drop this variant as it is more powerful than the original one,” Naceri wrote. BleepingComputer tested Naceri’s exploit and, within “a few seconds,” used it to open a command prompt with SYSTEM permissions from an account with “standard” privileges. While you shouldn’t be too worried just yet, this vulnerability could put billions of systems at risk if it’s allowed to spread. It’s worth reiterating that this exploit gives attackers admin privileges on the latest Windows OS versions, including Windows 10 and Windows 11–we’re talking about more than 1 billion systems. This isn’t a remote exploit though, so bad actors would need physical access to your device to carry out the attack. Microsoft labeled the initial vulnerability as medium-severity, but Jaeson Schultz, a technical leader for Cisco’s Talos Security Intelligence & Research Group, stressed in a blog post that the existence of functional proof-of-concept code means the clock is ticking on Microsoft releasing a patch that actually works. As it stands, there is no fix or workaround for this flaw. Naseri, who told BleepingComputer that he didn’t give Microsoft notice about the vulnerability before going public as a way to petition against smaller payouts in Microsoft’s bug bounty program, advises against third-party companies releasing their own patches because doing so could break the Windows installer. Microsoft is aware of the vulnerability but didn’t provide a timeline for when it will release a fix. “We are aware of the disclosure and will do what is necessary to keep our customers safe and protected. An attacker using the methods described must already have access and the ability to run code on a target victim’s machine,” Microsoft told BleepingComputer. To follow this thread and learn more visit OUR FORUM.

Last month, a researcher for Meta prepared a talk for colleagues that they knew would hit close to home. The subject: how to cope as a researcher when the company you work for is constantly receiving negative press. The talk had been approved to show at the company’s annual research summit for employees in early November. But shortly before the event, Meta’s legal and communications department determined that the risk of the contents leaking was too great. So it disappeared from the research summit’s agenda days before, along with another pre-taped talk describing efforts to combat hate speech and bullying. Both talks never saw the light of day. The pulling of the talks highlights how a barrage of leaks and external scrutiny has chilled the flow of information inside the company formerly known as Facebook. Many of the changes appear designed to thwart the next Frances Haugen, who worked in the Integrity organization responsible for making the social network safer before she quit earlier this year, taking thousands of internal documents with her. Those documents served as the basis for a series of damning stories in The Wall Street Journal and dozens of other news outlets, including The Verge. Some of them, such as internal research showing Instagram and Facebook can have negative effects on young people, have led to congressional hearings and lawsuits. And as the bad press continues, Meta executives have argued that the documents were cherry-picked to smear the company and paint an incomplete story. While the documents Haugen leaked haven’t yet caused Meta to make meaningful changes to its products, they’ve already left a lasting mark on how the world’s largest social network operates, particularly in its research and Integrity divisions. Ten of the 70 preapproved talks presented at the internal research summit a couple of weeks ago received a second, more stringent review to minimize leak risk. Senior leaders, including policy and communications chief Nick Clegg, have in recent months slowed the release of Integrity research internally, asking for reports to be reviewed again before they’re shared even in private groups. In some cases, researchers have been told to make clear what is defensible by data in their work and what is an opinion, and that their projects will need to be cleared by more managers before work begins. Last month, Meta rolled out a new “Integrity Umbrella” system designed to thwart leakers. The Umbrella maintains a list of employees in Integrity and gives them automatic access to join private Integrity groups in Workplace, the internal version of Facebook used by employees. When it was introduced, several employees internally pointed out that the system wouldn’t have stopped Haugen, since she worked in the Integrity division when she gathered the leaked documents. It’s not just the Integrity division that is locking down access to Workplace groups. The change has become so widespread that employees have taken to a group in Workplace titled “Examples of Meta Culture trending towards ‘Closed,’” where they’ve been posting screenshots of previously open groups they belong to being set to private. This story is based on conversations with current and former Meta employees and internal Workplace posts from the past month obtained by The Verge. In response to this story, Meta confirmed that the company was making changes to internal communication. “Since earlier this year, we have been talking about the right model of information sharing for the company, balancing openness with sharing relevant information and maintaining focus,” said Mavis Jones, a Meta spokesperson. “This is a work in progress and we are committed to an open culture for the company.” Complete details are posted on OUR FORUM.