NSA and GCHQ Attacked Antivirus Companies

On Monday, the Intercept published a new story from the Snowden documents:

The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the documents is Moscow-based Kaspersky Lab, which has a holding registered in the U.K., claims more than 270,000 corporate clients, and says it protects more than 400 million people with its products.

British spies aimed to thwart Kaspersky software in part through a technique known as software reverse engineering, or SRE, according to a top-secret warrant renewal request. The NSA has also studied Kaspersky Lab's software for weaknesses, obtaining sensitive customer information by monitoring communications between the software and Kaspersky servers, according to a draft top-secret report. The U.S. spy agency also appears to have examined emails inbound to security software companies flagging new viruses and vulnerabilities.

Wired has a good article on the documents:

The documents...don't describe actual computer breaches against the security firms, but instead depict a systematic campaign to reverse-engineer their software in order to uncover vulnerabilities that could help the spy agencies subvert it.

An NSA slide describing "Project CAMBERDADA" lists at least 23 antivirus and security firms that were in that spy agency's sights. They include the Finnish antivirus firm F-Secure, the Slovakian firm Eset, Avast software from the Czech Republic, and Bit-Defender from Romania. Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos.

But antivirus wasn't the only target of the two spy agencies. They also targeted their reverse-engineering skills against CheckPoint, an Israeli maker of firewall software, as well as commercial encryption programs and software underpinning the online bulletin boards of numerous companies. GCHQ, for example, reverse-engineered both the CrypticDisk program made by Exlade and the eDataSecurity system from Acer. The spy agency also targeted web forum systems like vBulletin and Invision Power Board (used by Sony Pictures, Electronic Arts, NBC Universal and others) as well as CPanel, a software used by GoDaddy for configuring its servers, and PostfixAdmin, for managing the Postfix email server software. But that's not all. GCHQ reverse-engineered Cisco routers, too, which allowed the agency's spies to access "almost any user of the internet" inside Pakistan and "to re-route selective traffic" straight into the mouth of GCHQ's collection systems.

There's also this article from Ars Technica. Slashdot thread.

Kaspersky recently announced that it was the victim of Duqu 2.0, probably from Israel.

Posted on June 26, 2015 at 6:59 AM • 19 Comments


Clive Robinson • June 26, 2015 8:19 AM

Aside from the fact that many AV engines make your systems a good deal less secure, as they significantly increase the ring zero attack surface and frequently don't follow any secure coding practice (so are easy targets)... you would expect the spies to apply techniques to render counter-surveillance ineffective, and AV is the nearest the vast majority of computers get to practicing counter-surveillance.

As has been pointed out over and over again AV is the "lipstick end of the security pig". White lists, read only memory, file tripwires etc catch the new malware, not the AV engines.

Whilst I can not quite call AV software "snake oil", in many cases it's certainly fallible enough to appear to be so.

Peter Galbavy • June 26, 2015 8:35 AM

Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos.

Huh, strange that. I wonder why that could be. Surely not 'cause they're already pwned is it?

Sam • June 26, 2015 10:21 AM

@Peter: Does delivering a National Security Letter really count as pwning something? The "bureaucrat" is in this sense even less technically skilled than the "script kiddie".

Bob S. • June 26, 2015 11:10 AM

I suppose some AV companies might not be listed due to inadvertent error, or because their defenses are too good. Another possibility is they readily agreed to cooperate, so there is no need to go to the backdoor. The mind boggling part is, virtually every government in the world is playing, or can play, this same game...subverting security software and hardware, for our own good so they say.

I think it's getting close to the time to dump the whole internet thing and start over based on the premise that first and foremost communication will be safe, secure and private. Those who fear the usual list of bogeymen need not connect.

Realistically, that's not going to happen, however.

z • June 26, 2015 12:09 PM

I am also concerned about the lack of American or British companies on that list. Possibly because they simply cooperate (whether voluntarily or through coercion)?

Jayson • June 26, 2015 12:16 PM

I suspect @Sam is correct in that the US/UK firms aren't listed because it's easier to force them to comply "legally". At a guess, outright attacking domestic companies is likely somewhat taboo still.

Game Over • June 26, 2015 12:56 PM

@Sam, @z, @Jayson

What operational or legal considerations would cause Five Eyes agencies to prefer directing a NSL to, say, Symantec, rather than to Microsoft?

IOW, why would NSA/FBI/DoJ/DHS prefer to get root through Norton Internet Security, as opposed to through Microsoft Update?

me • June 26, 2015 2:35 PM

AV is a joke. Did anyone actually think a Western AV outfit would tell you if you have GCHQ's QWERTY installed? Even F-Secure sat on Regin (à la Belgacom), much to my dismay. And aside from a small mention by Symantec recently, there is no movement on the BIG hard-drive firmware problem by the *cough* "Equation Group" (haha). And it's plainly obvious you can't SSH to a Cisco router *over the net* without your credentials being stored in a database somewhere. Err, uhm.. I wonder why.

tyr • June 26, 2015 2:58 PM

I'd imagine that an AV company's worst nightmare is being forced to defend their customers against every nation state's spooks. Of course the same band of spooks is busy dismantling the rest of computer security like a busy bunch of ants.

They can't even defend you against the advertising weasels who want to see every mouseclick for the same reason; it is a horrible problem which is getting worse all the time.

Historical aside: I remember when F-PROT had a virus list that was twenty feet long on print-out. They went commercial as F-Secure and were the best AV around. But now they are just another business. Captain Crunch was on RT today.

Zaphod • June 26, 2015 4:10 PM

@me, err you.

Could you please elaborate on the Cisco SSH 'feature'? Enquiring minds need to know…


me • June 26, 2015 5:37 PM

Switch(config)# crypto key generate rsa

At this point, you will be prompted to enter a modulus number for the key generation:

How many bits in the modulus [512]:

Hmm, looks like I misplaced my Treasure Map.
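
A defender-side check for the weak default the snippet above points at (a 512-bit modulus): the following is an added example, not code from the post or from any commenter. It parses OpenSSH-format ssh-rsa public key lines (as produced by ssh-keyscan or found in known_hosts) and flags moduli below a chosen floor; the 2048-bit minimum and the constructed sample keys are assumptions made for this example.

```python
import base64
import struct

# Added example (not from the blog post or its comments): audit "ssh-rsa" public
# key lines and flag RSA moduli shorter than a policy minimum.
MIN_RSA_BITS = 2048  # assumption: policy floor chosen for this example


def _string(data: bytes) -> bytes:
    """Encode an SSH wire-format string: 4-byte big-endian length, then data."""
    return struct.pack(">I", len(data)) + data


def _mpint(value: int) -> bytes:
    """Encode a non-negative int as an SSH mpint (extra 0x00 byte if high bit set)."""
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def _read_string(blob: bytes, offset: int) -> tuple:
    """Decode one SSH wire-format string at offset; return (data, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def rsa_modulus_bits(pubkey_line: str) -> int:
    """Return the RSA modulus size in bits of an 'ssh-rsa AAAA... [comment]' line."""
    fields = pubkey_line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(fields[1])
    key_type, off = _read_string(blob, 0)
    if key_type != b"ssh-rsa":
        raise ValueError("key blob type does not match the line's key type")
    _exponent, off = _read_string(blob, off)  # public exponent e; not needed for sizing
    modulus, _ = _read_string(blob, off)
    return int.from_bytes(modulus, "big").bit_length()  # mpint's leading 0x00 drops out


def is_weak_rsa(pubkey_line: str, minimum: int = MIN_RSA_BITS) -> bool:
    """True when the key's modulus is shorter than the policy minimum."""
    return rsa_modulus_bits(pubkey_line) < minimum


def make_sample_key(modulus_bits: int) -> str:
    """CONSTRUCTED test input: an ssh-rsa line whose modulus has the given bit length.
    The modulus is an arbitrary odd number, not a real key; only its size matters here."""
    n = (1 << (modulus_bits - 1)) | 0x1234567
    blob = _string(b"ssh-rsa") + _mpint(65537) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode("ascii") + " sample-device"
```

Feeding real ssh-keyscan output through rsa_modulus_bits line by line gives an inventory of device host keys still carrying small moduli.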

Groucho Marx • June 26, 2015 6:10 PM

That they were very concerned about EULAs in their efforts says just how sophisticated their efforts have been.

Kaspersky • June 27, 2015 12:19 AM

Only ClamAV/ClamWin is FOSS. Others are proprietary.

Almost all AVs "phone home" with the user's computer information, such as computer name, local IP address, username, password, etc.
^ If you don't believe me, disconnect search. You'll find an official PDF.

Skeptical • June 28, 2015 12:09 AM

Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos.

This goes back to a point I've made again and again:

You are more protected from surveillance inside the United States than you are outside the United States.

And before someone yells "Google!", recall that multinational corporations regularly extend well outside the United States. They utilize a complex variety of registered subsidiaries and affiliates. Until recently, for example, Amazon paid no UK taxes for income derived from the UK.

So multinationals often contain affiliates and subsidiaries that are not really considered US entities - nor should they be, frankly.

But if a company retains its R&D facilities inside the US, it acquires the full panoply of protections against US surveillance. That means NSA can't simply hack into that company. That means the US Government can't pay someone to steal private information from that company.

Of course, there's another explanation for their absence: NSA's and GCHQ's targets may not use AV software from American or British companies because they don't trust them. Which is, actually, a bit humorous, as those companies may actually be the most trustworthy relative to others.

Game Over • June 28, 2015 3:02 AM

... if a company retains its R&D facilities inside the US, it acquires the full panoply of protections against US surveillance. That means NSA can't simply hack into that company...

Wikipedia cites a Symantec report claiming that a mere 1.56% of the worldwide Stuxnet impact hit systems in the United States.

I don't think the NSA targeted NSLs and gag orders at that 1.56%.

Austin • June 28, 2015 8:32 PM

Well, this doesn't surprise me one bit. It actually makes sense. They are trying to learn more about viruses and vulnerabilities.

Walter Händel • October 26, 2015 7:11 PM

More protected from surveillance in the USA? Really?

Top Secret GCHQ surveillance programs and systems secretly collect Internet, phone, and SIGINT data from most of the US population. GCHQ secretly gives the surveillance data to NSA.

Top Secret NSA surveillance programs and systems secretly collect Internet, phone, and SIGINT data from most of the UK population. NSA secretly gives the surveillance data to GCHQ.

GCHQ does not spy directly on its own UK population to get the surveillance data. NSA does not spy directly on its own US population to get the surveillance data.

For years, NSA and GCHQ have been teaming with each other and using this surveillance strategy to circumvent and skirt domestic laws in their respective countries that prohibit them from spying directly on their own national population.


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.