Yet Another Russian Hack of the NSA -- This Time with Kaspersky's Help

The Wall Street Journal has a bombshell of a story. Yet another NSA contractor took classified documents home with him. Yet another Russian intelligence operation stole copies of those documents. The twist this time is that the Russians identified the documents because the contractor had Kaspersky Labs anti-virus installed on his home computer.

This is a huge deal, both for the NSA and Kaspersky. The Wall Street Journal article contains no evidence, only unnamed sources. But I am having trouble seeing how the already embattled Kaspersky Labs survives this.

WSJ follow-up. Four more news articles.

EDITED TO ADD: This is either an example of the Russians subverting a perfectly reasonable security feature in Kaspersky's products, or Kaspersky adding a plausible feature at the request of Russian intelligence. In the latter case, it's a nicely deniable Russian information operation. In either case, it's an impressive Russian information operation.

What's getting a lot less press is yet another NSA contractor stealing top-secret cyberattack software. What is it with the NSA's inability to keep anything secret anymore?

EDITED TO ADD (10/8): Another article.

Posted on October 6, 2017 at 8:06 AM • 131 Comments

Comments

Bruce Schneier • October 6, 2017 8:08 AM

Please remember that this is not the place for political discussions. Stories about Russia are regularly problems, and I will be deleting any comments I feel stray from the security topics.

225 • October 6, 2017 8:34 AM

I feel like someone from Norway should suggest you archive paywalled sites.

http://archive.is/wt6az

It feels like antivirus software is a racket, and this is one side flexing to scare people into changing who they pay their protection money to.

Bruce Schneier • October 6, 2017 8:45 AM

I just deleted seven comments. It might not be possible to have a discussion of this story that doesn't cross over into the political discussions that I don't want on this blog.

If I have disabled comments on this thread, this is why.

Bruce Schneier • October 6, 2017 8:46 AM

If your comments have been deleted and you want to discuss it, please email me. Do not ask me about it in comments.

Evan • October 6, 2017 8:49 AM

Experts said the software [Kaspersky AV], in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA.

So, the anti-virus program identified files containing computer security exploits, which is what it's supposed to do. That people viewing this information happened to be Russian hackers and they used it to identify files that might be NSA tools isn't Kaspersky's fault - except insofar as a Kaspersky protected computer still got hacked anyway. Assuming all the conjectured details proffered by anonymous sources are actually correct.

This looks to me like a pretty clear case of trying to make Kaspersky look bad, both to cover up the failure of the NSA's own security measures and to push out of the market security software they cannot control, influence, or sidejack.

Bruce Schneier • October 6, 2017 8:50 AM

"It feels like antivirus software is a racket, and this is one side flexing to scare people into changing who they pay their protection money to."

It is certainly true that anti-virus companies benefit from a general fear of worms and viruses. And while I think they all artificially inflate the number of viruses in the wild, I don't think that any of them go so far as to publish new ones. Cylance has been accused of creating new virus variants in their test suites, but not of putting them out in the wild.

Arthur • October 6, 2017 9:15 AM

To make any argument stronger, should we not be wary about using "unnamed sources" as concrete, definitive evidence of malfeasance and criminal activity? "Unnamed sources" and random hearsay evidence are not to be trusted.

Sonny Daye • October 6, 2017 9:30 AM

From the article:

"...the theft included information on penetrating foreign computer networks and protecting against cyber attacks..."

A good haul for sure.

The contractor "...worked at the NSA's Tailored Access Operations unit for elite hackers before he was fired in 2015."

Ouch! Very sensitive job. Note, we are just hearing about it. The breach is at least two years old.


"Russian government officials could have used flaws in Kaspersky software to hack into the machine in question..."

My questions are, how many other computers were hacked and how many other AV apps are a source of risk? It seems most all of them phone home a great deal, seemingly sending packets home more than necessary for simple updates. More like URL collection and/or keylogger flow.

Ryan • October 6, 2017 9:33 AM

In all seriousness, I feel that Kaspersky is likely not a full pawn of Russian intelligence, but rather just a target of opportunity that the FSB & other agencies have leveraged in attacks elsewhere. It's doubtful that Kaspersky could recruit and retain the number of researchers they have if it was collaborating with the FSB even in secret.

Of course this comes back to the Red Team vs Blue Team question, and often it's easier to attack than it is to defend. Blue team has to be perfect while Red just has to get a foothold somewhere. With our digital footprint expanding by orders of magnitude it becomes that much easier for the red team to get wins like this.

Scissors • October 6, 2017 9:36 AM

This incident adds fuel to what seems to be a larger trend: a greater distrust of security products/algorithms/knowledge from foreign sources. I think this is a good thing, to a degree: Kaspersky (or any other security-oriented entity) cannot be immune from their own government's meddling, so other countries should trust them accordingly. However, when the threat actor is international (as 'normal' cybercrime can be) but security research and development are 'siloed' into national blocks, a mutual distrust hampers the ability to address these international issues.

JonKnowsNothing • October 6, 2017 9:38 AM

It all looks like a Much Ado About Nothing...

afaik every AV product has limited abilities to do anything really useful.

afaik every AV product uses some master listings to compare code DNA to known attacks

afaik if an AV product detects something odd that is not on their listing they upload a copy to their systems. You can even manually click "check this file please".

afaik every bug/virus/hacking tool is often loaded into repositories for anyone to check. Hey M$ did you fix "this"? Hey Google did you fix "that". Oh, look "this one is 20 years old"...

afaik every security service in the world is WATCHIN'CHU. So no surprise that something got picked up along the way.

afaik you would have to be rather short sighted to not figure out that every security service will be working on V2.0 V3.0 V4.0 V-M$10 V-IOS-DecryptHDSeasame

afaik nearly every system today is designed to Phone-Home-Telemetry which is sliced and diced and hashed.

There is nothing new here except:

  • Someone took Work Home.
  • Someone that is supposed to be such a hot-shot-coder that they could fix all of TAO solo after hours.
  • Someone who took all that great super-hot-shot code and loaded it on an unsecured home laptop with a public facing internet.


Gee... ain't that just a great coincidence? How handy! And right on time for reauthorization too! Just in the nick of time!!! WOW!!!

...

The Intercept is running a much more interesting article on how the FBI is using their surveillance abilities to find two piglets...

And that they even know the code names for them: Lucy and Ethel or is it Lilly and Lizzie?

That your personal exchanges are being FISA-ed for missing piglets which are an embarrassment to their previous and dubious owners and should the FBI find them are sure to be Ham and Bacon for the FISA Breakfast Buffet.

ht tps://theintercept.com/2017/10/05/factory-farms-fbi-missing-piglets-animal-rights-glenn-greenwald/
(url fractured to prevent autorun)

Tester • October 6, 2017 9:41 AM

> Cylance has been accused of creating new virus variants in their test suites, but not of putting them out in the wild.

Any responsible antivirus vendor should do this to some extent. If the software can't detect a substantial fraction of new minor variants on existing viruses, it's easily beaten in the wild.

Parabarbarian • October 6, 2017 9:44 AM

Call me naive but I think an even more serious problem is that the contractor was even able to get the data onto his home machine. Doesn't the NSA do any real background checks on these guys? I have a pretty good idea how hard it is to stop a determined and skilled person from exfiltrating data. In the final analysis it comes down to the integrity of the individual with access and the skills to steal the data. It seems to me that a strict background check would be absolutely required for access to copy such sensitive data.

BF Skinner • October 6, 2017 9:50 AM

So Kaspersky probably feels ill done by and will no doubt deny their product serves the will of the Russian IC. There will be, reasonable, claims that the WSJ article is a hit job planted by USA IC to discredit Kaspersky (and by extension other non-made-in-the-USofA products).

There will be the usual, again reasonable, assertions that open source secures from this sort of fear, uncertainty and doubt threat. And the usual complete dismissal, by silence of private enterprise that open source is a viable business model (though MySQL seems to have done well enough). And nothing will move on this front.

Will not the end result be people basing their risk decisions on whether they believe the Americans or Russians? And then make their purchase decisions in a new first world / second world cold war dynamic.

Brooke • October 6, 2017 9:54 AM

If we get past the Russia/Kaspersky ties on this one and look at this as an attack vector, do we know that Norton, Trend and the others aren't capable of doing something similar? Your AV scans your computer, if a hostile actor is now at Symantec, is it any better/worse? Seems like AV as an attack vector or recon tool is highly likely being actively used in areas other than Kaspersky. We should all take note.

Who? • October 6, 2017 9:56 AM

It would be great if these documents became public so we can improve the security of our own networks. This one is the only way we can really honour the "S" in NSA.

Vesselin Bontchev • October 6, 2017 9:57 AM

An opinion from someone who has worked 15 years in the anti-virus industry (and has spent another 13 doing anti-malware stuff in academia) and who knows Eugene Kaspersky personally and is very familiar with the early versions of his product:

1) Kaspersky is a man of very high intelligence and high integrity. He would never do such a stupid thing intentionally.

2) I believe that the accusations are true - in the sense that the attackers indeed used the data feed from his product to locate a prospective target. This is not a real "leak" (in the sense of a rogue employee babbling to the press); this information was released to the Washington Post intentionally.

3) I do not believe that KAV was used to penetrate the target and to exfiltrate the data - and I don't think that the article claims that it was.

So, it is very natural for Kaspersky to ask for evidence - he wants to know how exactly 2) was achieved and if there is something in his product that he needs to fix.

Note: the following is speculation from my part.

Several months ago Google's Project Zero found a serious problem in how KAV was checking SSL certificates. Instead of a proper cryptographic check, they only checked the name and a CRC-32 checksum. This allowed for MitM attacks. After the bug was reported, it was fixed - but the leak is from 2015, when the bug was still present.

If the certificate checking was the same everywhere in the product (very likely, IMO), it would have been possible for the attackers (Russian intelligence) to MitM KAV's data feed on Russian soil and to monitor what it was reporting to Kaspersky.

The product is very good as an anti-virus product, meaning that its detection rate is excellent. It is definitely possible that it detected some of NSA's tools when it was scanning them. Since it didn't find anything it knew exactly (those were new tools, under development after the Snowden leaks) but only some bits of code associated with other Equation Group malware (i.e., the NSA), they were reported as "suspicious" or "new variants". Most good AV programs have the ability to automatically submit suspicious samples to the developer. It is always optional, but in some products it is opt-in, in others it is opt-out. I don't recall how exactly it is in KAV; I think it's opt-in. Assuming it was turned on on the scanned computer, these samples were submitted to Kaspersky Lab.

When the attackers monitoring the feed saw "new variants of Equation Group malware", they knew it was an interesting target. Maybe they saw other things that looked promising - like the paths of the scanned files or other interesting telemetry data. That's how they figured out that the computer was worth attacking, so they hacked it and exfiltrated the data.

What we need to know:

1) Is this the bug in KAV that was used (which would mean that it is now fixed) or was it something else (that still needs fixing)? Thus Kaspersky asking for concrete evidence.

2) Why ban only Kaspersky? Why not Dr. Web (also a Russian product)? Why not ban all non-US anti-virus products? How do you know that Bitdefender isn't being similarly exploited by the Romanian intelligence, for instance? Or Avira by the German BSD? Or Sophos by the GCHQ?

You do realize that the REAL problem is an NSA employee taking classified materials to his home PC. You can hardly blame Kaspersky for that. If there is still a vulnerability in his product that allows third parties to monitor its telemetry, then he needs to be told about it, so that he could fix it.

Unfortunately, most likely we'll never get a proper answer. For instance, imagine if the NSA has some HUMINT intelligence on the Russian side, telling them "the GRU hacked Kaspersky's data feed to locate the target, I don't know how". They can't reveal the existence of this source and they don't know how KAV was hacked exactly, so there is nothing substantial they can reveal.
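The comment above contrasts a "proper cryptographic check" of a server certificate with a check that only compares the name and a CRC-32 checksum. The following Python is an added example written for this page (not Kaspersky's code, and not a reconstruction of the Project Zero finding): it puts the weak check and a fingerprint-pinning check side by side, and shows the standard-library TLS client settings a telemetry uploader should apply before any pin is consulted. The certificate bytes, hostname and pins are constructed placeholders, not real values.

```python
import hashlib
import hmac
import ssl
import zlib

# Constructed stand-in for a server certificate in DER encoding. It is NOT a real
# certificate; it exists only so the two kinds of check can be run side by side.
PINNED_CERT_DER = b"\x30\x82\x01\x2aCONSTRUCTED-DER-telemetry.example.invalid"
PINNED_HOSTNAME = "telemetry.example.invalid"  # assumed name, not a real endpoint

# What a certificate pin should be: a SHA-256 fingerprint of the DER bytes.
PINNED_SHA256_HEX = hashlib.sha256(PINNED_CERT_DER).hexdigest()

# What the comment describes instead: a 32-bit CRC of the certificate.
PINNED_CRC32 = zlib.crc32(PINNED_CERT_DER) & 0xFFFFFFFF


def weak_cert_check(cert_der: bytes, presented_name: str) -> bool:
    """Name match plus CRC-32 match.

    CRC-32 is an error-detecting code with a 32-bit output and a linear
    structure; it is not collision resistant, so a match does not bind the
    peer to one particular certificate or key. Shown for contrast only.
    """
    crc = zlib.crc32(cert_der) & 0xFFFFFFFF
    return presented_name == PINNED_HOSTNAME and crc == PINNED_CRC32


def strong_cert_check(cert_der: bytes, presented_name: str) -> bool:
    """Name match plus SHA-256 fingerprint match, compared in constant time."""
    fingerprint = hashlib.sha256(cert_der).hexdigest()
    return presented_name == PINNED_HOSTNAME and hmac.compare_digest(
        fingerprint, PINNED_SHA256_HEX
    )


def make_client_context() -> ssl.SSLContext:
    """TLS client settings to apply before any pin check: chain validation
    against the trust store, hostname verification, and a TLS 1.2 floor.
    Pinning is an extra check on top of this, never a substitute for it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context requires a validated chain and a matching hostname."""
    return ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED


def peer_is_pinned(tls_sock: ssl.SSLSocket) -> bool:
    """After the handshake, fetch the leaf certificate in DER form and apply the
    strong check. Usage, with `sock` an already connected TCP socket:
        tls = make_client_context().wrap_socket(sock, server_hostname=PINNED_HOSTNAME)
        if not peer_is_pinned(tls): tls.close()  # refuse to send telemetry
    """
    der = tls_sock.getpeercert(binary_form=True)
    return der is not None and strong_cert_check(der, PINNED_HOSTNAME)
```

The design point is the layering: `ssl.create_default_context()` already validates the chain and the hostname, and the pin is only checked afterwards on the DER bytes the library hands back. A client that does the pin comparison instead of chain validation, or that does it with a checksum rather than a hash, is exactly the situation the comment describes, where a party on the network path can stand in for the collection server without the client noticing.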

Rick Lobrecht • October 6, 2017 10:04 AM

Not a WSJ subscriber, so I haven't read the article. In the handful of summaries I've seen, I've seen no mention of Snowden. Isn't he still in Russia? Is he, could he be, involved with this somehow? It seems to me that he is likely to have some insider knowledge on the potential people at NSA who would be copying secrets and storing them on their home PCs. This would give whatever "Russian hackers" that are responsible a small set of targets, and potentially enough background material on them to allow for social engineering on them.

Kaspersky is going to have a tough market in the foreseeable future because of this.

Mark • October 6, 2017 10:18 AM

Or Kaspersky simply tends to examine computers that have interesting malware on them. Remember that malware authors are testing their creations against anti-virus products. I'm willing to wager they do that in order to catch malware in development stages. That may also explain the fast response times they tend to have.

Tatütata • October 6, 2017 10:21 AM

How did the TLAs figure out that Kaspersky was apparently phoning home? And did they use that source for their own purposes before being forced to release this info? (i.e., does monitoring foreigners who monitor Murricans constitute an illegal monitoring of Murricans?)

A place I formerly worked for insisted that employees installed a certain AV (it wasn't the Russian product) on their home computers, for which signed up. I can't say in retrospect whether there was anything untoward, but in retrospect I'm slightly creeped out. AV software is rather useless anyway.

Was the Kaspersky licence a private one, or was it offered by the NSA when they were still in Uncle Sam's good grace?

trent • October 6, 2017 10:25 AM

> But I am having trouble seeing how the already embattled Kaspersky Labs survives this.

In non-Russian markets, sure. But the news that Microsoft had most likely backdoored their platforms for the NSA didn't end that company.

My follow-up question is: are foreign security vendors now considered legit military targets? Because that changes a few of the rules of engagement, and "cyberattacks" have already been described as Acts Of War.

(hopefully not too political a comment)

ScottO • October 6, 2017 10:37 AM

AV software - the nearly perfect attack vector. Willfully installed everywhere that matters, full system access, scans every file on the machine and has the means to exfiltrate data with impunity. If I wanted to build a way to quietly steal information, it is the way I would do it.

There were some earlier comments about the intentionality of Kaspersky and I argue it really doesn't matter, as the mere existence of the software makes it a prime target for bad actors, internal, external and the like. The revelation of this breach in the WSJ, true or not, brings a focus on the likely scenario that there is a high risk that a product coming from a country with a known strong emphasis on cyber operations is compromised.

Open source is about the only way to provide oversight, but there still exists the "concentration risk" of millions of systems using a common piece of software with a high level of access to the machine's internals.

Kasperowitsch • October 6, 2017 10:52 AM

> What is it with the NSA's inability to keep
> anything secret anymore?

Planting back-doors everywhere ultimately leads to no-secrets no-where information-network.

BillB • October 6, 2017 11:15 AM

Anyone reading this blog was hopefully aware that something like this was not only theoretically possible, but not even that hard for a company like Kaspersky to accomplish. As others have pointed out, Microsoft is in a similar position. In fact any software that is automatically updated on a regular basis could be quickly retasked by its supplier to do whatever they want within the limits of the security context in which end users use the software. Since operating systems and security software usually have unrestricted access, this obviously means that you are (at least in the short term) at the mercy of these suppliers. It seems obvious to me (but apparently not to everyone else) that this means that traditional commercial off the shelf software should not be used in any situation where the security of the data or continued operation of a system is important. Can somebody explain how I am wrong? Or am I right, but this is something like Hans Christian Andersen's "The Emperor's New Clothes" situation: everyone realizes the real situation, but nobody is willing to say so publicly because of the fear of the consequences of doing so.

Sharkie • October 6, 2017 11:35 AM

Who in NSA/USG thought this was a good idea? Seriously?

Or letting foreign adversaries access source code to ArcSight?

It's as if we've done a complete 180 from the days that exporting crypto was banned under the Arms Export Control Act to a laissez-faire attitude about the relationship of tech to national security in the United States.

It appears NSA's ship may not be adrift anymore, it is now aground.

albert • October 6, 2017 12:28 PM

I have questions, but no answers, only opinions.

Why does NSA still have USB ports on their computers?

I'm tired of all the pissing and moaning about IC data theft, and the 'solutions' offered, like 'better vetting' by the agencies. It's moved from ridiculous to absurd.

Another absurdity is the requirement for AV software on most operating systems. This cat-and-mouse game is destined to last forever. It makes me think of Hypernormalization: maintain the status quo, and keep the money flowing in.

There -are- solutions to these problems. Most have been posted in this blog. 'Patching' the present system will never work; it's too big, too complicated, and too bureaucratic, and, primarily, too corrupt (on the business side; I don't know about the technical side).

@trent,
"...and "cyberattacks" have already been described as Acts Of War....". This is an extremely dangerous situation. We learned about this in the run-up to -every- war since the invention of mass media. When you have a planet with truth-by-proclamation social systems, you run the risk of continuous wars started for secret reasons.

@LPA-11K,
I've nothing good to say about Google, but I can't help thinking that pressure from on high has 'influenced' that 'decision', just as the Hil'ry 'search' fiasco. You don't get that big without becoming 'part of the problem', so to speak.

@BillB,
"...that traditional commercial off the shelf software should not be used in any situation where the security of the data...". That's the 362.87kg elephant in the room. In a way, it 'levels the playing field' if everyone uses the same crappy OS and software (and hardware/firmware). Don't forget, we 'see' only what the LE/IC wants us to see, and it's always political. Other big players in the cyber arena experience the same hacks and leaks. They never talk about them, and they have more 'efficient' means of controlling the press. So, the playing field is a lot more level than US MSM would have us believe. The DOD has a very serious -offensive- cyber program.

. .. . .. --- ....

Daniel • October 6, 2017 12:30 PM

What's getting a lot less press is yet another NSA contractor stealing top-secret cyberattack software. What is it with the NSA's inability to keep anything secret anymore?

Well, it should. How do we know that the NSA person involved is not a Russian mole? It's a great scam: Country A plants a mole in Country B and then said mole "inadvertently" or "accidentally" leaks the documents. At some point in time gross incompetence becomes indistinguishable from malice. As the cliché goes: with friends like these, who needs enemies?

So I do think that is the real story here. If the NSA were not such a sieve, the Russians would have a much more difficult time getting what they want.

Nathan MacInnes • October 6, 2017 12:48 PM

"What is it with the NSA's inability to keep anything secret anymore?"

Contractors.

Clive Robinson • October 6, 2017 12:49 PM

@ Bruce,

What's getting a lot less press is yet another NSA contractor stealing top-secret cyberattack software. What is it with the NSA's inability to keep anything secret anymore?

Well, firstly Rogers is very much to blame; let's say his military style would not wash with a big chunk of the military. And it certainly does not work with civilians who are not just "grist to the mill" for him but more so for their actual employers...

Further, his administrative skills are not what they could be, and he really does not come across well in interviews and other public performances, where people now play the "Spot the lie" competition: first one to ten gets the comfy chair and first dibs on the popcorn.

The thing is, though, his problem was not so much "leadership" as "lagership": the entire NSA senior staff come across as running to catch up, not pushing forward, and confidence is low. NSA staffers have "jobs for life" if they keep their heads down and toe the line. The contractors however don't have the job security or much else the staffers get, and that's a cause of further friction. As well as the "unloved" feeling, Ed Snowden's trove has revealed sufficient that people are now questioning the existence of the NSA and in turn the people that work there. The public perception is no longer "unsung heroes" but more "dirty old men".

It's likely that the unnamed contractor took work home for a couple of reasons. Whilst I won't rule out a "Pet Project" or similar, the odds are he was just trying to keep up with the workload...

But the NSA is also not getting the staff they need; they never really adjusted to the post-cold-war world, and they are most certainly not the first choice for anyone with "skillz" any more, be they maths, computers or communications. Plus compared to industry the pay and extras suck. The things they are still leaders at tend to be looked at as not only "non transferable" but also "holes in your CV".


Clive Robinson • October 6, 2017 1:06 PM

@ ALL,

As I said over on the current squid page the WSJ reporting needs to be taken with caution,

https://www.schneier.com/blog/archives/2017/09/friday_squid_bl_594.html#c6761686

In short, it is not just pathetic, it's inaccurate and riddled with needless assumptions.

Further I also pulled up the issue of Kaspersky and compared it to the CarrierIQ debacle a few years ago now.

https://www.schneier.com/blog/archives/2017/09/friday_squid_bl_594.html#c6761695

Put simply, CarrierIQ software was put on mobile phones in the US by the service providers (SP). Supposedly it was a "Tech support tool"; however it logged just about everything you did on the phone, including all the keystrokes etc. Then it sent the logs "Off to the Mother Ship" without any security.

At the time I noted it was a godsend for the NSA: all they had to do was sit at the upstream router and hoover up the data sight unseen.

This may be what has happened to Kaspersky; we don't know, and the WSJ should not be peddling the US Gov "Party line" the way it is. Not only is it a stupid thing to do, it makes most think it's a "stitch up" and that the WSJ are either "Patsies or Brown nosers" of the USG.

Grauhut • October 6, 2017 1:20 PM

'Kaspersky is “aggressive” in its methods of hunting for malware, Mr. Darché said, “in that they will make copies of files on a computer, anything that they think is interesting.”'

Sounds a little like "we hate Kaspersky for detecting and copying our sh*t from this traitors box". :)

Kaspersky Software is available everywhere, so why did no indy security researcher ever find such an evil Russian backdoor in it? Would have been easy enough to set up a honeypot for this bear.

Jean • October 6, 2017 1:25 PM

What if it is simply not true? :) No proof, unnamed source... Too good to be true.

Retired Secret Squirrel • October 6, 2017 1:36 PM

It's clearly time to do something no one in Washington is crazy enough to do, and that's close the doors of the NSA, at least until a thorough Counter-Intelligence and Security review can take place (by outsiders, no one on NSA staff).

Send all the military members back to their home units, furlough the civil servants and give the contractors their walking papers.

Security there has become a complete joke.

While some are quick to blame contractors, they're ignoring that the two biggest failures in counter-intelligence history, Ames and Hanssen, were Civil Servants, and that in all CI cases across the IC it's been a mix of civil servants, military and contractors that have decided to betray their country willingly, or were completely incompetent and took Classified material out of facilities for whatever reason made sense to them (Martin a recent example), and this case as well.

Regardless, it's clearly time for drastic measures, as the NSA security team has proven to be a complete farce once again.

JonKnowsNothing • October 6, 2017 1:57 PM

There was a super interesting blog on Brian Krebs site a while back detailing how Malware Providers use a Stealthing Service to evade AV detection.

iirc the malware developer ships a copy of their code to another anonymous service which runs that code through every known current variant of AV detection. They encrypt and re-encrypt until they get a zero-hit rate. This version is returned to the malware developer for deployment.

In this case he was detailing how the bad guys do it but it's not too far to imagine this is exactly how the sort-of-good-guys-depending-on-where-you-live do it.

It might be that the person was attempting to "live test" that the NSA-zero-hit code was really zero-hit.

In which case ...

Either the NSA zero-hit team goofed

Or

It worked exactly as intended and got picked up by the only system that they selected that could detect it.


JonKnowsNothing • October 6, 2017 2:12 PM

@ Retired Secret Squirrel

Mr Delisle would give Ames and Hanssen a run for that title...

Comes from looking too close to the red white and blue to notice the blue part is missing..


ht tps://en.wikipedia.org/wiki/Jeffrey_Delisle
ht tps://en.wikipedia.org/wiki/Stone_Ghost
(url fractured to prevent autorun)

JohnnyS • October 6, 2017 2:55 PM

@Bruce,

"What is it with the NSA's inability to keep anything secret anymore?"

"Three can keep a secret, if two of them are dead." Attributed to Benjamin Franklin.

If the TLA agencies are going to hire hundreds and thousands of workers to handle, share and learn very sensitive information, it's going to leak, sooner or later. You will ALWAYS have a Snowden or a Manning as long as you continue to spread secret information around to far too many people. They need to cut back on the number of eyes that see this stuff.

Clive Robinson • October 6, 2017 3:48 PM

@ Grauhut,

Kaspersky Software is available everywhere, so why did no indy security researcher ever find such an evil Russian backdoor in it?

The same thought occurred to me, as CarrierIQ got caught by an indy.

I must be honest and say I don't use AV software on my dev machines as it has caused no end of grief in the past. As a consequence my dev machines only talk to a private "hardwired" network by Cat-5.

I know some people consider that having your own personal air-gapped network is "Geek paranoia". But hey, would you allow work from an "untrusted network" to run on your protected network?

TeddyR • October 6, 2017 3:56 PM

Two thoughts on this:

1.
Is NSA somehow a useful idiot here?

2.
I don't think this just spells the end for Kaspersky. I think this is going to spell the end of 'AV' in earnest. The end of AV has been talked about forever but now your average Joe is going to begin to get wise to it.

Contravectors • October 6, 2017 4:03 PM

"What is it with the NSA's inability to keep anything secret anymore?"

Contractors.


wumpus • October 6, 2017 5:16 PM

@Ryan "In all seriousness, I feel that Kaspersky is likely not a full pawn of Russian intelligence, but rather just a target of opportunity that the FSB & other agencies have leveraged in attacks elsewhere."

While it is certainly possible that rule of law is more stringently followed in Russia than in the USA, I certainly wouldn't be surprised if Kaspersky was slipped the Russian equivalent of a National Security Letter. Should Russian Intelligence be interested in slipping routines into Kaspersky software, I'd expect it would be easy to do so.

I'm also wildly amused by the idea of Microsoft working together with the NSA. Not that any morality would stop either of them, but between Microsoft's "no security whatsoever" (not to mention H-1B permatemps writing the actual code) and the NSA's completely anal security practices, getting anything done would be spectacularly useless. All for "backdoors" in an operating system that can be trivially hacked. The backdoors might be there, but I suspect they are only used by teams that found them independently (which probably include those in the NSA).

I'm not saying the NSA would give up if they need a backdoor. I just suspect that after *way* too many futile meetings, some staffer might suggest using the myriad of backdoors already available and shelve adding more until needed.

Sancho_P • October 6, 2017 5:23 PM

Hilarious! This is a huge deal (@Bruce), but not for the NSA.
On the contrary, a superb advertisement for the Russian Security SW:
Kaspersky Lab antivirus software detects top secret (NSA) spyware
on a PC and sends it home to investigate.
This is exactly what an AV SW is expected to do. Kudos!

From the WaPo’s FUD story:
“It’s a lot harder to beat your opponent when they’re reading your playbook, and it’s even worse when someone on your team gives it to them,” said Sen. Ben Sasse (R-Neb.).
Cheating when playing blind man’s buff is nasty, we all know that.
What the Russians do to the American IC is severe child abuse and therefore they must be prosecuted, esp. without evidence, judge or notice.
Similar to Bin Laden. Because we can.

Look, there is this mysterious piece of software, it is neither encrypted nor hidden.
But very likely exxxxtreeeeeemely dangerous.
Who knows?
It’s so sophisticated that it’s completely unknown (to the American IC) what it does, but, be assured, it does harm the US National Spy Agency.
It’s COTS software. People buy it. People run it. Probably Trump does. OMG.
But for sure the DNC did it - oh wait, we are back at the beginning:

“It’s astounding and deeply disturbing that the Russian government continues to have this tool at their disposal to harm the United States.” (Shaheen)

No evidence. No intelligence.
Worse: Anonymous sources familiar with the fact that Kaspersky antivirus identifies (NSA) malware on any PC.

But what the US IC does to the Russians borders on physical cruelty.
Worse than by any embargo they are hampered by laughing day in, day out about America.

If you want to protect your machine use Russian AV software!!!

Grauhut • October 6, 2017 6:09 PM

@Clive

11th commandment: Don't talk about it! :)

But you are crazy if you don't have onion like security rings and internal sniffers and honeypots. It's fun to read some logs sometimes. Mostly after testing some new iobs toys or firmware updates. ;)

If I want to let the whole world know something I use a Windows box with KAV and a side loaded Chinese phone management software on it. Sometimes the alphabet community is a valid marketing target cause they are the only part of .gov listening to you! :D

JonKnowsNothing • October 6, 2017 8:14 PM

It would not be too hard to access anything with or without help from Outside with the latest feature from Apple:

A rather cute picture shows you can ask for a PW Hint to unlock your encrypted HDs.

You don't even need the FSB to have penetrated the system, you just need Apple OS.


ht tp://www.theregister.co.uk/2017/10/05/apple_patches_password_hint_bug_that_revealed_password/
(url fractured to prevent autorun)


IIRC in the past there have been plenty of hints that US Corps and Strong Relations have been served with various types of warrants to slipstream code and officially-approved-spywares into systems. The US Courts have found this to be Just Fine And Dandy.

If in doubt this book has some interesting insights as to why NOTHING is un-expected and un-tracked.

Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are [Seth Stephens-Davidowitz]

There is no way this could have been a "surprise" to the NSA.


gordo • October 6, 2017 9:34 PM

House Panel Receives Classified Briefing on Kaspersky
By Billy House | Bloomberg | September 26, 2017

On Sept. 14, the committee sent a letter to Eugene Kaspersky, the company’s chief executive officer, asking him to appear at a hearing on Sept. 27. At the time, the committee said it wanted to conduct oversight of the cybersecurity posture of the U.S. government and examine how much it relied on Kaspersky products. But the hearing was postponed and hasn’t been rescheduled.

https://www.bloomberg.com/news/articles/2017-09-26/house-panel-is-said-to-receive-classified-briefing-on-kaspersky

U.S. House committee calls new hearing on Kaspersky software
Dustin Volz | Reuters | October 6, 2017

The House science committee did not say who would be called to testify at the [October 26th] hearing.

https://www.reuters.com/article/us-usa-kaspersky-hearing/u-s-house-committee-calls-new-hearing-on-kaspersky-software-idUSKBN1CB2K6

See also: https://science.house.gov/news/press-releases/sst-committee-probes-kaspersky-lab-cabinet-level-request

Theatre* aside, a sober space of honorable agreement and sense of détente is desirable. In that light, the House committee should reinvite Mr. Kaspersky to testify.

-------

*Theater:

NSA (No Security Anywhere)
YANCS ("yet another NSA contractor stealing")
MSM (Meddling Straw Man)
=====================================
YARNS (Yet Another Russia News Story)

J.B. • October 6, 2017 10:59 PM

@Sancho_P • October 6, 2017 5:23 PM
Hilarious! This is a huge deal (@Bruce), but not for the NSA.
On the contrary, a superb advertisement for the Russian Security SW:
Kaspersky Lab antivirus software detects top secret (NSA) spyware
on a PC and sends it home to investigate.
This is exactly what an AV SW is expected to do. Kudos!

That's pretty much my sentiment too. After reading this sort of story I feel like perhaps I should switch to use Kaspersky if their product is that good (+ being that I do not work for NSA nor want NSA stuff "accidentally" running on my machines).

justina colmena • October 6, 2017 11:27 PM

@russian trolls

Kaspersky Lab antivirus software detects top secret (NSA) spyware on a PC and sends it home to investigate. This is exactly what an AV SW is expected to do. Kudos!
  1. "top secret (NSA) spyware on a PC" is a delusion or false flag
  2. kaspersky has shady connections to thieves in law
  3. the same old thieves in law are running that tired old "antivirus" protection racket on microsoft windows

Ollie Jones • October 7, 2017 8:52 AM

If there's any lesson of the past few years of infosec history, it is this: Secrets don't stay secret.

Depending on firewalls and other perimeter measures to keep secrets is a form of "security by obscurity." Most people who know Dr. Schneier's work know how ineffective it is. A resilient global security system needs other kinds of infosec defenses in addition to perimeter defenses.

Maybe secrets should be kept in smaller caches, so fewer secrets leak in each given incident.

Maybe monitoring and prompt public disclosure of incidents should be mandatory.

Maybe the useful lifetime of secrets should be limited somehow. (Get day-1 software exploits scheduled for fixes. Rotate and change up taxpayer id numbers. This one is hard.)

We have to change our thinking. Just blaming people is proving to be stupid.

Winston Smith • October 7, 2017 11:37 AM

"What is it with the NSA's inability to keep anything secret anymore?"

Institutions are run by people. Even well trained people's psyches are vulnerable to being "human" (for all that that entails).

I'm suggesting that the NSA is still unprepared for the situation where trusted individuals inside the organization socially engineer their way toward "whistleblower" status because they 1) are afflicted by the wholesale privacy and security crimes committed by their own organization or 2) perhaps seek status and gratification by copycatting Snowden, Binney, et al. Or both.

With regard to Kaspersky, personally speaking my takeaway from this post is that security is predicated on trust, of course, and, you can't trust anyone.

Here's another example: Piriform's CCleaner (owned by Avast) was distributing malware in their binaries, apparently without their knowledge. This software (not necessarily the infected version) has been downloaded hundreds of millions of times. The brand name has cultivated trust among a large community.

https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

You can't trust anyone, yet, the world will not function without trust. So there is no choice but to trust the untrustworthy. Over and over again.

Ed Johnstone • October 7, 2017 3:21 PM

@more trolls:


  1. "top secret (NSA) spyware on a PC" is a delusion or false flag

  2. kaspersky has shady connections to thieves in law

  3. the same old thieves in law are running that tired old "antivirus" protection racket on microsoft windows


Grendel • October 7, 2017 3:29 PM

@Grauhut
Sounds a little like "we hate Kaspersky for detecting and copying our sh*t from this traitors box". :)

Kaspersky Software is available everywhere, so why did no indy security researcher ever find such an evil Russian backdoor in it?

Good question.

@Clive Robinson
The same thought occurred to me as CarrierIQ got caught by an indy.

If I remember correctly, CarrierIQ did not run on PCs but on network hardware. But correct me if I'm wrong here.

Bear • October 7, 2017 3:44 PM

I am quite happy that my new job is not in security.

The real issue is that this guy took classified bits home with him.

As a former security guy, I can testify that it is damned difficult to get buy-in from all the people who work with anything about it actually being secret and that it is not okay to take it home. There are always a few who don't get the memo, a few who don't understand what it means, a few who don't take it seriously, a few who don't think it applies to them, a few who think they are good enough that they won't cause the kind of problem the rule is supposed to prevent, etc.

And it only takes one of them being wrong. That's the thing they don't get. 99% isn't good enough. If 100 people take it home and 99 of them don't cause a problem, there is still a problem, and the problem is just as bad as if all 100 of them had caused it. That's the nature of secrets and confidential information.

The link that gives way is always something that's obviously stupid in hindsight. Putting penetration tools on an unsecured laptop with a Russian AV program that sends copies of unfamiliar malware home? Um. Well, yeah, that doesn't seem smart. But he probably hadn't thought about where his AV was from or that it sent files home in a year. Somebody always fails to think of all the things about their environment and risks that makes it a bad idea; that's why you have to count on them to think of their orders that say DON'T TAKE IT HOME instead - much simpler, much more immediate, much harder to forget.

But that presumes you can get 100 out of every 100 people to take the damned security orders seriously. 99 out of every 100 isn't good enough.

Tamper Tentroom • October 7, 2017 5:47 PM

@Mr. Bontchev,

Thank you for weighing in, I value the years of hard work you put in.

Clive Robinson • October 8, 2017 1:10 AM

@ Grendel,

If I remember correctly, CarrierIQ did not run on PCs but on network hardware. But correct me if I'm wrong here.

CarrierIQ's software was installed on mobile phones by the mobile network operators.

Supposedly it was a "Tech support tool" in that just about everything you did on or with the phone was logged. Then the logs were sent to CarrierIQ's servers, with what in effect was plaintext of your SMSs and anything else you typed in etc.

The result would have been for the NSA a "god send" because all they would have to do is sit on the upstream node from CarrierIQ's servers and hoover up what passed by.

If you want to know more about the CarrierIQ "RootKit" have a look at,

http://androidsecuritytest.com/features/logs-and-services/loggers/carrieriq/

But NOTE that information was from CarrierIQ's public information, the software most probably does more, much more.

Gunter Königsmann • October 8, 2017 6:58 AM

Perhaps this NSA hack was simpler than it seems. I imagine it the following way:
1) Programmer takes something home for extra work that is supposed to be a NOBUS.
2) The PC of the programmer is protected by a virus scanner that is intelligent enough to detect that the code is suspicious and configured to send this code to the experts.
3) The experts see code that looks like a state grade attack and inform their government.

Wouldn't surprise me, that.

Dr. I. Needtob Athe • October 8, 2017 7:47 AM

Arthur says:

"To make any argument stronger, should we not be wary about using "unnamed sources" as concrete, definitive evidence of malfeasance and criminal activity. "Unnamed sources" and random hearsay evidence are not to be trusted."

If you receive a message from an anonymous source, then no, you have no reason to trust it. A good example would be a chain email telling you to "pass this on to ten of your friends."

But when the report itself comes from a source you trust with a well-established reputation, then yes, the report can be trusted even if the identity of the original source is protected. You may not know where the information originally came from, but you can be confident that your trusted source does know, and they're highly motivated to preserve their reputation by reporting only information from sources they trust, while simultaneously protecting their identities in order to maintain their trust and their willingness to continue providing newsworthy information.

I guess you could call it a sort of "web of trust."

Clive Robinson • October 8, 2017 8:31 AM

@ Dr. I. Needtob Athe, Arthur,

But when the report itself comes from a source you trust with a well-established reputation, then yes, the report can be trusted even if the identity of the original source is protected.

That's all well and good if it's "you" that knows the contact. Unfortunately it's not you or me or Arthur that know these unnamed contacts, which I'm assuming that none of us do.

We are at least one step removed through a journalist. Now I don't know the journalist and do not think I've ever read any other news piece by them. Which is a problem because the WSJ piece is, how do I put it politely, not of a standard I would expect of an investigative journalist, or even a desk reporter.

Now I don't know as much about the US MSM as I could do, but largely I've learned to be suspicious of them and political and government insiders. Often what is reported is not what the journalist has found out but what the journalist has been handed by somebody playing political games.

Thus my cautionary warning about the WSJ article.

Dr. I. Needtob Athe • October 8, 2017 9:23 AM

My previous post was as general as I could make it without naming any specific news sources, but I do agree with you about the WSJ (Wall Street Journal). They're not particularly trustworthy.

However, there's no news source in the USA that has established itself as more reliable on political matters than the Washington Post, and that's who we're talking about here.

Tatütata • October 8, 2017 11:24 AM

Often what is reported is not what the journalist has found out but what the journalist has been handed by somebody playing political games.

That is by no means new or exclusive to the US. I witnessed first hand how the leak game is played. The trick is to find the sweet spot between the hack's biases, interests and constraints, and the message to be communicated, taking into account the notion of the "news cycle". Yes Minister...

Thorough investigative journalism involving FOI battles and patient data crunching produces too few column inches for the buck, or won't sustain reader interest long enough.

BTW, the WSJ is these days a Murdoch rag.

Frank Wilhoit • October 8, 2017 11:54 AM

"...What is it with the NSA's inability to keep anything secret anymore?"

It probably has a lot to do with the fact that if you keep acting like you'll never need a friend, then when you do need one, you won't have any.

(These are weasel words, but you deprecate "politics".)

Michael • October 8, 2017 12:53 PM

Some IT companies (Google being one example) provide secure laptops to all employees dealing with technical stuff, so they could work from home. It is hard to believe that NSA does not do the same for their elite hackers, unless the management is totally incompetent.

Cassandra • October 8, 2017 4:26 PM

There's an old debating tactic that is used to sow confusion/doubt in the minds of impartial onlookers: first accuse your opponent of doing what you are suspected of doing, and complain about it in the strongest possible terms. Then, when your opponent accuses you of doing the same thing, mischaracterise it as sour grapes.

Given the existence of National Security Letters or their equivalent in other countries, and the privileged position of Anti-Virus software, I would not be surprised if most, if not all such software, quietly phones home to report novel malware and a copy of that either explicitly, or by clandestine monitoring techniques, is obtained by the relevant national (cyber) intelligence agency. It's what I would do.

The news here is not that Kaspersky phones home, it is the lax security apparently exhibited by the NSA. It is almost as if they are trying to appear incompetent.

Furthermore, if this really had significant national security implications, a block on reporting it would have occurred (what used to be known as a 'D'-notice in the UK). Anyone who thinks that 'The First Amendment' allows journalists in the USA to publish what they like is being naïve.

Clive Robinson • October 8, 2017 4:52 PM

@ Cassandra,

what used to be known as a 'D'-notice in the UK

DORA was such a lovely girl...

The thing is that D-notices had no real legal teeth, and after Maggie Thatcher repeatedly made a fool of those condemned by their duty to fall on their sword over it people started to give the D-notice scant attention. Which is why you don't hear of them.

Cassandra • October 8, 2017 6:08 PM

@Clive

Well, they have been rechristened DSMA notices - see https://en.wikipedia.org/wiki/DSMA-Notice and http://www.dsma.uk/, but they are still 'voluntary'. That said, dissemination of TOP SECRET classified material will allow prosecution under the Official Secrets Act 1989. Section 5 allows for "the prosecution of newspapers or journalists who publish secret information leaked to them by a crown servant in contravention of section 3. This section applies to everyone." Public interest immunity was removed by the 1989 act. Whistleblowing can be a dangerous action.

Clive Robinson • October 9, 2017 1:58 AM

@ Cassandra,

That said, dissemination of TOP SECRET classified material will allow prosecution under the Official Secrets Act 1989.

I don't know if you know, but even though Maggie Thatcher tried to reduce the number of "defenses" in OSA, one oddity still remained. Which was if you had committed the act of breaking national security, you could claim the defence of doing it for national security (if you had done it in a certain way).

Wesley Parish • October 9, 2017 4:57 AM

I've worked my way through the comments while listening to The Man From Ironbark, an Aussie song made from a well-loved poem by Banjo Paterson, and the two seem to go together. (I don't do paywalls.)

Let's see: Kaspersky is a Russian firm. We've seen how the NSA operates in the US with US firms: it is expecting miracles to demand the Russian security apparatus doesn't do the same sort of thing. This is NOT the Age of Miracles.

What is it with the NSA's inability to keep anything secret anymore?
I believe I may have previously quoted the US WWII Intelligence and Propaganda veteran and CIA dogsbody Dr Paul Myron Linebarger aka Cordwainer Smith on the joys of unprotected universal secrets. If you label everything you can, "TOP SECRET", you've got a vast wetted surface, and having more wetted surface than strictly necessary is strictly a NO-NO in serious hydrodynamics and aerodynamics engineering. And on a boat while crossing an ocean when the wind velocity reaches 60 to 100 or more knots.

One could go all political and say the NSA is part of the US vulnerability vector, and is designed with the specific purpose of failing to secure anything it touches.

Bob • October 9, 2017 11:32 AM

I think on terms of politics and psyops and info warfare. This is a recent DNC post-Kennedy commie fear thing, in light of their stunned loss. Fog machine. If the US were genuine about it, why would Kaspersky gain traction as a federal contract from the beginning? As I have said before, however, why would Kaspersky even attempt a govt contract given their history of busting US fail out?

That can be re-formulated. How stupid are govt workers to allow Kaspersky from the get-go? If I cannot figure the smear, it makes the pinnacle of govt retardation anyways. Security clearance procedure for contracts? WTF?

Consider some US consumer behavior/psychology: people use Kaspersky with the idea that such a foreign company will work hard to expose fail and malware stateside. That is polar to using a US-born AV company which may be part of the problem.

I think in terms of liability to the consumer. Third-party AV bears no liability to your machine. Windows, Apple, Alphabet, etc. does. People scoff at the idea of relying on Windows Defender until they realize the slime factor of IT. Liability and procedure trumps an AV company.

I can't believe it. I would be firing people left and right. Firing would be the only proof to the story. Just like the OPM story. What's her name was like "we still have COBOL crap" and "a meta-doc download burned your expensive AI firewall." Go ahead and let 1st-gen Americans pass security clearance.

Denialism is a GOP patent • October 9, 2017 12:19 PM

"This is a recent DNC post-Kennedy commie fear thing, in light of their stunned loss. Fog machine."

It appears you're not reading very much about this and just inject political opine where you have holes in factual narrative.

You want to pretend the Kremlin has no interest in destabilizing the US, that's false.
Demonstrably false. Proven many times. Impossible to deny at this point. Fact.

Kaspersky itself has not been proven to have done anything malicious, at least in public, but their close ties to the KGB/Vympel (of necessity, says Eugene - and I buy that) coupled with the fact that KAV is detecting NSA malware (a feather in KAV's hat IMO) have made it reasonable for US contractors to move away from the platform to minimize the potential impact if another shoe drops. This isn't unreasonable.

" Third-party AV bears no liability to your machine. " - legally that's horseshit.
I'm not going to write a legal paper proving that, you can google EULAs for yourself.

"Firing would be the only proof to the story." - Reductive logic = no logic at all.

Trump supporters need to think more.

Bob • October 9, 2017 1:03 PM

@Denialism
No. And I am not a Trump supporter. I am a non-voting centrist that hates both parties.

This Kaspersky contract situation pre-dates Trump. Their Virginia office was prior to. That puts Hillary's lack of DSS procedure and security clearance at the front. I also watched Obama do roughly jack during Crimea. We also know that the Clintons accepted over 2mil from Russian Uranium lobby into their charity.

What I see is the DNC writing hot checks, trying to dump everything on a new president before his first year is over. I see Mueller trying to hammer puzzle pieces together that don't fit. You can't dump on a new president what was started in previous administrations. You can't verify Russians with a voting system that doesn't even have an ID check. Putin didn't hack my brain with adspace. Yes, I am questioning the Democrats PBS NewsHour logic. Get used to it.

" Third-party AV bears no liability to your machine. " - legally that's horseshit.

No it's not. They don't. The OS is responsible for distro vulnerability and your third party servers and apps are responsible for their vulnerability. An AV company is legally not responsible to catch everyone's lack of security. EULAs not withstanding for anything. AV only has a "reasonable" attempt at solving someone's problem. Find me a court case where an AV company was sued for not catching a new virus. At least the OS bears some guilt for app fail and bad OS design, if not behavior-based. Since AV will catch a new virus after damage was done, the reason why corporate America now buys cyber-insurance.

The same situation applies with third-party security firms. They do damage control and tell you what you should already have known, otherwise there is no need for a security firm except for preventative auditing.

"Firing would be the only proof to the story." - Reductive logic = no logic at all.

Since I really haven't been shown anything but information warfare, hunting down the person that allowed the Kaspersky contracts is a priori. Sorry, but journalists are paid to run stories.

Maybe it would scare you that there are more than two sides. Life is gray-scale, not a binary process. Since a centrist doesn't have a buy-in, I can laugh at the descent. Consider dropping allegiance in order to solve problems.

Let's be reasonable. • October 9, 2017 1:31 PM

"What I see is the DNC writing hot checks, trying to dump everything on a new president before his first year is over."

= I can't tell if you're serious about this, or serious about not being a Trump defender...

"Maybe it would scare you that there are more than two sides."

Why should it? I didn't vote for Hillary nor Trump. I actively campaign against both.

The fact is there ARE two political parties that dominate the US. One of them plays off the other and vice versa. One cannot and need not listen to their respective rhetoric to come to an apolitical and disaffected vantage point to compare the two in reasonably rigorous metrics. That comparison seems to be impossible for Trump supporters and as seen they try to obfuscate their way away from it at all opportunities. Hillary supporters may be quick to cry foul but that doesn't mean no fouls existed. They did, and they continue to. They will be problems in the future - and you're basically giving the current administration a pass not only for not dealing with them, but pretending they don't exist in an increasingly unbelievable fashion.

"Since a centrist doesn't have a buy-in, I can laugh at the descent."

BS, frankly. If you're a citizen you have as much to lose as anyone else. Anarchy has never proven itself a viable solution and so Libertarianism has never been more than an escapists ideology from the reality that is governance.

"Sorry, but journalists are paid to run stories."

And they're mostly also paid to vet those sources, confirm details, and stand by them - or be fired. (Fox, an exception)

"An AV company is legally not responsible to catch everyone's lack of security."

-Was not claimed by anyone to the contrary. They are responsible for THEIR security, in side the platform in which they operate, to the extent that their EULA cannot shield them from every conceivable failure that leads to damages for a plaintiff.

To say " Third-party AV bears no liability to your machine " is false as stated. Fact.
You can hire a lawyer and look into this yourself.

" You can't dump on a new president what was started in previous administrations. "

No one has done that here. We hold Trump accountable for his own actions/words.
He contradicts the 17 intelligence agencies and offers NOTHING as proof.

Let's face it, you're defending Trump and pretending none of this is his fault because Obama existed and in some form or another everything is his fault as a result.
You want to pretend loose journalism standards are to blame for this. Ha.

I hope Breitbart sends you a nice check for maintaining civility with this obviously intentional dissonance.

Let's be reasonable • October 9, 2017 1:42 PM

"That puts Hillary's lack of DSS procedure and security clearance at the front. I also watched Obama do roughly jack during Crimea. We also know that the Clintons accepted over 2mil from Russian Uranium lobby into their charity."

And you pretend to be a centrist while you toe the Fox News party line?
Bob, a little more honesty would go a long way. Try that someday.

You're running distraction for Trump and blaming Hillary. Hillary is not POTUS.
She will never be.

Trump is not vindicated nor condemned by a CNN report. He is condemned by a proven lie that comes from his lips and has massive paperwork contradicting it that he has read.

Security requires trust. Hillary violated that trust and paid a political price.

Trump has in fact done EXACTLY what Hillary has done, specifically using a 3rd party 'private' email for government business and disseminated 'secret' 'sensitive' 'noforn' information to people without clearances. Fact. His failures in security do not end there, rather he has doubled down to attempt to make his supporters question what constitutes a security failure and what is just his "business know-how" instead.

All while they continue to chant "lock her up" for that which his family members, who he nepotistically appointed to high US offices in contravention of US laws, (http://thehill.com/homenews/administration/353572-doj-releases-memos-that-supported-coverage-of-presidents-in-anti) are without question admittedly guilty of themselves.

Now you want to pretend to be "fair and balanced" about things, that's great.

Just try to make it more plausible please, as you pretend not to be a Trump defender while implausibly defending same from attacks he himself has levied in the near past.

Cassandra • October 9, 2017 2:56 PM

@Clive

No, I didn't know about that oddity. Nice though it is, I wouldn't like to have to rely upon it.

The active suppression of (embarrassing) discussions on national security grounds is probably one of the causes of the creation of Wikileaks.

Bob • October 9, 2017 3:06 PM

First off, I used to be an admin for a corporate law firm and know business liability and the weight that is on the admin to provide security. EULA bears little liability concerning AV company when the defense lawyers point to the criminal causation and true intent. I had to work through NT4 and Norton Server which was hell. You have to prove gross negligence, such as not adding a virus profile which has been around for awhile. That gray zone allows for judicial precedence, important for the IT community, and something I hate.

It is the lack of explicit liability of an AV company that makes Kaspersky dangerous, regardless of Russian backdoor which is currently just an allegation since I haven't heard any technical proof. On pure common sense, I would not allow a foreign born company work on federal sector security. Other countries' governments do not have that luxury, but we do.

I am playing counter-point at the Dems pattern of insinuation and re-kindled commie fear when we do business with them every day. Yes, liberal journalists and Dems are insinuating quite a bit. The binary logic that I am defending Trump de facto is wrong. I think he is an inarticulate sycophant. Just trying to remind Dems they are not God's chosen party of flawless morality. Some people can see the game. You think that only conservative outlets are guilty? Get real. You are the one that needs some honesty.

Yes, they pull the same crap. Again, your binary response is a bad assumption.

Yes I can laugh. How are two failed parties better than one failed party? Since I follow the Pirate Party in Sweden and Iceland, I am looking for 3+ options. Our politicians have strings attached that will not provide allowance. Sometimes you have to break the system before you can fix it. Let it break. I stand on the perimeter. Part of this country's problem is the State Dept., both parties guilty of doing nothing. Our politicians' fear tactics don't work on me because I throw it in the trash. Have a nice thread and go hug a terrorist we let in.

aboniks • October 9, 2017 5:38 PM

So, the NSA writes up their methodology for stealing data, which is then stolen by someone they hired and vetted, and then stolen again from that person, by people who the NSA regularly tries to steal data from.

Meanwhile, we're all supposed to pretend this is really a story about Kaspersky.

Bob • October 9, 2017 6:11 PM

@aboniks
Thank you for your efficiency. Nobel Peace Prize that.

At what point in time do you make a decision about our govt's competence? What does it take?

Do you need Ed Snowden? I have one thing: CALEA. That's all I need.

You are not American if you risk your lifepath infiltrating a govt agency. We don't need it... no really... we don't. So if some journalist gets a story from some pissed off NSA agent that got a pink slip, what does that mean? It means no proof.

This idea of infiltrating the govt and spilling the beans is sociopathic. The idea of getting your cherry popped on intel is bogus.

My message to journalists: stay on campus until you figure out scientific theory and proof. "I have to protect my sources." Maybe that means don't run the story. Get a real job.

RatioOctober 9, 2017 10:35 PM

Jonathan Nichols has an interesting theory on Twitter:

I've previously highlighted to anyone who cares that there is a massive loophole in the Vulnerabilities Equities Process... […] See VEP paragraph 6.2.d. vulnerabilities developed by US contractors on unclassified systems are exempt from the review process... Because of this loophole, it makes PERFECT SENSE for an NSA contractor to develop malware while on his home (unclassified) computer. If that contractor happens to use Kaspersky anti-virus, it then also makes PERFECT SENSE how Kaspersky saw the NSA malware and reported it.

WaelOctober 9, 2017 11:08 PM

@Ratio,

it then also makes PERFECT SENSE how Kaspersky saw the NSA malware and reported it.

To detect and report such malware is possible. To attribute it to NSA, Kaspersky would need another piece of information: how would Kaspersky know the contractor works for NSA?

Clive RobinsonOctober 10, 2017 12:32 AM

@ Cassandra,

The active suppression of (embarrassing) discussions on national security grounds is probably one of the causes of the creation of Wikileaks

Thus we should perhaps ask "the who, what, where" questions about the onset of "over classification". If I remember correctly it was noticed that low classified information could be used as what we would now call meta-information to deduce the existence of things that were classified all the way beyond secret. Kind of like "traffic analysis" on public information.

One such trick being to cross-reference publicity information from various companies that indicate they have worked on defence contracts. You often find names of projects or products that can give an indication of capabilities or terms with which to make other searches of information.

One such search these days might be on, say, the CVs on LinkedIn, which would give other terms, project names and even names of people.

Another search method might be by using Freedom Of Information (FOI) requests on the terms to get further documents or document names etc.

From both of which you can then get other names and terms to make further searches/requests on, that give you other names and terms to make further requests on...

Each time you build up a little more information in your "catalog" till you can make definite statements. It's the sort of thing investigative journalists are supposed to do.

One way to stop this or at least make it very much harder is to make as much information as you can "secret". Unfortunately that also makes hiding one's embarrassments or burying information on fraud oh so much easier, which we know has happened and now makes us rightly suspicious.

It's been going on so long that it had made its way into comedy programmes even forty years ago, such as the likes of "Yes Minister" and its follow-up "Yes Prime Minister".

Baron Vladimir HarkonnenOctober 10, 2017 3:30 AM

https://en.wikipedia.org/wiki/Kaspersky_Lab#Malware_discovery

Kaspersky Lab’s Global Research and Analysis Team (GReAT) was established in 2008. It investigates cybersecurity threats and other work by malware operations. IT security companies are often evaluated by their ability to uncover previously unknown viruses and vulnerabilities. Kaspersky's reputation for investigating cyber-security threats has been influential in gaining international sales and prestige.

Beginning around 2010, Kaspersky exposed a series of government-sponsored cyber-espionage and sabotage efforts. These include Stuxnet, Duqu, Flame, Gauss, Regin and the Equation Group. According to WIRED, "many of them [were] seemingly launched by the US and its UK and Israeli allies. Kaspersky is especially well-known for its work uncovering Stuxnet and Flame."

Stuxnet
Flame
Red October
Mask
Regin
Equation Group
Duqu
Android cyber-espionage (Hacking Team)
Silverlight
Poseidon Group
And....

I'll use Kaspersky's Free AV from now on. I also appreciate their free Linux AV LiveCD!

TuesdayOctober 10, 2017 11:53 AM

@Ratio Very interesting theory indeed.

Perhaps the NSA is no different than your average software company today. A 'do code anything' and 'get stuff done' mentality subverts policy and active controls. In NSA's case this means forcing counter measures to prefer institution of passive detection and response. i.e. if you do wrong, we may not prevent it, but we will know, and you will get burned.

TuesdayOctober 10, 2017 11:59 AM

@Wael I disagree. The amount of interesting information available in this developer's filesystem and logged to Kaspersky could have been enough to flag NSA roots early on. And even if not, Kaspersky's crew may have started analyzing the 'interesting' malware as they normally do when encountering something new in the wild. Knowledge that the source was NSA may not have been immediately apparent or relevant until Russian intelligence caught wind of it. It does not mean they were colluding with Russian intelligence, only that RI knew about it and thought it was interesting too.

We don't know if Russian intelligence used Kaspersky's client to gain entry or if they just used the SIGINT from the client to target the computer and used some other means to gain entry.

It is possible that Kaspersky is just an unwitting participant. Russian intel most certainly infiltrates Kaspersky just like any other key organization, but we're not sure to what degree Kaspersky is aware of it. We may never know the truth.

Regardless, widely shelving Kaspersky software is the only solution here.

WaelOctober 10, 2017 1:07 PM

@Tuesday,

I disagree. The amount of interesting information ...

I understand. Your disagreement is valid under one condition: that I negated Kaspersky has the means to correlate data and infer that a contractor works for NSA. What I wrote was:

To detect and report such malware is possible. To attribute it to NSA, Kaspersky would need another piece of information: how would Kaspersky know the contractor works for NSA?

In reality, they can correlate such data. Kaspersky, you see, uploads a huge amount of information from the systems they protect -- something US based companies cannot do because of privacy issues. I had Kaspersky once upon a time on one of my devices. A really good AV solution. But one day I noticed something I didn't like when I looked at the traffic. I spoke to one of my -- remain nameless -- colleagues who works in the AV industry, who basically told me: "We can't do what Kaspersky does because of regulations."

In essence, Kaspersky is able to see local file systems, including PST files, and other meta-data that gives them X-ray vision into the device and the user they protect. Now I am not accusing Kaspersky of deliberate malicious intentions. Unlike @Vesselin Bontchev, I do not know Eugene Kaspersky personally, but I am giving him the benefit of the doubt. The fact that Kaspersky may be (I say may be because I have not validated that myself) collecting PII and other things from local file systems puts a huge liability on their shoulders. This liability does not erode regardless of whether any "breach" of users' PII data happens intentionally or unintentionally on their servers. They have it, they are liable, and unfortunately accusable as well.

So why did I write my initial comment the way I did, you may ask! The answer is: I have no proof to make accusations, and I cannot validate the authenticity of all the information being shared. I don't know what's fake from what's true. All I know is that I don't want Kaspersky to get that level of information from my system. To be honest, on some of my systems I don't use any AV solutions, because Kaspersky wasn't the only AV that did things I did not like.

BobOctober 10, 2017 1:11 PM

They did gain a lot of prestige. Especially back when Norton was so bad it looked like part of the problem. Years ago, I brought up the idea that AV people know enough to perpetuate their business, however. How strange that Russians had a better profile on the virus database. As if they were so skilled as to gain an edge in the cubicles.

Theory which has proven to work is the Dems are shaming Trump, forced to distance himself from anything Russia so it looks like there is no collusion. Thus, the Dems get their way in re-kindling the cold war. The ghost of Kennedy strikes. What looks prudent and late to me, is timely during this inquisition. There may be collusion or not. Either way, the Dems win, even if there is no Russian backdoor.

The adspace thing is a real campaign. I went to PC Gamer one day and caught a Russian ad I could not replicate because PC Gamer made immediate change.

//Incident 20 Aug 2017 ~1424hrs
//Sitrep
unknown process tcp:6667 37.157.4.14 found with processhacker
spawned from firefox which was updated at that time
imrk.net russian hit counter dns unresolved from eventviewer
failed domain lookup
GoDaddy registrar here in US
NS1.IMRK.NET
NS2.IMRK.NET

37.0.0.0 - 37.255.255.255 failed domain lookup RIPE range

It showed a Russian website before going away. I was dumb to not printscreen real fast. It was taken down in front of my eyes.

Nom de guerreOctober 10, 2017 2:13 PM

"but we're not sure to what degree Kaspersky is aware of it? We may never know the truth."

If there's no evidence KAV did anything "wrong" then "that's the facts" of it. Right?
Occam's razor applies IMO. If we can prove it, then we can accuse it.

The real problem is we're between two competing nations' intel agencies on this.
KAV is caught in the middle. We can neither indict nor defend them without details.
Those details are secret.

"Regardless, widely shelving Kaspersky software is the only solution here."

Isn't that a leap of logic? At least until you can prove it was more than just an unwitting witness to the theft of NSA malware from an insecure environment?

I mean by that logic why are we allowing MS Windows to be used AT ALL? It's a massive ant hill! Is it any more trustworthy? We've CAUGHT MS LYING, and not Kaspersky.

If someone wants to put a hole in KAV and sink it, PROVE this allegation.

KAV = Russian product, US = sanctioning Russia, damaging their exports is a strategic aim since the 50's, and if you kick out everyone based on an innuendo alone why stop there?

And if it's NOT innuendo, isn't the government (US) responsible for providing evidence to people to defend its action to warn against a consumer-grade product?

And if it's NOT innuendo, shouldn't we be doing more to ensure that it isn't used all over critical businesses and infrastructure, which this US.gov exclusion does NOT do?
It all seems very half baked and half believed.

KAV is not Putin. Putin himself likely sees value in not torpedoing his export s/w.
If for no other reason than continuing to use it for surreptitious data collection.

So what possibilities are we left with?
1. It's a s/w flaw in KAV that was exploited. -possible
2. KAV did its job yet data was intercepted, then exploited by other tools -possible
3. A setup by NSA to embarrass itself with the aim of hurting Russian exports. -doubtful

I'm leaning at 2, it seems more likely than 1. KAV has admitted its flaws in the past and if this one exists presumably someone would expose it. Eugene has his credibility on the line and to date he has defended that with all due rigor. Would he flush it all for this single op to procure NSA spying tools that he's already detecting? IDTS.

ClipperOctober 10, 2017 2:46 PM

I wonder how this can be: the NSA has a budget of gazillion dollars and yet the employees/contractors are such amateurs. Now they complain that their top secret malware got detected by some AV software, which sounds more like an advertisement for Kaspersky. So how do they want us to take them seriously?

TuesdayOctober 10, 2017 4:47 PM

@Nom de guerre

"Isn't that a leap of logic? "

Yes, unless one is a citizen of a NATO-backed nation.


"I mean by that logic why are we allowing MS Windows to be used AT ALL? It's a massive ant hill! Is it any more trustworthy? We've CAUGHT MS LYING, and not Kaspersky."

Agreed, there is some truth to this. Trust always has origins. One seems to use MS Windows because of a trust or complacency in either MS, the USG, or whatever laws that govern their citizenry. I cannot think of another reason.

Keep in mind that in 2015 the Russian Federation began enforcing a new law requiring many foreign Internet companies (MS, Google, etc.) to localize their data in service to its citizens or get out. That is a kind of effect that works with the distrust argument.


"At least until you can prove it was more than just an unwitting witness to the theft of NSA malware from an insecure environment?"

Does it matter if the Kaspersky entity is guilty or not? Lines are somewhat drawn by the nations that best represent one's interests. e.g. Should an average US citizen distrust Symantec under the NSA or Kaspersky under the FSB for their AV?

DwarvenHoneypotOctober 10, 2017 5:21 PM

Info plant by either party just for giggles - possible
If there is something real, ident would spread, consumers and businesses told what to do with their installs. Why assume Russians would stop at govt sector? A cordoned off lame story with everyone left with eyebrows raised. Games. To escape govt trolls, turn to page 42.

Nationalism is a fool's checkbookOctober 10, 2017 5:26 PM

"Does it matter if the Kaspersky entity is guilty or not?"

Well that depends if you care about correct attribution of blame in a semi-major (allegedly) hack involving at least 2 nation-state blackhat efforts, ongoing.

There are more than these 2 places in the world, other people would surely like to know.
Will that information leave the intelligence sphere and become public knowledge? Maybe.

I'll tell you this, I sure as hell don't trust Symantec and I'm made of pure apple pie.
I'd like to know. I think the public should know, I think it's important.

Even if it turns out the NSA made the whole thing up - and especially in that case.

WaelOctober 10, 2017 10:22 PM

@Update bygones article,

The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.

Of course. We can also infer the following:

  • Current and former government officials are in violation of their own protocols
  • Rules of classification imply that one can disclose classified information if they are anonymous. Seriously? So if Snowden did not identify himself, it'd be OK?
  • Anyone can contact the NY Times and give them some bogus information and claim they cannot identify themselves because of... "classification rules". If they do identify themselves and trust that the NY Times won't rat on them, then they are naive and I definitely have a few Rolex watches to sell them along with a pile of Enron stocks at discount prices
  • Or is this sentence carefully crafted to mislead, and the real meaning of "classification rules" has nothing to do with "classified information"?

“Antivirus is the ultimate back door,” Blake Darché, a former N.S.A. operator and co-founder of Area 1 Security. “It provides consistent, reliable and remote access that can be used for any purpose, from launching a destructive attack to conducting espionage on thousands or even millions of users.”

Damnit! Protection tools are snitches, too! Damned if you do, damned if you don't!

The N.S.A. bans its analysts from using Kaspersky antivirus at the agency, in large part because the agency has exploited antivirus software for its own foreign hacking operations and knows the same technique is used by its adversaries.

Well, well, well. Is this "official news" too, or was this shared under "conditions of anonymity" because of "classification rules"?

Among them have been nearly two dozen American government agencies — including the State Department, the Department of Defense, Department of Energy, Justice Department, Treasury Department and the Army, Navy and Air Force. [that use Kaspersky]

I wonder if the Chinese use Kaspersky, or US developed AV, at their "Government Agencies". I think the Kremlin uses Norton Anti Virus... Na! I don't believe that for a second. And if they did, then they'll stop that immediately after they read the shocking news piece in the NY Post. If they don't, then I have a few Rolex watches left for them too. Rats! That won't work... They're made in China -- can't sell snow to Eskimos, I'm not thaaat good ;)

That was an amusing piece... Thank you!!!

Brass taxOctober 10, 2017 10:44 PM

From your story,

"It is not clear whether, or to what degree, Eugene V. Kaspersky, the founder of Kaspersky Lab, and other company employees have been complicit in the hacking using their products. Technical experts say that at least in theory, Russian intelligence hackers could have exploited Kaspersky’s worldwide deployment of software and sensors without the company’s cooperation or knowledge. Another possibility is that Russian intelligence officers might have infiltrated the company without the knowledge of its executives.

But experts on Russia say that under President Vladimir V. Putin, a former K.G.B. officer, businesses asked for assistance by Russian spy agencies may feel they have no choice but to give it. To refuse might well invite hostile action from the government against the business or its leaders. Mr. Kaspersky, who attended an intelligence institute and served in Russia’s Ministry of Defense, would have few illusions about the cost of refusing a Kremlin request."

So no real definitive answer as to KAV's direct involvement as anything other than a widely used tool for finding malware signatures, including the capability of detecting NSA malware, which then takes a hash of it and sends that to the company HQ like all AVs do, more or less.

KAV detects NSA malware and is located in Russia. It makes a lot of practical sense that Russian intelligence would use a Russian company's product to detect malware that western companies were not detecting and try to obtain code samples of it.

So there are ultimately 2 possibilities:

Eugene Kaspersky is a liar running a technical spying apparatus wink/nod for the Kremlin under the cover of pretty-darn-good AV that does the job effectively enough to detect NSA malware on NSA folks' home computers also running KAV (d'oh that),

OR, we're underestimating the abilities of state-sponsored hacking-bear groups to infiltrate a major security organization's systems without timely detection and use them for their own purposes, and blaming KAV for being "in on it" without direct evidence is semi-akin to blaming Shodan for the IOT debacle.

Clive RobinsonOctober 11, 2017 12:46 AM

@ Nationalism...,

I'll tell you this, I sure as hell don't trust Symantec and I'm made of pure apple pie.

Why should you trust them or any other company such as Microsoft that "calls its mothership" with "telemetry" whose contents you have no way of knowing; it is in effect stealing. Or forces your data into a cloud solution etc etc etc.

If people want to blame anyone, it's those with a free hand via lobbyists keeping privacy and similar legislation out, to protect their business models.

We have a name for this sort of thing: it's "The law of intended consequences". Where person A's interests are in line with person B's interests, person A encourages or even funds person B to push the agenda. We saw this play out crudely during the SCO-v-Linux case, where Microsoft gave SCO money to keep on fighting what was a losing battle.

We are being brainwashed into believing that we don't own the data about us, or the data we create. That somehow "for our safety" we have to hand everything over to what are cyber-criminals, running an electronic version of a "protection racket"...

Clive RobinsonOctober 11, 2017 1:23 AM

@ Brass tax,

OR, we're underestimating the abilities of state-sponsored hacking-bear groups to infiltrate a major security organization's systems without timely detection and use them for their own purposes

If you read the NY Times piece linked to above, it reports that Kaspersky had had their systems invaded by Israeli hackers, using a more sophisticated version of the Stuxnet software used to attempt to attack the North Korean nuclear program through Iran.

Kaspersky gave their reasons for thinking it was Israel, not the USA; they could have been wrong.

Thus we know from Kaspersky's own admission that their systems were not just vulnerable to state level actors but had in fact been "owned" for a while, going back to 2013 or earlier. So part of your second option has been confirmed.

Thus we now have to confirm the actual state(s) involved. Kaspersky thinks it was Israel with a joint US-Israeli tool.

We know that both the NSA and CIA did not use Kaspersky software, yet allowed other --possibly rival-- US departments to carry on using it.

Thus an argument could be made that the NSA or CIA SigInt bods had been using Kaspersky themselves for quite a period of time to spy on US commercial and governmental agencies.

It's an aspect of the "smoke and mirrors" game that espionage is that we should talk more about.

After all, we know the NSA spied via all manner of means on US Citizens; the Kaspersky AV software, like other software, would be an ideal "deniable vector" for attacking more important targets.

Thus the US SigInt agencies have explaining to do about their complicit behaviour in allowing other USG agencies, US Corporates and even US Citizens to get attacked via the KAV software for so long...

My gut tells me there is a whole raft of nasties in the wood piles at Fort Meade and Langley that are just itching to make their way into the light.

Not a PrincessOctober 11, 2017 1:42 AM


“I give low probability that somebody on an enduring basis hacked Kaspersky and is using them to essentially prosecute an engine for surveillance,” says Chris Inglis, Cipher Brief expert and former Deputy Director of the NSA.

“The more likely scenario is that Russian intelligence has some sort of automated monitoring of the traffic that comes back to Kaspersky,” says James Lewis, Cipher Brief expert and a Senior Vice President and Program Director at the Center for Strategic and International Studies (CSIS).

“The problem isn’t really Kaspersky, it’s the nature of the Russian state and how its agencies operate,” says former GCHQ chief Hannigan. “They see the Russian private sector as an extension of their power. Unless that changes, which is unlikely, Russian companies with access to Western data and networks are going to struggle to be trusted.”

I would ask Hannigan given what we know of US PRISM and NatSec letters exactly how is it so different that the Russians do that, but then my xkeyscore would probably double and I'd get some funny binaries injected in ads during CSI and probably later die in a freak car accident after some well-paid paparazzi ex-SAS special forces guy rams me and drives away, never to be investigated again because he's later found with two bullet holes in his head after he's locked himself in his DIESEL CAR and poured several gallons of gasoline on himself and burned his presumably suddenly suicidal corpse of any fiber evidence... Oh wait I'm not Princess Diana, they'd just shoot me.

GrauhutOctober 11, 2017 10:48 AM

Funny:

"Israeli intelligence officers looked on in real time as Russian government hackers searched computers around the world for the code names of American intelligence programs. ...

The Israeli officials who had hacked into Kaspersky’s own network alerted the United States to the broad Russian intrusion, which has not been previously reported"

https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html


If Kaspersky proactively scanned for NSA tools, does that really mean Russian .gov hackers must have been involved?

Or could it mean Kaspersky simply has a large customer base that wants to work on NSA-free systems and this was a service for their customers? A service that makes the NSA feel a little pissed off? :D

No magic wandsOctober 11, 2017 11:52 AM

@ Grau

We don't publicly know if they were tipped off by automated processes or if they went looking for top secret NSA utility keywords instead. Depending on when/where/how/who that activity can be attributed to, it was either 'an insider' at KAV or someone using their data feed without their knowledge. Eugene claims no knowledge, no one has proven otherwise that I'm aware of.

Some seem to have expected Kaspersky to be immune to APT infiltration attempts on the grounds that "they're a security company" but that's unrealistic for obvious reasons. They don't have a magic wand, they can't defend against all 0-days or methods. Moreover given the data-topography in Russia they could have been listened in on without their knowledge or consent from the beginning. I believe that's the more likely scenario.

But because Kaspersky isn't about to leave Moscow, the fear is this could repeat. In that sense it doesn't matter if KAV was aware of the activity and complicit or not really, they have to get away from it. For myself I would still like to know.

GrauhutOctober 11, 2017 12:09 PM

@Wand: Leaving Moscow wouldn't help Kaspersky. Then someone would argue they brought Russian .gov moles with them.

Bad opticsOctober 11, 2017 12:38 PM

"Then someone would argue they brought Russian .gov moles with them."

But at least their telemetry wouldn't go (unencrypted?) right through Kremlin controlled ISPs, which is the only option in their current location. I suppose KAV could make local datacenters in the US and other countries and keep the telemetry internal to them, but that's probably too little way too late now to get full confidence back at this point.

Eugene for his part has said he'll fully cooperate with any investigation and is managing his own internally. But the damage is done. It's kind of unfortunate all around.
The only reason anyone found out about this is because an NSA employee broke the rules.

FishyOctober 11, 2017 2:14 PM

What is intriguing is the enormous effort to try and control readers' perceptions and understanding of this growing scandal. The more the trolls try to conceal the real damage done to people who blindly trusted KAV. I think most of the users are now past the phase of denial and now in the phase of negotiation, attempting to rationalize their instinctive responses by trying to find a way to continue using KAV without the unpleasant cognitive dissonance that would go with that choice.


Www.emptywheel.net/2017/10/11/on-the-kaspersky-hack/

and somewhere on Hacker News the patents Kaspersky holds are discussed, and how they may explain the possible capabilities of KAV

Throwing out the baby and the bath waterOctober 11, 2017 2:26 PM

There goes the option of using pirated software. In comes the need to build one's own software from scratch using only open source software tools!

GrauhutOctober 11, 2017 2:34 PM

@bad optics "But at least their telemetry wouldn't go (unencrypted?) right through Kremlin controlled ISP's, which is the only option in their current location."

They could always use some cloud provider in Europe or the US. But I don't think this is fixable, so they can just let it be.


@Fishy "the real damage done to people who blindly trusted KAV"

You are so right about this well trained cognitive dissonance, it's just like the _NSAKEY that was found in 1999 and those stupid end users still use that crap. :)

Handle_XOctober 11, 2017 2:49 PM

@ Fishy

"The more the trolls try to conceal the real damage done to people who blindly trusted KAV. I think most of the users are now past the phase of denial and now in the phase of negotiation, attempting to rationalize their instinctive responses by trying to find a way to continue using KAV without the unpleasant cognitive dissonance that would go with that choice."

But almost ALL of the major AVs have been shown to have 0-days at some point.
KAV was among the fastest to fix theirs in that latest major pandemic.

Russian intelligence (or others) could have hacked any number of those also, they invariably all have phone-home-with-new-threat capability, the only question remaining is whether they can detect NSA malware or not. KAV has one of the highest detection rates of COTS AV, usually 1st - 3rd for years. You want to pretend to be so smart, what's your competing product YOU endorse, eh? Put some skin in your narrative game!

https://www.us-cert.gov/ncas/alerts/TA16-187A

https://www.computerworld.com/article/2490527/malware-vulnerabilities/many-antivirus-products-are-riddled-with-security-flaws.html

"Koret disclosed vulnerabilities and some other security issues, like the lack of ASLR protection for some components, in antivirus products from Panda Security, Bitdefender, Kaspersky Lab, ESET, Sophos, Comodo, AVG, IKARUS Security Software, Doctor Web, MicroWorld Technologies, BKAV, Fortinet and ClamAV. However, he also claimed to have found vulnerabilities in the Avira, Avast, F-Prot and F-Secure antivirus products."

"Some of his other recommendations for vendors include using programming languages "safer" than C and C++, not using the highest privileges possible when parsing network packets and files because "file parsers written in C/C++ code are very dangerous," running potentially dangerous code in emulators or sandboxes, using SSL and digital signatures for updates and removing code for very old threats that hasn't been touched in years."

"Independent of Koret's analysis, researchers from Offensive Security recently found three privilege escalation vulnerabilities in Symantec's Endpoint Protection product. The flaws can be exploited by a local user with limited privileges to gain full system access. Symantec is currently investigating the flaws."

Handle_XOctober 11, 2017 2:57 PM

Full disclosure, I've never paid for KAV - though I did use their free tools on occasion.
Rkill/tdss stopped a couple nasty ones and I didn't seem to have any... ill effects...

Wait a second... I love VODKA! Damn you Eugene! I immediately implicate YOU PERSONALLY!

What a fool I was to trust you!

Tinker TailorOctober 11, 2017 3:24 PM

Problems: How do agencies protect their assets? How do we, individuals, protect our own assets?

The agencies' problem is that employees are taking software home to insecure systems. In theory, it should be policy that anybody taking code out the door should be prosecuted. (For all I know, the code is actually produced exclusively by a contracting agency, and the NSA just uses it.)

Our problem is that we are surfing the web using insecure systems.

To a certain extent, all of our systems are secure by obscurity. It's an obscure hole that allows someone to do a buffer overrun and own the host computer. I've been working on OpenSSL guts lately, and I'm aghast at that code. Yes, it's better than some, but it's worse than a lot of others I've used. And getting something done that doesn't fit in their happy path is a pain in the @$$. (Yes, I'm aware of LibreSSL.)

Software that monitors a system, especially an OS like Windows, is essential. Years ago, when I ran Windows 2000, I was hit by a drive-by download. Now I run Linux in a very paranoid fashion, and I haven't had a problem. But I would never ask my landlord or mechanic to run Linux. That's way too much for them.

We can only protect ourselves just so far. Beyond that, we have to have recovery plans.

Sancho_POctober 11, 2017 5:33 PM

Honestly, I don’t understand what all the fuss is about.
So I wrote down what I understood and found remarkable.

KAV client (I guess the standard COTS version?) found (parts of?) suspicious (likely because not perfectly hidden) unknown executables and sent them home to be analyzed in depth.
Bravo, kudos again, that’s what a good AV should do.

On its way to the well-known destination the data passed tapping points of nearly all spy agencies, ISPs or not, first to mention the US National Spy Agency, and the traffic must alert all of them because the destination is not a private dynamic IP in Moscow.

1) So this is remarkable:
The NSA didn’t notice, likely because the “S” doesn’t stand for security?

Some here suspect the Russian gov could have tapped Kaspersky’s fiber in Moscow, only I would be seriously disappointed if they have not.
All others would do as well (Israel, Canada, Britain, Sweden, Germany, France, Spain, China, only to name a few) if they can,
- even on foreign grounds.

Oh, the US can’t, because of secret laws, I understand.
And their (nasty) friends wouldn’t share them intelligence, as we know.

Now Kaspersky in Moscow was analyzing the malware, trying to make sense of those snippets they got from the front end.
Likely they extracted more detailed data on demand, but again, this is something that should alarm at least the NSA: We all assume the spy agencies know exactly each instruction of that cheap COTS mass software, don’t we?

2) So this is remarkable:
Again the NSA didn’t notice.

However, the Israelis, being inside of Kaspersky’s rectum (this is what we would assume of good spy agencies, wouldn’t we?) and very likely “The Russians” were alarmed by increased activity between Kaspersky’s analyzers and the remote US client, probably hinting at an upcoming global threat (all very reasonable, and not illegitimate, because of National Security, we know).

But suddenly the Israelis realized Kaspersky is investigating some software snippets that the Israelis have (no, not stolen, remember: National Security) seen before at the very secret NSA TAO servers in the US!

3) So this is remarkable:
At least the Israelis already had access to NSA secret development servers (mind you, the malware was still being worked on, not in production / shared status).

... OMG the Russians, probably Putin himself, have access to parts of NSA malware in development, we must inform our comrades!

4) So this is remarkable:
The Israelis blew their cover to protect America (?).

OK, officially they say something along “These SW pieces found at Kaspersky’s lab are written by NSA TAO because we know their typos well”.

But the outing remains heroic [1].

Now, in the aftermath, the American officials wake up and realize the danger of PCs and their vulnerabilities in OS and apps, crying foul because good foreign AV SW blew their cover.

5) So this is remarkable:
America (via MSM) now drums up all the world's Nazzionalists in thinking about how dangerous foreign OS and SW could be, especially with the US predominance + actively keeping sensitive devices insecure, and in context with US spy- and malware.
Great.
Kudos.

I for one do not use AV SW, but if, I’d buy KAV because they proved to be good.

[1]
That said, I have to confess: I do not trust in MSM, esp. when their info comes from anonymous sources familiar with the facts of the spy scene.
On the contrary,
I’m aware that what was reported very likely is the opposite of the truth.

HmmOctober 12, 2017 1:29 AM

"Honestly, I don’t understand what all the fuss is about."

Well honestly the US intelligence agencies do. That's their job.

What is yours?

Clive RobinsonOctober 12, 2017 2:26 AM

@ Sancho_P,

KAV client (I guess the standard COTS version?) found (parts of?) suspicious (likely because not perfectly hidden) unknown executables and sent them home to be analyzed in depth.

Which raises an interesting question for developers...

What criteria does Kaspersky use to decide what executables go back to the Kaspersky "mothership"?

That is if you write a new piece of software will Kaspersky just ship it back to their Mothership?

I assumed a long time ago it was everything, which is another reason why I don't have AV software on my development machines and they are on a wired network, with no access to any other network.

GrauhutOctober 12, 2017 12:40 PM

@Clive Air gapping helps, being able to scan a USB stick also helps.

Imho it's good style to scan sneaker net sticks with an open source AV like clamav when inserted in a box in an airgapped net.

Another good practice is never to use a USB stick for data transfer on the same operating systems. If the stick gets infected on one end this infection is useless in most cases if the next box uses a different OS. A small ARM SoC in between helps if both source and target box have to run the same OS.

handle_xOctober 12, 2017 3:28 PM

@Clive

What criteria does Kaspersky use to decide what executables go back to the Kaspersky "mothership"?

They claim they don't send the executables!

They render it safe and take a hash of it, the HASH is sent. So they say.
So if that's true then an outside-of-KAV attack was going on to get at files.

The ruleset to determine what is identified & what is hashed/uploaded is massive.
It also can apparently be tweaked with "dark" parameters that aren't visible to the end user, ostensibly to avoid pop-up windows when submitting "suspicious" unknown files, which in some environments it would be doing regularly. Very regularly. That's not so odd.

The question is was it tweaked to look specifically for NSA tools by intel-gleaned filename matching or was it automatically detecting actual known malware signatures, if/by whom was it tweaked, exactly how, and who noticed it when?

It's not out of school for KAV to be looking for modern codenamed NSA malware bits or filenames, because KAV is one of the major players dissecting the Duqu/Flame/Gauss/Stuxx adventures. They have been among those taking the malware apart to see how it works so they can defend against it, that's exactly up their alley IMO, that's their job. They'd be incompetent as 0-day security researchers if they didn't.

What "we" don't 'know' is if there is a backdoor in KAV itself that is being actively utilized by intel operators, or if the legit KAV detection web simply was being monitored by the intel operators and they then used that data to launch a separate attack on that target using other outside tools. As stated, supposedly KAV does not upload the executables themselves, so either that's not entirely true or someone used other tools to get the actual goods once found.

It's real bad in any of the 3 scenarios for KAV: complicit, unwitting, hackable-ongoing.
But I'd still like to know how deep the hand in glove was.

Bottom line : Windows machine + foreign SPECIFICALLY DISALLOWED AV + NSA tools, really?
Security is a chain. We're looking at KAV as the weak point here, it wasn't the weakest part apparently. It did its job too well, so well that it could be abused to target those who really, really did not do their jobs well at all.

GrauhutOctober 12, 2017 4:24 PM

@Handle x: "Supply chain attacks are real - Just saying :)"

That's why I buy some stuff in real shops. ;)

Sancho_POctober 12, 2017 5:57 PM

@Clive Robinson
”I assumed a long time ago it was everything, …”

That probably would be too much re upload speed and (not only ordinary) people would complain.
What some would call intelligence must reside on the client. I’d assume if any file by “coincidence” contains certain “known” opcodes / fingerprints (e.g. modifying registry) but is not in the local database (contains both, good and bad) the client will send the suspected snippets of the file (hashed, hmmm? They have to be reconstructed at the lab, otherwise they are useless), but (at first) not the whole file.

If the lab is interested they will ask for more - and I guess the client will send whatever they request. This dialog is the part a third party observer should recognize.
To tweak the client for NSA code one already has to know the NSA code, see the chicken and egg mystery. OK, if they reused Stuxnet code …

But who knows - Only the spy agencies should know.

Sancho_POctober 12, 2017 6:00 PM

@Grauhut, Clive Robinson

USB is overly complex for a sensitive environment.
”A small arm soc in between …” would be nice but I don’t know of any open source version (?).
Here is a goody: USG(ood) instead of USB(ad)
https://github.com/robertfisk/USG/wiki/Technical-Details-for-the-Curious

Two caveats:
- Speed is limited to USB 1.1 (Full Speed, 12 Mbit/s), most devices (theoretically all) must support that today, but some don’t. But tomorrow?

- Host and client ports are galvanically coupled via SPI lines and power supply. This may have fatal consequences if one connects some kind of USB killer, but anyway I’d prefer an optocoupler in between with separated power supply on the client side, just in case …

Clive RobinsonOctober 13, 2017 3:33 AM

@ Grauhut,

Air gapping helps, being able to scan a USB stick also helps.

I lost faith in USB security wise some years ago, for a number of reasons. But one primary one was making a mandated choke point was effectively out of the window, as trying to instrument USB's comms and then police the data was past the point of being practical for ordinary engineers to be able to do.

That said, a couple of FT232 chips back to back, galvanically isolated, is a starting point to limit EmSec type attacks. Putting a fast microcontroller in the middle to do instrumentation and policing is reasonably possible for quite a few Makers and up, and many hardware engineers should be able "to do it in their sleep" for simple text based protocols.

The real problem is the protocols we use today, they are way too "flexible", thus highly complex, and thereby have a lot of effective redundancy, thus entropy, in them. And it's that redundancy where all sorts of evil can be hidden...

GrauhutOctober 13, 2017 12:06 PM

@Sancho_P: I have shares in tech that is usable today. If there is something better tomorrow, nice, but... I have to work today. :)

You can use an Allwinner A20 device blob-less. An easy start would be a banana pi running armbian with mainline kernel, for instance. https://www.armbian.com/download/

This does not necessarily mean that I use exactly this device with this OS as a gateway between my online and airgapped systems, but this would be usable. ;)

Connect such a SoC with an eth cable to a dedicated, fully firewalled network port in an airgapped system, put your transfer stick into one of that SoC's USB ports, ssh from inside your airgapped box onto that SoC, scan the stick with clamav for instance and then sftp the encrypted and signed files you want to transfer onto your airgapped system.

Fckn good enough for me. Where is my logical mistake? ;)


@Clive: As long as I use a USB stick, bought in a local shopping mall, only for transfers between my online and air gapped systems via sec gateway SoC I feel good with it.

If that stick was a gigolo, stickin in every pc hole he finds, then i would feel less good with it. :D
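Grauhut's gateway step above ends with sftp-ing "the encrypted and signed files" onto the airgapped box. The following is an added example (mine, not code from any commenter or any product) of the check a gateway can perform before releasing files inward: the online side writes a manifest listing every file with its SHA-256 and authenticates it; the gateway re-verifies the manifest, accepts only files whose hash matches their entry, rejects anything on the stick that is not listed, and reports listed files that never arrived. The HMAC with a shared key is an assumption standing in for whatever signature scheme the online side uses (a GPG detached signature slots in the same place); the file names and contents are constructed, and the clamav scan of the stick is not modelled.

```python
from __future__ import annotations

import hashlib
import hmac
import json

# Shared key standing in for the online side's signing key (constructed for this
# example; a real setup would use a detached signature from a tool such as GPG).
SIGNING_KEY = b"example-shared-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> tuple[str, str]:
    """Online side: list every file with its SHA-256 and authenticate the list.

    Returns (manifest_json, tag). The JSON is canonicalised (sorted keys, no
    whitespace) so the tag is reproducible on the gateway.
    """
    manifest = {name: sha256_hex(data) for name, data in files.items()}
    manifest_json = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(SIGNING_KEY, manifest_json.encode(), hashlib.sha256).hexdigest()
    return manifest_json, tag


def check_import(files: dict[str, bytes], manifest_json: str, tag: str) -> dict[str, str]:
    """Gateway side: decide per file whether it may cross into the airgapped net.

    A file is accepted only if the manifest tag verifies and the file's hash
    matches its manifest entry. Files on the stick that the manifest does not
    list are rejected; listed files that are absent are reported as missing.
    """
    expected = hmac.new(SIGNING_KEY, manifest_json.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        # An unverifiable manifest taints the whole batch: nothing crosses.
        return {name: "rejected: manifest signature invalid" for name in files}

    manifest = json.loads(manifest_json)
    verdicts: dict[str, str] = {}
    for name, data in files.items():
        if name not in manifest:
            verdicts[name] = "rejected: not listed in manifest"
        elif not hmac.compare_digest(manifest[name], sha256_hex(data)):
            verdicts[name] = "rejected: hash mismatch"
        else:
            verdicts[name] = "accepted"
    for name in manifest:
        if name not in files:
            verdicts[name] = "missing: listed but not present on stick"
    return verdicts


def demo() -> dict[str, str]:
    """Constructed scenario: the stick arrives with one file altered, one file
    added that the online side never prepared, and one listed file missing."""
    online_files = {
        "report.pdf.gpg": b"encrypted report bytes (constructed)",
        "dataset.tar.gpg": b"encrypted dataset bytes (constructed)",
        "notes.txt.gpg": b"encrypted notes bytes (constructed)",
    }
    manifest_json, tag = build_manifest(online_files)
    on_stick = {
        "report.pdf.gpg": online_files["report.pdf.gpg"],           # intact
        "dataset.tar.gpg": online_files["dataset.tar.gpg"] + b"!",  # altered in transit
        "stray.bin": b"not prepared by the online side",             # unexpected extra
        # notes.txt.gpg never made it onto the stick
    }
    return check_import(on_stick, manifest_json, tag)


if __name__ == "__main__":
    for name, verdict in sorted(demo().items()):
        print(f"{name:18} {verdict}")
```

The design point is that the manifest, not the individual files, carries the authentication, so a single tag check decides whether anything on the stick is worth hashing at all, and a file that is present but unlisted is treated as hostile by default rather than silently copied along.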

Sancho_POctober 13, 2017 5:28 PM

@Grauhut

I see the vulnerability in the USB’s protocol complexity, which is unneeded for simple file transfer.
Your innocent USB stick is (probably) OK (up to your first mistake).

But the standard USB socket is the real vulnerability, the open door that leads to your ‘secure’ network.
You may control access to that open door but be aware there is not so much difference which door is open, front, back, side, garage or A20.

GrauhutOctober 13, 2017 7:33 PM

@Sancho_P: I understand the risks of the USB subsystem quite well, that's why that "usb2ssh" SoC is in between the air gapped system and the USB stick.

And could you please name one USB exploit that works on unknown platforms, every possible hardware / OS combination? Without USB HID and other unneeded USB drivers?

Sancho_POctober 14, 2017 6:26 PM

@Grauhut:
I hear ya, but I’m old school: Avoid complexity whenever possible.
It’s not that I know of suspicious functions or exploits, on the contrary, it is my absolutely not knowing what kind of USB support is or will be included in which Kernel (or HW/FW/chipset) and the consequences thereof.
So it’s only my nose, not knowledge.

SD cards can be interfaced in simple SPI mode, with interesting features (e.g. raw storage).

handle_xOctober 15, 2017 3:04 PM

@ Grau

"Thats why i buy some stuff in real shops. ;)"

Yeah but... it only takes 1. :/

With the USB attack, you don't NEED a "single" device that can infect "all" possible hw/sw combinations, you only need the one that works for "most".

If you're using minority hw/sw OS combos, bully for you, that's a good level-1 choice.
It cuts you off from 99% of the crap that would autorun and get the common targets.
But it's a different thing than saying there's no way to compromise your USB.

"there is that "usb2ssh" soc is in between that air gapped system und the usb stick"
- Assuming it self-identifies as a USB flash drive, right? It might not.

GrauhutOctober 15, 2017 5:07 PM

@sancho, handle: Relax guys, if you configure and build your own monolithic kernel there is no usb wonderweapon. Complexity only exists if you allow it. And the usb subsystem in most kernels is modular, disabling unwanted usb features is really easy.

It's difficult to hack a system via badusb if this system runs a kernel without other usb drivers than usb storage.

Get a rubber ducky and insert it into a system without usb hid driver. What will happen? Nothing. If you enabled debug you will see a line in your logs that shows a failed usb hid registration attempt. Nice, tells me someone tries.

Sometimes you have to invest some time into cutting back complexity if you need speed and security. If you have to transfer big data sets from an online to an airgapped zone, USB storage is still a fast and relatively easily securable transfer medium if you only use it on a hardened special purpose device. And airgapped should mean 'always airgapped', because hardening / firewalling a network is much more difficult.
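Grauhut's remark that a refused HID registration leaves a line in the logs ("tells me someone tries") generalizes: on a storage-only gateway the kernel log is a compact record of everything the bus saw. The added example below (mine, not Grauhut's or any project's) audits dmesg-style lines against an allowlist of the one permitted stick's idVendor:idProduct and of the drivers expected to bind on such a box (usb, usb-storage, scsi, sd); any other device enumeration, and any other driver claiming a device, is reported. The log lines and the device IDs are constructed for the example and follow the shape of the Linux kernel's usb, usb-storage and hid-generic messages; on a kernel built without HID support the hid-generic line would never appear at all, which is his point, but the enumeration of an unexpected device is still logged and still caught.

```python
import re

# The one transfer stick this gateway is allowed to see, as (idVendor, idProduct).
# Placeholder IDs constructed for this example, not real device IDs.
ALLOWED_DEVICES = {("1234", "5678")}

# Kernel drivers expected to log on a storage-only gateway. Anything else claiming
# a device (HID, network, serial, ...) is a surprise worth an alert.
ALLOWED_DRIVERS = {"usb", "usb-storage", "scsi", "sd"}

TIMESTAMP = re.compile(r"^\[\s*[\d.]+\]\s*")
NEW_DEVICE = re.compile(
    r"^usb (?P<path>\S+): New USB device found, "
    r"idVendor=(?P<vid>[0-9a-fA-F]{4}), idProduct=(?P<pid>[0-9a-fA-F]{4})"
)
# First token of a kernel message is the subsystem/driver that emitted it.
DRIVER = re.compile(r"^(?P<driver>[\w-]+):?\s")


def audit_usb_log(lines, allowed_devices=ALLOWED_DEVICES, allowed_drivers=ALLOWED_DRIVERS):
    """Return a list of (kind, subject, detail) findings for the given log lines."""
    findings = []
    for raw in lines:
        line = TIMESTAMP.sub("", raw.strip())
        m = NEW_DEVICE.match(line)
        if m:
            ident = (m["vid"].lower(), m["pid"].lower())
            if ident not in allowed_devices:
                findings.append(("unknown-device", m["path"], f"{ident[0]}:{ident[1]}"))
            continue
        d = DRIVER.match(line)
        if d and d["driver"] not in allowed_drivers:
            findings.append(("unexpected-driver", d["driver"], line))
    return findings


# Constructed sample log: the permitted stick is plugged in first, then a second
# device with an unknown ID enumerates and a HID driver binds to it.
SAMPLE_DMESG = [
    "[  120.123456] usb 1-2: new high-speed USB device number 3 using xhci_hcd",
    "[  120.250000] usb 1-2: New USB device found, idVendor=1234, idProduct=5678, bcdDevice= 1.00",
    "[  120.250100] usb 1-2: New USB device strings: Mfr=1, Product=2, SerialNumber=3",
    "[  120.300000] usb-storage 1-2:1.0: USB Mass Storage device detected",
    "[  120.310000] scsi host2: usb-storage 1-2:1.0",
    "[  121.500000] sd 2:0:0:0: [sdb] 30031872 512-byte logical blocks: (15.4 GB/14.3 GiB)",
    "[  300.000000] usb 1-3: new full-speed USB device number 4 using xhci_hcd",
    "[  300.100000] usb 1-3: New USB device found, idVendor=abcd, idProduct=ef01, bcdDevice= 2.00",
    "[  300.200000] input: Example Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/input/input7",
    "[  300.210000] hid-generic 0003:ABCD:EF01.0001: input,hidraw0: USB HID v1.11 Keyboard [Example Keyboard] on usb-0000:00:14.0-3/input0",
]


def demo():
    return audit_usb_log(SAMPLE_DMESG)


if __name__ == "__main__":
    for kind, subject, detail in demo():
        print(f"{kind:17} {subject:12} {detail}")
```

Run against a live box this would read `dmesg` (or the journal) instead of the constructed list; the allowlist is deliberately two short sets, because on a special-purpose gateway the expected population of the bus is small enough to enumerate exactly.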

Clive RobinsonOctober 16, 2017 2:07 AM

@ Grauhut,

Relax guys, if you configure and build your own monolithic kernel there is no usb wonderweapon.

Agreed, but that's not really my problem with USB on devices I build. But it is a problem for the majority of users who have to, for various reasons effectively beyond their control, use Microsoft, Apple or Google OSs where a kernel rebuild is not possible or practical.

My problem with USB is the bandwidth and shared usage, and trying to make a security choke point which is instrumented. Think of it if you will as "A USB Firewall Appliance with AV and protocol checking" that polices the data streams.

The USB mass storage standards / protocols are relatively simple when compared against standard file protocols that are now used for "rich" documentation and media. The fact that some are also compressed does not make life any easier either.

The original "data diode", protocol policing devices I made using serial data transfer can not keep up with the modern file protocols. You actually need the equivalent of about two Raspberry Pi 3's... Which is a whole new complexity game of its own...

Sancho_POctober 16, 2017 5:56 PM

@Clive Robinson, re data diode

SPI (SD card) is similar to RS232, a data diode is possible, protocol policing devices are feasible, too.
Re AV and such, I’d assume the data stream to be always encrypted, a packet content inspection during transmission would be useless therefore (OK, only to ensure randomness probably?).
I love the possibility to access absolute addresses on the SD card, bypassing the filesystem.

PS: Glad to read your comments, keep upright!

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.