Comments

Clive Robinson July 23, 2024 9:45 AM

@ ALL,

Re : The memo lacks substance.

Even though redacted the remaining text does not read as though it ever contained anything of import, just hearsay and worries.

The first paragraph's last three sentences basically tell you this with three points,

1, It works as all AV software including all US AV does.
2, Kaspersky is based in Russia.
3, Russian law, like law in many countries, including the US, requires co-operation with the Government.

So it tells us one thing by inference, that US AV companies and other US software Corps are doing exactly what the US Gov is claiming of other Nations (and the US were probably the first to do so).

As for the last visible text about what was once called “Kasperskygate” you can read about,

1, Who made the allegations.
2, Which US Corps tried drumming it up for their own benefit.

https://www.theregister.com/2015/08/14/kasperskygate/

As for the memo I suspect the redacted parts reference something akin to a couple of very embarrassing incidents we already know about for the US SigInt agencies due to Kaspersky doing what its customers were paying it for.

Just remember that it’s known that Microsoft “does for” the US SigInt Agencies everything and more the US SigInt agencies accuse Kaspersky of doing.

It’s one of the reasons I ask the question,

“What is the valid business case for this computer to be connected to external communications?”

Yes I’m saying that people should,

“Segregate by gapping their systems”

Not just “air gapping” but actual “energy gapping”.

cybershow July 23, 2024 9:50 AM

Shame this returns 403 from every IP address I currently have access to and I don’t have time to go through every combination of browser agent and IP to find the magic one that’s “allowed”. Great way to redact stuff that you’re legally obliged to put on the web, but don’t actually want anyone to read. Summary anyone?

I’m interested because I wrote about Kaspersky here and wondered if I was being too charitable in my claims.

TimH July 23, 2024 9:59 AM

As the paper says, any AV company can be suborned by the country that the company is from. Kaspersky is good, and popular, so if banned then presumably someone using it would likely move on to a Western product… suborned by a Western gov. Sounds like an implicit admission to me.

As I remember, Windows Defender AV can only be easily disabled if there’s another AV installed… for your protection, of course.

See also https://www.schneier.com/tag/bitlocker/

Daniel Popescu July 23, 2024 10:18 AM

And that was 7 years ago… We will probably read something similar, hopefully soon :), about a very thorough report from an important agency about Crowdstrike. Depending on how the official inquest will be conducted.

Kris July 23, 2024 10:46 AM

I don’t recall that 2015 accusation against Kaspersky bearing any fruit but that would be a serious allegation. I just figured that banning their software was more an anti-Russia measure than anything with basis in fact (but I guess as a corollary of the TikTok ban, not trusting another somewhat hostile government not to cause issues makes sense). Hopefully, we can still keep the research communication going – they have some incredible malware researchers there.

Alext July 23, 2024 11:29 AM

Err? A two page memo with 50% redacted?
What is of interest here (might be missing something)?

Carlene Roach July 23, 2024 11:47 AM

Here’s the relevant text:

We assess that the use of Kaspersky Laboratory (KL) anti-virus products risks exposing government and commercial networks on which it is used to the Russian intelligence services, despite it being consistently ranked as one of the top antivirus products in the world. All anti-virus software, by its nature, has persistent, invasive access to all data on customer computers, a characteristic which is not exclusive to Kaspersky Lab. However, as a Russian entity, the company would be required by Russian law to cooperate with requests for data from the Russian Intelligence services.

• (U) As with most antivirus products, KL antivirus software sends information from customer networks to a cloud-based network for storage and analysis, after which users’ computers are scanned against identified cyber threats, such as malware, viruses, vulnerabilities, and bad or suspicious Internet Protocol addresses.

██⋯██ KL products operate on hundreds of millions of systems globally, and KL antivirus software is embedded in ██⋯██ software and hardware products. ██⋯█⋯█⋯██

• (U) Kaspersky Lab has also been accused of its own unethical business practices, according to international media. For example, in 2015 the company was accused of sabotaging competitor software, by flagging benign files as malicious files so that its competitors’ anti-virus software would mark the files as dangerous. These “false-positive” hits resulted in some Kaspersky Lab competitors’ customer computers not working properly as some of the falsely flagged files were essential to the operating system.

I find it more interesting in its implications than in what it actually says. Particularly that Russia could compel the company to produce information—just as the USA could compel its own companies (and has—see Lavabit et al.). Foreigners using American software and services, particularly closed-source stuff such as Windows, should really think about that.

I was surprised to see the claim that it’s common for anti-virus products to exfiltrate data from customer networks before scanning it. I thought only the “hits” would be uploaded; and I’d hope only after getting explicit consent, though I realise that’s a rare thing with modern software (cf. Windows again).

Then there’s that end bit. The company “was accused”, but note the lack of any evidence that the US government investigated these media accusations. That seems like a thing they should’ve looked into. The only part stated as more than a rumour is that some false-positives caused computers to stop working, when those computers used non-Kaspersky anti-virus software.

But, anyway, how would Kaspersky flagging software cause its competitors to break the computers of their customers? It appears to be a reference to this Reuters story. In summary: someone was taking important system files, inserting malware, and uploading the modified file to VirusTotal—claiming them to be malware. Virus scanners would see an unmodified file on customer computers, notice it looks a lot like the “malware” seen by VirusTotal, and “quarantine” it—which of course would break whatever software needed it. Kaspersky claims to have been affected by such attacks too.

Really, almost everything about this is ridiculous. The idea of enumerating “bad” files in the first place. Using add-on software to deal with them, rather than fixing whatever system flaws they take advantage of. This software just blindly removing the files without concern for breakage (also see the recent CrowdStrike incident—apparently their third such major incident this year). Doing all of this on an ostensibly-already-compromised system, and then continuing to operate said system.

Victor Serge July 23, 2024 1:45 PM

Is that the “evidence” they used to justify banning it?

Sounds like the present “justification” for the beacon mesh networks run by Apple and others:

“We are now warning you if an airtag is following you, so it’s OK for us to continue to abuse your location data”.

Meanwhile the worst offenders have never used Bluetooth frequency band, nor the BLE limitations.

Not convincing.

You don’t disable your enemy by slapping his face. YOU MOTIVATE HIM that way.

William Tyndale renamed his bible translation and seduced the king into sanctioning it by so doing: “Matthew Testament”. The Church of England murdered him and renamed it again: “KJV” and gave no credit to Tyndale.

Stay tuned.

A. Karhukainen July 23, 2024 4:12 PM

Cheers, just wondering, are you going to say anything about the recent CrowdStrike incident?

Saladin July 24, 2024 4:29 AM

To be clear, the memo doesn’t even accuse Kaspersky Labs of anything (let alone cite evidence against them). It’s classic FUD (“risks”, “would be”, “has been accused of” etc).

Who? July 24, 2024 5:22 PM

…in 2015, the company was accused of sabotaging competitor software, by flagging benign files as malicious files so that its competitors’ anti-virus software would mark the files as dangerous. These “false-positive” hits resulted in some Kaspersky Lab competitors’ customer computers not working properly as some of the falsely flagged files were essential to the operating system.

Is it just me who thinks of the CrowdStrike affair?

David July 24, 2024 9:53 PM

Does the NSA have disassemblers capable of recreating (or at least approximating) the Kaspersky source?

ResearcherZero July 24, 2024 11:24 PM

Re: Is that the “evidence” they used to justify banning it?

No, the evidence is that a range of intelligence agencies were able to penetrate and monitor KL network traffic without them noticing. Among them the FSB and Israel’s agencies.

There may have been others engaged in activity inside their network, and perhaps they did not appreciate their methods and tools being disclosed and passed on to adversaries.

“The reported cost of corporate espionage in Australia alone amounts to over $5 Billion per annum (AON, 2018).”

Worldwide this figure rises to over $600 Billion per annum (CSIS, 2018) and is forecast to exceed $8 Trillion (Juniper Research, 2017) by 2022.

https://nsi-globalcounterintelligence.com/news/threat-to-australia-at-all-time-high-from-economic-and-state-sponsored-espionage/

Corporate Spyware
https://www.theguardian.com/law/2024/apr/02/uber-vs-taxi-app-gocatch-trial-australia-corporate-espionage-allegations

ResearcherZero July 24, 2024 11:31 PM

Look. Just go in and sit there and listen to what they are talking about. We would ask the local store manager, but they already know who he is and they will recognise him again.

https://www.thenewdaily.com.au/finance/consumer/2024/07/24/woolworths-spy-farmers-conference

“needlessly exposed Uber and its employees to severe risk — including the likely termination of Uber’s operations and possible imprisonment of its employees — should capable security services in many overseas locations discover Uber’s espionage.”

https://www.buzzfeednews.com/article/ryanmac/ric-jacobs-uber-letter-allegations-waymo

The “preparatory offence” criminalises any act done to prepare or plan for espionage.

The “solicitation offence” makes it a crime to do any act, intending to obtain someone else to commit espionage.

https://law.uq.edu.au/files/64540/espionage.pdf

ResearcherZero July 25, 2024 12:05 AM

@GregW

Re: “Who scans the scanners?”

If you are interested in what all the cookie based technology is collecting…

https://www.wired.com/story/webxray-online-privacy-violations/

“The best way to approach webXray is to first come up with some category of protected data you are interested in, many of which are defined by laws referenced in our knowledge base. Once you have an idea of what you are looking for – be it violations of children’s privacy, medical privacy, or other such topics – you are ready to begin a search.”

https://webxray.ai/knowledge_base#laws

Should I spend $5b on harvesting your data? 😛

https://www.reuters.com/technology/artificial-intelligence/musk-launches-poll-asking-if-tesla-should-invest-5-bln-xai-2024-07-24/

Winter July 25, 2024 9:31 AM

Article:

Kaspersky says Uncle Sam snubbed proposal to open up its code for third-party review
Those national security threat claims? ‘No evidence,’ VP tells The Reg
https://www.theregister.com/2024/07/25/kaspersky_us_review_snub/

Despite the Feds’ determination to ban Kaspersky’s security software in the US, the Russian business is moving forward with another proposal to open up its data and products to third-party review – and prove to Uncle Sam that its code hasn’t been compromised by Kremlin spies.

Kaspersky started talking about this new “comprehensive assessment framework” to verify its security products, software updates, and threat detection rules a week ago, and exclusively provided additional details to The Register about the verification system it presented to the US Department of Commerce.

Uncle Sam, Kaspersky says, snubbed the proposal from the antivirus provider. The Department of Commerce did not respond to The Register’s questions on the matter.

Clive Robinson July 25, 2024 11:09 AM

@ Winter, ALL,

Re : The wrong tree is oft barked at.

With regards,

Russian business is moving forward with another proposal to open up its data and products to third-party review – and prove to Uncle Sam that its code hasn’t been compromised by Kremlin spies.

It’s not its code that the US Intel Agencies have bunched their panties over. If it was then it would have been published.

The problem is the virus sample repository which all AV companies have. It’s how they get samples of all those codes that “self erase”.

I’ve previously mentioned that there were two cases where the US Intel Agencies got embarrassed (but it appears to have not passed moderation).

The two cases that are public are,

1, US intel agency malware from TAO at NSA got “uploaded” to the Kaspersky repository and could not be deleted by the TAO or others.

2, A person working for the NSA thought they had turned Kaspersky software off before they loaded up “data from work”. But apparently did not delete it before turning Kaspersky back on thus it got “uploaded” to the Kaspersky repository.

The fact the NSA had to let it go strongly suggests the NSA / TAO were not “inside” Kaspersky’s systems or repository.

What is probably correct is @ResearcherZero’s suggestion of,

the evidence is that a range of intelligence agencies were able to penetrate and monitor KL network traffic without them noticing

This is not a new idea, it’s been stated on this blog before.

It’s known that the NSA where possible avoid going into targets sites, they sit on the first or second router up from the target “teeing-off all traffic”.

This got effectively confirmed by Ed Snowden’s trove in 2013 and China subsequently banning all US designed and manufactured network equipment from core Government, Finance, and Corporate networks.

Thus the US Intel Agencies blame Kaspersky for doing what their customers pay for, which is detecting hostile Malware “Without Fear or Favour”. Unlike most if not all US AV companies that have been clearly demonstrated as,

1, Stealing Kaspersky’s IntProperty…
2, Amazingly not detecting US IC malware ever…

So “Kaspersky Opening Up” is not much more than Kaspersky doing a “Rub their face in it” against US Federal Agencies.

Because at the end of the day, Kaspersky does not in any way have to be compelled to co-operate with the Russian, Israeli, US, UK, Danish, Swedish, and many other governments’ SigInt agencies, because they all “sit on the wires in the cloud watching the data fly by”.

It really is that simple, and has been known and discussed for a decade or more in the more educated / knowledgeable security circles.

And as I’ve said not just now but in the past several times on this blog, it’s the repository where the “malware samples” get sent that is the real target of interest. And all those Intel Agencies have to do is basic “Traffic Analysis” on from where it came, to know most of what is going on…

Then and only then maybe do a little “snooping” of the repository itself, but as indicated that’s actually unlikely for various reasons, not least because it would be the equivalent of “tipping off” other potentially hostile government agencies.

It will be Interesting to see if this passes moderation or not.

Clive Robinson July 25, 2024 1:33 PM

@ Andy Farnell,

Re : Kaspersky and Microsoft.

Quite a few times I’ve posted two or three stock phrases,

1, Individual Rights v. Social Responsibility.
2, Security v. Efficiency.
3, What is the valid business case for this computer to have external communications?

Along with a point few want to either understand or take onboard,

“If you don’t ‘Energy Gap’ then you can not say it’s secure.”

All of which apply to your post on CyberShow. But with regards,

“I’m interested because I wrote about Kaspersky here and wondered if I was being too charitable in my claims.”

Even with the full source code I very much doubt you will find the Kaspersky AV doing anything less secure than US AV software.

Because it does not need to be insecure in any way as far as “Intellectual Property”(IP) or “State Security” is concerned.

Put simply it does very few things all of which you would expect and are paying for, as it’s almost exactly the same as other AV software.

One such thing it does is to look for and flag up unusual behaviour by software running on the user’s system. Unless the user configures otherwise the AV software sends the suspicious behaviour/content file back to an online repository Kaspersky runs.

Such that Kaspersky analysts can look at the file and find out if it is suspect or not.

In theory the file contents are protected by fairly strong encryption via Secure Sockets etc (which as we know has its own many security failings).

However what is not protected is,

1, Meta-Data.
2, Meta-Meta-Data.

Whilst most readers here know what “meta-data” in network traffic is, considerably fewer know what meta-meta-data is. And most do not know the significance of both.

Put simply, there is something called “Traffic Analysis” that gets depicted as using meta-data to build up traffic/information flows to abstract information of relevance. This provides a level of information that few appreciate. One such item is the likes of “file size”: this can not be hidden by encryption; you have to go about hiding it by inefficient means like “padding”. With “Security v. Efficiency” the likes of “padding” do not get used. Thus traffic sent from two different computers with the same size at similar times makes it likely, in the case of AV software, that the files are the same.

But there is also meta-meta-data or “information about information about data”. Let’s say you see computers that should be configured the same way behaving differently. That is meta-meta-data. As individual items it’s often not that helpful but over time a great deal can be learned.

So like all AV software Kaspersky is not running a backdoor, not providing content or much else. And it does not have to cooperate or be forced to cooperate with a Government Entity.

All the Government Entity like a State Level SigInt organisation has to do is get access to a router up-stream of Kaspersky’s repository and watch the packets fly by on the wire.

This by the way is the same for all AV software suspect file repositories.

For years I’ve been telling people to disconnect their “private/work” computer from all external communications because for something like 7 decades now one thing has been true,

“If they can not access the computer they can not attack the computer.”

If you have a need for computers to communicate then get a second computer and harden it. Also do not do anything private/sensitive/work etc on it and most certainly do not do any encryption or decryption on it but always use “End to End Encryption”(E2EE).

It’s not perfect but it does significantly reduce the “attack profile” you present to outsiders.
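The file-size and timing point above, as an added illustration that is not code from the original post or from any AV vendor: a constructed set of upload observations (host, time, TLS ciphertext length), the host-to-host linking a passive observer on an upstream router could do from those two fields alone, and how padding uploads to fixed-size buckets (an assumed mitigation chosen here for illustration) blunts that linking by making distinct files look alike on the wire.

```python
import math
from itertools import combinations

# Constructed observations of what a passive observer on a router upstream of a
# sample repository would see per upload: source host, time (seconds) and TLS
# ciphertext length in bytes. The "file" key is ground truth the observer does
# NOT have; it exists only to score the inference below.
OBSERVED = [
    {"host": "host-a", "t": 1000, "size": 48213, "file": "sample-1"},
    {"host": "host-b", "t": 1004, "size": 48213, "file": "sample-1"},
    {"host": "host-c", "t": 1010, "size": 1337,  "file": "sample-2"},
    {"host": "host-d", "t": 1300, "size": 48213, "file": "sample-1"},
    {"host": "host-e", "t": 1301, "size": 9020,  "file": "sample-3"},
    {"host": "host-f", "t": 1302, "size": 9020,  "file": "sample-3"},
]
WINDOW = 30  # seconds; equal-length uploads this close are treated as linked


def infer_links(obs, window=WINDOW):
    """Host pairs an observer would link from length and timing alone."""
    links = set()
    for a, b in combinations(obs, 2):
        if a["size"] == b["size"] and abs(a["t"] - b["t"]) <= window:
            links.add(frozenset((a["host"], b["host"])))
    return links


def true_links(obs):
    """Host pairs that really submitted the same file (ground truth)."""
    return {frozenset((a["host"], b["host"]))
            for a, b in combinations(obs, 2) if a["file"] == b["file"]}


def precision(inferred, truth):
    """Share of inferred links that are real; 0.0 if nothing was inferred."""
    return len(inferred & truth) / len(inferred) if inferred else 0.0


def pad_size(n, bucket):
    """Length after padding the plaintext up to the next multiple of `bucket`.

    Assumed mitigation for illustration only: fixed-size buckets so that
    different files of roughly similar size become indistinguishable on the wire.
    """
    return bucket * max(1, math.ceil(n / bucket))


def with_padding(obs, bucket):
    """The same observations as they would appear if uploads were padded."""
    return [dict(o, size=pad_size(o["size"], bucket)) for o in obs]


def distinct_sizes(obs):
    """How many different ciphertext lengths the observer can tell apart."""
    return len({o["size"] for o in obs})


if __name__ == "__main__":
    truth = true_links(OBSERVED)
    for label, obs in (("unpadded", OBSERVED),
                       ("padded to 64 KiB", with_padding(OBSERVED, 65536))):
        links = infer_links(obs)
        print(f"{label}: {distinct_sizes(obs)} distinct sizes, "
              f"{len(links)} links inferred, "
              f"precision {precision(links, truth):.2f}")
```

Unpadded, every link the observer infers is correct; padded, the same rule still "links" hosts but two thirds of the links are wrong, which is the cost padding imposes on traffic analysis at the price of bandwidth.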

ResearcherZero July 27, 2024 10:51 PM

@— •

Re: Let’s remember what this is all about.

The government takes a really long time to respond or admit to that activity, and other activity, where Russian intelligence has been poking around inside networks for decades.

The telecommunication companies don’t really like admitting that Russian and Chinese agents have been (for decades) breaking into their exchanges, hacking into their main offices, or installing backdoors into their equipment either. For various reasons.

After one of NSO’s lawyers, Rod Rosenstein, asked if the Israeli government was going to “rescue” the company, one of Israel’s U.S.-based lawyers, John Bellinger, a former senior national security lawyer in the George W. Bush administration and now a partner at Arnold & Porter, appears to have told Rosenstein that Israel was “acutely focused on the discovery dangers and is still considering its options.”

Three days later, in mid-July 2020, Israel made a significant but secret intervention. At an urgent meeting with NSO, Israeli officials presented the company with an order issued by a Tel Aviv court granting the government powers to execute a search warrant at its office, access its internal computer systems and seize files.

“The order for a seizure of documents at NSO’s offices in Herzliya was issued by a Tel Aviv judge on behalf of the Israeli government in the context of a closely-followed lawsuit in the state of California. …In February 2024, the court handling the case ruled NSO should produce “all relevant spyware” to WhatsApp”

“a gag order has prevented the government’s actions from being made public”

https://forbiddenstories.org/actualites_posts/israel-maneuvered-to-prevent-disclosure-of-state-secrets-amid-whatsapp-vs-nso-lawsuit/

Facebook claims King & Spalding’s past work with WhatsApp should disqualify the firm from working on the current lawsuit.

Rosenstein joined the law firm King & Spalding as a partner.
Rosenstein worked in the law firm’s special matters and government investigations group.
https://cyberscoop.com/nso-group-lawsuit-whatsapp-conflict-of-interest-king-spalding/

“I have counseled NSO about cyber and national security issues and assisted the defense team” ~ Rod Rosenstein

https://www.documentcloud.org/documents/6933591-Rosenstein-NSO-Group-Declaration.html

WhatsApp sued NSO Group in California’s 9th District Court in October 2019 for allegedly abusing its platform to hack the phones of 1,400 people around the world.
https://securitylab.amnesty.org/latest/2024/07/israels-attempt-to-sway-whatsapp-case-casts-doubt-on-its-ability-to-deal-with-nso-spyware/

ResearcherZero July 28, 2024 12:03 AM

Secrecy is often used to avoid responsibility and the shame of refusing to take action.

The same example can be seen with the lack of response to institutional abuse. Such matters are also clouded in secrecy. At the community level, at the institutional level and the government level. Gaslighting, victim blaming, or avoidance through conspiracy, where the blame can be shifted elsewhere. Imaginations can run wild, and serious scrutiny is avoided.

Simple answers are provided without tackling or implementing recommendations of inquiries.
This avoids the costs of providing support, transferring the responsibility to the victims.

The narrative is shaped and changed to hide failures and refusal to help those in need.

Police officers’ biggest mistake?

Talking too much and not letting victims and witnesses speak for themselves.
https://edition.cnn.com/2013/05/18/health/lifeswork-loftus-memory-malleability/index.html

“Can the first, perception, be influenced in important ways by the second, cognition? Do cognitive states such as memories, beliefs, and expectations affect what one perceives through the senses?”

cognitive influence on perception

https://www.taylorfrancis.com/books/mono/10.4324/9781315189895/thinking-perceiving-dustin-stokes

ResearcherZero July 28, 2024 2:43 AM

“The law has all manner of exceptions, exemptions, authorisations and designed-in loopholes scattered through it, and the complexities are such that there are many unintended loopholes, ambiguities and uncertainties as well. Its effect has also been greatly weakened by large numbers of exceptions and authorisations written into other legislation. Corporations and expensive lawyers and consultants spend a lot of time wading through the verbiage in order to find multiple ways in which organisations can breach data privacy, but avoid breaching data privacy law.”

https://privacy.org.au/resources/privacy-law/plawsclth/

A person convicted of stalking under federal law faces up to five years in prison and a $250,000 fine. If the defendant’s unlawful conduct results in the death of or physical injury to the victim, a conviction can land them in prison for 10 years, 20 years, or even up to life.

https://www.law.cornell.edu/uscode/text/18/2261A

“UK law recognises a right to privacy. The right to privacy is a right of any individual against intrusion, or invasion of his own personal life or affairs, as well as the life of their family.”

The general legal principle is that what is illegal offline is also illegal online.

https://commonslibrary.parliament.uk/research-briefings/sn06648/
