Kaspersky Admits To Reaping Hacking Tools From NSA Employee PC (zdnet.com)
Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional. From a report: In October, a report from the Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency's hacking tools and software. The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky's antivirus software. Once these secretive files were identified -- through an avenue carved by the antivirus -- the Russian government was then able to obtain this information. Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks. There were a number of theories relating to what actually took place -- was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky's antivirus, or were the files detected and pulled by accident? According to Kaspersky, the latter is true. On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place. It was actually a year earlier than the WSJ believed, in 2014, that code belonging to the NSA's Equation Group was taken.
WSJ, MSM,..... WMD anyone?
Smear, smear, smear, it's the Russians!!! Oh wait, it's the DNC!!!! Squirrel with Tits just ran behind that tree!!!
Their version of events is much more believable than the others offered so far. Guy takes home the NSA malware, disables Kaspersky to install some warez and then realizes his machine has been p0wned, so does multiple full scans. The NSA malware is picked up during those scans and automatically submitted for analysis (the default behaviour). During this time his machine had an open backdoor.
What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details. Failure to do so is far worse than simply sharing it with the Russian government, who I'd assume already had copies anyway given how leaky the NSA is.
const int one = 65536; (Silvermoon, Texture.cs)
SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
I think the focus is a miss... W T F was an NSA employee doing with Kaspersky installed in the F* first place? Is that how the NSA takes care of sensitive data? By installing "anti virus software on windows machines"? xDDD
No surprise here,
Source: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/?comments=1
Direct quote:
The NSA worker's computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to company Kaspersky Lab servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.
A government makes malware. A foreign malware protection company finds it and defeats it, making the interwebs a little bit more secure. The NSA and CIA are turning the interwebs into a Swiss cheese of security holes and, as we've seen, they're lousy at keeping secrets. Someone's got to do something about it.
Why do I have visions of a mobster saying:
"Trust me. Come on! Trust me!"
Just stick to McAfee anti-virus scanner for your PCs.
Some bullshit about the product working only as intended. Hackers have been practicing obfuscated, "looks good but has a malicious side-channel" code since forever, and you'd be an utter dimwit (or vatnik!) to think that Mr. Kaspersky himself of the KGB's technical school doesn't know how to put these ideas into practice both programmatically AND socially.
But guess what? Even if Kaspersky has the most honest intentions in the world, which they don't, that still doesn't prevent SORM from capturing everything, or the business from being coerced into providing that telemetry, binaries, and incidentally collected files. Same reason Russia wisely banned Pokemon GO from their country: it's not Niantic you worry about hoovering up all that telemetry and incidental data. It's the government who inspects and grabs that traffic over top of them for mass collection and analysis to map out a country's signals with useful idiots.
NSA->employee->Home system->Kaspersky AV->Kaspersky Lab servers --------> Russian Govt?
If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?
Oh, and the NSA dude needs some jail time as well.
So it looks like what happened is what I suspected, that Kaspersky's Heuristic analysis found the file and submitted it for analysis. Which is fine since that's what it's supposed to do.
The real question is why wouldn't Kaspersky submit it to other AV firms or even Microsoft for analysis instead of just deleting it? From what it sounds like they had full source code on a virus. I would think that would be the equivalent of striking gold in the AV community regardless of the virus's source, unless Kaspersky was afraid that the US would pressure the heck out of them if they disclosed, which is not much different from what's happening now.
In Soviet Russia, Trojan exploits YOU!
how many weapons get lost/stolen/leaked from the NSA. Thank god this agency doesn't have nukes!
So basically, commercial software, namely an antivirus, proceeded as intended (detected malicious/suspicious code). Nothing new.
Then the Russian gov., just like the US or the UK govs., pulled that software/information based on the principle of screwing anyone's privacy (especially foreigners) over national security concerns (which, when you look at it from an impartial point of view, like me (someone who literally stands between both countries in western Europe), is a contextually solid argument, even though I am completely opposed to this relegation of privacy to second place). This is also not new, and the US knows this happens frequently. They know it because they also do it. How many Silicon Valley corps. are suing the US gov. to prevent just that? (Well, Microsoft just dropped it because, well, the government had a bad case and decided to pull back).
At least they're not loading Linksys hardware with trojans for deployment to China and Russia's top tier installations.
Seems like a very plausible explanation from Kaspersky, clearly not at fault, and will be a clear case of hypocrisy by whichever government decides to slander private business of the company. Not only is the government at fault (that was bad BAD behavior from the employee, unless he was whistleblowing something, like Snowden), but they also do this.
Demand local servers, just like Brazil did to Facebook, if you are worried about your info being offshored to jurisdictions where you can't control the full chain of behavior.
https://usa.kaspersky.com/abou...
It took the NSA 3 years to notice or 3 years to let everyone else know...
since they were leaked on the internet. It would make sense that a company specializing in AV and security took a look at them. After all, NSA are trying to break into your computer, while Kaspersky is trying to stop them.
You should be thankful that they took a look at the tools to learn how to keep them and NSA out of your computer.
After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.
To be fair, this puts them in a bind. They acquired NSA malware source code but they got it because their product uploaded it to them. If they keep it and use it they are breaching the trust of their client. I trust and give Kaspersky permission to scan for viruses and pull their executables. I don't give them permission to look through various source code on my computer. This isn't about saving or shielding the NSA, it's about the integrity of their contract with their users. Screw the NSA but Kaspersky showed more integrity here than the NSA has ever shown in its entire existence.
I mean are you REALLY naive enough to believe that Windows is
1) an even slightly secure OS
2) Microsoft (and therefore the NSA) really don't/aren't using their own backdoors built right into Windows (and maybe Intel's IME) to conduct ongoing scans, analysis and upload of anything/everything of "interest" that you ever have on your PC ?
The problem is clearly the NSA employee who took the code home and put it on his Windows PC in the first place. He of all people should have known WAAAY better.
I'm willing to bet that Kaspersky had an employee who was also an unknown intelligence spy on the payroll.
The intelligence agency figured out the US Govt was using software - submitted resume for spy to open job - and spy reported to work as instructed. Aren't we worried that the NSA is asking Google/Apple/ISP (cough AT&T) to open the door a crack?
Isn't this the fear of many in security? - that an unknown group could change the C compiler source code to ignore or replace certain instructions. Then modify the encryption software with a backdoor that matches the pattern the compiler is looking for - and thus inject a backdoor? Said backdoor is not visible/obvious in the encryption software.
And the method to do this is to have spies report to work at legitimate businesses, with external orchestration of their activities.
Also possible that said spy figured out the zero-day which was put to use from another group outside. OR coded said backdoor or side-channel vector.
NSA knows bad employee. NSA decides to watch employee to see how bad leak is. NSA installs backdoor in comp themselves. Kaspersky, installed accidentally, steps on ongoing investigation.
fuck off with your propaganda
See subject: It seems like the antivirus was doing its job correctly (the NSA guy probably wasn't taking their spyware home) but they should have dismantled it on Kaspersky's end as you said & put out signatures etc. vs. it.
* Additionally in YOUR FAVOR?
Others are "hitting on" YOUR POINT & extending it too w/ factual data from the sources covering it!
E.G./I.E. - the NSA guy left on a setting in the AV that did indeed put his data into the Kaspersky security network https://yro.slashdot.org/comments.pl?sid=11273351&cid=55429569/
APK
P.S.=> Yes folks - it's PRETTY SAD when your own gov't. who is SUPPOSED to protect YOU is spying on you indiscriminately (absolute power corrupts absolutely) - what else am I or anyone else supposed to think - & then they try crap on a company doing its job to cover THEIR ASS & extend their "agenda"? Anyone's free to convince me otherwise though... apk
Because it would be in the interest of the FSB to get the new malware and signature for two reasons (and I would not be surprised if the NSA does the same): 1) be made aware of new zero day exploits and find counters for Russian firm/gov security; 2) get new exploitable weapons they themselves did not come up with. Why outsource when some civilian can build something?
C. Sagan : A demon haunted world:
http://www.amazon.com/gp/product/0345409469/
visit randi.org
KSN and all similar technologies, including the Microsoft malware submission tool, should be made illegal.
Rationale:
* All software is protected by copyright.
* Only the copyright holder has the legal authority to authorize copying the software.
* Transferring malware from the infected user to researchers therefore violates the rights of the copyright holder.
To what extent the above is sarcasm is left as an exercise for the reader.
The sarcasm begins in part 2 of the rationale, with "Only the copyright holder has the legal authority to authorize copying the software." The copying would almost certainly be found, by any court, to be defensible as Fair Use.
The purpose of the copying is to analyze the malware, not to use/enjoy the malware in the usual manner.
The nature of the copyrighted work is functional, not artistic. And it's already published and shared with whomever the NSA has chosen to investigate.
The effect of the copying on the marketability of the malware is zero. Anyone who didn't want the malware before, still won't want it.
And finally, it shouldn't be copyrightable anyway, because the NSA does not need a government-granted monopoly in order to have incentive to create and publish the malware. Even PD or GPLed malware would be good enough for their purposes.
You still have to prove the most-likely hypothesis is correct. And a less-likely (more complicated) hypothesis can still turn out to be the correct one.
Rational people assume the most-likely until reasonable evidence proves otherwise.
Here's another thought about why it happened -- is it possible that NSA treats some of their more brilliant analysts the same way companies treat executives? Everywhere I've worked, security policies apply to absolutely everyone except the C-level and senior VP ranks. Execs just tell IT to plug whatever new shiny thing they got at a conference or Best Buy into the network, override password policy so they don't have to log in to their machines, and a whole bunch of other things that would get ordinary workers fired. Maybe if you're a super-brilliant borderline autistic cybersecurity genius, the NSA decides it's not worth it to try to enforce policy?
I'm sure a lot of the safeguards around classified information are the equivalent of "security theatre" but I'm kind of surprised NSA would let their analysts casually walk out the door with unreleased exploit code and bring it home with them. People I know who work for defense contractors on much more mundane stuff can't even mount USB drives on their computers read-only, let alone copy files, but it seems like they just let things like this happen once you get a certain level of access beyond the perimeter. Some of the things I've heard described are totally security theatre, like covering whiteboards when the janitor comes through or insisting that every piece of garbage be burned _and_ shredded...but at least they have the common sense to prohibit employees from taking confidential data home and employees I've spoken with are well-trained to not talk about exactly what they're working on. I have a feeling we'd never know about this if it hadn't gotten to a machine without Internet access.
Almost all companies work like this too -- once you're inside everything is trusted and can talk to everything else. That's absolutely the wrong thing to do, but rebuilding the network and walling things off to an "assumed-compromised" posture is super expensive and hard to implement. Lots of companies don't even have internal PKI right yet so port-level authentication on network gear isn't even possible. And the app landscape is so vast and much of it is so old that totally locking down some things would take tons of research and effort...all of which the company won't pay for. You would think NSA would be all over that though, given what they work on.
"if we accidentally get some of your files, we delete them immediately-- any files of any type, no matter what they are or what they do."
But if it got malware, how are they supposed to know if YOU wrote the malware (and thus the policy would be to delete it) or if you just downloaded it (and thus their policy should be to catalogue and hash)?
We are assuming here that Kaspersky is not actually clueless.
Among other things, the fact that you have source code and several previous versions of the file might serve as a clue.
http://www.geoffreylandis.com
Yes, that's a different question. I was addressing the post by AmiMoJo stating that what they should have done was copied the customer's files, analyzed them, and published them.
I'm pretty sure nobody got executed for mishandling cyber weapons a few decades ago.
Oh, and I corrected that annoying spelling error in the subject that everyone else has been ignoring.
How about that - NSA guy gets the malware on his home computer with the intention of giving it to whistle blowers. He intentionally infects his station with malware, then runs a few AV scans from multiple products to make sure it is properly detected and logged. Then sends the NSA malware to Wikileaks or whatever through a side channel. He now has an alibi and can maintain that the stuff was stolen by the malware on his computer. In the process Kaspersky receives a copy of the NSA stuff too; they may or may not have deleted it. Now everything is blown out of proportion and the guy is just a poor employee that made a mistake instead of a whistle blower.
So the guy had Office pirated, but somehow had Kaspersky original...
Anybody that pirates shit knows one thing: out of all of the pirated programs out there, the one that's GOING TO have a virus on it every single time is the antivirus. It never ever fails. That's the reason people use free antivirus software, the reason why some years ago Avast was installed everywhere, because people KNOW you don't touch a Kaspersky torrent with a ten foot pole with a condom on one end, and the only decent alternative was the other one, which at one point was pretty good even though it was free. If installing cracked antiviruses were safe, people would have used Kaspersky all the time. But it isn't.
So this guy had an original Kaspersky suite, but a pirated Office.
I don't know Rick, it looks fake.
Also the guy worked in the NSA and instead of using VirusTotal to check the keygen he just used one antivirus... I don't know man, this does not look real to me.
Ess Pee Aitch
I'm going to continue using the Host File Engine. Your software is well written, functional. The Host File Engine performs exactly as promised by mmell
his hosts program is actually pretty good by xenotransplant
his hosts tool is actually useful for those cases in which one does indeed want to locally block stuff outright while consuming minimum system resources by alexgieg
(APK's) work, I've flat out said it's good by BronsCon
I've tried his hosts file generating software. It works by bmo
APK your posts on this & the hosts file posts, and more, have never been in error &/or bad advice by BlueStrat
Your premise that hostfiles are a good way to deal with advertising & malvertising is quite valid by JazzLad
I like your host file system by Karmashock
(NEED MORE? Ask!)
* It's recommended/hosted by Malwarebytes' hpHosts!
APK
P.S.=> China imitates me http://www.theregister.co.uk/2017/04/26/boffins_supercharge_the_hosts_file_to_save_users_plagued_by_dns_outages/ ... apk
Wow. Now that headline is a hard left spin. It could just as accurately have been "Kaspersky Admits Their Software Behaves Just Like All Other Mainstream Anti-Virus Products" or "Government Malware Source Code Sent To Kaspersky By Incompetent Moron But CEO Orders It Deleted Immediately".
Call me crazy but isn't detecting malware exactly what you have a malware detector to do? And don't they generally send samples of suspicious shit to the mothership?
Logic dictates to hold off assumptions and assbackwardness.
See subject & read my post you replied to - unless I see FACT that Kaspersky is DIRECTLY spying, not others using things in it that are vulnerable (tons of AntiVirus progs have been hit thus, & it's WHY I say their complexity works against them & yes, you too)? I'll stick by that.
Especially in this case: Afaik & have seen thusfar? The NSA stooge f'd up & left a setting on that SUBMITS to Kaspersky servers what it finds (data & all).
* I've had 9 antivirus companies FALSELY FLAG my ware as "malware" & had Malwarebytes' folks help me disprove that (& I did successfully) https://www.virustotal.com/en/file/e01211ca36aa02e923f20adee0a3c4f5d5187dc65bdf1c997b3da3c2b0745425/analysis/1433430542/ so, it proves they make mistakes - I wouldn't call what they did here a malicious blunder, OR even what they did to me I overturned...
(Again, @ least not until I know, FOR SURE, they are up to "no good" & I don't right now (& would say they're not)).
APK
P.S.=> On the note of blocking Kaspersky servers? I don't agree w/ it (@ this point so far) & I don't use their ware, but there is no guarantee they use hostnames (possibly yes, but also possibly no - Take Microsoft for example (or any big company) - they own HUGE blocks of the net & PAY BIG "$" for it on IP address blocks - Kaspersky may also, but I am not sure either way (host-domain name vs. IP address use in their work))... apk
WSJ (citing US govt sources or "people familiar") says that Kaspersky virus scans include a keyword search which was triggered by the existence of the words "Top Secret", presumably and implicitly IN A FILE (whether that means a folder/directory name, a file name, or actually encoded (how??) in a file isn't crystal clear to me). Kaspersky claims innocence but also claims that no specific accusations have been made. Well, gee, I'd call reacting to "Top Secret" pretty specific. There seem to be two or three possibilities.
1. The software installed on the PC and/or running locally flagged malware, sent it to Kaspersky and it was intercepted - unknown by Kaspersky - by Russian Intelligence.
2. Same as 1, but Kaspersky is aware of Russian Intelligence's penetration of their network (how could they possibly expect that the government isn't monitoring all of their traffic???).
3. Kaspersky has actively aided Russian Intelligence's exploits of their network.
4. The software on the local PC flagged non-code data (text) and sent the containing file, which was otherwise innocuous, to Kaspersky.
#3 & #4 are clearly violations of trust, and #2 would appear to indicate that Kaspersky can't be trusted to do the right thing - like keeping non-Russian data out of Russia, if the gov't is likely snooping (same with non-USA data - it should be kept out of the USA if NSA (etc.) is able to snoop, with or without warrant). Of course, there's a gray area: if a text string (data) occurs in malware, then it's logical for Kaspersky to flag that string (data). That might in and of itself justify sending the containing file to Moscow (or is it St. Pete?). This isn't complicated stuff. It seems to me that if it was as straight-forward as the WSJ claims then almost anyone could create a text file named Top Secret, and another containing the text "Top Secret", and see what an AV scan did with them. But then again, I have no idea how to build anti-malware so this is probably totally wrong.
Nice non-technical click bait title.
Aryeh Goretsky/ESET/NOD32: hosts = good security http://it.slashdot.org/comments.pl?sid=7442373&cid=49747129/
Oliver Day (SYMANTEC/SECURITYFOCUS) http://www.securityfocus.com/columnists/491/ "Host file accessing the Internet - particularly browsing the Web - is actually faster... Spybot Search & Destroy offer lists of known malicious servers to add a layer of defense against trojans & other forms of malware"
OReilly hosts security -> http://oreilly.com/pub/a/windows/2004/03/30/hosts.html/ & hosts speed -> http://www.oreillynet.com/pub/a/network/excerpt/winxphacks_chap1/index1.html?page=3/
Steve Gibson endorses hosts https://www.grc.com/sn/sn-045.htm/
Brocke Wilders of WILDERS' SECURITY does inferior clone of MY work http://www.wilderssecurity.com/threads/hosts-block.378901/
ZD NET "How to use a Hosts file to improve your internet experience" http://www.zdnet.com/article/how-to-use-a-hosts-file-to-improve-your-internet-experience/
APK
P.S.=> Want more? Ask... apk
So to protect yourself from the NSA , run Kaspersky ?
The problem with all conspiracy theories, to me, is that the people employing them work their way backwards, picking and choosing what they accept, and miraculously, it just so happens to align with their world view. They will even manage to deny it when Kaspersky admits they accessed the idiot's computer.
So this is what happened, so this is how it was found, this is who did it, this is how it happened, and the people who did it admitted they did it.
The only thing left is that somehow the person heading up the company didn't do what his training instructed him to do, which is pass it up the line. And that makes so little sense as to be completely dismissible.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
In the era when literally everything is networked and you can crash a country's economy or power grid with the right cyber weapon, they are the WMD of the modern era, and we did execute the Rosenbergs for stealing US nuclear bomb technology for the Russians.
If you disagree, please post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like