Kaspersky Admits To Reaping Hacking Tools From NSA Employee PC

Kaspersky has acknowledged that code belonging to the US National Security Agency (NSA) was lifted from a PC for analysis but insists the theft was not intentional. From a report: In October, a report from the Wall Street Journal claimed that in 2015, the Russian firm targeted an employee of the NSA known for working on the intelligence agency's hacking tools and software. The story suggested that the unnamed employee took classified materials home and operated on their PC, which was running Kaspersky's antivirus software. Once these secretive files were identified -- through an avenue carved by the antivirus -- the Russian government was then able to obtain this information. Kaspersky has denied any wrongdoing, but the allegation that the firm was working covertly with the Russian government was enough to ensure Kaspersky products were banned on federal networks. There was a number of theories relating to what actually took place -- was Kaspersky deliberately targeting NSA employees on behalf of the Kremlin, did an external threat actor exploit a zero-day vulnerability in Kaspersky's antivirus, or were the files detected and pulled by accident? According to Kaspersky, the latter is true. On Wednesday, the Moscow-based firm said in a statement that the results of a preliminary investigation have produced a rough timeline of how the incident took place. It was actually a year earlier than the WSJ believed, in 2014, that code belonging to the NSA's Equation Group was taken.

Beleivable

[AmiMoJo]

Their version of events is much more believable than the others offers so far. Guy takes home the NSA malware, disables Kaspersky to install some warez and then realizes his machine has been p0wned, so does multiple full scans. The NSA malware is picked up during those scans and automatically submitted for analysis (the default behaviour). During this time his machine had an open backdoor.

What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details. Failure to do so is far worse than simply sharing it with the Russian government, who I'd assume already had copies anyway given how leaky the NSA is.

Re: Beleivable

[Baron_Yam]

>Not that I care if the NSA figures out my porn preferences

You should, so long as there are people out there who would punish you for them. There's a seemingly unending supply of sanctimonious people out there who will outright ruin your life if they find something about you personally distasteful.

Even though you and I are likely so unimportant to the state and they're unlikely to use what they find against you, just on general principles you should want privacy from the government as a general rule whenever it is practical.

When the three letter agencies have access to everyone's secrets, they're no longer serving the public since they have the power to control those who are supposed to be in power.

Re:Beleivable

[mangastudent]

What really worries me here is that Kaspersky apparently deleted the NSA malware and source code once they realized what it was. They should have analyzed it, generated signatures and published details.

Doing that with Officially Classified materials has legal consequences. For example, I assume employees of Kaspersky want to be able to travel outside of Russia without getting arrested and imprisoned. And to be able to travel to the US for security conferences.

Re:Beleivable

[Train0987]

Doing that with Officially Classified materials has legal consequences. .

Unless you're Hillary Clinton, of course.

Re: Beleivable

[Ol+Olsoc]

>Not that I care if the NSA figures out my porn preferences

You should, so long as there are people out there who would punish you for them. There's a seemingly unending supply of sanctimonious people out there who will outright ruin your life if they find something about you personally distasteful.

In a twist of irony, those selfsame people will as likely as not have much more interesting porn records than anything a normal person has. Its projection, and we see it time and time again, from Jimmy Swaggert's television set top wanking while a hooker does God knows what, to that creep preacher in Colorado who railed on about them thar homos, but enjoyed screwing his male masseuse, to better than the rest of us Josh Duggar who has some very interesting and illegal preferences. Brings new meaning to family values.

I just say something about Shemale midget scat porn and watch their eyes light up.......

Re:Beleivable

[mangastudent]

More generally a member of our Ruling Class. See for example John Deutch per Wikipedia:

Soon after Deutch's departure from the CIA [as Director] in 1996 it was revealed that classified materials had been kept on several of Deutch's laptop computers designated as unclassified. In January 1997, the CIA began a formal security investigation of the matter. Senior management members at the CIA declined to fully pursue the security breach. More than two years after his departure, the matter was referred to the Department of Justice, where Attorney General Janet Reno declined to prosecute. She did, however, recommend an investigation to determine whether Deutch should retain his security clearance. President Clinton issued a Presidential pardon on his last day in office.

Very specifically, according to local newspaper reports (I was living in the D.C. area at the time), he took materials out of a Sensitive Compartmented Information Facility, the sort of thing that you swear each time you enter one not to do, and did the above with one or more computers he used at home that were attached to the Internet, as I recall, even emailed stuff based on this Top Secret material.

More recently, many of Hillary's retinue did the same or worse, e.g. with raw NSA intercepts, and of course nothing happened to them.

Re:Beleivable

[mangastudent]

Sandy Berger as a Clinton insider who actually got some real punishments, albeit wrist slaps aside from losing his law license, doesn't do a good job of making my greater point that there's a Ruling Class that's essentially not subject to the Rule of Law we peons in theory live under.

On the other hand, he's a good example of how this crosses nominal party lines, this particular crime of his was done while Team Bush was at least nominally running the Executive, they should have nailed him to the wall.

Re:Beleivable

[LeftCoastThinker]

Both parties cover for each other in the hope that when out of power they will be protected as a courtesy from the other party. This is the textbook reason why special prosecutors should always be used when there is evidence of criminal activity (as opposed to the Trump Russia investigation, where there is a lot of innuendo, but no actual allegation or evidence of criminal activity, ask a real prosecutor, they will tell you).

As far as Sandy Berger, the guy was on camera stuffing classified documents into his pants the day before Clinton left office... That is what is known as evidence.

The AV software was configured as such

No surprise here,
Source: https://arstechnica.com/information-technology/2017/10/worker-who-snuck-nsa-secrets-home-had-a-backdoor-on-his-pc-kaspersky-says/?comments=1

Direct quote:
The NSA worker's computer ran a home version of Kaspersky AV that had enabled a voluntary service known as Kaspersky Security Network. When turned on, KSN automatically uploads new and previously unknown malware to company Kaspersky Lab servers. The setting eventually caused the previously undetected NSA malware to be uploaded to Kaspersky Lab servers, where it was then reviewed by a company analyst.

Data trail

[YrWrstNtmr]

NSA->employee->Home system->Kaspersky AV->Kaspersky Lab servers --------> Russian Govt?

If Kaspersky isn't working with the Russian govt, how did their Lab data end up with the Russian govt?

Oh, and the NSA dude needs some jail time as well.

Re: Data trail

[guruevi]

Nobody has ever said the Russians had the malware. Russian government involvement is a red herring spun to distract you from the Russia-Clinton-Obama inconvenience.

Re: Data trail

[Solandri]

That's the problem with you conspiracy kooks. Occams razor tells us otherwise.

I see people making this mistake a lot. Occam's razor isn't a law. It doesn't "tell us" anything. It doesn't say "The simplest explanation is the correct one."

It actually goes: "The simplest explanation tends to be the correct one." Occam's razor merely suggests what is the most probable answer. It doesn't prove or tell us anything, it simply lets you organize hypotheses into, lacking any other evidence, the most likely order of plausibility. You still have to prove the most-likely hypothesis is correct. And a less-likely (more complicated) hypothesis can still turn out to be the correct one.

Why not disclose it?

[Deathlizard]

So it looks like what happened is what I suspected, that Kaspersky's Heuristic analysis found the file and submitted it for analysis. Which is fine since that's what it's supposed to do.

The real question is why wouldn't Kaspersky submit it to other AV Firms or even Microsoft for analysis instead of just deleting it? From what it sounds like they had full source code on a virus. I would think that would be the equivalent of striking gold in the AV community regardless of the virus's source, Unless Kaspersky was afraid that the US would Pressure the heck out of them if they disclosed, which is not much different from what's happening now.

Overreaction to business as usual

[cloud.pt]

So basically, commercial software, namely an antivirus, proceeded as intended (detected malicious/suspicious code). Nothing new.

Then the Russian gov., just like the US or the UK govs. pulled that software/information based on the principle of screwing anyone's privacy (especially foreigners) over national security concerns (which when you look at it from an impartial point of view, like me (someone who literally stands between both countries in western Europe), it's a contextually solid argument, even though I am completely opposed to this relegation of privacy to second place. This is also not new, and the US knows this happens frequently. They know it because they also do it. How many Sillicon Valley corps. are sueing the US gov. to prevent just that? (Well, Microsoft just dropped it because, well, the government had a bad case and decided to pull back).

At least they're not loading Linksys hardware with trojans for deployment to China and Russia's top tier installations.

Seems like a very plausible explanation from Kaspersky, clearly not at fault, and will be a clear case of hypocrisy by whichever government decides to slander private business of the company. Not only is the government at fault (that was bad BAD behavior from the employee, unless he was whistleblowing something, like Snowden), but they also do this.

Demand local servers, just like Brasil did to Facebook, if you are worried about your info being offshored to jurisidictions you can't control the full chain of behavior.

In their defense of deleting the files

[FeelGood314]

After discovering the suspected Equation malware source code, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all our systems. The archive was not shared with any third parties.

To be fair, this puts them in a bind. They acquired NSA malware source code but they got it because their product uploaded it to them. If they keep it and use it they are breaching the trust of their client. I trust and give Kaspersky permission to scan for viruses and pull their executables. I don't give them permission to look through various source code on my computer. This isn't about saving or shielding the NSA, it's about the integrity of their contract with their users. Screw the NSA but Kaspersky showed more integrity here than the NSA has ever shown in its entire existence.

Willing to bet KGB employee

[ripvlan]

I'm willing to bet that Kaspersky had an employee who was also an unknown intelligence spy on the payroll.

The intelligence agency figured out the US Govt was using software - submitted resume for spy to open job - and spy reported to work as instructed. Aren't we worried that the NSA is asking Google/Apple/ISP (cough AT&T) to open the door a crack?

Isn't this the fear of many in security? - that an unknown group could change the C compiler source code to ignore or replace certain instructions. Then modify the encryption software with a backdoor that matches the pattern the compiler is looking for - and thus inject a backdoor? Said backdoor is not visible/obvious in the encryption software.

And the method to do this is have spies report to work at legitimate businesses. with external orchestration of their activities.

Also possible that said spy figured out the zero-day which was put to use from another group outside. OR coded said backdoor or side-channel vector.

Is it Executive IT Syndrome?

[ErichTheRed]

Here's another thought about why it happened -- is it possible that NSA treats some of their more brilliant analysts the same way companies treat executives? Everywhere I've worked, security policies apply to absolutely everyone except the C-level and senior VP ranks. Execs just tell IT to plug whatever new shiny thing they got at a conference or Best Buy into the network, override password policy so they don't have to log in to their machines, and a whole bunch of other things that would get ordinary workers fired. Maybe if you're a super-brilliant borderline autistic cybersecurity genius, the NSA decides it's not worth it to try to enforce policy?

I'm sure a lot of the safeguards around classified information are the equivalent of "security theatre" but I'm kind of surprised NSA would let their analysts casually walk out the door with unreleased exploit code and bring it home with them. People I know who work for defense contractors on much more mundane stuff can't even mount USB drives on their computers read-only, let alone copy files, but it seems like they just let things like this happen once you get a certain level of access beyond the perimeter. Some of the things I've heard described are totally security theatre, like covering whiteboards when the janitor comes through or insisting that every piece of garbage be burned _and_ shredded...but at least they have the common sense to prohibit employees from taking confidential data home and employees I've spoken with are well-trained to not talk about exactly what they're working on. I have a feeling we'd never know about this if it hadn't gotten to a machine without Internet access.

Almost all companies work like this too -- once you're inside everything is trusted and can talk to everything else. That's absolutely the wrong thing to do, but rebuilding the network and walling things off to an "assumed-compromised" posture is super expensive and hard to implement. Lots of companies don't even have internal PKI right yet so port-level authentication on network gear isn't even possible. And the app landscape is so vast and much of it is so old that totally locking down some things would take tons of research and effort...all of which the company won't pay for. You would think NSA would be all over that though, given what they work on.