'Very High Level of Confidence' Russia Used Kaspersky Software For Devastating NSA Leaks (yahoo.com)
bricko shares a report from Yahoo Finance: Three months after U.S. officials asserted that Russian intelligence used popular antivirus company Kaspersky to steal U.S. classified information, there are indications that the alleged espionage is related to a public campaign of highly damaging NSA leaks by a mysterious group called the Shadow Brokers. In August 2016, the Shadow Brokers began leaking classified NSA exploit code that amounted to hacking manuals. In October 2017, U.S. officials told major U.S. newspapers that Russian intelligence leveraged software sold by Kaspersky to exfiltrate classified documents from certain computers. (Kaspersky software, like all antivirus software, requires access to everything stored on a computer so that it can scan for malicious software.) And last week the Wall Street Journal reported that U.S. investigators "now believe that those manuals [leaked by Shadow Brokers] may have been obtained using Kaspersky to scan computers on which they were stored." Members of the computer security industry agree with that suspicion. "I think there's a very high level of confidence that the Shadow Brokers dump was directly related to Kaspersky ... and it's very much attributable," David Kennedy, CEO of TrustedSec, told Yahoo Finance. "Unfortunately, we can only hear that from the intelligence side about how they got that information to see if it's legitimate."
If Kaspersky are indeed behind this, they are doing what their company is supposed to do: find malware and make it public. Without their help, NSA's malware would be still in the wild.
The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
Donald Trump is still shielding Russia from accountability for its multiple attacks on our country.
He won't even admit that Russia hacked into our election equipment!
Had my new Win10 machine, decided to put the latest version on. Kas put a man-in-the-middle SSL scanner so it could scan SSL streams. After I told it not to and even disabled it, it still tried to scan all my SSL traffic and would block my browser. It just would not leave my SSL traffic alone even after specifically disabling web protection. This was the scanner only, I did not install the full protection suite.
So I uninstalled it. Rebooted, and it still left the SSL middleware installed. WTF is this amateur behavior at Kaspersky.
No idea wtf is going on over there at Kaspersky, but it's gone to hell. I don't care if it's one of the fastest, very low CPU usage, and great anti-virus detection. These stupid games like MITM SSL without my permission are downright unforgivable.
There is no reason to doubt our esteemed intelligence community. When they implore us to trust them because the evidence is too dangerous to show to the public, it is every patriotic citizen's duty to trust them. Spies are lurking in every corner, even on our beloved Slashdot, so we must remain vigilant against efforts to undermine faith in government. Faith keeps us strong, strength crushes enemies. Have faith.
your thin skin doesn't make me a troll
Mic drop.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
The amazing part is that someone actually runs a closed source virus suite from a Russian vendor. Insane.
...What I want to know are the names of the people responsible for running a foreign COTS A/V on 'net-connected PCs and placing Classified/Top Secret data on those computers and what legal actions/charges are pending against them, and if no legal actions/charges are pending and/or they refuse to identify who they are, why not.
*THOSE* are the questions we should be asking very, very loudly and demanding and the people who should be spending time at Club Fed. Given that level of cavalier handling of such highly-classified and top-secret data, Kaspersky/Putin/FSB et al were likely the very LAST bad-actors to get the data.
How about we figure out how to plug the hole in the lifeboat first before we start holding hearings on where to place the blame?
Strat
Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
Very embarrassing for Obama and the Democrats.
Haha.
Is it fair to hold your CEO accountable for every action you or even your team takes at your job? Sure, sometimes you do something because of a policy or general culture set by upper management, but sometimes you take a course of action because that's simply what you wanted to do.
Not everything that a Federal Government does during an administration is the direct responsibility of the administration and/or ruling party.
I stole this Sig
Looking only at motivation, one must note that Kaspersky was a financially successful company with a bright future in an increasingly critical industry. They owed that to a growing reputation (and a lowered reputation for some competitors). What incentive would motivate them to sell out to any government? The only thing I can think of is (1) A death threat, or (2) a greater amount of money than their expected future profits. I doubt either 1 or 2 and I think it illogical for Kaspersky to break trust that was so valuable to them.
But what about the motivation of the US government? They look bad with so much failure to deal with leaks and malware. And what does any government do to deflect blame? They find a scapegoat! Kaspersky looks like an easy target, especially with the Russia scare. And the American public loves to jump on that sort of bandwagon.
...omphaloskepsis often...
Not only were there the usual viruses associated with stolen code from MS, but also this stuff from NSA which was picked up as it had the signature of a nasty - because it IS. If the Russians got ahold of it because they had already penetrated Kaspersky...then Kaspersky didn't actually do this - they were an unwitting "useful idiot" at most.
But we have to hate them? Want to bet that's because they refused to back down about putting bugs into their code to "not notice" TLA code, when all other AV's agreed to do that?
OK Occam's razor - find another reason that makes sense all around. GoodLuckWithThat. I've yet to see reasonable evidence that the shadow brokers are even russian - they might be, but who knows? Attribution is hard. CIA's leaked tools show their tricks for leaving a false trail, for example (and this is yet another reason not to give any of these guys an encryption backdoor they promise to keep safe - they can't even keep their own stuff safe).
Why guess when you can know? Measure!
The surprise is they're running Windows and not some hardened Linux or an OS written by Canadian hacker Theo de RaaBSD
Not to defend Kaspersky, but this seems to be the trend with most security (or perhaps it's even more general than that) software. A new product comes out that's free of cruft, relatively easy to use, and works effectively. Eventually it turns to shit and it becomes as bloated and craptastic as the other software that it replaced some years ago. Fortunately, there's a new product that has just come out . . .
Stop smearing Kaspersky, it's the only company not in bed with the NSA.
Shit probably got stolen by one of the 50 Intel backdoors anyway.
"High level of confidence" means "We got nothing but we'll smear someone anyway"
Unless that thing supports a particular narrative, in which case it "starts at the top".
Beware of the Leopard.
I refuse to install more proprietary crapware on my computers. I've got enough of it as it is at low levels. We need to cut the crap out and move away from Intel/AMD and other chipsets from companies that won't provide a *complete* set of source code. None of this "open source" nonsense where you only provide half the code or some code wrapped around a proprietary blob. No. I want a *COMPLETE* set of source code that is needed to operate the device. It blows my mind countries don't mandate in law that a complete set of source code be released under a set of free software licenses before said country will allow a product's sale within the country, or at least to government or contractors working for government or critical industry sectors thereof.
Are these the same sources that attributed the Mirai botnet to Russia-sponsored actors?
We don't have a good track record of attributing these actions of late.
Russia is not the big bad enemy. This is all a distraction to keep our attention away from the US government and it's misdeeds.
Support your local school shooter, give them your firearms.
Bringing the thread back on topic, my experience at work shows how Kaspersky would have accidentally "hacked" this material.
For my day job I write software tools which scan networks, checking to see if any computers on the customers' network are vulnerable to any known vulnerabilities. Occasionally the antivirus/anti-malware that is mandated by corporate flags our own tools as likely malware. That makes sense, because our code looks a lot like malware code - we seek out vulnerable hosts, checking each to see if it's actually vulnerable. After that, our system reports to the customer where their vulnerabilities are, but to anti-virus / anti-malware systems our code resembles a threat. Our code also closely resembles some of the NSA code, which was basically malware. Our company has to conform to certain security standards, and those standards require all desktops and laptops to have anti-virus / anti-malware, so we aren't supposed to just disable it, even though it's troublesome when it flags our own files. Right or wrong, bureaucracy requires that our systems have this protection.
The anti-malware vendors program their software so that when it detects a new strain of likely malware, it sends a copy back to the vendor so they can learn about the new malware. That's typical so they can provide better service by continually adding new detection for new malware varieties.
If, due to bureaucratic fiat or any other reason, anti-malware were installed on an NSA system which had a copy of the NSA kit, I'd expect the anti-malware would detect a few of those tools as being possible malware infecting the system. (It is basically malware, after all). Standard practice would be for the anti-malware system to send samples back to Kaspersky, so they can update and improve their detection. Some low-level analyst at Kaspersky would receive several new zero days all "infecting" one computer. Since there are several and they are new, they'd alert their boss and Kaspersky would/should take a look at this customer system that contains several new zero days. Maybe look at the folder the zero days were in to see if more new threats are there. In the same folder the zero days came from, they'd find the NSA manual on how to use them. Suddenly Kaspersky would have the NSA kit without ever doing anything more than doing their job as expected.
The policy that would cause this to happen - without any malice by anyone, would be a rule that "all NSA desktops must have anti-malware installed", combined with choosing Kaspersky, a foreign company, as their vendor.
Are you sure? (y/Y)
Mike @ The Geek Pub. Let's Make Stuff!
Every skilled malware maker would know to use man in the middle to see if their new effort was being detected in real time?
Who knows what NSA work looks like when it's still being created?
Good behavioral analysis by any quality AV would see a change to the OS, new code, strange code in a new place and report it as it would any new malware.
Domestic spying is now "Benign Information Gathering"
So... you have a report written by ... someone... that says something based on evidence we can't look at? Well, it's in the NYT, it has to be true! Except for that one time a reporter made up stories whole cloth for a few years, but that doesn't count. Solid evidence like someone saying that a report says something based on data we don't have is good enough for me!
We all know they won't show us that because they know how badly the Trend Micro and Crowdstrike reports were crapped on when more competent people found all the stuff they "missed" ... like the fact that an old version of a crappy freeware program named P.A.S. was being used or that most of the IPs were just Tor exit nodes.
Why don't you give us something we can actually research and corroborate? Giving us random hearsay from a report doesn't qualify as "evidence" to a normal person.
> Eugene Kaspersky himself said that happened
Ah, thanks - I hadn't seen that. It certainly makes sense though - someone was trying to be safe by using Kaspersky, and Kaspersky was trying to do their job by taking notice of new malware on their customer's computer.
> and he told them to immediately delete all copies of the files.
> Someone perhaps didn't?
I'm not sure I would have deleted *all* copies if I were in that situation. :)
Found it.
https://www.theguardian.com/te...
The OP specifically turned off the "web protection" (which should have stopped the program scanning web traffic, encrypted or otherwise)
We know from the Snowden leaks that the NSA bragged about being able to piggyback on others' exploits and 3rd party security software, so of course the Russians would do the same. You have to bear in mind that any kind of approach they are using must be tested for being undetectable by all known antivirus programs anyway, so hijacking these programs in the first place is a reasonable approach. Whether Kaspersky colluded with Russian intelligence to facilitate that is unknown, but it seems reasonable to assume that Kaspersky are willing to and also couldn't decline even if they wanted.
grep for operations that copy memory, then laugh at their complete failure when doing what should be simple arithmetic. Memory corruption and memory leaks everywhere (read: code execution).
Fine, and did you send them a patch to fix the problems ? or at least submit an issue on their tracker ?
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
I remember a militaristic superpower lying to its own citizens about hidden weapons, metal tubes, babies being pulled from incubators, etc all to start a $1T+ war. Same guys.
Show me proof or fuck off.
In a properly run secure computing facility, classified materials are NEVER, EVER allowed to exist on computers connected to insecure networks. That's not a suggestion, that's a formal requirement, at least for the programs I used to work on. OS updates, antivirus software, everything was air-gapped from the Internet. No exceptions. For the exfiltration to happen as described, the NSA must be routinely violating basic infosec procedures in ways that would get any contractor fired, fined, and possibly imprisoned.
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
"'Very High Level of Confidence' Russia Used Kaspersky Software."
So what does that mean? Is "We heard it from two people" very high? For all I know the "very high" still means that they THINK it is the case, but are not sure. The same amount of "Very High Level of Confidence" as finding WMDs in Iraq? Because we know what that ended up being.
What I see is that the NSA does not want us to use it. So what does that mean in the best case scenario? Only the Russians have access to data IF you use Kaspersky.
What does it mean in the worst case scenario? The NSA does NOT have access if you use Kaspersky, but besides that everybody, including the NSA, has access. So if you use any other anti-virus program, they still have access.
Because how do you know the Russians don't have access when you use anything else?
Don't fight for your country, if your country does not fight for you.
You can't just copy secret material to your home laptop and take it to a bar to work on it. There are strict controls in place
Those controls are enacted by humans, who can either accidentally or intentionally work around the controls.
"Don't copy this to a CD and walk out of the SCIF" is such a control. That control is not infallible.
So, you installed just the web protection and then disabled the SSL traffic scanner? Even though 50% of traffic is encrypted now?
Financial and health data is among the SSL-encrypted traffic. If you don't want something seeing those things, then you either need to exempt your bank/healthcare sites or disable the SSL scanner entirely. Enterprise proxies usually offer this out of the box---most US organizations will not decrypt traffic to these destinations.
And besides, it's up to him as to whether he wants SSL decryption at all. The feature should be configurable.
Odds are good that you disabling the SSL middleware means the uninstaller didn't realize it was there and didn't uninstall it.
Shit application, shit installer. There is no reason an application cannot keep track of which modules are installed regardless of whether a user disables them.
Meanwhile, Comodo wants to keep resetting Chrome to use Yahoo "for web protection" and repeatedly reinstalls a Yahoo Search extension if you delete it.
They have a deal with Yahoo, and they value Yahoo's money over your express wishes. That should tell you all you need to know about your security vendor.
Antivirus programs are getting to be a bit pointless these days. If you have good security measures, you won't get hit by the kind of crap they can find in the first place.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
Pho is facing 10 years for copying that information. Yes, there are rules and procedures---and he broke them. No sympathy, really.
So how can Russia use software that isn't supposed to be exposed to secret information, to steal secret information?
Did you miss the part where a dumbass contractor copied the files and then put them on his computer at home? It was a courier delivery by Air Retard.
If one of my customers' machines were infected with multiple new zero days, I'd expect to find more information about the infection, and maybe another zero-day or two, by looking in that folder. I'd *tell* the client-side agent to send me the entire folder. I'd be thinking "this customer is going to love me for finding this really nasty infection" and I'd get as much information about it as I could.
I've found a LOT of infected machines, mostly web servers, and I've never had a customer complain that I got too much information for them about what's going on. When I call or email them they want to know "how badly infected is the system? How did the bad guys get in? How long has the infection been there?" They'll hold on the phone anxiously awaiting more answers while I dig through their system, so based on my experience over 20 years I'd expect the customer to want me to dig up as much information as I can.
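The two comments above (the one starting "For my day job" and this follow-up) describe the same mechanism from the vendor's side: an agent auto-uploads "suspicious" files, and a burst of distinct new samples from one machine is what makes an analyst pull the whole folder. The script below is an added example, not code from the thread or from any AV product: it audits a constructed, hypothetical agent log on the customer's side for (a) uploads from folders that must never leave the host and (b) bursts of distinct submissions from one host. The log format, host names, paths and the `RESTRICTED_PREFIXES` list are all assumptions.

```python
"""Audit AV sample-submission telemetry for two patterns from the thread:
(a) files uploaded from folders whose contents must never go to a third party,
(b) several distinct new samples uploaded from one host in a short window.
The log format and all values are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed agent log: <ISO timestamp> <host> <event> <path>
SAMPLE_LOG = """\
2017-10-02T09:14:05 WS-0412 scan_clean C:\\Windows\\System32\\notepad.exe
2017-10-02T09:14:09 WS-0412 submit_sample C:\\Users\\dev\\Toolkit\\scanner_core.exe
2017-10-02T09:14:10 WS-0412 submit_sample C:\\Users\\dev\\Toolkit\\smb_probe.dll
2017-10-02T09:14:12 WS-0412 submit_sample C:\\Users\\dev\\Toolkit\\README.docx
2017-10-02T09:20:31 WS-0099 submit_sample C:\\Users\\bob\\Downloads\\invoice.exe
2017-10-02T11:02:44 WS-0099 submit_sample C:\\Users\\bob\\Downloads\\setup.exe
"""

# Hypothetical list of folders that must never be auto-submitted anywhere.
RESTRICTED_PREFIXES = ("C:\\Users\\dev\\Toolkit\\",)


def parse_log(text):
    """Turn raw lines into event dicts; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) != 4:
            continue
        ts, host, event, path = parts
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "path": path})
    return events


def restricted_uploads(events, prefixes=RESTRICTED_PREFIXES):
    """Paths submitted to the vendor from a restricted folder (case-insensitive)."""
    low = tuple(p.lower() for p in prefixes)
    return [e["path"] for e in events
            if e["event"] == "submit_sample" and e["path"].lower().startswith(low)]


def burst_uploads(events, window=timedelta(minutes=5), threshold=3):
    """Hosts that submitted >= threshold distinct files inside any `window`.
    Returns {host: sorted list of the paths in the first burst found}."""
    by_host = defaultdict(list)
    for e in events:
        if e["event"] == "submit_sample":
            by_host[e["host"]].append(e)
    hits = {}
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            inside = {e["path"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(inside) >= threshold:
                hits[host] = sorted(inside)
                break
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("restricted-folder uploads:", restricted_uploads(evs))
    print("burst uploads per host:", burst_uploads(evs))
```

On the constructed log, WS-0412 trips both checks (three Toolkit files in seven seconds) while WS-0099's two Downloads uploads hours apart trip neither, which is the distinction a defender would want before deciding which folders to exclude from cloud submission.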