Archive for Kaspersky

Fake Windows 11 Installers Are Spreading Malware

Posted in Commentary on July 24, 2021 by itnerd

If you want to try out Windows 11, you need to be really careful because according to Kaspersky, there are fake Windows 11 installers out there that are serving up malware:

Microsoft hasn’t yet released Windows 11, but the new operating system is already available for download and preview. Cybercriminals, of course, are exploiting that, slipping malware to users who think they’re downloading Microsoft’s new operating system.

And:

One example involves an executable file called 86307_windows 11 build 21996.1 x64 + activator.exe. With a file size as large as 1.75GB, it certainly looks plausible. In fact, though, the bulk of that space consists of one DLL file that contains a lot of useless information.

Opening the executable starts the installer, which looks like an ordinary Windows installation wizard. Its main purpose is to download and run another, more interesting executable. The second executable is an installer as well, and it even comes with a license agreement (which few people read) calling it a “download manager for 86307_windows 11 build 21996.1 x64 + activator” and noting that it would also install some sponsored software. If you accept the agreement, a variety of malicious programs will be installed on your machine.

Nasty. The article from Kaspersky tells you how to safely download Windows 11 onto a computer that already has Windows 10. But this makes it clear that you have to be careful if you want to try out Microsoft's newest OS, as clearly cybercriminals are out there to pwn you.

Kaspersky Lab Files Antitrust Complaint Against Apple

Posted in Commentary on March 20, 2019 by itnerd

So… It seems that Kaspersky doesn’t like the fact that Apple gets to dictate how apps should behave on its app store. And as a result of that, they’ve filed an antitrust complaint with the Russian Federal Antimonopoly Service. That I must admit seems really sketchy to me as if it were me, I would have served it up in the US. But given their relationship with the US Government at the moment, I guess that’s possible. But in any case, this is what they are arguing:

Last year, we received a notice from Apple saying that our Kaspersky Safe Kids for iOS app does not meet the requirements of paragraph 2.5.1 of the guidelines for apps hosted in the App Store. Apple had never before had any issues with Kaspersky Safe Kids; the app had been hosted in the App Store, meeting all of the guidelines, for nearly three years.

It turned out that, according to Apple, the use of configuration profiles was against App Store policy, and Apple demanded that these be removed, so that the app could pass the review and be published in the store. For us, that would mean removing two key features from Kaspersky Safe Kids: app control and Safari browser blocking.

Both features are essential. The first allows parents to specify which apps kids cannot run based on the App Store’s age restrictions. The second allows the hiding of all browsers on the device, so kids can open Web pages only in Kaspersky Safe Kids’ built-in secure browser, which protects them from unsafe content.

So, by removing these two features from Kaspersky Safe Kids for iOS, we are massively letting down parents, who expect that their kids will be able to safely use iPhones and iPads that have our app installed. We believe it is essential that all of our customers, whether they are young or old, are completely safe and get exactly what they expect.

And:

From our point of view, Apple appears to be using its position as platform owner and supervisor of the sole channel for delivering apps to users of the platform to dictate terms and prevent other developers from operating on equal terms with it. As a result of the new rules, developers of parental control apps may lose some of their users and experience financial impact. Most important, however, it is the users who will suffer as they miss out on some critical security features. The market for parental control apps will head toward a monopoly and, consequently, stagnation.

It will be interesting to see what, if anything, Apple does to respond to this. I'm going to suggest that they couldn't care less. But who knows? They are currently trading shots with Spotify, who are accusing them of something similar. And they seem to care about that enough to take a shot at them. So it is possible that they will do the same thing here.

Stay tuned!

Kaspersky Moving Core Infrastructure To Switzerland To Make Spying Concerns Go Away

Posted in Commentary with tags on May 15, 2018 by itnerd

Kaspersky has been accused of aiding the Russian government in its espionage of other countries and foreign companies. Being that the company makes security software, you can see how this would be seen as a potential threat to many. Whether or not the claims are true, people are not choosing Kaspersky software due to its connection with Russia, and the Russian government does have a history of getting involved in its companies. Companies with sensitive information are not using the software, which is why Kaspersky is moving core infrastructure to Switzerland in the hope that people will trust them again. From Security Week:

It is to maintain or regain trust that is behind Kaspersky’s Global Transparency Initiative, announced in October 2017.

“The new measures,” the firm announced, “comprise the move of data storage and processing for a number of regions, the relocation of software assembly and the opening of the first Transparency Center,” which will be in Zurich. 

The measures in question include customer data storage and processing for most regions; and software assembly including threat detection updates. Transparency will be provided by making the source code available for review by responsible stakeholders in a dedicated Transparency Center. 

The company said that by the end of 2018, its products and threat detection rule databases (AV databases) “will start to be assembled and signed with a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide.”

The firm is going further by making plans for its processes and source code to be independently supervised by a qualified third-party. To this end, it is supporting the creation of a new, non-profit organization able to assume this responsibility not just for itself, but for other partners and members who wish to join.

To me, moving to Switzerland doesn't seem to fix this issue. I say that because all it will take is a request for the CEO to send or "back up" their data to a Russian data center, or to a third-party data center that Russia may have access to. That is assuming that Russia doesn't just plug themselves into this environment that they're building in Switzerland. Thus while this might be good PR, it really won't solve the fact that people don't trust Kaspersky.

Slingshot Router Malware Has Been Lurking For Years And Is Likely State Sponsored

Posted in Commentary with tags on March 12, 2018 by itnerd

Researchers from Kaspersky Lab have discovered a new type of malware that they have dubbed “Slingshot”. Here’s what you need to know about it:

While analysing an incident which involved a suspected keylogger, we identified a malicious library able to interact with a virtual file system, which is usually the sign of an advanced APT actor. This turned out to be a malicious loader internally named ‘Slingshot’, part of a new, and highly sophisticated attack platform that rivals Project Sauron and Regin in complexity.

The initial loader replaces the victim's legitimate Windows library 'scesrv.dll' with a malicious one of exactly the same size. Not only that, it interacts with several other modules including a ring-0 loader, kernel-mode network sniffer, own base-independent packer, and virtual filesystem, among others.

While for most victims the infection vector for Slingshot remains unknown, we were able to find several cases where the attackers got access to Mikrotik routers and placed a component downloaded by Winbox Loader, a management suite for Mikrotik routers. In turn, this infected the administrator of the router.

We believe this cluster of activity started in at least 2012 and was still active at the time of this analysis (February 2018).

The key thing to note about "Slingshot" is that Kaspersky believes that a nation state was behind it and that it was likely used for espionage purposes. It can perform functions like network logging and accessing the data on an infected machine's hard drive or internal memory, thanks to its ability to access the operating system's kernel level. And it can avoid detection in some very clever ways. Finally, it might have been out there since 2012. That's kind of scary. If you use a Mikrotik router (for the record, they're a Latvian-based company), updating your firmware is the best defense. Though 100 victims of "Slingshot" located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania have been identified, and it appears that they were targeted by this unknown nation state.

You can fully expect to see more attacks like these pop up into the wild.
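Slingshot's trick of swapping scesrv.dll for a malicious copy of exactly the same size is worth dwelling on, because it defeats any integrity check that only compares file sizes. The following Python example, added here and not taken from Kaspersky's research or the post, shows a baseline-and-verify routine that records size and SHA-256 for a set of files and then flags the "same size, different content" case separately; the files and directory names are constructed stand-ins, not real Windows paths.

```python
import hashlib
import os
import tempfile

# Constructed example: a baseline is a dict of path -> (size, sha256).
# On a real host you would baseline signed system libraries and keep the
# baseline somewhere the machine under test cannot modify.

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_baseline(paths):
    return {p: (os.path.getsize(p), sha256_of(p)) for p in paths}

def verify(baseline):
    """Return path -> status for every baselined file."""
    findings = {}
    for path, (size, digest) in baseline.items():
        if not os.path.exists(path):
            findings[path] = "missing"
            continue
        cur_size = os.path.getsize(path)
        cur_digest = sha256_of(path)
        if cur_digest == digest:
            findings[path] = "unchanged"
        elif cur_size == size:
            # Same byte count but different content: the Slingshot-style
            # swap that a size-only check would wave through.
            findings[path] = "replaced_same_size"
        else:
            findings[path] = "modified"
    return findings

def demo():
    """Constructed scenario: baseline two files, then tamper with both."""
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "scesrv.dll")      # stand-in, not the real DLL
        other = os.path.join(d, "other.dll")
        with open(lib, "wb") as f:
            f.write(b"A" * 4096)
        with open(other, "wb") as f:
            f.write(b"B" * 1024)
        baseline = build_baseline([lib, other])
        # Same-size replacement: one byte differs, size is identical
        with open(lib, "wb") as f:
            f.write(b"A" * 4095 + b"Z")
        # Ordinary modification: size grows
        with open(other, "ab") as f:
            f.write(b"extra")
        return {os.path.basename(k): v for k, v in verify(baseline).items()}

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

The takeaway is that size alone tells you nothing; only the hash comparison separates the untouched file from the same-size replacement.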


Trump Bans Kaspersky… Kaspersky Then Sues Trump

Posted in Commentary with tags on December 18, 2017 by itnerd

This should be interesting to watch.

Last week, President Donald Trump signed legislation banning Kaspersky and its products from use across civilian and military agencies. Now I was going to write about that, but something told me that there would be a "part 2" to that story. And today, it comes in the form of a lawsuit from Kaspersky arguing that the American government has deprived it of due process rights by banning its software from U.S. government agencies. Though given everything that has gone on to date, even if they win, which won't happen by the way, how much of a future do they have in the US? Nobody trusts them at the moment and I don't see that changing. Thus this has to be an attempt to keep themselves afloat in the US, or a way to grab some cash if they win. Which they won't.

All I have to say is good luck to Kaspersky. They’re going to need it.

Kaspersky Denies It Pwned NSA Staffers Computer

Posted in Commentary with tags on November 16, 2017 by itnerd

The ongoing saga of under-siege antivirus maker Kaspersky continues. When we last talked about this, the company had put out a report that said that it accidentally swiped NSA documents off a staffer's computer. Well, they've now released a report that basically tries to paint a story that it wasn't them who did the swiping. While you can read the report for the full details, the company now claims that Russian hackers installed software on the computer in question to access and steal sensitive data. On top of that, the company claims that the user of this computer disabled his Kaspersky antivirus software to install pirated software, which led to additional pwnage. Thus the implication is that the US is mad at the wrong group of Russians.

I am really not sure this is going to make this issue go away as I have to think that their reputation is completely destroyed at this point. Thus while this report might make for some interesting reading for a bit, it won’t change anyone’s mind in terms of how the company is viewed.


Kaspersky Says It Obtained NSA Hacking Tool Source Code Via Their AV Software

Posted in Commentary with tags on October 26, 2017 by itnerd

Well, this doesn’t look good.

Kaspersky, which is under siege because it is allegedly working with Russian spies, and which has spent months denying that, had to admit to something that will make it look like it is working with Russian spies. It has admitted that it obtained the source code of National Security Agency (NSA) hacking tools via anti-virus software running on a PC in the US. It put out a statement that detailed what it found when it looked into the claims that it was responsible for stealing these tools. In short, it found that it did take these tools, because the Kaspersky AV software running on the PC in question thought it was a new and different strain of the Equation malware source code. So it promptly scooped it up and sent it back to Mother Russia for analysis.

The bottom line from the company: We did it but it was accidental.

I’m not sure that’s going to calm the waters here seeing as this plays into part of the narrative that Kaspersky are the bad guys. So I suspect that if they want to get people to trust them again, they are likely going to need to do better than this.


Should You Uninstall Kaspersky From Your Computer?

Posted in Commentary with tags on October 12, 2017 by itnerd

With the revelation that Russian spies have been using the beleaguered Kaspersky anti-virus software for years to troll for secrets, the question is: should you uninstall it from your computer, or is it safe to leave on your system?

My answer would be to uninstall it. Instructions on how to do that can be found here.

Here’s my logic. Despite the company’s repeated denials of any connection to the Russian government, it doesn’t make sense to have this potentially dangerous piece of software on any system that you own given what we now know. Now let me be clear, the chances are low that Russian spies are going to be targeting you. But why take that chance? Dump it and be safer.

Besides, there's a ton of other AV software out there. For Windows 7, look at downloading Microsoft Security Essentials. If you run Windows 8 or later, you get Windows Defender as part of the OS. On the Mac side, macOS does come with rudimentary malware protection. But I tend to recommend Sophos Home For Mac as that is pretty lightweight and provides great protection.

Oh, by the way, all the above won’t cost you anything more than your time as they are all free.

The fact is that given what we now know about this situation, you have to assume the worst and protect yourself accordingly. Perhaps this is paranoia at work here. But these days you can never be too careful.


Israeli Spies Pwned Kaspersky & Caught Russian Spies Using AV Tool To Pwn Others

Posted in Commentary with tags on October 11, 2017 by itnerd

This isn't going to be good news for Kaspersky, which has been battling accusations that its anti-virus software is used by Russian spies to spy on the West. According to the New York Times, Israel pwned Kaspersky. In the process of doing that, they discovered that Russian spies were using the anti-virus software as a gateway to pwn others:

The Russian operation, described by multiple people who have been briefed on the matter, is known to have stolen classified documents from a National Security Agency employee who had improperly stored them on his home computer, on which Kaspersky’s antivirus software was installed. What additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known.

How do we know that it was Israel? Well, there’s this:

Kaspersky Lab did not discover the Israeli intrusion into its systems until mid-2015, when a Kaspersky engineer testing a new detection tool noticed unusual activity in the company’s network. The company investigated and detailed its findings in June 2015 in a public report.

The report did not name Israel as the intruder but noted that the breach bore striking similarities to a previous attack, known as “Duqu,” which researchers had attributed to the same nation states responsible for the infamous Stuxnet cyberweapon. Stuxnet was a joint American-Israeli operation that successfully infiltrated Iran’s Natanz nuclear facility, and used malicious code to destroy a fifth of Iran’s uranium centrifuges in 2010.

Kaspersky reported that its attackers had used the same algorithm and some of the same code as Duqu, but noted that in many ways it was even more sophisticated. So the company researchers named the new attack Duqu 2.0, noting that other victims of the attack were prime Israeli targets.

Among the targets Kaspersky uncovered were hotels and conference venues used for closed-door meetings by members of the United Nations Security Council to negotiate the terms of the Iran nuclear deal — negotiations from which Israel was excluded. Several targets were in the United States, which suggested that the operation was Israel’s alone, not a joint American-Israeli operation like Stuxnet.

If this report is accurate, then Kaspersky is done like dinner in most places on planet Earth. There's no way that anyone will install their software. Though I will say that the employee who got pwned by Russian spies needs a kick in the you-know-where for allowing this to happen.

There's also one other thing. Since a nation state or anyone else pwning anti-virus software so that they can use it as a bridge to pwn a network has gone from being theory to fact, anti-virus vendors are going to let a lot fewer people look at their code. Symantec was the first to do this, with its CEO Greg Clark telling Reuters this week it will no longer let governments inspect its source code. That will help, but seeing as the Russians and Israelis were in the Kaspersky network for up to 2 years, it cannot be the only line of defense.

Meanwhile, let us watch the fall of Kaspersky as I cannot see a scenario at this point where they survive this.

BREAKING: US Government Bans Kaspersky Software

Posted in Commentary with tags on September 13, 2017 by itnerd

The ongoing battle between the US Government and Kaspersky software took a new turn today. The Washington Post is reporting that the latter has been banned from the US government over fears of espionage:

Acting Homeland Security Secretary Elaine Duke ordered that Kaspersky Lab software be barred from federal government networks while giving agencies a timeline to get rid of it, according to several officials familiar with the plan who were not authorized to speak publicly about it. Duke ordered the scrub on the grounds that the company has connections to the Russian government and its software poses a security risk.

“The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks,” the department said in a statement. “The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”

Now this has been going on for months as evidenced by these posts on the subject. But this is a major escalation. And one that is sure to get a response from not just the software company, but the Russian government too. In terms of the former, this is what they had to say:

In a statement to The Washington Post on Wednesday, the company said: “Kaspersky Lab doesn’t have inappropriate ties with any government, which is why no credible evidence has been presented publicly by anyone or any organization to back up the false allegations made against the company. The only conclusion seems to be that Kaspersky Lab, a private company, is caught in the middle of a geopolitical fight, and it’s being treated unfairly even though the company has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts.

“Kaspersky Lab has always acknowledged that it provides appropriate products and services to governments around the world to protect those organizations from cyberthreats, but it does not have unethical ties or affiliations with any government, including Russia,” the firm said.

I would recommend watching this story as it’s going to get interesting. Very interesting.