A newly published article in The Intercept says that the NSA and GCHQ hacked anti-virus vendors’ software and networks in order to “neutralize the threat” posed by that software. Based on newly released Edward Snowden documents, GCHQ obtained a warrant in 2008-2009 giving it legal permission to monitor web traffic, hack email and reverse engineer the software in order to find weaknesses (see article).
The NSA examined emails sent to anti-virus vendors to find new malware and vulnerabilities.
One would assume that these agencies want to use these newly discovered vulnerabilities before they are patched.
According to the warrant request, GCHQ considered Kaspersky’s software an obstruction to its hacking operations and needed to reverse engineer it to find ways to neutralize the problem. The agency said that it needed to exploit Kaspersky’s software in order to prevent the detection of its own activities.
The NSA discovered, back in 2008, according to the leaked documents, that Kaspersky’s software transmitted sensitive information back to the company’s servers. Apparently, Kaspersky encodes information in the header of the request, much like the parameters you often see in the address bar of your browser, and that information allowed the NSA to learn details like serial numbers, the service plan paid for and the product configuration. Sending this kind of information in a request header is common, but it is a bad security practice unless the connection is encrypted, which it typically is not. The Intercept tested Kaspersky software last month and found that it did transmit some information back to Kaspersky’s servers unencrypted. They, of all people, should know better.
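The practical check behind that paragraph is simple: capture what a product sends home and ask whether anything identifying leaves the machine on a plaintext connection. The script below is an added example, not code from the original post and not Kaspersky’s protocol; the request, header names (X-Product-Serial, X-License-Plan, X-Config) and values are constructed for illustration. It parses a raw HTTP/1.1 request, skips routine headers, and flags fields that carry an identifier or entitlement when the transport is not TLS.

```python
import re
from dataclasses import dataclass

# Constructed sample of a plaintext HTTP request from an imaginary product's
# update check. The header names and values are made up for this example;
# they are NOT any real vendor's protocol or field names.
SAMPLE_PLAINTEXT_REQUEST = (
    "GET /updates/check HTTP/1.1\r\n"
    "Host: updates.example-av.test\r\n"
    "User-Agent: ExampleAV/12.0 (Windows NT 6.1)\r\n"
    "X-Product-Serial: 1A2B3C4D5E6F7890\r\n"
    "X-License-Plan: premium-3pc\r\n"
    "X-Config: realtime=on;heuristics=high\r\n"
    "\r\n"
)

# Header names that suggest a per-installation identifier or entitlement.
SENSITIVE_NAME_HINTS = ("serial", "license", "licence", "plan", "key", "token", "config")
# Long alphanumeric tokens look like identifiers even when the name is bland.
IDENTIFIER_VALUE = re.compile(r"^[A-Za-z0-9-]{12,}$")
# Routine headers that carry no per-user data and are not worth reporting.
ROUTINE_HEADERS = ("host", "content-length", "content-type", "accept", "connection")


@dataclass
class Finding:
    header: str
    value: str
    reason: str


def parse_request_headers(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into its header fields (lower-cased names)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:  # skip the request line itself
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def audit_plaintext_request(raw: str, over_tls: bool) -> list:
    """Return findings for identifying data that would travel unencrypted.

    over_tls describes the transport the request was captured on. If the
    connection is encrypted, nothing in the headers is visible on the wire,
    so the audit returns no findings.
    """
    if over_tls:
        return []
    findings = []
    for name, value in parse_request_headers(raw).items():
        if name in ROUTINE_HEADERS:
            continue
        if any(hint in name for hint in SENSITIVE_NAME_HINTS):
            findings.append(Finding(name, value, "header name suggests identifier or entitlement"))
        elif IDENTIFIER_VALUE.match(value):
            findings.append(Finding(name, value, "value looks like an opaque identifier"))
    return findings


if __name__ == "__main__":
    for f in audit_plaintext_request(SAMPLE_PLAINTEXT_REQUEST, over_tls=False):
        print(f"{f.header}: {f.value}  <- {f.reason}")
```

Run against the constructed request it reports the serial, plan and configuration headers; the same request over TLS produces no findings, which is the point the paragraph makes: the header content is not the problem, the plaintext transport is.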
Again, according to the released documents, the NSA and GCHQ have targeted 25 or more non-American and non-British anti-virus vendors. Missing from the list are McAfee and Sophos. Whether the NSA and GCHQ did not consider those legitimate targets because they were not foreign companies (McAfee is a U.S. company, Sophos is British), or whether they were targeted under a different authority, is not clear.
Eugene Kaspersky, in particular, has been a thorn in the side of the intelligence agencies over the years. Just this month he revealed the attack, suspected to be from Israel, on the hotels hosting the Iran nuclear talks.
Not surprisingly, the NSA and GCHQ declined to comment for the article.
From the NSA’s viewpoint, anti-malware vendors are a threat to them – from uncovering the agency’s own malware to alerting the public about holes in software which the NSA and GCHQ would prefer to keep to themselves.
When U.S. Cyber Command was set up and placed under the control of the NSA, privacy advocates said that it was impossible for the NSA to serve two masters – protecting U.S. citizens and hacking foreign ones. If they find a vulnerability, do they tell the vendor so that it can be fixed and foreign hackers and intelligence agencies can’t use it against U.S. citizens and companies, or do they keep it to themselves to use against their own targets? Historically, the NSA has been accused of not revealing bugs.
In fact, as recently as last year, the President confirmed the authority that the NSA has to withhold security holes if they are useful for national security purposes (see article). This should not come as a big surprise to anyone, and foreign intelligence services are likely doing the same thing. I am sure that, in some cases, the agencies trade vulnerabilities the way the rest of us trade MP3 files.
What this means to you and me is that we should not count on the government – ours or anyone else’s – to protect us from cyber threats – especially in those cases where the threat is counter to their own interests.