Tag Archives: Kaspersky

Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers, somehow, compromised the development environment, injected malware and allowed the system to compile, digitally sign and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.


Samsung Warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV.  When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register


The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third party vendor – American Medical Collection Agency – which makes this a vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats leaving the sinking ship.

As a result of that, the lawsuits already filed and to be filed, and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.


Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago.  Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very highly and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  The city has now agreed to implement a number of IT projects that have been ignored for years and to spend $18 million.

In this case, the hacker was bolder, asking for $600,000, which, if the city has the typically poor IT practices, was the only way to get its data back.

The reason why we hear about all of these attacks on cities is that their budget process is legally much more public.  If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it.  Source: CBS.


The NSA-Kaspersky Story Gets Even Stranger

In case you didn’t know whom or what to believe in the battle between Gene Kaspersky and the U.S. Government, it just got a little weirder.

You probably remember that the DoD told its people to remove Kaspersky’s software from its machines.  They didn’t say why.  But, no matter how this story plays out, that decision was the right decision.

Later it came out that an NSA employee was developing NSA malware to replace malware that Snowden exposed; he removed that classified software from NSA facilities and took it home.  It was then thought that the software was compromised to the Ruskies because that employee had Kaspersky software on his computer and Kaspersky was working for the FSB.

Fast forward the story and Gene Kaspersky is fighting for his company’s very existence.  Never mind the fact that if the employee had followed both policy and the law, we would not be having this conversation.

Kaspersky has now revealed some more information about the situation.  Whether you believe him or not is up to you.  Our gov is being totally radio-silent on the situation, which likely means that it is at least, mostly accurate.  Probably.  No guarantee.

  1. The NSA employee was running the Kaspersky software on his home computer.
  2. The employee had intentionally turned on the feature called Kaspersky Security Network, which, by design, forwards suspicious malicious software to Kaspersky’s labs for analysis.
  3. The employee disabled the Kaspersky software.  BECAUSE:
  4. The employee downloaded pirated software.
  5. After the employee’s computer was infected, the employee turned the anti-virus software back on.
  6. When turned back on, the Kaspersky software scanned his computer and detected the new NSA malware as a variant of the Equation Group software that Snowden disclosed.  Since it was unknown and he had intentionally turned on the security network feature of Kaspersky’s software, it sent the malware (the software that he was developing) to Kaspersky’s labs for analysis.
  7. This LIKELY ties back to a 2015 breach of Kaspersky’s network (probably by the FSB) which has been well covered in the media.
  8. ALTERNATIVELY, the pirated software that he downloaded allegedly had a back door in it and, if that is true, the Russian FSB could have stolen anything on his computer.

There are probably a bunch of potential variants here, but it seems reasonable that all of this could have easily happened if the alleged scenario happened.

Information for this post came from Ars Technica.

We May Now Know Why Trump Banned Kaspersky Anti Virus – And You Should Too

There have always been questions about connections between Gene Kaspersky’s company and the Russian spy agencies like the FSB, but not necessarily any hard proof.  Last month, President Trump ordered all federal agencies to remove Kaspersky anti virus software without any real explanation.  Some thought it was as retribution while others thought it was over-reaction.  I didn’t have a strong opinion about it, but thought that since there are U.S. products that are equally as good if not better, why use a Russian one, especially a Russian one that is tied to the FSB.

Well now, as Paul Harvey used to say, we may have “the rest of the story”.

The Washington Post is reporting that Russian hackers have stolen software from an NSA employee who took home classified material and put it on his personal laptop to work on it.

This time it is not a contractor, so Booz Allen can breathe easier.  In fact, it is not a contractor at all; it is an employee.

The employee, who has not been named, is a U.S. national, born in Vietnam, who works for the NSA’s TAO division.  TAO, or Tailored Access Operations, is the group that NSA spies go to when they need something “special” to break into someone’s computer.

This person, apparently, was working on software to replace some tools that were disclosed by Snowden.  But now the Russians have it.

You would think that the NSA would train people not to take classified material home.  Apparently not.  At least no one is saying that he is a spy.  Just a fool.

Kaspersky, of course, is saying that it is not true.  One possibility, posited by Johns Hopkins cryptographer Matthew Green, is that Kaspersky’s software was horribly compromised.  Even Gene Kaspersky admitted that might be the case – because that would be less bad for business than admitting that he was working for the FSB.

In any case, as a prudent measure and without trying to figure out what the truth is, change to a different anti virus software.  Make sure that you completely uninstall the Kaspersky software.

While we don’t know that this is the reason Trump banned Kaspersky’s software, this seems like a pretty reasonable possibility.

Information for this post came from the Washington Post.

Is Kaspersky Software a Russian Spy Front?

Gene Kaspersky, CEO of Russian Software Firm Kaspersky Labs

Some in Congress and the Intelligence Services are concerned that Kaspersky’s security software could be co-opted by the Russian government and be used to spy on American companies who use the software.

Fundamentally, this is no different than concerns that people have that the U.S. spy agencies could or already have forced U.S. companies to insert back doors into their software to allow U.S. spies to use U.S. software to spy on people as well.

We already know that Yahoo did that by running all email through filters and feeding the data to the Intelligence Community.

The challenge in both cases – Russia and the United States – is that any efforts on the part of the respective spy agencies to do that would be highly classified and those agencies would not admit that they are doing so, even if they are.

Since it is the job of spy agencies to spy on people, it is not unreasonable to assume that they would do that if they could.

Some people, including me, have been concerned for a long time that Gene’s software could be used for no good.  Even though I think he makes good products, I find it hard to trust him.  He has had very close ties to the KGB and FSB for a long time, including being trained at a school run by the KGB.

Kaspersky’s software, they say, is used by 400 million people worldwide, including many people in the United States.  There is a bill working its way through Congress right now that would ban the DoD from using it.  It is used in some places inside U.S. government agencies.

While suspicions have run wild for years, there has been no hard evidence.  Now a media outlet has found something unusual in a document that Russian companies need to have in order to operate in Russia.  This document has a military intelligence unit number attached to it.  While some people are making a big deal of this, it could be legit – no different than, maybe, a U.S. defense contractor having some ID numbers.  Some former spies say that this MI unit number is a pretty unusual thing.  Stay tuned.

Kaspersky has offered to let the government look at his source code to verify that there are no back doors.  Of course, no back doors today does not equal no back doors after the next update.

In the U.S. Verizon and AT&T shared call data with the intelligence community and there are thousands of FISA court orders issued every year.  Those are all classified so we have no clue what they might entail.

Kaspersky IS the company that paid General Flynn those consulting fees that he forgot to declare.

While I don’t know if his software has been compromised, my theory is that it isn’t worth the risk.  There are plenty of American and European software products that would seem to me, on the face of it, less risky.

Listening to the rumblings of the U.S., Britain, Germany, France and others, I am not sure HOW much less risky, but probably at least somewhat less risky.

Information for this post came from MSN.


Psst! Want to Buy A Server? $6 Please

The Russian security firm Kaspersky Labs reported last week that they had found a dark web marketplace selling access to servers – possibly yours and mine – for as little as $6 and as much as $6,000.

The key benefit of these servers is that since they are not actually the hacker’s servers, if they are able to use them in a way that furthers their illegal business, it is going to be hard to trace things back to them.  Obviously, if they access that server (to administer it) from their Comcast Internet connection in their living room, the odds of them getting caught go up.  A lot!

The web site, xDedic, brokers access to these hacked servers.  As of last week, Kaspersky had a list of around 70,000 servers that were available.

This week, a hundred thousand servers got added to that list, making the pool around 170,000.

In the grand scheme of things 170,000 servers is not that many, but xDedic is just one web site.

Interestingly, after the first list was released, Brazil and China were the top two countries for available servers.  After this new list came out this week, the top two countries are the U.S. and the U.K.  In some way, that makes sense, because there are a lot more servers here and the quality of the servers (in terms of performance and capacity) is likely better.

These servers are likely some of the ones used to promote male enhancement drugs and other spam, as well as to deliver malware.

From a business standpoint, if the volume of malicious content being served up by these servers is sufficient, it will gain the attention of groups like the Electronic Crimes Task Force run by the U.S. Secret Service and you may get a knock on the door from the men in black.

While there is some discussion on the ‘net about whether the second list – the one that added the 100,000 additional servers – is legit, no one seems to be arguing whether the first list of 70,000 servers is legit. And at least some news sources are now saying that second list is, in fact, real.

And, as servers are sold in this forum, their IP address comes off the list, so the 70,000 or 170,000 number may represent only servers that have not been sold yet.  How many servers churn through that web site in a month is unclear.

When hackers use these servers, it is their goal that you can still use them as well.  That gives them cover, so the smart ones will work really hard to make sure that they don’t interrupt your work.  This means that your server could be on the list and you would not even know it.  Not something that any reputable business wants to happen.  How many of these web sites there are selling hijacked access is also unknown.  Based on the spam that I see, it is probably a large number.


Information for this post came from Computerworld.

NSA, GCHQ Hack Anti Virus Software Vendors

A newly published article in The Intercept says that the NSA and GCHQ hacked anti virus vendors’ software and networks in order to “neutralize the threat” posed by that software.  Based on newly released Edward Snowden documents, GCHQ obtained a warrant in 2008-2009 to have legal permission to monitor web traffic, hack email and reverse engineer the software in order to find weaknesses (see article).

The NSA examined emails to anti virus vendors to find new malware and vulnerabilities.

One would assume that these agencies want to use these newly discovered vulnerabilities before they are patched.

According to the warrant request, GCHQ considered Kaspersky’s software an obstruction to its hacking operations and needed to reverse engineer it to find ways to neutralize the problem.  They said that they needed to exploit Kaspersky’s software in order to “prevent the detection of our activities.”

The NSA discovered, back in 2008, according to the leaked documents, that Kaspersky’s software transmitted sensitive information back to the company’s servers.  Apparently, Kaspersky encodes information in the header of the request, like the parameters you often see in your browser’s address bar, and that information allowed the NSA to obtain details like serial numbers, the service plan paid for and configuration.  Sending this information in the header is often done, but it is a bad security practice unless the connection is encrypted, which it typically is not.  The Intercept tested Kaspersky software last month and found that it did transmit some information back to Kaspersky’s servers unencrypted.  They, of all people, should know better.
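The leakage described above (identifying data riding in request headers or query strings over plain HTTP) is something you can check for in your own traffic captures. The following is an added example, not code from the original post, from The Intercept or from Kaspersky: it parses a few constructed HTTP request captures and reports fields that look like serial numbers, plan names, install ids or opaque tokens when the request is sent over plain HTTP. Every host, header name and value is made up for illustration and does not reflect any vendor’s real protocol.

```python
"""Flag identifying data sent in cleartext HTTP requests (query string or headers).

Added example, not code from the original post or from any vendor. All hosts,
header names and values below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qsl, urlsplit

# Field names that commonly carry install-, license- or account-identifying data
# (hypothetical list; extend it for the telemetry you actually see).
SENSITIVE_NAME_HINTS = ("serial", "licen", "plan", "config", "device-id", "install-id")
# Values that look like opaque identifiers: long runs of hex/base64-style characters.
TOKEN_RE = re.compile(r"^[A-Za-z0-9+/=_-]{16,}$")
# Standard headers whose values are not per-user identifiers; skip the token check on them.
TOKEN_CHECK_EXEMPT = {"host", "user-agent", "accept", "accept-encoding", "connection"}


@dataclass
class Finding:
    host: str
    where: str      # "query" or "header"
    field: str
    value: str
    reason: str


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, path, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def _sensitivity_reason(name, value, exempt_from_token_check):
    """Return why a field looks identifying, or None if it does not."""
    lname = name.lower()
    if any(hint in lname for hint in SENSITIVE_NAME_HINTS):
        return "identifying field name"
    if not exempt_from_token_check and TOKEN_RE.match(value):
        return "opaque token-like value"
    return None


def find_cleartext_identifiers(captures):
    """captures: list of (scheme, raw_request). Only plain-http captures are
    reported; the same fields sent over https are not readable on the wire."""
    findings = []
    for scheme, raw in captures:
        if scheme != "http":
            continue
        _method, path, headers = parse_request(raw)
        host = headers.get("host", "?")
        for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
            reason = _sensitivity_reason(name, value, exempt_from_token_check=False)
            if reason:
                findings.append(Finding(host, "query", name, value, reason))
        for name, value in headers.items():
            reason = _sensitivity_reason(name, value, name in TOKEN_CHECK_EXEMPT)
            if reason:
                findings.append(Finding(host, "header", name, value, reason))
    return findings


# Constructed captures: (scheme, raw request). Hosts use the reserved .invalid TLD.
CONSTRUCTED_CAPTURES = [
    ("http", "GET /update/check?serial=AB12-CD34-EF56&plan=premium HTTP/1.1\r\n"
             "Host: telemetry.example-av.invalid\r\n"
             "X-Install-Id: 7f3a9c2e1b4d8e6f0a1b2c3d4e5f6a7b\r\n"
             "User-Agent: ExampleAV/20.0\r\nAccept: */*\r\n\r\n"),
    # Same request over TLS: the fields exist but are not exposed to the network.
    ("https", "GET /update/check?serial=AB12-CD34-EF56&plan=premium HTTP/1.1\r\n"
              "Host: telemetry.example-av.invalid\r\n"
              "X-Install-Id: 7f3a9c2e1b4d8e6f0a1b2c3d4e5f6a7b\r\n\r\n"),
    # Ordinary page fetch with nothing identifying.
    ("http", "GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\n"
             "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n"),
    # Header name is innocuous but the value is a long opaque token.
    ("http", "GET /ping HTTP/1.1\r\nHost: stats.example-av.invalid\r\n"
             "X-Client-Token: dGhpcyBpcyBhIHRlc3Q=\r\n\r\n"),
]

if __name__ == "__main__":
    for f in find_cleartext_identifiers(CONSTRUCTED_CAPTURES):
        print(f"{f.host}: {f.where} {f.field}={f.value!r} ({f.reason})")
```

The two rules are deliberately simple: a name-based rule for fields that announce what they carry, and a shape-based rule for opaque values; the https capture is skipped entirely, which is the point of the original complaint, since the fix for this class of leak is transport encryption rather than renaming the fields.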

Again according to the released documents, NSA and GCHQ have targeted 25 or more non-American and non-British anti virus vendors. Missing from the list are McAfee and Sophos.  Whether the NSA and GCHQ did not think those were legitimate targets because they were not foreign companies (McAfee is a U.S. company, Sophos is British) or whether they were targeted under different authority is not clear.

Gene Kaspersky, in particular, has been a thorn in the side of the intelligence agencies over the years.  Just this month he revealed the attack, suspected to be from Israel, of the hotels hosting the Iran nuclear talks.

Not surprisingly, NSA and GCHQ declined to comment for the article.

From the NSA’s viewpoint, anti malware vendors are a threat to them – from uncovering the agency’s own malware to alerting about holes in software which the NSA and GCHQ would prefer to keep to themselves.

When U.S. Cyber Command was set up and placed under the control of the NSA, privacy advocates said that it was impossible for the NSA to serve two masters – protect U.S. citizens and hack foreign ones.  If they find a vulnerability, do they tell the vendor so that it can be fixed and foreign hackers and intelligence agencies can’t use it against U.S. citizens and companies, or do they keep it to themselves to use against their targets?  Historically, the NSA has been accused of not revealing bugs.

In fact, as recently as last year, the President confirmed the authority that the NSA has to not reveal security holes if they are useful for national security purposes (see article).   This should not come as a big surprise to anyone, and foreign intelligence services are likely doing the same thing.  I am sure that, in some cases, the agencies trade vulnerabilities like the rest of us trade MP3 files.

What this means to you and me is that we should not count on the government – ours or anyone else’s – to protect us from cyber threats – especially in those cases where the threat is counter to their own interests.