Tag Archives: Kaspersky

Cybersecurity News for the Week Ending March 18, 2022

Incident and Ransomware Reporting Requirement in Just Passed Spending Bill

President Biden signed a bill that requires critical infrastructure operators to report significant cyber incidents to CISA within 72 hours after they reasonably believe an incident has occurred and within 24 hours of making a ransomware payment. The ransomware reporting requirement applies even if it is not connected to a covered incident. Critical infrastructure and federal agencies that do not report on time may be subpoenaed. Failure to comply with the subpoena risks contempt of court. Credit: CSO Online and The Record

Germany Warns Against Using Kaspersky Products

Germany’s Office of Information Security is warning users to find alternatives as the antivirus company could be required to spy for Mother Russia. Kaspersky says, of course, that won’t happen. And I believe in the Easter Bunny too. The U.S. government banned Kaspersky’s software in government offices in 2017, but there are plenty of companies that still use it. I agree with Germany. Credit: SC Magazine

Deep Fake Videos Enter Ukraine Invasion

No doubt you have heard about deep fake videos where a video seems to be of someone, usually famous, saying something or doing something that they never did. Often these videos are pornographic in nature, but a new video is part of the Russian invasion of Ukraine. The video is of Ukraine’s President Zelenskyy saying that he was surrendering to Russia. He never said that and he did not surrender. Even so, a lot of people saw the video because the hackers hacked a Ukrainian TV channel and broadcast it. The new world of war. Credit: Metacurity

Hacking is a Business

Just like other modern businesses, the hacking business is optimizing its processes. Google’s Threat Analysis Group exposed a new Initial Access Broker, related to Russian hacking gangs, whom they are calling Exotic Lily. All these folks do is figure out how to break into your organization. They don’t steal anything or do any damage. They do, however, sell that access to the highest bidder and those folks do the crime. Credit: The Hacker News

Russia Jamming GPS and Satellites, Imperiling Airplanes, etc.

The EU Aviation Safety Agency and CISA say someone is jamming satellite navigation systems in eastern Europe, including parts of Finland, Cyprus, Turkey, Lebanon and Israel, among others. Depending on the situation, a plane that is using the satellite for navigation might go in the wrong direction or fly into a war zone. Planes trying to land could crash into the ground or be forced to land at a different airport. Aviation authorities are telling pilots to make sure that backup navigation tools are working. Credit: Threatpost

Security News for the Week Ending June 21, 2019

Asus Was Not Alone

I wrote about the Asus supply chain attack in March (search for Asus in the blog search box).  Attackers, somehow, compromised the development environment, injected malware and allowed the system to compile, digitally sign and distribute it through the software update process.  Hundreds of thousands of clients were infected as a result.

Now we are learning that Asus was not alone.  Kaspersky Labs, the Russian antivirus firm that the U.S. Government loves to hate, says that there were more.

In all cases, the development process was compromised and infected software was distributed – including:

  • game maker Electronics Extreme
  • Innovative Extremist, a web and IT company
  • Zepetto
  • Plus at least three other companies

All of these companies are current or former game makers and all had their internal development environments compromised to the level that hackers were able to get them to distribute digitally signed malware.  Source: Kaspersky.


Samsung Warns Users To Check Their TVs for Viruses – Then Unwarns

Last Sunday Samsung put out a notice on Twitter:

“Scanning your computer for malware viruses is important to keep it running smoothly,” the message warned. “This also is true for your QLED TV if it’s connected to Wi-Fi! Prevent malicious software attacks on your TV by scanning for viruses on your TV every few weeks. Here’s how:”

Then they deleted the message, as if someone figured out that if users thought their TVs were breeding grounds for bad stuff, they might not buy a new TV.  When Samsung was asked about it, the reporter got no reply.

YOU DO scan your smart TV for malware every few weeks, don’t you?  Source: The Register


The Consequences of A Data Breach

By now everyone is aware of the data breach reported by Quest Labs and Labcorp, among others.  But there is another part of the story.

As I have reported, the source of the breach was a third party vendor – American Medical Collection Agency – a textbook case of the vendor cyber risk management problem.

Now that the breach has become public, customers are fleeing from AMCA like the proverbial rats from a sinking ship.

As a result of that, the lawsuits already filed and to be filed, and the regulators snooping around, AMCA’s parent company, Retrieval-Masters Creditors Bureau, Inc., has filed for bankruptcy.

It seems the company’s future is pretty cloudy.  Source: CNN.


Your Tax Dollars At Work

A Florida city has taken the opposite tack from Baltimore and decided to pay a hacker’s ransom demand instead of rebuilding from scratch.

Riviera Beach, Florida, population 34,000, was hit by a ransomware attack three weeks ago.  Like many cities and towns, Riviera Beach likely didn’t prioritize IT spending very high and crossed its fingers.

The Baltimore hacker asked for about $95,000, which the city refused to pay.  They have now agreed to implement a number of IT projects that have been ignored for years and to spend $18 million.

In this case, the hacker was bolder, asking for $600,000, which, if the city has typically poor IT practices, was the only way to get their data back.

The reason why we hear about all of these attacks on cities is that their budget process is legally much more public.  If a private company pays a ransom, there is, most of the time, no legal requirement to disclose it.  Source: CBS.


The NSA-Kaspersky Story Gets Even Stranger

In case you didn’t know whom or what to believe in the battle between Gene Kaspersky and the U.S. Government, it just got a little weirder.

You probably remember that the DoD told its people to remove Kaspersky’s software from its machines.  They didn’t say why.  But, no matter how this story plays out, that decision was the right decision.

Later it came out that an NSA employee was developing NSA malware to replace malware that Snowden exposed; he removed that classified software from NSA facilities and took it home.  It was then thought that the software was compromised to the Ruskies because that employee had Kaspersky software on his computer and Kaspersky was working for the FSB.

Fast forward the story and Gene Kaspersky is fighting for his company’s very existence.  Never mind the fact that if the employee had followed both policy and the law, we would not be having this conversation.

Kaspersky has now revealed some more information about the situation.  Whether you believe him or not is up to you.  Our gov is being totally radio-silent on the situation, which likely means that it is at least, mostly accurate.  Probably.  No guarantee.

  1. The NSA employee was running the Kaspersky software on his home computer.
  2. The employee had intentionally turned on the feature called Kaspersky Security Network, which, by design, forwards suspicious malicious software to Kaspersky’s labs for analysis.
  3. The employee disabled the Kaspersky software.  BECAUSE:
  4. The employee downloaded pirated software.
  5. After the employee’s computer was infected, the employee turned the anti-virus software back on.
  6. When turned back on, the Kaspersky software scanned his computer and detected the new NSA malware as a variant of the Equation Group software that Snowden disclosed.  Since it was unknown and he had intentionally turned on the security network feature of Kaspersky’s software, it sent the malware (the software that he was developing) to Kaspersky’s labs for analysis.
  7. This LIKELY ties back to a 2015 breach of Kaspersky’s network (probably by the FSB) which has been well covered in the media.
  8. ALTERNATIVELY, the pirated software that he downloaded allegedly had a back door in it and if that is true, the Russian FSB could have stolen anything on his computer.

There are probably a bunch of potential variants here, but it seems reasonable that all of this could have easily happened if the alleged scenario happened.

AND NONE OF WHICH WOULD HAVE HAPPENED IF THE NSA COULD GET ITS EMPLOYEES TO FOLLOW THE LAW.

HUMAN BEINGS, ONE MORE TIME, ARE THE WEAK LINK IN THE CHAIN.

Information for this post came from Ars Technica.

We May Now Know Why Trump Banned Kaspersky Anti Virus – And You Should Too

There have always been questions about connections between Gene Kaspersky’s company and Russian spy agencies like the FSB, but not necessarily any hard proof.  Last month, President Trump ordered all federal agencies to remove Kaspersky antivirus software without any real explanation.  Some thought it was retribution while others thought it was over-reaction.  I didn’t have a strong opinion about it, but thought that since there are U.S. products that are equally as good if not better, why use a Russian one, especially a Russian one that is tied to the FSB.

Well now, as Paul Harvey used to say, we may have “the rest of the story”.

The Washington Post is reporting that Russian hackers have stolen software from an NSA employee who took home classified material and put it on his personal laptop to work on it.

This time it is not a contractor, so Booz Allen can breathe easier.  In fact, it is not a contractor at all, it is an employee.

The employee, who has not been named, is a U.S. national, born in Vietnam, and works for the NSA’s TAO division.  TAO, or Tailored Access Operations, is the group that NSA spies go to when they need something “special” to break into someone’s computer.

This person, apparently, was working on software to replace some tools that were disclosed by Snowden.  But now the Russians have it.

You would think that the NSA would train people not to take classified material home.  Apparently not.  At least no one is saying that he is a spy.  Just a fool.

Kaspersky, of course, is saying that it is not true.  One possibility, posited by Johns Hopkins cryptographer Matthew Green, is that Kaspersky’s software was horribly compromised.  Even Gene Kaspersky admitted that might be the case – because that would be less bad for business than admitting that he was working for the FSB.

In any case, as a prudent measure and without trying to figure out what the truth is, change to a different antivirus software.  Make sure that you completely uninstall the Kaspersky software.

While we don’t know that this is the reason Trump banned Kaspersky’s software, this seems like a pretty reasonable possibility.

Information for this post came from the Washington Post.

Is Kaspersky Software a Russian Spy Front?

Gene Kaspersky, CEO of Russian Software Firm Kaspersky Labs

Some in Congress and the Intelligence Services are concerned that Kaspersky’s security software could be co-opted by the Russian government and be used to spy on American companies who use the software.

Fundamentally, this is no different than concerns that people have that the U.S. spy agencies could or already have forced U.S. companies to insert back doors into their software to allow U.S. spies to use U.S. software to spy on people as well.

We already know that Yahoo did that by running all email through filters and feeding the data to the Intelligence Community.

The challenge in both cases – Russia and the United States – is that any efforts on the part of the respective spy agencies to do that would be highly classified and those agencies would not admit that they are doing so, even if they are.

Since it is the job of spy agencies to spy on people, it is not unreasonable to assume that they would do that if they could.

Some people, including me, have been concerned for a long time that Gene’s software could be used for no good.  Even though I think he makes good products, I find it hard to trust him.  He has had very close ties to the KGB and FSB for a long time, including being trained at a school run by the KGB.

Kaspersky’s software, they say, is used by 400 million people worldwide, including many people in the United States.  There is a bill working its way through Congress right now that would ban the DoD from using it.  It is used in some places inside U.S. government agencies.

While suspicions have run wild for years, there has been no hard evidence.  Now a media outlet has found something unusual in a document that Russian companies need to have in order to operate in Russia.  This document has a military intelligence unit number attached to it.  While some people are making a big deal of this, it could be legit – no different than, maybe, a U.S. defense contractor having some ID numbers.  Some former spies say that this MI unit number is a pretty unusual thing.  Stay tuned.

Kaspersky has offered to let the government look at his source code to verify that there are no back doors.  Of course, no back doors today does not equal no back doors after the next update.

In the U.S., Verizon and AT&T shared call data with the intelligence community, and there are thousands of FISA court orders issued every year.  Those are all classified so we have no clue what they might entail.

Kaspersky IS the company that paid General Flynn those consulting fees that he forgot to declare.

While I don’t know if his software has been compromised, my theory is that it isn’t worth the risk.  There are plenty of American and European software products that would seem to me, on the face of it, less risky.

Listening to the rumblings of the U.S., Britain, Germany, France and others, I am not sure HOW much less risky, but probably at least somewhat less risky.

Information for this post came from MSN.


Psst! Want to Buy A Server? $6 Please

The Russian security firm Kaspersky Labs reported last week that they had found a dark web marketplace selling access to servers – possibly yours and mine – for as little as $6 and as much as $6,000.

The key benefit of these servers is that since they are not actually the hacker’s servers, if they are able to use them in a way that furthers their illegal business, it is going to be hard to trace things back to them.  Obviously, if they access that server (to administer it) from their Comcast Internet connection in their living room, the odds of them getting caught go up.  A lot!

The web site, xDedic, brokers access to these hacked servers.  As of last week, Kaspersky had a list of around 70,000 servers that were available.

This week, a hundred thousand servers got added to that list, making the pool around 170,000.

In the grand scheme of things 170,000 servers is not that many, but xDedic is just one web site.

Interestingly, after the first list was released, Brazil and China were the top two countries for available servers.  After this new list came out this week, the top two countries are the U.S. and the U.K.  In some way, that makes sense, because there are a lot more servers here and the quality of the servers (in terms of performance and capacity) is likely better.

These servers are likely some of the ones used to promote male enhancement drugs and other spam, as well as to deliver malware.

From a business standpoint, if the volume of malicious content being served up by these servers is sufficient, it will gain the attention of groups like the Electronic Crimes Task Force run by the U.S. Secret Service and you may get a knock on the door from the men in black.

While there is some discussion on the ‘net about whether the second list – the one that added the 100,000 additional servers – is legit, no one seems to be arguing whether the first list of 70,000 servers is legit. And at least some news sources are now saying that second list is, in fact, real.

And, as servers are sold in this forum, their IP address comes off the list, so the 70,000 or 170,000 number may represent only servers that have not been sold yet.  How many servers churn through that web site in a month is unclear.

When hackers use these servers, it is their goal that you can still use them as well.  That gives them cover, so the smart ones will work real hard to make sure that they don’t interrupt your work.  This means that your server could be on the list and you would not even know it.  Not something that any reputable business wants to happen.  How many of these web sites there are selling hijacked access is also unknown.  Based on the spam that I see, it is probably a large number.


Information for this post came from Computerworld.