So, if I understand this right... some NSA TAO employee was doing work on their home computer (???), where they installed Kaspersky AV (reasonable), and Kaspersky promptly identified the malware they were working on as malware and uploaded it?
And then Israel hacked Kaspersky 'cause that's what they do or something, found the NSA development malware, and was like "Hey NSA, you should figure out how this got here"?
This seems like a very different story from any of the Kaspersky stuff I've been hearing. I'm sort of surprised Kaspersky had servers vulnerable to Israel, but I'm really surprised it was acceptable for NSA TAO employees to do work on their personal machines. I merely work in algorithmic trading, and everyone in the industry is paranoid about code leaving the building (at least one employer I know of straight-up doesn't have a VPN at all, from what I've heard). How is the NSA not as paranoid here?
>Kaspersky promptly identified the malware they were working on as malware and uploaded it?
If the news story is to be believed, Kaspersky was scanning for classified data using US intelligence codewords as a selector.
>I'm sort of surprised Kaspersky had servers vulnerable to Israel
I'm not, everyone's servers are vulnerable. Intelligence agencies can buy exploits. If they want in, they get in.
>but I'm really surprised it was acceptable for NSA TAO employees to do work on their personal machines.
I don't believe it is allowed. That said, controlling access to data is hard; lots of people probably do work at home with classified stuff when they are told they shouldn't.
> If the news story is to be believed, Kaspersky was scanning for classified data using US intelligence codewords as a selector.
Assuming you mean the linked article, it doesn’t say that. It says that Kaspersky uses “silent signatures”, which are supposed to be indicators of malware, but could hypothetically be adapted to search for classified data instead. But it doesn’t allege Kaspersky was actually doing that.
(edit2: But the NYT report [2] does seem to allege that! This reporting is such a mess…)
Apparently, silent signatures are a technique to test new signatures where instead of blocking files with the signature, the AV reports the finding back to a server, allowing the vendor to identify false positives before fully deploying the signature. The question is what exactly Kaspersky is/was reporting to their server. I googled ‘silent signature’ and found a patent [1], issued to Kaspersky, which describes sending only hashes of the executable with the signature. But this article seems to suggest that they were sending the executable in full - at least if the leak of NSA tools occurred via that mechanism. (The article doesn’t say it did, but it sounds like a plausible route for a customer’s executable to find its way to Kaspersky’s network.) If this is the case, it sounds extremely troubling from a privacy perspective even without any intelligence services getting involved.
edit: Actually, I think the body of the patent does disclose sending the whole file to a server, which isn’t mentioned in the summary. The text is a little vague, though.
> If no threat is detected in step 720, statistics regarding the executable file and the frequency of launches of the executable file are collected in step 740. Then, in step 750, the file is downloaded and sent for a further analysis in step 760. After the analysis, either a white list or black list can be updated with a signature of this executable file.
Why the heck is a file that says "TOP SECRET//COMINT//NOFORN" on anyone's personal laptop? Isn't that, like, not just a firing offense but also a criminal offense?
Again, in my industry I'm not allowed to take code home with me; I have to remote into work and edit it on my work desktop. And the worst-case scenario of code leaking is basically that a competitor makes money that we would otherwise have made. Can't people who literally have (in their belief, at least) the fate of the free world in their hands be at least this careful?
Pretty much all AV products do this, for "suspicious" files too. Doesn't even need a signature to get collected. This includes non-executables such as docs or pdfs, since those are common 0day vectors.
They also have huge catalogs of 0-days and unreleased exploits, probably, in addition to human intelligence sources within major AV and infrastructure tech companies.
>>I can think of at least 1 reason why Israel would hack Kaspersky...
Reason 4512F: Hamas leader uses Kaspersky
and so on and on. AVs are in tens of millions of computers and have "license" to go looking for files, to take files out of the computer (talk back to the server) and firewalls let them through because you installed it. What more can you want?
Perhaps he was doing the bidding of his employers in order to test a theory that Kaspersky was an attack vector?
I mean, this is exactly how you tell if your data has been breached or your source code leaked -- you put fake but unique records in your database then watch the dark webs for folks selling dumps containing those values; and plausible but bogus code containing unique constants then check competitors' binaries against those values.
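As an added illustration of the canary approach the comment above describes (example code written for this thread, not from any poster, vendor or agency): each copy of a code base or database export gets its own unique, plausible-looking constant, and any artifact that later turns up (a competitor's binary, a dump for sale) is scanned for those constants in the forms a binary or dump might carry them, so a hit also tells you which copy leaked. The function and registry names are assumptions.

```python
import secrets
from typing import Dict, List

# Hypothetical helpers for the "unique constants" canary technique.
# The registry (token -> recipient) stays private; the tokens ship.


def mint_canary(registry: Dict[str, str], recipient: str) -> str:
    """Mint a random, plausible-looking constant and record who received it."""
    token = "cfg-" + secrets.token_hex(6)  # looks like an ordinary config id
    registry[token] = recipient
    return token


def encodings(token: str) -> List[bytes]:
    """Forms a string constant may take inside a compiled binary or a dump:
    plain ASCII, UTF-16LE (Windows wide strings) and a hex-encoded copy."""
    raw = token.encode("ascii")
    return [raw, token.encode("utf-16-le"), raw.hex().encode("ascii")]


def find_canaries(blob: bytes, registry: Dict[str, str]) -> Dict[str, str]:
    """Return {token: recipient} for every registered canary found in blob,
    i.e. which distributed copies this artifact was derived from."""
    hits: Dict[str, str] = {}
    for token, recipient in registry.items():
        if any(form in blob for form in encodings(token)):
            hits[token] = recipient
    return hits


def demo() -> Dict[str, str]:
    """Constructed scenario: two recipients, an artifact built from copy B."""
    registry: Dict[str, str] = {}
    mint_canary(registry, "partner-A")
    token_b = mint_canary(registry, "partner-B")
    # Constructed "leaked binary": junk bytes around a wide-string constant.
    artifact = b"\x00\x01MZ-junk" + token_b.encode("utf-16-le") + b"\xff\xfe"
    return find_canaries(artifact, registry)  # -> {token_b: "partner-B"}
```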
No, it's strictly forbidden to access classified information from an unclassified machine. I'm not saying it doesn't happen, I'm saying it's highly against protocol (and the law).
They probably didn't hack anything, they just have people who receive these AV samples as malware researchers. Any intelligence agency worth their money should.
And yes, this is the gist of what's behind all the Kaspersky hysteria. The NSA trying to obscure another extremely embarrassing leak.
Every AV software uploads new detections for analysis. It just so happened that this fool used Kaspersky. It's abundantly clear that behind all the make-believe is a mostly incompetent agency that can't keep its secrets any better than Equifax.
Read the original New York Times story; it gives a lot more technical details on the hack than this one [0]. Assuming the Israeli and NYT accounts are to be believed, this was a very deliberate hack. Israel watched in real time as Kaspersky sent out searches for NSA codename programs on all computers with Kaspersky AV installed (this was related to the whole Duqu 2.0 intrusion into Kaspersky's network that Kaspersky blogged about 2 years ago). And the NSA tools were some of the files reeled in from those searches.
That said, it's still extremely embarrassing. Why is someone from TAO taking this kind of work home?
It's the NYT, for crying out loud! Unless you believe they have the knowledge on staff to do any sort of original reporting on this, this story is exactly what a "government official speaking on the condition of anonymity" has whispered to them. It's the fricking party line.
It's right there in the article:
> The current and former government officials who described the episode spoke about it on condition of anonymity because of classification rules.
There are two options here, obviously. Someone revealed actual classified information, in which case apparently multiple government workers committed a felony to tell the NYT about a story that is entirely flattering for the employer they just betrayed. Or, and given the incidence of "government officials ... spoke on the condition of anonymity" in NYT stories the far more likely option, the press office of the NSA called the NYT, whispered some dangerous words about "off the record" and then delivered the official press release that for some reason they just didn't get to put on the NSA website just yet.
This is the NYT writing a government press release into a bad thriller guided not by independently verified facts (how could you) but sheer ideology to fill in the gaps.
> Israel watched in real-time as Kaspersky sent out searches for NSA codename programs on all computers with Kaspersky AV installed
That happened _after_ Kaspersky identified the "NSA codename programs" as malware. That is exactly what an anti-malware application should do: look for instances of known malware.
Security services are completely unreliable and release these things for their own benefit. The question with this is why are the Israelis pushing this now?
The NYT has a poor record on this stuff as does pretty much everyone.
I've seen what now looks like state-sponsored bullshit blogs posing as tin foil hatters being posted to HN saying Kaspersky is part of the Russian intelligence apparatus, and that's why the US government pressured stores to remove Kaspersky AV from store shelves, etc etc etc.
Most likely, they did their job, and they did it correctly. The NSA can't really defeat competent AV researchers who aren't even looking at the NSA in the first place.
Whatever the "bullshit blogs" might be (I haven't noticed these stories, but maybe you can provide links?), they're in good company now, because that's more or less the story the NYT, WSJ, and WaPo have developed.
There's not a lot of attribution going on here, though. Take the WaPo story: they just tell us what's possible and leave us to draw conclusions ourselves:
> “That’s the crux of the matter,” said one industry official who received the briefing. “Whether Kaspersky is working directly for the Russian government or not doesn’t matter; their Internet service providers are subject to monitoring. So virtually anything shared with Kaspersky could become the property of the Russian government.”
> Late last month, the National Intelligence Council completed a classified report that it shared with NATO allies concluding that the FSB had “probable access” to Kaspersky customer databases and source code. That access, it concluded, could help enable cyberattacks against U.S. government, commercial and industrial control networks.
Kaspersky is pretty well known to have a close relationship with the Russian government, though. Hell, Kaspersky himself used to work for Soviet military intelligence. There are several articles cited here: https://en.wikipedia.org/wiki/Kaspersky_Lab#Allegations_of_t...
I'm not saying Kaspersky is a part of the Russian intelligence apparatus, but I wouldn't trust them to report on Fancy Bear campaigns, nor would I trust their AV software if I were a particularly juicy target.
> The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.
To be fair, that is kind of their job. I don't suppose their precept says that they should be paranoid and believe in conspiracy theories, in those exact words. But that seems to be how it is manifest.