
Author's Opinion

The views in this column are those of the author and do not necessarily reflect the views of iTWire.

US media claims on Kaspersky short on essential detail

In October, the three biggest mainstream newspapers in the US carried stories about Kaspersky Lab that effectively ensured there would be no second thoughts about the company's deals with the US Government. Examined carefully, these stories are short on essential detail. They are full of holes.

Nobody questioned these reports. They were taken as gospel – after all, the target was a Russian company and for more than a year anything from that country has been considered the spawn of the devil. There are many infosec professionals in the US but they all kept silent.

The New York Times ran a story that claimed Israeli government crackers had witnessed Russian hackers searching for the codenames of NSA exploits on computers around the world. Where those computers were was not specified.

The article omitted this essential detail. (It is known that Israeli government crackers broke into Kaspersky's network in 2015 – the company only discovered it in 2016).

The NYT claim implies that Russian government hackers had access to Kaspersky Lab systems and also that they had access to the company's source code. The Kaspersky Security Network is the component of Kaspersky A-V that uploads suspicious files from a device that is being scanned to a KSN server somewhere around the globe for later analysis.

With the home version of Kaspersky A-V, the user has to opt in to the KSN; the corporate product will query the KSN (by sending an MD5 hash and the file size), but nothing is uploaded. There is no option for businesses to upload files.

For anyone to divert suspicious files elsewhere, they would need to have access to the KSN source code in order to change the addresses to which the files would be sent. Such addresses would be hardcoded in the source.

The NYT did not bother with this detail but claimed that, "What additional American secrets the Russian hackers may have gleaned from multiple agencies, by turning the Kaspersky software into a sort of Google search for sensitive information, is not yet publicly known."

So how did the Russians get hold of the source code? No detail was offered by the newspaper. Mud was thrown and it stuck.

For the story to hold water, the Russians would have had to get hold of the Kaspersky source code for the home version, recompile it with the URLs pointing to their own servers, then remove the A-V running on whichever computer they found NSA files on, install the modified version, and opt in to KSN. They would then have had to run a scan, or else no files would be exfiltrated.

All this under the nose of the computer user without attracting any suspicion. It takes a bit of faith to believe this.

The Washington Post story skipped over one essential detail – how did NSA exploits, which it claimed were found in Kaspersky's network, get into the possession of the Russian government as claimed?

The Wall Street Journal article also hinted that the source code of Kaspersky software had been made available to the Russian government, which had modified it to search for NSA exploits around the world. How this happened is a little detail the newspaper skipped over.

There is mention in the stories of an NSA worker who was working on office material at home; he is known to have had malware on his machine through the use of key generation software to obtain a valid key for the version of Microsoft Office he was using. This man is suspected to be Nghia Hoang Pho, a Vietnamese American, who recently pleaded guilty to taking NSA material home to work on it.

It is said that NSA files on his machine were exfiltrated by Russian government hackers. But the question arises: if these hackers had broken into his machine, why did they not use something simple like SCP to send the files where they wanted, rather than mess with the Kaspersky software? All they would have had to do was install a simple SCP client like PuTTY.

When Kaspersky issued two blog posts with its version of what had happened, it concentrated on the WSJ story. The explanation offered holds together, at least from a technical point of view.

But the US media and Kaspersky Lab cannot both be dealing in facts. One side is being somewhat parsimonious with the truth.

The legendary Middle East correspondent of the Independent, Robert Fisk, once described the Los Angeles Times as "official sources said". He was poking fun at the newspaper, which uses this term very often to float yarns that favour the US Government's point of view.

With all the holes in the Kaspersky stories run by the three big papers, it looks like this is another case of "official sources said".

Sam Varghese

A professional journalist with decades of experience, Sam for nine years used DOS and then Windows, which led him to start experimenting with GNU/Linux in 1998. Since then he has written widely about the use of both free and open source software, and the people behind the code. His personal blog is titled Irregular Expression.