Friday, 14 July 2017 10:06

Kaspersky response to spy claims misleading: infosec expert Featured

By

A former employee of the NSA claims Kaspersky Lab has provided misleading information while responding to a Bloomberg article that said emails it had obtained showed that the company had developed products for the Russian intelligence service FSB and also accompanied its agents on raids.

Jake Williams, who runs a company named Rendition Infosec, said in a blog post that some part of Kaspersky Lab's riposte to the Bloomberg story was accurate.

But, he added, it was incorrect to say that Kaspersky Lab could not provide "any government agencies, nor other parties, with information on location of people and doesn't gather 'identifying data from customers' computers' because it is technically impossible".

A few hours after the Bloomberg report appeared, the US government said it was removing Kaspersky Lab from a list of approved software suppliers for two government-wide purchasing contracts that are used to buy technology services.

Kaspersky Lab responded to the government move by saying that it had no ties to any government, and had never helped any government with their cyber-espionage efforts.

Williams said that whether Kaspersky Lab provided real-time intelligence to anyone else was left to be determined.

"But the Kaspersky claim that it is 'technically impossible' to 'gather identifying data from customers’ computers' is completely false," he said.

Williams said it could be true that Kaspersky software did not have any features built in for the sole purpose of gathering identifying data from customers.

"But anti-virus software collects lots of telemetry on malware activities," he pointed out. "Part of that telemetry involves the autorun registry keys used by malware to persist between reboots.

"In some cases, malware even stores exfiltration or configuration data in the registry and Kaspersky needs this data to be effective with their detection, quarantine, and removal of malware artefacts on infected machines.

"As a result, it seems highly unlikely that Kaspersky software does not have the ability to query arbitrary registry keys and return their contents back to Kaspersky operations centres."

He said that by querying the correct registry keys, Kaspersky Lab would be able to gather data such as:

  • The machine name and domain name;
  • The username of the currently logged on user;
  • The usernames of previously logged on users;
  • The email address of the Microsoft account linked to the local accounts (if any);
  • The Wi-Fi network the machine is currently connected to;
  • The names of saved Wi-Fi networks;
  • The Windows unique product ID;
  • The Kaspersky unique product ID;
  • Unique hardware information (processor serial number, etc.);
  • Recently typed URLs;
  • Recently opened document names; and
  • Recently executed programs.

Williams also pointed out that these details were only part of the information that could be enumerated from registry values alone – and Kaspersky software was sure to have this capability.

"This completely discounts the fact that Kaspersky can arbitrarily enable new capabilities in its software at will and deploy those capabilities only to specific machines, presumably those targeted by FSB," he added. "Please note that Rendition isn’t claiming Kaspersky is using these capabilities, but it’s ridiculous to think they don’t have them."

He said that neither side had been totally transparent in the back-and-forth of this affair. While it appeared that Kaspersky Lab appeared to have been more open, it was possible that the US government was more guarded in its comments due to a need to protect sources.

"If the US Government discloses information derived from sensitive sources, it may no longer be able to access those sources – like everything in intelligence (cyber threat intelligence included) there must be an intel gain/loss calculation performed," Williams added.

He was, however, sure that more information would come to light about the stoush soon: "with Kaspersky on the defensive and likely backlash against US companies in Russia and elsewhere, the intelligence community may be sharing more of it what it knows sooner than later".

iTWire has contacted Kaspersky Lab's local outlet for comment.

LEARN HOW TO REDUCE YOUR RISK OF A CYBER ATTACK

Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has high potential to be exposed to risk.

It only takes one awry email to expose an accounts payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 steps to improve your Business Cyber Security’ you will learn some simple steps you should be taking to prevent devastating malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you will learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips

DOWNLOAD NOW!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments