Friday, 14 July 2017 10:06

Kaspersky response to spy claims misleading: infosec expert Featured

By

A former employee of the NSA claims Kaspersky Lab has provided misleading information while responding to a Bloomberg article that said emails it had obtained showed that the company had developed products for the Russian intelligence service FSB and also accompanied its agents on raids.

Jake Williams, who runs a company named Rendition Infosec, said in a blog post that some part of Kaspersky Lab's riposte to the Bloomberg story was accurate.

But, he added, it was incorrect to say that Kaspersky Lab could not provide "any government agencies, nor other parties, with information on location of people and doesn't gather 'identifying data from customers' computers' because it is technically impossible".

A few hours after the Bloomberg report appeared, the US government said it was removing Kaspersky Lab from a list of approved software suppliers for two government-wide purchasing contracts that are used to buy technology services.

Kaspersky Lab responded to the government move by saying that it had no ties to any government, and had never helped any government with their cyber-espionage efforts.

Williams said that whether Kaspersky Lab provided real-time intelligence to anyone else was left to be determined.

"But the Kaspersky claim that it is 'technically impossible' to 'gather identifying data from customers’ computers' is completely false," he said.

Williams said it could be true that Kaspersky software did not have any features built in for the sole purpose of gathering identifying data from customers.

"But anti-virus software collects lots of telemetry on malware activities," he pointed out. "Part of that telemetry involves the autorun registry keys used by malware to persist between reboots.

"In some cases, malware even stores exfiltration or configuration data in the registry and Kaspersky needs this data to be effective with their detection, quarantine, and removal of malware artefacts on infected machines.

"As a result, it seems highly unlikely that Kaspersky software does not have the ability to query arbitrary registry keys and return their contents back to Kaspersky operations centres."

He said that by querying the correct registry keys, Kaspersky Lab would be able to gather data such as:

  • The machine name and domain name;
  • The username of the currently logged on user;
  • The usernames of previously logged on users;
  • The email address of the Microsoft account linked to the local accounts (if any);
  • The Wi-Fi network the machine is currently connected to;
  • The names of saved Wi-Fi networks;
  • The Windows unique product ID;
  • The Kaspersky unique product ID;
  • Unique hardware information (processor serial number, etc.);
  • Recently typed URLs;
  • Recently opened document names; and
  • Recently executed programs.

Williams also pointed out that these details were only part of the information that could be enumerated from registry values alone – and Kaspersky software was sure to have this capability.

"This completely discounts the fact that Kaspersky can arbitrarily enable new capabilities in its software at will and deploy those capabilities only to specific machines, presumably those targeted by FSB," he added. "Please note that Rendition isn’t claiming Kaspersky is using these capabilities, but it’s ridiculous to think they don’t have them."

He said that neither side had been totally transparent in the back-and-forth of this affair. While it appeared that Kaspersky Lab appeared to have been more open, it was possible that the US government was more guarded in its comments due to a need to protect sources.

"If the US Government discloses information derived from sensitive sources, it may no longer be able to access those sources – like everything in intelligence (cyber threat intelligence included) there must be an intel gain/loss calculation performed," Williams added.

He was, however, sure that more information would come to light about the stoush soon: "with Kaspersky on the defensive and likely backlash against US companies in Russia and elsewhere, the intelligence community may be sharing more of it what it knows sooner than later".

iTWire has contacted Kaspersky Lab's local outlet for comment.

BUSINESS WORKS BETTER WITH WINDOWS 1O. MAKE THE SHIFT

You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer

Timezones

QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.

REGISTER!

ADVERTISE ON ITWIRE NEWS SITE & NEWSLETTER

iTWire can help you promote your company, services, and products.

Get more LEADS & MORE SALES

Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]

OR CLICK HERE!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments