Friday, 14 July 2017 10:06

Kaspersky response to spy claims misleading: infosec expert Featured

By

A former employee of the NSA claims Kaspersky Lab has provided misleading information while responding to a Bloomberg article that said emails it had obtained showed that the company had developed products for the Russian intelligence service FSB and also accompanied its agents on raids.

Jake Williams, who runs a company named Rendition Infosec, said in a blog post that some part of Kaspersky Lab's riposte to the Bloomberg story was accurate.

But, he added, it was incorrect to say that Kaspersky Lab could not provide "any government agencies, nor other parties, with information on location of people and doesn't gather 'identifying data from customers' computers' because it is technically impossible".

A few hours after the Bloomberg report appeared, the US government said it was removing Kaspersky Lab from a list of approved software suppliers for two government-wide purchasing contracts that are used to buy technology services.

Kaspersky Lab responded to the government move by saying that it had no ties to any government, and had never helped any government with their cyber-espionage efforts.

Williams said that whether Kaspersky Lab provided real-time intelligence to anyone else was left to be determined.

"But the Kaspersky claim that it is 'technically impossible' to 'gather identifying data from customers’ computers' is completely false," he said.

Williams said it could be true that Kaspersky software did not have any features built in for the sole purpose of gathering identifying data from customers.

"But anti-virus software collects lots of telemetry on malware activities," he pointed out. "Part of that telemetry involves the autorun registry keys used by malware to persist between reboots.

"In some cases, malware even stores exfiltration or configuration data in the registry and Kaspersky needs this data to be effective with their detection, quarantine, and removal of malware artefacts on infected machines.

"As a result, it seems highly unlikely that Kaspersky software does not have the ability to query arbitrary registry keys and return their contents back to Kaspersky operations centres."

He said that by querying the correct registry keys, Kaspersky Lab would be able to gather data such as:

  • The machine name and domain name;
  • The username of the currently logged on user;
  • The usernames of previously logged on users;
  • The email address of the Microsoft account linked to the local accounts (if any);
  • The Wi-Fi network the machine is currently connected to;
  • The names of saved Wi-Fi networks;
  • The Windows unique product ID;
  • The Kaspersky unique product ID;
  • Unique hardware information (processor serial number, etc.);
  • Recently typed URLs;
  • Recently opened document names; and
  • Recently executed programs.

Williams also pointed out that these details were only part of the information that could be enumerated from registry values alone – and Kaspersky software was sure to have this capability.

"This completely discounts the fact that Kaspersky can arbitrarily enable new capabilities in its software at will and deploy those capabilities only to specific machines, presumably those targeted by FSB," he added. "Please note that Rendition isn’t claiming Kaspersky is using these capabilities, but it’s ridiculous to think they don’t have them."

He said that neither side had been totally transparent in the back-and-forth of this affair. While it appeared that Kaspersky Lab appeared to have been more open, it was possible that the US government was more guarded in its comments due to a need to protect sources.

"If the US Government discloses information derived from sensitive sources, it may no longer be able to access those sources – like everything in intelligence (cyber threat intelligence included) there must be an intel gain/loss calculation performed," Williams added.

He was, however, sure that more information would come to light about the stoush soon: "with Kaspersky on the defensive and likely backlash against US companies in Russia and elsewhere, the intelligence community may be sharing more of it what it knows sooner than later".

iTWire has contacted Kaspersky Lab's local outlet for comment.

CHIEF DATA & ANALYTICS OFFICER BRISBANE 2020

26-27 February 2020 | Hilton Brisbane

Connecting the region’s leading data analytics professionals to drive and inspire your future strategy

Leading the data analytics division has never been easy, but now the challenge is on to remain ahead of the competition and reap the massive rewards as a strategic executive.

Do you want to leverage data governance as an enabler?Are you working at driving AI/ML implementation?

Want to stay abreast of data privacy and AI ethics requirements? Are you working hard to push predictive analytics to the limits?

With so much to keep on top of in such a rapidly changing technology space, collaboration is key to success. You don't need to struggle alone, network and share your struggles as well as your tips for success at CDAO Brisbane.

Discover how your peers have tackled the very same issues you face daily. Network with over 140 of your peers and hear from the leading professionals in your industry. Leverage this community of data and analytics enthusiasts to advance your strategy to the next level.

Download the Agenda to find out more

DOWNLOAD NOW!

Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.

VENDOR NEWS & EVENTS

REVIEWS

Recent Comments