Kaspersky Anti Virus
The well-known antivirus software made by Russian businessman Eugene Kaspersky is once again making news in its battle with the EU and USA, as the company suspends collaboration with Europol and the NoMoreRansom initiative it helped set up. But are the accusations against Kaspersky valid, and can you still trust it on your home or business computers?
Eugene Kaspersky on Twitter (@e-kaspersky) 13 Jun 2018 https://twitter.com/e_kaspersky/status/1006979244826746882
What’s the accusation?
There have been accusations that the company works alongside the Kremlin, providing Russian intelligence with information taken from its customers around the world.
The Wall Street Journal published a report in October 2017 suggesting that Kaspersky Lab antivirus software was involved in the theft of data from a National Security Agency contractor who had put classified files on his home computer.
“The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab”
Wall Street Journal
However, the report contained no evidence and cited only anonymous sources, which is hardly conclusive or verifiable; indeed, Kaspersky posted a reply on September 6th pointing out the lack of any evidence.
The New York Times has gone on to make additional claims against Kaspersky, all of which have been rebutted by the company (see Kaspersky’s responses below).
Ban on Kaspersky
USA
In July 2017 a bill was proposed in the US to prohibit the use of Kaspersky Lab software, and in September the United States Department of Homeland Security ordered US agencies to replace Kaspersky software with other approved software by the end of November 2017.
DHS cited suspected links to Russian intelligence services and referred to Russian law requiring communications companies to assist Russian intelligence in intercepting communications transiting Russian networks.
(a) Prohibition. —No department, agency, organization, or other element of the Department of Defense may use, whether directly or through work with or on behalf of another organization or element of the Department or another department or agency of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.
S.1519 – National Defense Authorization Act for Fiscal Year 2018 by Sen. John McCain https://www.congress.gov/bill/115th-congress/senate-bill/1519/text
DHS Statement on the Issuance of Binding Operational Directive 17-01, September 2017, https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01
The US General Services Administration removed Kaspersky Lab from its list of approved vendors, and the US retailer Best Buy removed Kaspersky Lab products from its shelves.
This was reinforced in mid-December 2017 when President Donald Trump signed the National Defense Authorization Act for FY2018, which contains the prohibition quoted above.
Netherlands
The Dutch government announced that it planned to phase out the use of Kaspersky antivirus software as a precautionary measure, and recommended that companies involved in protecting critical infrastructure do the same.
Lithuania
In December 2017 the Lithuanian government also announced that it would ban the use of Kaspersky Lab’s products on computers used in critical infrastructure.
Kaspersky Lab poses a potential national security threat, Ministry of National Defence, Republic of Lithuania, December 2017, https://kam.lt/en/news_1098/current_issues/kaspersky_lab_poses_a_potential_national_security_threat_the_government_stated.html
UK
While not a ban on Kaspersky, the National Cyber Security Centre (part of GCHQ), along with MI5, did warn against the use of Russian security products in systems involved with national security.
“In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.
Departments with responsibility for critical infrastructure may also want to discuss with us what implications this has for their sector where there may be national security concerns.”
Letter to permanent secretaries regarding the issue of supply chain risk in cloud-based products, December 2017 https://www.ncsc.gov.uk/information/letter-permanent-secretaries-regarding-issue-supply-chain-risk-cloud-based-products
Twitter took the decision to ban targeted adverts from Kaspersky, citing the US Department of Homeland Security ban. In a “short letter from an unnamed employee” it told Kaspersky that “Kaspersky operates using a business model that inherently conflicts with acceptable Twitter Ads business practices”, but said it would allow Kaspersky to remain an ‘organic’ user on the platform.
The EU’s findings
On 13th June 2018, a motion on Cyber Defence was passed in the European Parliament that identified Kaspersky as ‘confirmed as malicious’:
“76. Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab”
Motion for a European Parliament Resolution on Cyber Defence, June 2018 http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A8-2018-0189+0+DOC+XML+V0//EN&language=en#title2
But again, no evidence is given to support the claim that Kaspersky is a malicious tool or that information gathered by its applications is being misused in any way. In an EU parliamentary question, Polish MEP Anna Fotyga had asked the Commission about the risks associated with the use of Kaspersky Lab software:
Risks associated with the use of Kaspersky Lab software, Feb 2018 http://www.europarl.europa.eu/sides/getDoc.do?type=WQ&reference=P-2018-000603&language=EN
With the intriguing reply:
“There has been very limited use of Kaspersky Lab software in the Commission. Analysts in the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) — an interinstitutional cybersecurity team hosted at the Commission — and in the Directorate-General for Human Resources and Security use, amongst numerous other anti-virus products, a Kaspersky anti-virus engine to analyse malware samples in a controlled off-line environment separated from the Commission networks and without any direct Internet connection. The risk of data exfiltration therefore would be minimal even if the software was in fact malicious. However, the Commission has no indication for any danger associated with this anti-virus engine.
As regards other EU institutions and agencies, choices of anti-malware and anti-spam tools are at the discretion of each organisation.”
Risks associated with the use of Kaspersky Lab software, Feb 2018 http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=P-2018-000603&language=EN
Nevertheless, the resolution passed by a broad majority. It is not legally binding, but it puts the spotlight on the antivirus software used by governments in critical areas, and if a ban were carried through it could have far-reaching implications for how the private and public sectors work together.
Kaspersky’s responses
Throughout these accusations Kaspersky has responded in a measured way, citing the lack of any evidence, the misrepresentation of Kaspersky Lab’s connections to the Kremlin, and misunderstanding of Russian law.
In response to a New York Times post, Kaspersky published a rebuttal identifying seven inaccurate claims, addressing claims about ties to the Russian intelligence service, Eugene Kaspersky’s past relationship with the KGB and the Soviet military, and the misrepresentation of the Russian technical certifications required for supplying products to the government.
Another New York Times article, from January 3rd, was also responded to, again citing a lack of any actual evidence.
Its response to the US Department of Homeland Security directive further emphasised the company’s insistence that it is not in any way connected to the Russian intelligence service.
Kaspersky Lab Response to Issuance of DHS Binding Operational Directive 17-01, September 2017 https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-response-to-issuance-of-dhs-binding-operational-directive-17-01
In May 2018, after a US court upheld the DHS prohibition on the use of Kaspersky products, Kaspersky released a further statement.
Responding to the Wall Street Journal article from October 2017, Kaspersky pointed out that no evidence had been given to back up the claims made in the article, and that Kaspersky had offered to work alongside US authorities to address any concerns, but that the offer had not yet been taken up. More damningly, Kaspersky later published the results of its own investigation into the incident, which showed that the individual had first disabled Kaspersky, then installed a pirated copy of MS Office 2013 using an illegal Microsoft Office activation key generator that was infected with malware, and then re-enabled Kaspersky (also mentioned in a Kaspersky press release).
In October 2017, Kaspersky reiterated its commitment to the global collaborative fight against cybercrime and its sharing of resources with Interpol. The commitment aimed to strengthen an existing relationship that had so far identified several large-scale botnets, including thousands of command-and-control servers, infected PCs and websites.
Also in October 2017, the company launched its Global Transparency Initiative. The initiative invites the information security community to verify the trustworthiness of its products and business operations, and aims to make the source code of its products available for independent review and assessment in order to prove its credentials and earn trust.
Another part of the initiative is to move part of Kaspersky Lab’s core infrastructure from Russia to Switzerland, including customer data storage and processing for the EU and USA, threat-detection updates and software assembly. Kaspersky has engaged an independent third party to supervise the move, in line with its transparency policy.
Then in November 2017 Kaspersky Lab signed an agreement with the Council of Europe, alongside other leading technology companies such as Apple, Deutsche Telekom, Facebook, Google, Microsoft, Orange and Telefónica, pledging to promote an open and safe internet.
However, in light of the European Parliament’s vote in favour of a ban on Kaspersky products, the company responded by saying it would suspend collaborative work with Europol and leave the NoMoreRansom programme, which it helped set up to help victims of ransomware recover their encrypted data.
“Kaspersky Lab remains willing to meet with MEPs to address any questions about the business, its leadership, expertise, technologies and methodology that they may have”
Kaspersky Lab response to EU Parliament vote on Report on Cyber Defence, June 2018 https://www.kaspersky.com/about/press-releases/2018_kaspersky-lab-response-to-eu-parliament-vote
So is Kaspersky safe?
“If the Russian government comes to me and asks me to do anything wrong, or my employees, I will move the business out of Russia.
FSB in Russia is responsible for investigating high-profile cyber crime and for informational investigation. When there’s informational cyber crime including Russian gangs, the FSB is doing that job and of course we assist them. Kaspersky researchers provide Russian authorities with information about attackers and malware, as it does when working with other law enforcement agencies.
The truth is Kaspersky Lab is working with national and international law enforcement, including British. So you could replace Russia with the UK, because Kaspersky Lab is working with British intelligence because we’re investigating cyber crime”
Eugene Kaspersky speaking to journalists in London
We haven’t seen any evidence of wrongdoing by Kaspersky Lab; it is a large and well-respected company in the information security community.
Some prominent cybersecurity industry experts are sceptical of the accusations against Kaspersky, especially since no evidence of wrongdoing has been produced and many decisions concerning the company appear to be based on media reports.
The UK letter is significant in that it does not name Kaspersky as a specific ‘threat’, only Russia-based providers in general. It also contains an interesting statement that the UK government is in talks with Kaspersky to see how they can work together. The UK government is evidently wary of the EU’s actions, but aware that they appear to be based on speculation and rumour.
Letter to permanent secretaries regarding the issue of supply chain risk in cloud-based products, December 2017 https://www.ncsc.gov.uk/information/letter-permanent-secretaries-regarding-issue-supply-chain-risk-cloud-based-products
It may be prudent for nations to keep a close eye on the supply chain of their information security products. By their nature, antivirus products must be able to read every file a user can read in order to scan it, and as part of the scanning process they may send data back to the vendor’s cloud servers for additional analysis: typically file hashes and metadata, and in some configurations whole suspicious files. What leaves the machine, and under which settings, is therefore the practical question, so a transparent provider is a big tick in the security box.
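To make that concrete, the following Python model is added here as an illustration; it is not Kaspersky’s or any vendor’s code, and the signature lists, policy flags and sample inputs are constructed for the example. It shows the decision a cloud-assisted scanner makes for each file (local verdict, hash-only lookup, or full sample upload) and records every byte that would leave the box, which is the same thing an auditor wants to see from a real product’s outbound traffic.

```python
"""Toy model of a cloud-assisted scanner's outbound telemetry.

Constructed illustration, not any vendor's code. The point is to separate
what a scanner must read locally (everything) from what it actually sends
off-box (ideally only a hash, and a full sample only when policy allows).
"""
import hashlib
from dataclasses import dataclass, field

# The standard EICAR test string, used here as the one "known bad" file.
EICAR_TEST_FILE = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Constructed local signature lists; real products ship far larger ones.
KNOWN_BAD = {hashlib.sha256(EICAR_TEST_FILE).hexdigest()}
KNOWN_GOOD = {hashlib.sha256(b"hello world\n").hexdigest()}


@dataclass
class Policy:
    """What the scanner is permitted to send off-box (assumed defaults)."""
    cloud_lookup: bool = True      # send the SHA-256 of unknown files for a reputation check
    submit_samples: bool = False   # upload the unknown file itself for deeper analysis


@dataclass
class Outbound:
    """One record of data that would leave the machine."""
    kind: str        # "hash" or "sample"
    payload: bytes


@dataclass
class ScanResult:
    verdict: str                      # "clean", "malicious" or "unknown"
    outbound: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def scan(data: bytes, policy: Policy) -> ScanResult:
    """Decide locally first; only an unknown hash triggers any egress at all."""
    digest = sha256_hex(data)
    # Local verdicts generate no telemetry, whatever the file contains.
    if digest in KNOWN_BAD:
        return ScanResult("malicious")
    if digest in KNOWN_GOOD:
        return ScanResult("clean")
    result = ScanResult("unknown")
    if policy.cloud_lookup:
        # A 64-hex-character digest leaves the box, not the file contents.
        result.outbound.append(Outbound("hash", digest.encode()))
    if policy.submit_samples:
        # The whole file leaves the box: this is the path that exposes documents.
        result.outbound.append(Outbound("sample", data))
    return result


def egress_summary(results) -> dict:
    """Aggregate what would leave the machine across a set of scans, for audit."""
    summary = {"hash": 0, "sample": 0, "sample_bytes": 0}
    for r in results:
        for o in r.outbound:
            summary[o.kind] += 1
            if o.kind == "sample":
                summary["sample_bytes"] += len(o.payload)
    return summary


if __name__ == "__main__":
    # Constructed "home directory": one known-bad, one known-good, one unknown document.
    files = {
        "eicar.com": EICAR_TEST_FILE,
        "notes.txt": b"hello world\n",
        "memo.docx": b"CONSTRUCTED sensitive document contents",
    }
    for name, policy in (("hash-only", Policy()), ("sample-upload", Policy(submit_samples=True))):
        results = [scan(data, policy) for data in files.values()]
        print(name, [r.verdict for r in results], egress_summary(results))
```

Run stand-alone, the script scans the same three constructed files under both policies: with the hash-only policy the unknown document produces a single 64-character digest on the wire, while enabling sample submission sends its full contents. On a real endpoint the equivalent check is the product’s data-sharing and sample-submission settings, confirmed by capturing its outbound traffic.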
Mikko Hypponen of F-Secure spoke to SecurityWeek about the accusations against Kaspersky and the issues faced by modern, global information security platforms.
He echoed Kaspersky’s position that the stories in the Wall Street Journal and the New York Times were speculation with no evidence behind them, and said that links between information security providers and law enforcement in different countries are commonplace and necessary in the fight against cybercrime.
He also said that for someone at Kaspersky Lab to have identified files sent for analysis as containing top-secret information, and then to have identified and targeted that individual to get more information from them, the Kaspersky product would have had to be collecting additional personal data. If that were the case, it is highly unlikely its products would have survived the test of time: analysis of the data sent from the application back to the cloud servers would surely have picked up the additional information.
He clearly does not believe that Kaspersky Lab is guilty of any malicious behavior. “Why? Because that would be so short-sighted. If you do that and you get caught, your company is toast, and it should be toast. That’s a bad business decision. If it’s the Russian government using a local security company as their way of gaining access to information, that’s short-sighted too. Because Kaspersky Lab is the biggest software success story out of Russia since Tetris.”