Kaspersky Anti Virus

The well-known antivirus software made by Russian businessman Eugene Kaspersky is once again making news in its battle with the EU and the USA, as the company suspends collaboration with Europol and the NoMoreRansom initiative it helped to set up. But are the accusations against Kaspersky valid, and can you still trust it on your home or business computers?

The risks of using our software are purely hypothetical. Just as hypothetical as with any other cybersecurity software of any country. But the risk of becoming a victim of a genuine cyberattack is real – and extremely high. Ergo: EP’s political decision plays *for* cybercrime
Eugene Kaspersky on Twitter (@e_kaspersky), 13 Jun 2018, https://twitter.com/e_kaspersky/status/1006979244826746882

What’s the accusation?

There have been accusations that the company works alongside the Kremlin, passing information from its customers around the world to Russian intelligence.

The Wall Street Journal published a report in October 2015 suggesting Kaspersky Lab antivirus software was involved in the theft of data from an American National Security Agency worker who had put classified files on his home computer.

“Hackers working for the Russian government stole details of how the U.S. penetrates foreign computer networks and defends against cyberattacks after a National Security Agency contractor removed the highly classified material and put it on his home computer, according to multiple people with knowledge of the matter.
The hackers appear to have targeted the contractor after identifying the files through the contractor’s use of a popular antivirus software made by Russia-based Kaspersky Lab”

Wall Street Journal

However, the report contained no evidence and cited only anonymous sources, which is hardly conclusive or verifiable; indeed, Kaspersky posted a reply on September 6th pointing out the lack of any evidence.

The New York Times has gone on to make additional claims against Kaspersky, all of which have been rebutted by the company. (See Kaspersky’s responses below.)

Ban on Kaspersky

USA

In July 2017, a bill was proposed in the US to prohibit the use of Kaspersky Lab software, and in September the United States Department of Homeland Security ordered US agencies to replace Kaspersky software with other approved software by the end of November 2017.

The DHS cited suspected links to Russian intelligence services and referred to Russian law requiring communications companies to assist Russian intelligence in intercepting communications transiting Russian networks.

SEC. 1630B. PROHIBITION ON USE OF SOFTWARE PLATFORMS DEVELOPED BY KASPERSKY LAB.
(a) Prohibition.—No department, agency, organization, or other element of the Department of Defense may use, whether directly or through work with or on behalf of another organization or element of the Department or another department or agency of the United States Government, any software platform developed, in whole or in part, by Kaspersky Lab or any entity of which Kaspersky Lab has a majority ownership.

S.1519 – National Defense Authorization Act for Fiscal Year 2018, Sen. John McCain, https://www.congress.gov/bill/115th-congress/senate-bill/1519/text

“This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security.”
DHS Statement on the Issuance of Binding Operational Directive 17-01, September 2017, https://www.dhs.gov/news/2017/09/13/dhs-statement-issuance-binding-operational-directive-17-01

The US General Services Administration removed Kaspersky Lab from its list of approved vendors, and the US retailer Best Buy removed Kaspersky Lab products from its shelves.

This was reinforced in mid-December when President Donald Trump signed the National Defense Authorization Act for FY2018.

Netherlands

The Dutch government announced that it planned to phase out the use of Kaspersky anti-virus software as a precautionary measure, and recommended that companies involved in the protection of critical infrastructure do the same.

Lithuania

In December 2017, the Lithuanian government also announced that it was going to ban the use of Kaspersky Lab’s products from computers used in critical infrastructure.

“At a meeting of the Government on December 20 it was recognised that Kaspersky Lab software is a potential national security threat and managers of critical information infrastructure and state information resources have to replace it with safe equivalents in a short while.”
Kaspersky Lab poses a potential national security threat, Ministry of National Defence, Republic of Lithuania, December 2017, https://kam.lt/en/news_1098/current_issues/kaspersky_lab_poses_a_potential_national_security_threat_the_government_stated.html

UK

While not a ban on Kaspersky, the National Cyber Security Centre (part of GCHQ), along with MI5, did warn against the use of Russian security products in systems involved with national security.

“In drawing this guidance to your attention today, it is our aim to enable departments to make informed, risk-based decisions on your choice of AV provider. To that end, we advise that where it is assessed that access to the information by the Russian state would be a risk to national security, a Russia-based AV company should not be chosen.
In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used.
Departments with responsibility for critical infrastructure may also want to discuss with us what implications this has for their sector where there may be national security concerns.”
Letter to permanent secretaries regarding the issue of supply chain risk in cloud-based products, December 2017, https://www.ncsc.gov.uk/information/letter-permanent-secretaries-regarding-issue-supply-chain-risk-cloud-based-products

Twitter

Twitter took the decision to ban targeted adverts from Kaspersky, citing the US Department of Homeland Security ban. In a “short letter from an unnamed employee” it told Kaspersky that “Kaspersky operates using a business model that inherently conflicts with acceptable Twitter Ads business practices”, but said it would allow Kaspersky to remain an ‘organic’ user on the platform.

The EU’s findings

On 13th June, a motion on Cyber Defence was passed in the European Parliament that described Kaspersky as ‘confirmed as malicious’.

“Public-private partnerships
76. Calls on the EU to perform a comprehensive review of software, IT and communications equipment and infrastructure used in the institutions in order to exclude potentially dangerous programmes and devices, and to ban the ones that have been confirmed as malicious, such as Kaspersky Lab”
Motion for a European Parliament Resolution on Cyber Defence, June 2018, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//TEXT+REPORT+A8-2018-0189+0+DOC+XML+V0//EN&language=en#title2

But again, no evidence is given to support the claim that Kaspersky is a malicious tool or that the information gathered by its applications is being misused in any way. In an EU Parliamentary question, Polish MEP Anna Fotyga asked:

“More information has emerged from experts and in the media about Russia’s intelligence services monitoring anti-virus software produced by the company Kaspersky Lab, with the aim of gaining unauthorised access to information (including classified information). With that in mind, has Kaspersky Lab software been used at the Commission or any other EU institutions or agencies? If so, to what extent? Have any assessments been made as to the possible risks associated with the use of the software by Russian intelligence to hack into IT systems and databases, and has a decision been taken — mirroring that, for example, of the US administration — to stop using this dangerous software?”

Risks associated with the use of Kaspersky Lab software, Feb 2018, http://www.europarl.europa.eu/sides/getDoc.do?type=WQ&reference=P-2018-000603&language=EN

With the intriguing reply:

“The Commission takes concerns of compromised software being used as an entrypoint for unauthorised access seriously.
There has been very limited use of Kaspersky Lab software in the Commission. Analysts in the Computer Emergency Response Team for the EU institutions, bodies and agencies (CERT-EU) — an interinstitutional cybersecurity team hosted at the Commission — and in the Directorate-General for Human Resources and Security use, amongst numerous other anti-virus products, a Kaspersky anti-virus engine to analyse malware samples in a controlled off-line environment separated from the Commission networks and without any direct Internet connection. The risk of data exfiltration therefore would be minimal even if the software was in fact malicious. However, the Commission has no indication for any danger associated with this anti-virus engine.
As regards other EU institutions and agencies, choices of anti-malware and anti-spam tools are at the discretion of each organisation.”
Risks associated with the use of Kaspersky Lab software (answer), Feb 2018, http://www.europarl.europa.eu/sides/getAllAnswers.do?reference=P-2018-000603&language=EN

However, the resolution was passed by a broad majority. It is not legally binding, but it will put a lot of scrutiny on the anti-virus software used by governments in critical areas, and if the ban is carried through, it could have far-reaching implications for how the private and public sectors work together.

Kaspersky’s responses

Throughout these accusations, Kaspersky has responded in a measured way, citing the lack of any evidence, the misrepresentation of Kaspersky Lab’s connections to the Kremlin, and misunderstandings of Russian law.

In response to a New York Times article, Kaspersky published a rebuttal identifying seven inaccurate claims, addressing the alleged ties to the Russian intelligence service, Eugene Kaspersky’s past relationship with the KGB and the Soviet military, and the misrepresentation of the Russian technical certifications required to supply products to the government.

Another article published in the New York Times on January 3rd was also responded to, again citing a lack of any actual evidence.

Its response to the US Department of Homeland Security directive further emphasised the company’s insistence that it is not in any way connected to the Russian intelligence service.

“Kaspersky Lab has never helped, nor will help, any government in the world with its cyberespionage or offensive cyber efforts, and it’s disconcerting that a private company can be considered guilty until proven innocent, due to geopolitical issues. The company looks forward to working with DHS, as Kaspersky Lab ardently believes a deeper examination of the company will substantiate that these allegations are without merit.”
Kaspersky Lab Response to Issuance of DHS Binding Operational Directive 17-01, September 2017, https://usa.kaspersky.com/about/press-releases/2017_kaspersky-lab-response-to-issuance-of-dhs-binding-operational-directive-17-01

In May 2018, after the US courts upheld the DHS prohibition on the use of Kaspersky products, Kaspersky released a further statement.

Responding to the Wall Street Journal article from October 2017, Kaspersky pointed out that no evidence had been given to back up the claims made in the article, and that Kaspersky had offered to work alongside US authorities to address any concerns, but that the offer had not yet been taken up. Damningly, it later published the results of its investigation into the incident, which showed that the individual had first disabled Kaspersky, then installed a pirated copy of MS Office 2013 using an illegal Microsoft Office activation key generator that was infected with malware, and then re-enabled Kaspersky. (This is also mentioned in the press release above.)

In October 2017, Kaspersky reiterated its commitment to the global collaborative fight against cybercrime and its sharing of resources with Interpol. The commitment aimed to strengthen an existing relationship that had so far identified several large-scale botnets, including thousands of command-and-control servers, infected PCs and websites.

Global Transparency Initiative

Also in October 2017, the company launched its Global Transparency Initiative as a way of making the company more transparent. The initiative invited the information security community to verify the trustworthiness of its products and business operations. It also aims to make the source code of its products available for independent review and assessment, in order to prove its credentials and earn trust.

Another part of the initiative is to move part of Kaspersky Lab’s core infrastructure from Russia to Switzerland, including customer data storage and processing for the EU and USA, threat detection updates and software assembly. Kaspersky has an independent third party supervising the move, in keeping with its transparency policy.

Then in November, Kaspersky Lab signed an agreement with the Council of Europe, alongside other leading technology companies such as Apple, Deutsche Telekom, Facebook, Google, Microsoft, Orange and Telefónica, pledging to promote an open and safe internet.

However, in light of the EU decision to promote a ban on Kaspersky products, the company responded by saying it would suspend collaborative work with Europol and leave the NoMoreRansom programme, which it helped set up to help victims of ransomware retrieve their encrypted data.

“Today, the European Parliament voted on a report in which Polish representative, MEP Fotyga included an amendment referencing Kaspersky Lab which is based on untrue statements. Although this report has no legislative power it demonstrates a distinct lack of respect for the company which has been a firm friend of Europe in the fight against cybercrime.
Kaspersky Lab remains willing to meet with MEPs to address any questions about the business, its leadership, expertise, technologies and methodology that they may have”
Kaspersky Lab response to EU Parliament vote on Report on Cyber Defence, June 2019, https://www.kaspersky.com/about/press-releases/2018_kaspersky-lab-response-to-eu-parliament-vote

So is Kaspersky safe?

“Kaspersky Lab has, and will never, work on the behalf of Russian intelligence, or the espionage arm of any government.
If the Russian government comes to me and asks me to do anything wrong, or my employees, I will move the business out of Russia.
FSB in Russia is responsible for investigating high-profile cyber crime and for informational investigation. When there’s informational cyber crime including Russian gangs, the FSB is doing that job and of course we assist them. Kaspersky researchers provide Russian authorities with information about attackers and malware, as it does when working with other law enforcement agencies.
The truth is Kaspersky Lab is working with national and international law enforcement, including British. So you could replace Russia with the UK, because Kaspersky Lab is working with British intelligence because we’re investigating cyber crime”
Eugene Kaspersky speaking to journalists in London

We haven’t seen any evidence of wrongdoing by Kaspersky Lab; it is a large and well-respected company in the information security community.

Some prominent cybersecurity industry experts are skeptical of the accusations against Kaspersky, especially since no evidence of wrongdoing has been provided and many decisions related to the company appear to be based on media reports.

The UK guidance is significant in that it does not name Kaspersky as a specific ‘threat’, only ‘Russian companies’ in general. It also contains an interesting statement that the UK government is in talks with Kaspersky to see how they can work together. The UK government is clearly wary of the actions taken by the EU, but aware that they appear to be based on speculation and rumour.

“As well as keeping this guidance under review, we are in discussions with Kaspersky Lab, by far the largest Russian player in the UK, about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market. In particular we are seeking verifiable measures to prevent the transfer of UK data to the Russian state. We will be transparent about the outcome of those discussions with Kaspersky Lab and we will adjust our guidance if necessary in the light of any conclusions.”
Letter to permanent secretaries regarding the issue of supply chain risk in cloud-based products, December 2017, https://www.ncsc.gov.uk/information/letter-permanent-secretaries-regarding-issue-supply-chain-risk-cloud-based-products

It may be prudent for nations to keep a close eye on the ‘supply chain’ of their information security products. By their nature, these products need to be able to read every file a user can access in order to check it for infections, and as part of the scanning process the AV software may need to send pieces of that information back to its cloud servers for additional analysis. Having a transparent provider is therefore a big tick in the security box.

Mikko Hypponen from F-Secure spoke to Security Week about the accusations made against Kaspersky and the issues faced with modern global information security platforms.

He affirmed Kaspersky’s view that the stories reported in the Wall Street Journal and the New York Times were only speculation with no evidence to back them up. He also said that links between information security providers and law enforcement in different countries are commonplace and necessary in the fight against cybercrime.

He said that for someone at Kaspersky Lab to have identified the files sent for analysis as containing top secret information, and then to have identified and targeted that individual to get more information from them, the Kaspersky product would have had to be collecting additional personal data. If that were the case, it is highly unlikely that its products would have survived the test of time: analysis of the data sent from the application back to the cloud servers would surely have picked up the additional information.

He clearly does not believe that Kaspersky Lab is guilty of any malicious behaviour. “Why? Because that would be so short-sighted. If you do that and you get caught, your company is toast, and it should be toast. That’s a bad business decision. If it’s the Russian government using a local security company as their way of gaining access to information, that’s short-sighted too. Because Kaspersky Lab is the biggest software success story out of Russia since Tetris.”