nav search
Data Center Software Security Transformation DevOps Business Personal Tech Science Emergent Tech Bootnotes BOFH

back to article
Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim

Anonymous Coward

"It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them."

Even if it's true we know other antivirus packages have also had many known holes. It's only an issue if in someway the hack was enabled because Kaspersky is a Russian company or if Kapersky actively assisted. Both of which are unlikely imo.

19
0
Anonymous Coward

This all sounds like more of "a big Ruskie kid did it, and ran away". Because EVERYTHING is the fault of the Russians, these days. And equally NOTHING is ever the fault of the good ole US of A.

Not that I have any illusions about what a bunch of brutal bastards the Russians are, I have worked there.

44
3
Anonymous Coward

"It is alleged"

Err... what is the effing proof.

It is alleged that CIA never tried to kill Castro. Or any other world leaders. Really. Telling the truth here. Honest. Cross my heart.

On a more serious note, if Kaspersky AV is the route for this hilarious one off, then we can assume that all of USA state secrets have been swiped by the Chinese 20 times by now. Simply on the basis of prevalence of Chinese made gadgets vs prevalence of Kaspersky AV.

25
2
Silver badge
Headmaster

Re: "It is alleged"

It is alleged that CIA never tried to kill Castro. Or any other world leaders. Really. Telling the truth here. Honest. Cross my heart.

Well played! Casting doubt in the negative to strengthen the positive - which you haven't actually proven to be true.

It is alleged that you didn't know what you were doing.

3
7
Silver badge

Re: "It is alleged"

"It is also possible, under Russian law, the Kremlin instructed staff within Kaspersky to hijack the mark's computer and extract its contents. The software maker is denying any wrongdoing."

So, this sounds very similar to the stuff that the US Gov does to US companies.

8
0
Anonymous Coward

Re: "It is alleged"

If the NSA had told companies about their security weaknesses instead of exploiting them then this could have blown up in their faces.

If they hadn't let someone take home their nasty tool-kit either.....

And as for this being the bad Russian company... pull the other one, it's got red bells on it!

2
1
Holmes

But look, obviously either the Russians did it or the Chinese did, and perhaps it's the Russians turn this time 'round ? After all, nothing that goes wrong in the USA can possibly be due to problems or people native to that Shining City on a Hill....

Reminds me of an old Japanese saying I learned there more than half a century ago :

郵便ポストが赤い

電信柱が高い

皆僕の悪いです。。。。

Henri

0
0
Flame

FTFY

The strong ties between Senator Jeanne Shaheen (D-NH) and Kim Jun Un are extremely alarming and have been well documented for some time, it's astounding and deeply concerning that the North Korean government continues to have this tool at their disposal to harm the United States.

Hey, it is just as well documented as Kasperskey's supposed ties to the Kremlin.

30
7
Silver badge
Facepalm

US intelligence source make stuff up ..

"Russian government spies extracted NSA exploits from a US government contractor's home PC using Kaspersky Lab software, anonymous sources have claimed."

In other words, we're just making this shit up. Lets just call it what it is, certain US commercial interests want to deny market share to Kaspersky under the pretext of national security.

"The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky's antivirus"

Listen, no self respecting hacker would keep 'classified code' on a computer connected to the Internet that requires anti-virus software. and no self respecting spook would be caught using Microsoft Windows to do their spying.

28
11
Silver badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

Given that almost 90% of all desktops these days are still under Redmond's rule, I don't see how you can realistically avoid using Windows all the time.

Now, a spook should know better than to use a Windows machine for work, I'd think, but the real problem here stems from the very probable fact that, spook or no, management will be using Windows and management wants their time sheets, planning, expense reports etc done on time. I haven't heard of a lot of Linux versions of the products that handle that, so you'll be most likely using Windows for all that stuff.

Compound that with the natural human tendency to be lazy - especially in the geek arena - and you have a contractor bringing work from a secure environment to an environment where security is an afterthought because who wants National Security-level hassle on one's private network ? To go on Youtube ? Nah, no need.

Add a zest of overconfidence (I got a super strong password on my wifi router) and willful ignorance (hey, it's me, nobody's interested in what I'm doing anyway) and here we are today, learning that Russia can read stuff on your PC via an anti-virus program.

The basic mistake here is a contractor leaving the NSA building with confidential documents and no oversight. I work regularly at various client sites (banks, insurance companies, ...) as a contractor ; do you have any idea how many places I can slip a USB key in the slot and copy files onto it ? Zero. I have complete access to server files, sometimes I even have admin access to the server itself, but USB ? Forget it.

Why is this even possible at a site that is practically the brain of National Security ?

I don't get it.

16
5
Anonymous Coward

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

"Now, a spook should know better than to use a Windows machine"

Other options may be worse:

https://www.theregister.co.uk/2017/01/03/android_tops_2016_vuln_list_with_523_bugs/

"with 523 vulnerabilities landing a CVE number in 2016, Android carried nearly double the patch-load of Adobe Flash (which had 266 and was number four on the list).

It's worth noting that while Debian Linux (319 CVEs) and Ubuntu Linux (278 CVEs) landed second and third places"

9
15

This post has been deleted by its author

Silver badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

For the thousandth time, counting CVEs does not indicate relative security levels. Different companies handle them differently. Apple for instance applies for a CVE number for every single issue they find, even those discovered internally. Most companies do not, and only get CVEs assigned for threats found by outsiders. Also, if you find five different issues in a certain module, some companies will have a single CVE assigned, others will have five assigned.

Finally, Linux has a ton more software included than Windows does. Not only that, but Linux often includes multiple versions (i.e. MySQL, SQlite, and so on...) If you count CVEs in Windows you won't end up counting CVES found in SQL Server, and if you add those in that's only one SQL package.

A company that does a good job of looking for and fixing security issues will look relatively worse than one that doesn't do any investigation on its own, and relies only on outsiders to find and report threats.

Counting CVEs to compare security is sort of like comparing automobile deaths per capita as a way of assessing how safe drivers are in different countries. It completely ignores more important stuff like what percentage of the population drives a car, how many miles the average person drives, the age/safety of the typical car, etc.

21
3
Anonymous Coward

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

.. with 523 vulnerabilities landing a CVE number in 2016, Android carried nearly double the patch-load of Adobe Flash (which had 266 and was number four on the list)

So, a single program, intended for playing animations and cute cat videos, has managed to rack up more than 50% of vulnerabilities of a complete O/S, including the kernel, UI, as well as full communications and multimedia stacks - so that it can play the said cat video as well. Thank you for reminding me what an utter PoS Flash was.

20
0
Silver badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

"the very probable fact that, spook or no, management will be using Windows and management wants their time sheets, planning, expense reports etc done on time. I haven't heard of a lot of Linux versions of the products that handle that, so you'll be most likely using Windows for all that stuff."

Management should be using what the organisation's security bods specify which, you'd hope, would be something more like Open BSD. LibreOffice will run quite nicely on BSDs so I can't see any problems with the sorts of management stuff you mention.

7
2
Silver badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

"For the thousandth time, counting CVEs does not indicate relative security levels."

Doug, there's no point in trying to explain things to A/Cs spouting the MS party line. They're only doing what they're told. You don't expect them to actually understand any of it do you?

12
2
Silver badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

> management wants their time sheets, planning, expense reports etc done on time. I haven't heard of a lot of Linux versions of the products that handle that, so you'll be most likely using Windows for all that stuff.

Stuff of that nature nowadays just presents a web user interface for the users. Unless their designers are total dolts, such interfaces normally also run in the browsers available on Linux and BSD. (OK; in old organizations, such software may be old and windows-only or needing ActiveX controls (yuck!)- but if so, stepping to more modern technology has also other benefits beside making the tools Linux-friendly).

7
0
Anonymous Coward

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

>Stuff of that nature nowadays just presents a web user interface for the users.

For timesheets and expenses I still use the Excel spreadsheet - being mobile, I can reliably enter data wherever and whenever it is convenient, also for similar reasons it is much easier to get a printout of the completed expense form (it has to be physically signed and enclosed with receipts).

My attitude being that thick client app's aren't that difficult to design and build; but that might be because I've spent a large part of my life designing and specifying systems to work in environments where unreliable communications are normal...

3
0
Silver badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

"Given that almost 90% of all desktops these days are still under Redmond's rule, I don't see how you can realistically avoid using Windows all the time."

Plus, if you are going to write a compromise for windows (reason: see first clause of quote), best to test it, doncha think?

I keep telling our clever young things that they are never as clever as they think they are and to measure twice before cutting code. I even have our own very messy crash-and-burn example to point to. But there are a couple just one USB drive from doing something stupid who won't listen.

Used to be three but one shut his dick in the door last month and now he's gone.

3
0
Anonymous Coward

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

@pascal and " haven't heard of a lot of Linux versions of the products that handle that"

Are you suggesting that there are no linux office/report products or that you have so little knowledge of that you are unaware that they exist?

Why not instead post "I know this is yet another windows problem but lets have a go at linux because that pays your bills"

These were windows exploits to be used as weapons by the NSA, if they have been copied by what is clearly considered a enemy power then one would hope that your beloved Microsoft/NSA would be rushing patch out,so removing the issues associated with handing your enemy your weapon. I wouldn't hold my breath though.

5
2
Bronze badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

Oh, an Anonymous Coward, (what ya hiding for), expounds claims that microsoft pay people to praise their products.

Really? What fucking company does that? I mean, it's retarded.

But if they do such a thing, where can I sign up? Do they pay enough that I can quit work and spend all my time developing what I want at home, posting on forums and stuff in between? Are there any extra benefits? New computer, fibre connection, or do I need to use what I have? Will they give me a company car too?

Man, I'd love to be paid by Microsoft to post on forums, I'd quit my job to do that this second, just tell me where do I sign up? Do I need to send a speculative email? You must know someone who does the job to know it exists? Maybe you did it yourself? Then you can definitely help me!!

Please, please, please, please tell me how to get paid for posting on forums. I'll show them my special Vulture badge and everything....

2
1
Anonymous Coward

@ soulrideruk

Funny story, back when BT were running phorm they were kicking people off their forums for posting the truth about the implications of allowing a company associated with malware, access to user's data without their knowledge. A shill posted with his real name and sure enough he listed his phorm involvement on his linkedin profile where he was boasting of being their marketing droid. After posting a copy of his public linkedin profile he attempted to get me banned from the forums however since google had cached it then I was able to prove that after he had deleted his profile that the information was in the public domain and so they had to reinstate my account, for a bit longer anyway.

As to your bronze badge, I am sure I could have one too but then again I would need to post with my account name which, since I am not a shill actually means something to me. Being as I only have the one

For those who genuinely want to become a shill and cannot get into marketing otherwise then I suggest setting up your own product review website, post up some bogus replies supporting your opinions and then contact manufacturers asking for products to test and review. One guy I saw on Amazon did just this with his review there being exactly the same as on his website but without the bit where he admitted that he had got the item in exchange for his review. If enough people believe your spiel then advertising and direct bribes are presumably the next step.

Most people here have, I presume, been around long enough to understand that not every post or review is unbiased and so I would imagine they, like myself, will make their own minds up about what they read.

3
1
Silver badge

Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

> For timesheets and expenses I still use the Excel spreadsheet

OK. If you prefer that, LibreOffice can do it just as well (and even save the results in an Excel-compatible file). I suppose there may be things that Excel can do and LibreOffice cannot, but adding columns of numbers is not one of them.

2
0

Re: US intelligence source make stuff up ..

"In other words, we're just making this shit up. Lets just call it what it is, certain US commercial interests want to deny market share to Kaspersky under the pretext of national security." Even if it did happen, all it means is that NSA subcontractors are terrible at opsec and should be prohibited.

The contract put top secret exploits on his personal computer --- WTF? Additionally Kepersky is not approved for use on top-secret systems. If true this subcontractor is going to be fired and maybe go to jail for mishandling classified material.

0
0
Anonymous Coward

The tag line

is what I regularly say to the wife. It is one of the more useful idiomatic phrases that I have learned.

Essentially it means: don't make a mountain out of a molehill.

3
0
Silver badge

Re: The tag line

It is the wrong tag line. The right tag line would be:

Если бы, да кабы, во рту выросли грибы, так был бы не рот, а целый огород.

Or even better one:

В Америке знешь, клюква у них такая развесистая...

No, I am not going to translate either, they are not translatable as each will take half a page to explain (and the translation will result in a meaningless jumble).

3
4
Silver badge

Re: The tag line

The first one is roughly analogous to: "If my Aunt were a man she would be my Uncle." and assorted other idioms puncturing excuses of the form: "We would have succeeded if not for [something absolutely fundamental]".

The second is an jab at foreigners misconceptions and misrepresentations of Russia, ironically referencing the image of a "towering, majestic Cranberry Tree" when such a thing is an absurdity since cranberries come from small bushes.

8
0
Silver badge

Re: The tag line

>No, I am not going to translate either, they are not translatable as each will take half a page to explain

Not one to turn down a challenge...

Google search and translate are your friends - other search engines and translation services are available. There is a rich seam of resources written by people passionate about making the Russian language more understandable and accessible to native English speakers.

From my research, I would say they are all translatable and more easily translatable than many Japanese sayings, however you are right they all need an explanation of what the literal translation means because they are local sayings or proverbs, and thus are best understood by being translated into your locally equivalent saying/proverb.

4
0
Silver badge

Re: The tag line

"towering, majestic Cranberry Tree"

Good try. What you missed is the history of the phrase. Russian cranberry is a bush half a foot tall (tops), growing in swamps (and very tasty too). American cranberry is different species - it is larger. Hence, when the first Russian colonists came back from what is today Northern California with tales of American cranberries nobody believed their tales about the New World and that is exactly where the "towering majestic Cranberry Tree" etymology from is. It originally stood for "Odious American Bullshit". Over time, the American has dropped out of it and it just stands for Odious Bullshit.

So as you see - your take on the translation failed. It is not just "absurd". The full meaning has American in it - from the days when California had French in the south, Russians in the north and not a yank in sight.

7
0
Anonymous Coward

Re: The tag line

... from the days when California had French in the south, Russians in the north ...

I believe you'll find is was (and in many ways still is) Spanish in the south. The French have mostly puttered about along the east coast - although the French Métis have for a while controlled the trade through most of the Canadian mid-latitudes, coast to coast.

1
0
Silver badge

Re: The tag line

"No, I am not going to translate either, they are not translatable as each will take half a page to explain"

True that. Some of those old proverbs have a long string of cultural (or historical) context attached. Without knowing the context they'd be rather bland.

Second issue: if the proverb relies on a wordplay,it may be nearly impossible to reproduce it in another language. Like this little gem:

"Можно ли хуем дрова колоть?"

"Можно, если хуй дубовый, а дуб хуёвый."

Or this joke that is relying on different uses of word 'чем':

Сидят рядом армянин и грузин.

Армянин бубнит себе под нос: "Армяне лучше чем грузины, армяне лучше чем грузины."

Грузин станет хмурым, но молчит.

Армянин опять: "Армяне лучше чем грузины."

Грузин уже не может вытерпить и орёт: "Ну чем лучше? Чем?!"

"Чем грузины."

/fwiw, apologies to English-speaking readers/

3
0
Silver badge

Re: The tag line

I believe you'll find is was (and in many ways still is) Spanish in the south.

Oh it is. Just during the period I am referring to (from when is this idiom) Spain did not exist as a state. The French have kind'a ... eaten it :) Late 18th early 19th century in fact. After that Russia left the colonies wither to the point where selling Fort Ross to Sutter was not really voluntary. If it was not sold, he (or someone else) would have taken it.

2
0
Anonymous Coward

Let me see if I get this right..

- The US has credible evidence that the Russians have hacked the election: no real action.

- There is credible evidence that their own President has quite serious ties with Russia to the point of handing them intelligence: nah. Not interested.

- There is only an unconfirmed rumour that Kaspersky, who happens to be Russian, allegedly collaborates with Moscow, which would be a major change from not whitelisting *anyone's* spyware (which is probably why they are *really* pissed off): major alert, shut all the networks and have Congressional debates about it.

Boy, they must be smoking some heavy shit over there.

33
2
Silver badge
Big Brother

Re: Let me see if I get this right..

The election and presidency are just show for the benefit of the electorate. An alleged attack on the deep government is serious stuff.

4
0
Silver badge

"The men and women of the US Intelligence Community are patriots;"

That's uncalled for. I have issues with some of the stuff they get up to, but labeling them all vicious scoundrels is going a bit too far.

20
2

There is so much spying going on that you can't really avoid being spied upon. You can only choose who will spy on you by picking either US-made, or Russian-made, or Chinese-made software.

I'd rather be spied upon by foreigners, who have little interest in what I'm doing, than by a domestic government, who has all kinds of legal and illegal powers to do things against me. And this is probably true for most other people too.

Ordinary people in Russia should choose US-made software. And ordinary Americans should choose Russian-made software. This way they would at least be safer from surveillance by their own government.

It all depends on who has the least interest in you.

29
1

In my humble opinion this is the paragraph of the week:

"I'd rather be spied upon by foreigners, who have little interest in what I'm doing, than by a domestic government, who has all kinds of legal and illegal powers to do things against me. And this is probably true for most other people too."

Says much about the state of the UK nowadays...

I'll stick with Kaspersky.

4
0
Silver badge
Black Helicopters

Hiding in Plain Sight

What better way to perform the protracted and resource hogging task of scanning every file on the computer for something of interest, than to hide in plain sight under the guise of an anti-virus application.

Whether or not Kaspersky were responsible in this case, you can guarantee one such application is doing it somewhere.

4
8
Silver badge
Unhappy

More proof that the NSA should stop hoarding exploits...

Yes, I know I am a broken record on this one, but whether or not Kaspersky, Russian intelligence or anyone else was involved, we all get to suffer the consequences of more of the NSA's bag of dirty tricks getting out into the wild.

18
0
Bronze badge

it is unlikely to be a "conspiracy" theory.

I complained to "bitdefender" because with their new enforced fucking "cloud" system, not only can they "snag" files. (never used to happen with the standalone version, which they discontinued)

But they can and DO identify personal information , which is then uploaded to their servers.

Because I have seen my personal information ON their server in the "cloud" log files associated with MY account.

This includes "fullpaths" of any files they consider infected.

So yes totally believable story,, since the guy was working on infection code

AV system identifies "code", then they upload it to do an analysis.

Consider the power of this "tool", you get something from a government agency (spying), file name etc.....

Then you upload a "hash" to a "pet" AV company, the AV company then identifies EVERY computer

the same "hash" appears on.

Great way to "out" spies or people with a connection to a file you are interested in.

Or consider it from a "peado" catching system. get the AV to search the computers of millions of people without a search warrant, just based on "hash" values.

8
4
Silver badge

I complained to "bitdefender" because with their new enforced fucking "cloud" system, not only can they "snag" files. (never used to happen with the standalone version, which they discontinued)

I believe Bitdefender are a UK company. Assuming you're also in the UK invoke your rights under the DPA or, better still, wait till next June & hit them with the new, GPDR-enabled Act. And in the meantime, don't use them. "Cloud" should have been a warning to stop right there.

7
1

Bitdefender is Romanian.

1
0
Bronze badge

Possible ???

Hi,

My interpretation is that this is plausible.

If i wanted to locate people working for a government agency, then i would attempt to access Google analytics systems, to see which phones were located near the location of government installations, and use the relevant data to determine their online identity, and home location too.

The systems collecting data from us are so prevalent and leaky, then why wouldn't you be able to easily locate specific individuals and target them ?

Am i being too naive in thinking it is easy to find this data ?

In 2007 i recall that Nortons Anti Virus was sending my e-mails to their servers before they were downloaded to my e-mail client.

Everyone is at it ???

Regards,

Shadmeister.

5
2
Silver badge

Re: Possible ???

Well given all the location tracking, I wouldn't be surprised if some companies have very good idea of who works and live where... Bring back the Nokia 6310i !

6
0
Silver badge

Re: Possible ???

My interpretation is that the antivirus tool was doing its job.

Contractor takes home "classified code" (specifically, NSA malware) and runs it on his home computer. Security software detects malware behaviour and sends code back to home base for analysis.

That's called "working as expected". The fact that it's being reported as "Kaspersky being nefarious" says more about the current legislative and propaganda agenda than anything else.

It suits everyone to paint Kaspersky specifically as villains because they're fishing for donations from Symantec et al. And it suits the Democrats doubly so, because Kaspersky are Russians and being rabidly anti-Russian is a thing right now for them, because (they've just noticed, apparently) Putin is as big a thug as Trump.

21
0

Re: Possible ???

>>Everyone is at it ???

Of course they are all at it. The difference is that Kaspersky is in Russia - which means they don’t have to comply with secret NSA orders to force them to hand over your data. That is the reason for the USA’s campaign against them.

There is no such thing as data privacy or safety when you start talking about government spies. All of them have some sort of ability to force the companies within their own borders to give up whatever details the government wants without you or I ever knowing about it.

19
0
Anonymous Coward

Re: Possible ???

access Google analytics systems, to see which phones were located near the location of government installations,

Put some coin in Zuckbergs palm and there is an API for you to use entirely at your leisure.

5
0
Anonymous Coward

Re: Possible ???

Putin is as big a thug as Trump.

Putin is competent and gets results. Nothing is quite as scary to a bunch of overpaid, failed, gossiping, and generally useless consultants / political wonks than competent people.

Google wikileaks for the "Pied Piper Strategy" - Hillary's team of Special Brainiacs probably helped Donald Trump more that Putin did!

8
1
Silver badge

Re: Possible ???

"Am i being too naive in thinking it is easy to find this data ?"

No. Our last telecommunications act shifted the ownership of call records from the customers to the telecoms industry. Lots of good data to be mined there. Never mind cell phone locations, if I can get a list of people that call the company switchboard (calling in sick, etc.) I can get a list of employees. And much of this information has moved offshore, beyond the reach of US laws governing sensitive material. When I call the phone company's customer service line, I usually hear a thick Hindi accent.

Anecdote: Back before the Internet was invented by Al Gore, I worked for Boeing. Lots of gov't stuff going on there in addition to commercial aircraft. We had (paper) company phone books which were updated about once every three months. And quite a few people took one home, in case they were off sick and needed to call in. All approved by management. When the new phone books came out, the old ones were just tossed into the trash. At home or at work. Free for the dumpster divers. The phone books had names, company phone numbers and organization/project numbers. So anyone with a keypunch, old school mainframe and time on their hands could have easily reverse engineered the companies entire project assignment structure. Given that we had quite a few domain experts working for us (and the KGB had dossiers on them and their skills as well), it would be pretty easy to figure out if a new group was being assembled for a particular task. And get a good idea whet they were up to. Absolutely no clue as to security on both Boeing's as well as the Pentagon's part.

In a subsequent job, which did involve high level clearances, I was told not to reveal even the name of the company I worked for. My CV is just a black hole for that period.

4
0

Re: Possible ???

When the new phone books came out, the old ones were just tossed into the trash. At home or at work. Free for the dumpster divers.

Kevin Mitnick started his 'hacker's' career that way.

Not that he was a dumpster driver :)

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

The Register - Independent news and views for the tech community. Part of Situation Publishing