Russian spies used Kaspersky AV to hack NSA staffer, swipe exploit code – new claim

Russian government spies used Kaspersky Lab software to extract top-secret software exploits from an NSA staffer's home PC, anonymous sources have claimed. The clumsy snoop broke regulations by taking the classified code, documentation, and other materials home to work on using his personal computer, which was running …

  1. Anonymous Coward
    Anonymous Coward

    "It is alleged Kremlin hackers exploited the security package in one way or another to identify those sensitive files and exfiltrate them."

    Even if it's true we know other antivirus packages have also had many known holes. It's only an issue if in some way the hack was enabled because Kaspersky is a Russian company or if Kaspersky actively assisted. Both of which are unlikely imo.

    1. Anonymous Coward
      Anonymous Coward

      This all sounds like more of "a big Ruskie kid did it, and ran away". Because EVERYTHING is the fault of the Russians, these days. And equally NOTHING is ever the fault of the good ole US of A.

      Not that I have any illusions about what a bunch of brutal bastards the Russians are, I have worked there.

      1. mhenriday
        Holmes

        But look, obviously either the Russians did it or the Chinese did, and perhaps it's the Russians' turn this time 'round? After all, nothing that goes wrong in the USA can possibly be due to problems or people native to that Shining City on a Hill....

        Reminds me of an old Japanese saying I learned there more than half a century ago:

        郵便ポストが赤い (The post box is red)

        電信柱が高い (The telephone pole is tall)

        皆僕の悪いです。。。。 (It is all my fault....)

        Henri

    2. Anonymous Coward
      Anonymous Coward

      "It is alleged"

      Err... what is the effing proof.

      It is alleged that CIA never tried to kill Castro. Or any other world leaders. Really. Telling the truth here. Honest. Cross my heart.

      On a more serious note, if Kaspersky AV is the route for this hilarious one-off, then we can assume that all of the USA's state secrets have been swiped by the Chinese 20 times by now. Simply on the basis of prevalence of Chinese-made gadgets vs prevalence of Kaspersky AV.

      1. Cynical Observer
        Headmaster

        Re: "It is alleged"

        It is alleged that CIA never tried to kill Castro. Or any other world leaders. Really. Telling the truth here. Honest. Cross my heart.

        Well played! Casting doubt in the negative to strengthen the positive - which you haven't actually proven to be true.

        It is alleged that you didn't know what you were doing.

        1. Sir Runcible Spoon

          Re: "It is alleged"

          "It is also possible, under Russian law, the Kremlin instructed staff within Kaspersky to hijack the mark's computer and extract its contents. The software maker is denying any wrongdoing."

          So, this sounds very similar to the stuff that the US Gov does to US companies.

          1. Anonymous Coward
            Anonymous Coward

            Re: "It is alleged"

            If the NSA had told companies about their security weaknesses instead of exploiting them then this could have blown up in their faces.

            If they hadn't let someone take home their nasty tool-kit either.....

            And as for this being the bad Russian company... pull the other one, it's got red bells on it!

  2. Donn Bly
    Flame

    FTFY

    The strong ties between Senator Jeanne Shaheen (D-NH) and Kim Jong Un are extremely alarming and have been well documented for some time; it's astounding and deeply concerning that the North Korean government continues to have this tool at their disposal to harm the United States.

    Hey, it is just as well documented as Kaspersky's supposed ties to the Kremlin.

  3. Anonymous Coward
    Facepalm

    US intelligence sources make stuff up..

    "Russian government spies extracted NSA exploits from a US government contractor's home PC using Kaspersky Lab software, anonymous sources have claimed."

    In other words, we're just making this shit up. Let's just call it what it is: certain US commercial interests want to deny market share to Kaspersky under the pretext of national security.

    "The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky's antivirus"

    Listen, no self respecting hacker would keep 'classified code' on a computer connected to the Internet that requires anti-virus software, and no self respecting spook would be caught using Microsoft Windows to do their spying.

    1. Pascal Monett Silver badge

      Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

      Given that almost 90% of all desktops these days are still under Redmond's rule, I don't see how you can realistically avoid using Windows all the time.

      Now, a spook should know better than to use a Windows machine for work, I'd think, but the real problem here stems from the very probable fact that, spook or no, management will be using Windows and management wants their time sheets, planning, expense reports etc done on time. I haven't heard of a lot of Linux versions of the products that handle that, so you'll be most likely using Windows for all that stuff.

      Compound that with the natural human tendency to be lazy - especially in the geek arena - and you have a contractor bringing work from a secure environment to an environment where security is an afterthought, because who wants National Security-level hassle on one's private network? To go on YouTube? Nah, no need.

      Add a zest of overconfidence (I got a super strong password on my wifi router) and willful ignorance (hey, it's me, nobody's interested in what I'm doing anyway) and here we are today, learning that Russia can read stuff on your PC via an anti-virus program.

      The basic mistake here is a contractor leaving the NSA building with confidential documents and no oversight. I work regularly at various client sites (banks, insurance companies, ...) as a contractor; do you have any idea how many places I can slip a USB key in the slot and copy files onto it? Zero. I have complete access to server files, sometimes I even have admin access to the server itself, but USB? Forget it.

      Why is this even possible at a site that is practically the brain of National Security ?

      I don't get it.

      1. Anonymous Coward
        Anonymous Coward

        Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

        "Now, a spook should know better than to use a Windows machine"

        Other options may be worse:

        https://www.theregister.co.uk/2017/01/03/android_tops_2016_vuln_list_with_523_bugs/

        "with 523 vulnerabilities landing a CVE number in 2016, Android carried nearly double the patch-load of Adobe Flash (which had 266 and was number four on the list).

        It's worth noting that while Debian Linux (319 CVEs) and Ubuntu Linux (278 CVEs) landed second and third places"

        1. Anonymous Coward
          Anonymous Coward

          Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

          For the thousandth time, counting CVEs does not indicate relative security levels. Different companies handle them differently. Apple for instance applies for a CVE number for every single issue they find, even those discovered internally. Most companies do not, and only get CVEs assigned for threats found by outsiders. Also, if you find five different issues in a certain module, some companies will have a single CVE assigned, others will have five assigned.

          Finally, Linux has a ton more software included than Windows does. Not only that, but Linux often includes multiple versions (e.g. MySQL, SQLite, and so on...). If you count CVEs in Windows you won't end up counting CVEs found in SQL Server, and if you add those in that's only one SQL package.

          A company that does a good job of looking for and fixing security issues will look relatively worse than one that doesn't do any investigation on its own, and relies only on outsiders to find and report threats.

          Counting CVEs to compare security is sort of like comparing automobile deaths per capita as a way of assessing how safe drivers are in different countries. It completely ignores more important stuff like what percentage of the population drives a car, how many miles the average person drives, the age/safety of the typical car, etc.

          1. Doctor Syntax Silver badge

            Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

            "For the thousandth time, counting CVEs does not indicate relative security levels."

            Doug, there's no point in trying to explain things to A/Cs spouting the MS party line. They're only doing what they're told. You don't expect them to actually understand any of it do you?

        2. Anonymous Coward
          Anonymous Coward

          Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

          .. with 523 vulnerabilities landing a CVE number in 2016, Android carried nearly double the patch-load of Adobe Flash (which had 266 and was number four on the list)

          So, a single program, intended for playing animations and cute cat videos, has managed to rack up more than 50% of vulnerabilities of a complete O/S, including the kernel, UI, as well as full communications and multimedia stacks - so that it can play the said cat video as well. Thank you for reminding me what an utter PoS Flash was.

      2. This post has been deleted by its author

      3. Doctor Syntax Silver badge

        Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

        "the very probable fact that, spook or no, management will be using Windows and management wants their time sheets, planning, expense reports etc done on time. I haven't heard of a lot of Linux versions of the products that handle that, so you'll be most likely using Windows for all that stuff."

        Management should be using what the organisation's security bods specify which, you'd hope, would be something more like OpenBSD. LibreOffice will run quite nicely on BSDs so I can't see any problems with the sorts of management stuff you mention.

        1. MacroRodent

          Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

          > management wants their time sheets, planning, expense reports etc done on time. I haven't heard of a lot of Linux versions of the products that handle that, so you'll be most likely using Windows for all that stuff.

          Stuff of that nature nowadays just presents a web user interface for the users. Unless their designers are total dolts, such interfaces normally also run in the browsers available on Linux and BSD. (OK; in old organizations, such software may be old and Windows-only or need ActiveX controls (yuck!) - but if so, stepping to more modern technology also has other benefits besides making the tools Linux-friendly.)

          1. Anonymous Coward
            Anonymous Coward

            Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

            >Stuff of that nature nowadays just presents a web user interface for the users.

            For timesheets and expenses I still use the Excel spreadsheet - being mobile, I can reliably enter data wherever and whenever it is convenient, also for similar reasons it is much easier to get a printout of the completed expense form (it has to be physically signed and enclosed with receipts).

            My attitude being that thick client apps aren't that difficult to design and build; but that might be because I've spent a large part of my life designing and specifying systems to work in environments where unreliable communications are normal...

            1. MacroRodent

              Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

              > For timesheets and expenses I still use the Excel spreadsheet

              OK. If you prefer that, LibreOffice can do it just as well (and even save the results in an Excel-compatible file). I suppose there may be things that Excel can do and LibreOffice cannot, but adding columns of numbers is not one of them.

      4. Stevie

        Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

        "Given that almost 90% of all desktops these days are still under Redmond's rule, I don't see how you can realistically avoid using Windows all the time."

        Plus, if you are going to write a compromise for Windows (reason: see first clause of quote), best to test it, doncha think?

        I keep telling our clever young things that they are never as clever as they think they are and to measure twice before cutting code. I even have our own very messy crash-and-burn example to point to. But there are a couple just one USB drive from doing something stupid who won't listen.

        Used to be three but one shut his dick in the door last month and now he's gone.

      5. Anonymous Coward
        Anonymous Coward

        Re: "no self respecting spook would be caught using Microsoft Windows to do their spying"

        @pascal and " haven't heard of a lot of Linux versions of the products that handle that"

        Are you suggesting that there are no Linux office/report products, or that you have so little knowledge that you are unaware that they exist?

        Why not instead post "I know this is yet another Windows problem but let's have a go at Linux because that pays your bills"

        These were Windows exploits to be used as weapons by the NSA; if they have been copied by what is clearly considered an enemy power then one would hope that your beloved Microsoft/NSA would be rushing patches out, so removing the issues associated with handing your enemy your weapon. I wouldn't hold my breath though.

        1. This post has been deleted by its author

          1. Anonymous Coward
            Anonymous Coward

            @ soulrideruk

            Funny story, back when BT were running Phorm they were kicking people off their forums for posting the truth about the implications of allowing a company associated with malware access to users' data without their knowledge. A shill posted with his real name and sure enough he listed his Phorm involvement on his LinkedIn profile, where he was boasting of being their marketing droid. After posting a copy of his public LinkedIn profile he attempted to get me banned from the forums; however, since Google had cached it, I was able to prove that after he had deleted his profile the information was in the public domain, and so they had to reinstate my account, for a bit longer anyway.

            As to your bronze badge, I am sure I could have one too but then again I would need to post with my account name which, since I am not a shill actually means something to me. Being as I only have the one

            For those who genuinely want to become a shill and cannot get into marketing otherwise then I suggest setting up your own product review website, post up some bogus replies supporting your opinions and then contact manufacturers asking for products to test and review. One guy I saw on Amazon did just this with his review there being exactly the same as on his website but without the bit where he admitted that he had got the item in exchange for his review. If enough people believe your spiel then advertising and direct bribes are presumably the next step.

            Most people here have, I presume, been around long enough to understand that not every post or review is unbiased and so I would imagine they, like myself, will make their own minds up about what they read.

    2. WorBlux

      Re: US intelligence sources make stuff up..

      "In other words, we're just making this shit up. Let's just call it what it is, certain US commercial interests want to deny market share to Kaspersky under the pretext of national security." Even if it did happen, all it means is that NSA subcontractors are terrible at opsec and should be prohibited.

      The contractor put top secret exploits on his personal computer --- WTF? Additionally Kaspersky is not approved for use on top-secret systems. If true this subcontractor is going to be fired and maybe go to jail for mishandling classified material.

  4. Anonymous Coward
    Anonymous Coward

    The tag line

    is what I regularly say to the wife. It is one of the more useful idiomatic phrases that I have learned.

    Essentially it means: don't make a mountain out of a molehill.

    1. Voland's right hand Silver badge

      Re: The tag line

      It is the wrong tag line. The right tag line would be:

      Если бы, да кабы, во рту выросли грибы, так был бы не рот, а целый огород. (Literally: "If only, if only, mushrooms grew in the mouth, it would not be a mouth but a whole vegetable garden.")

      Or even better one:

      В Америке знаешь, клюква у них такая развесистая... (Literally: "In America, you know, their cranberry is such a spreading one...")

      No, I am not going to translate either, they are not translatable as each will take half a page to explain (and the translation will result in a meaningless jumble).

      1. Lysenko

        Re: The tag line

        The first one is roughly analogous to: "If my Aunt were a man she would be my Uncle." and assorted other idioms puncturing excuses of the form: "We would have succeeded if not for [something absolutely fundamental]".

        The second is a jab at foreigners' misconceptions and misrepresentations of Russia, ironically referencing the image of a "towering, majestic Cranberry Tree" when such a thing is an absurdity since cranberries come from small bushes.

        1. Voland's right hand Silver badge

          Re: The tag line

          "towering, majestic Cranberry Tree"

          Good try. What you missed is the history of the phrase. Russian cranberry is a bush half a foot tall (tops), growing in swamps (and very tasty too). American cranberry is a different species - it is larger. Hence, when the first Russian colonists came back from what is today Northern California with tales of American cranberries nobody believed their tales about the New World, and that is exactly where the "towering majestic Cranberry Tree" etymology comes from. It originally stood for "Odious American Bullshit". Over time, the American has dropped out of it and it just stands for Odious Bullshit.

          So as you see - your take on the translation failed. It is not just "absurd". The full meaning has American in it - from the days when California had French in the south, Russians in the north and not a yank in sight.

          1. Anonymous Coward
            Anonymous Coward

            Re: The tag line

            ... from the days when California had French in the south, Russians in the north ...

            I believe you'll find it was (and in many ways still is) Spanish in the south. The French have mostly puttered about along the east coast - although the French Métis have for a while controlled the trade through most of the Canadian mid-latitudes, coast to coast.

            1. Voland's right hand Silver badge

              Re: The tag line

              I believe you'll find it was (and in many ways still is) Spanish in the south.

              Oh it is. Just during the period I am referring to (which is when this idiom dates from) Spain did not exist as a state. The French have kind'a ... eaten it :) Late 18th, early 19th century in fact. After that Russia let the colonies wither to the point where selling Fort Ross to Sutter was not really voluntary. If it was not sold, he (or someone else) would have taken it.

      2. Roland6 Silver badge

        Re: The tag line

        >No, I am not going to translate either, they are not translatable as each will take half a page to explain

        Not one to turn down a challenge...

        Google search and translate are your friends - other search engines and translation services are available. There is a rich seam of resources written by people passionate about making the Russian language more understandable and accessible to native English speakers.

        From my research, I would say they are all translatable, and more easily translatable than many Japanese sayings; however, you are right that they all need an explanation of what the literal translation means, because they are local sayings or proverbs and thus are best understood by being translated into your locally equivalent saying/proverb.

      3. Solmyr ibn Wali Barad

        Re: The tag line

        "No, I am not going to translate either, they are not translatable as each will take half a page to explain"

        True that. Some of those old proverbs have a long string of cultural (or historical) context attached. Without knowing the context they'd be rather bland.

        Second issue: if the proverb relies on a wordplay, it may be nearly impossible to reproduce it in another language. Like this little gem:

        "Можно ли хуем дрова колоть?" ("Can you split firewood with a dick?")

        "Можно, если хуй дубовый, а дуб хуёвый." ("You can, if the dick is oaken and the oak is lousy." - the pun is that хуёвый, "lousy", is formed from хуй.)

        Or this joke that is relying on different uses of word 'чем':

        Сидят рядом армянин и грузин. (An Armenian and a Georgian are sitting side by side.)

        Армянин бубнит себе под нос: "Армяне лучше чем грузины, армяне лучше чем грузины." (The Armenian mutters under his breath: "Armenians are better than Georgians, Armenians are better than Georgians.")

        Грузин становится хмурым, но молчит. (The Georgian turns sullen, but keeps quiet.)

        Армянин опять: "Армяне лучше чем грузины." (The Armenian again: "Armenians are better than Georgians.")

        Грузин уже не может вытерпеть и орёт: "Ну чем лучше? Чем?!" (The Georgian can't take it any more and yells: "Well, better in what way? In what?!")

        "Чем грузины." ("Than Georgians." - чем means both "in what way" and "than".)

        /fwiw, apologies to English-speaking readers/

  5. Anonymous Coward
    Anonymous Coward

    Let me see if I get this right..

    - The US has credible evidence that the Russians have hacked the election: no real action.

    - There is credible evidence that their own President has quite serious ties with Russia to the point of handing them intelligence: nah. Not interested.

    - There is only an unconfirmed rumour that Kaspersky, who happens to be Russian, allegedly collaborates with Moscow, which would be a major change from not whitelisting *anyone's* spyware (which is probably why they are *really* pissed off): major alert, shut all the networks and have Congressional debates about it.

    Boy, they must be smoking some heavy shit over there.

    1. Paul Hovnanian Silver badge
      Big Brother

      Re: Let me see if I get this right..

      The election and presidency are just show for the benefit of the electorate. An alleged attack on the deep government is serious stuff.

  6. Lysenko

    "The men and women of the US Intelligence Community are patriots;"

    That's uncalled for. I have issues with some of the stuff they get up to, but labeling them all vicious scoundrels is going a bit too far.

  7. Nick Z

    There is so much spying going on that you can't really avoid being spied upon. You can only choose who will spy on you by picking either US-made, or Russian-made, or Chinese-made software.

    I'd rather be spied upon by foreigners, who have little interest in what I'm doing, than by a domestic government, who has all kinds of legal and illegal powers to do things against me. And this is probably true for most other people too.

    Ordinary people in Russia should choose US-made software. And ordinary Americans should choose Russian-made software. This way they would at least be safer from surveillance by their own government.

    It all depends on who has the least interest in you.

    1. Keith 12

      In my humble opinion this is the paragraph of the week:

      "I'd rather be spied upon by foreigners, who have little interest in what I'm doing, than by a domestic government, who has all kinds of legal and illegal powers to do things against me. And this is probably true for most other people too."

      Says much about the state of the UK nowadays...

      I'll stick with Kaspersky.

  8. druck Silver badge
    Black Helicopters

    Hiding in Plain Sight

    What better way to perform the protracted and resource hogging task of scanning every file on the computer for something of interest, than to hide in plain sight under the guise of an anti-virus application.

    Whether or not Kaspersky were responsible in this case, you can guarantee one such application is doing it somewhere.

  9. Anonymous Coward
    Unhappy

    More proof that the NSA should stop hoarding exploits...

    Yes, I know I am a broken record on this one, but whether or not Kaspersky, Russian intelligence or anyone else was involved, we all get to suffer the consequences of more of the NSA's bag of dirty tricks getting out into the wild.

  10. razorfishsl

    It is unlikely to be a "conspiracy" theory.

    I complained to "Bitdefender" because with their new enforced fucking "cloud" system, not only can they "snag" files (never used to happen with the standalone version, which they discontinued),

    But they can and DO identify personal information, which is then uploaded to their servers.

    Because I have seen my personal information ON their server in the "cloud" log files associated with MY account.

    This includes "full paths" of any files they consider infected.

    So yes, totally believable story, since the guy was working on infection code.

    AV system identifies "code", then they upload it to do an analysis.

    Consider the power of this "tool": you get something from a government agency (spying), file name etc.....

    Then you upload a "hash" to a "pet" AV company, and the AV company then identifies EVERY computer the same "hash" appears on.

    Great way to "out" spies or people with a connection to a file you are interested in.

    Or consider it from a "paedo" catching system: get the AV to search the computers of millions of people without a search warrant, just based on "hash" values.

    1. Doctor Syntax Silver badge

      I complained to "Bitdefender" because with their new enforced fucking "cloud" system, not only can they "snag" files. (never used to happen with the standalone version, which they discontinued)

      I believe Bitdefender are a UK company. Assuming you're also in the UK, invoke your rights under the DPA or, better still, wait till next June & hit them with the new, GDPR-enabled Act. And in the meantime, don't use them. "Cloud" should have been a warning to stop right there.

      1. Mahhn

        Bitdefender is Romanian.

  11. This post has been deleted by its author

    1. Roland6 Silver badge

      Re: Possible ???

      Well, given all the location tracking, I wouldn't be surprised if some companies have a very good idea of who works and lives where... Bring back the Nokia 6310i!

    2. veti Silver badge

      Re: Possible ???

      My interpretation is that the antivirus tool was doing its job.

      Contractor takes home "classified code" (specifically, NSA malware) and runs it on his home computer. Security software detects malware behaviour and sends code back to home base for analysis.

      That's called "working as expected". The fact that it's being reported as "Kaspersky being nefarious" says more about the current legislative and propaganda agenda than anything else.

      It suits everyone to paint Kaspersky specifically as villains because they're fishing for donations from Symantec et al. And it suits the Democrats doubly so, because Kaspersky are Russians and being rabidly anti-Russian is a thing right now for them, because (they've just noticed, apparently) Putin is as big a thug as Trump.

      1. Anonymous Coward
        Anonymous Coward

        Re: Possible ???

        Putin is as big a thug as Trump.

        Putin is competent and gets results. Nothing is quite as scary to a bunch of overpaid, failed, gossiping, and generally useless consultants / political wonks than competent people.

        Google wikileaks for the "Pied Piper Strategy" - Hillary's team of Special Brainiacs probably helped Donald Trump more than Putin did!

    3. Bob Dole (tm)

      Re: Possible ???

      >>Everyone is at it ???

      Of course they are all at it. The difference is that Kaspersky is in Russia - which means they don’t have to comply with secret NSA orders to force them to hand over your data. That is the reason for the USA’s campaign against them.

      There is no such thing as data privacy or safety when you start talking about government spies. All of them have some sort of ability to force the companies within their own borders to give up whatever details the government wants without you or I ever knowing about it.

    4. Anonymous Coward
      Anonymous Coward

      Re: Possible ???

      access Google analytics systems, to see which phones were located near the location of government installations,

      Put some coin in Zuckerberg's palm and there is an API for you to use entirely at your leisure.

    5. Paul Hovnanian Silver badge

      Re: Possible ???

      "Am i being too naive in thinking it is easy to find this data ?"

      No. Our last telecommunications act shifted the ownership of call records from the customers to the telecoms industry. Lots of good data to be mined there. Never mind cell phone locations, if I can get a list of people that call the company switchboard (calling in sick, etc.) I can get a list of employees. And much of this information has moved offshore, beyond the reach of US laws governing sensitive material. When I call the phone company's customer service line, I usually hear a thick Hindi accent.

      Anecdote: Back before the Internet was invented by Al Gore, I worked for Boeing. Lots of gov't stuff going on there in addition to commercial aircraft. We had (paper) company phone books which were updated about once every three months. And quite a few people took one home, in case they were off sick and needed to call in. All approved by management. When the new phone books came out, the old ones were just tossed into the trash. At home or at work. Free for the dumpster divers. The phone books had names, company phone numbers and organization/project numbers. So anyone with a keypunch, old school mainframe and time on their hands could have easily reverse engineered the company's entire project assignment structure. Given that we had quite a few domain experts working for us (and the KGB had dossiers on them and their skills as well), it would be pretty easy to figure out if a new group was being assembled for a particular task. And get a good idea what they were up to. Absolutely no clue as to security on both Boeing's as well as the Pentagon's part.

      In a subsequent job, which did involve high level clearances, I was told not to reveal even the name of the company I worked for. My CV is just a black hole for that period.

      1. Honest Scoundrel

        Re: Possible ???

        When the new phone books came out, the old ones were just tossed into the trash. At home or at work. Free for the dumpster divers.

        Kevin Mitnick started his 'hacker's' career that way.

        Not that he was a dumpster driver :)

  12. pomegranate

    Who leaked the leak?

    The Wall Street Journal chose to publish information about the NSA's knowledge of the FSA's acquisition of specific secrets, and of the method they used.

    Whether or not the anonymous people who leaked this are telling the truth, the Wall Street Journal editors are responsible for the consequences.

    Not only that, but the anonymous leakers who gave this info to the press have chosen to undermine the NSA secrecy. To harm the NSA? To retroactively the security efforts of the Obama administration? To punish Kaspersky?

    Whatever the reason, it's insufficient justification. We seem to be engaged in a tail-recursive divide-and-conquer strategy.

  13. Anonymous Coward
    Anonymous Coward

    I agree with ‘what’s her name’ declassify what they have against Kaspersky, because this ‘he said, she said’ crap is annoying.

    I do think Kaspersky ‘flashing’ their source code to everyone is a problem. Especially, when it’s just to govt spies rather than the entire security community.

    1. Orv Silver badge

      Source code doesn't really prove anything unless you can compile it and demonstrate the compiled version is binary-identical to the shipped one. Even that method has its downfalls -- see also "Reflections On Trusting Trust" by Ken Thompson.

      1. Roland6 Silver badge

        And all the methods fall down in this case, as the issue as people had noted isn't necessarily a 'trojan' in the source code, but the use of a system to detect particular files and upload them.

        I suspect many Cloud AV products can be commanded on seeing a particular file signature to upload the associated file and suspect that this legitimate operation can be misused by a piece of shell script in the AV Cloud to request the client to upload all files:

        While Client finds files to hash Do

        Client to Cloud: Here's a file hash

        Cloud to Client: Please upload file for deeper inspection

        Enddo

    2. Bob Dole (tm)

      >> I agree with ‘what’s her name’ declassify what they have against Kaspersky, because this ‘he said, she said’ crap is annoying.

      That’ll never happen. For two possible reasons. The first is that they don’t actually have any evidence and this is just an easy way to trash the name of a company that won’t play ball with the NSA. The second reason is that - if it actually is true - they wouldn’t want to make public any details that could possibly be used to determine how that information got out.

      From the NSA’s perspective this type of “anonymous” leak is perfect.

  14. DCFusor
    Unhappy

    This is stupid

    The leak is the guy who stole the stuff from work and brought it home, against the law.

    Now they want to blame someone else? Maybe it was Kaspersky this time, maybe next time it's some other AV or a hack, maybe even one written by "our boys in the alphabet".

    Blame shifting - they are themselves to blame for mishandling their secrets, a goodly portion of which probably should never have been created - by them, we can remember - in the first place.

    They're always whining that national security is harmed by this. In fact, it's their reputation being harmed, and their rice bowl is under threat. They themselves are a bigger threat to my and most other people's security than the Russians or Chinese are. We know it already - See FISA rubber stamping everything.

    See their own leaks. OPM...did the Russians do Deloitte? A simple cross reference there would point out who's good to be bribed. It's the guys who collect all this crap on us that are risking our safety and security - they're leakier than a gossipy old lady with nothing better to do.

  15. doug_bostrom

    It would be nice to believe Kaspersky's strident denials. But: given that in other arenas there is virtually no separation between the Russian government objectives and "private" enterprise, with private enterprise alternately stroked and smacked by the government depending on requirements and the level of enthusiasm for government shown by private enterprise, how likely is it that Kaspersky exists in a magic bubble, strangely immune to threats of "taxation problems" and all the other useful levers available to the government?

    1. tom dial Silver badge

      Those who are quick to accuse US AV providers of being NSA tools often seem as quick, or nearly so, to dismiss the possibility that Kaspersky stands in quite the same relation to the Russian FAPSI.

      1. Roo
        Windows

        "Those who are quick to accuse US AV providers of being NSA tools"... Are wrong, because AV providers are in fact just tools.

    2. This post has been deleted by its author

  16. Anonymous Coward
    Anonymous Coward

    FAKE NEWS

    NEWS IS FAKE

    - Vladimir

  17. Anonymous Coward
    Anonymous Coward

    Something to Consider

    Selling a cure for a problem you created is an old political ploy that still works quite well. It is a tactic well suited for situations where a government or a government agency wants new or greater powers.

  18. JakeMS
    Black Helicopters

    Irony?

    Okay so..

    NSA in cooperation with the United States creates dangerous exploits in software which can be used to exploit hundreds of computers.

    The NSA store these exploits instead of getting them fixed without telling anyone and allow employees to take them home for use on their personal computers.

    Russia obtains said exploits from an NSA worker's personal computer - NSA say this is bad as a foreign security agency should not be allowed or able to use such exploits as it poses a serious security risk to hundreds of computers.

    America blames Russia and a Russian company for these exploits becoming exploitable against any company world-wide.

    Surely all this could have been avoided if the NSA had simply had the exploits fixed instead of storing them? I mean they are a security agency right? Wouldn't that be in their interest?

    In my opinion NSA keeps the blame, it was them after all who are/was using them for malicious purposes instead of fixing them. They are no better than Russia.

    Being American doesn't make you exempt from being a bad guy and it doesn't make you any better than any other spying agency.

    How many Russian computers have NSA exploited to steal Russian found exploits? Heck some of the stolen exploits could have originated from Russia anyway as NSA may have lifted them from a Russian computer using their other exploits.

  19. Anonymous Coward
    Anonymous Coward

    I'm still trying to work out what the problem is here?

    The software did its job, it spotted something malicious and took it for further inspection.

    What exactly did they expect it to do?

    Moral of the story: Don't put all your eggs in one basket containing an egg checker.

  20. Anonymous Coward
    Boffin

    Get real

    Same reason we won't use Checkpoint, back doored by Mossad.

  21. jimdandy

    Eh, what? Dids't thou bring to the table a truly anointed pig? Or did yon fuggering of the world bring us only a joint or two of recently roasted hog?

    Bugger and fugger as you will, the reality of online "life" will continue to be a sham and a shadow of the real world. The actual knives and cutlasses in this world will continue to cross, slash, and occasionally stab a few of their enemies/friends.

    It is only when that kid's game of Zork actually runs the world that we will all be subject to a sad and lifeless chance to pick an avatar, one who may actually give us (or leave to us) a chance to play the game.

    Life is not a game, no matter what the Children of the Corn think.

    All you dumbasses who think that Life is but a Game, are about to find out that Life will not only bite you in the ass, but take away your families and your loved ones, all in the name of the game.

  22. Anonymous Coward
    Anonymous Coward

    The Russians ate my homework

    "The clumsy snoop broke regulations by taking the classified code, documentation and other materials home to work on using his personal computer, which was running Kaspersky's antivirus, sources told the Wall Street Journal".

    Given the known reliability of the WSJ and its anonymous "sources", we can be quite sure that all this is entirely true.

    What it shows, I suppose, is that the NSA is utterly incompetent and shouldn't be entrusted with the security of a whelk stall.

    And I am always mildly surprised when I am told that people who proved so incompetent that they couldn't prevent their software from being hacked nevertheless are clever enough to know exactly who did the hacking.

    1. Anonymous Coward
      Anonymous Coward

      Re: The Russians ate my homework

      The US spooks were probably testing their exploits against various AV as they have to in order to use them in the wild, they failed to hide it from Kaspersky, or a recent update of same. The bit about the guy taking it home is probably WSJ (written salacious junk) used to detract readers.

      Not sure if the US news sources are aiming specifically at low IQ's or they really believe this stuff (or both).

      1. Roland6 Silver badge

        Re: The Russians ate my homework

        >The US spooks were probably testing their exploits against various AV as they have to in order to use them in the wild

        You've picked up a rather important point. I discover an exploit - how do I determine if it really is an undiscovered and thus viable zero day exploit?

        There is only one way, to try the exploit on other computers running various security suites. In the (recent) past, such suites used a local DB, hence if my exploit isn't blocked and/or detected then I'm potentially good to go and I've not accidentally alerted anyone to my finding and work. I may rerun the tests at regular intervals, just to confirm the exploit is still 'undiscovered'.

        Today however, with online security suites, the first thing a local AV will do is to obtain a hash of my exploit file and upload it; on discovering that it is new, the next action will be to upload the complete executable for deeper inspection.

        Thus it would not surprise me, if it was discovered that various cloud services already contain hashes and perhaps archived example executables of "top secret" NSA exploits; just that there has been nothing to cause them to be flagged.

        However, by combining metadata from the security upload, specifically IP address and system id, with metadata from other sources, I suspect it would be possible to identify through the known exploits many as yet unknown exploits and thus raise the flag on these currently hidden trojans...

        I would assume that NSA would have thought of the above and more and hence it has influenced the final rationale for banning Kaspersky from government systems. Interestingly, it also means the US government can't use any security software whose cloud service is outside of the US and thus accessible to foreign agencies...
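        A toy simulation of the hash-then-upload loop Roland6 sketches in his earlier comment ("Client to Cloud: Here's a file hash" / "Cloud to Client: Please upload file") and of the cloud service behaviour described in this one. This is an added example, not code from the thread or from any AV vendor; the sample files, the honest and "greedy" cloud services and the client-side upload policy are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample files for the simulation: name -> bytes.
SAMPLE_FILES = {
    "tool.exe": b"MZ\x90\x00constructed-sample-1",
    "helper.dll": b"MZ\x90\x00constructed-sample-2",
    "driver.sys": b"MZ\x90\x00constructed-sample-3",
    "notes.docx": b"PK\x03\x04constructed-document",
    "known.exe": b"MZ\x90\x00already-seen-binary",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CloudService:
    """Honest cloud side: asks for a sample only when the hash is new to it."""

    def __init__(self, known_hashes):
        self.known = set(known_hashes)
        self.received = {}  # digest -> bytes the client actually sent

    def check(self, digest: str) -> str:
        return "known" if digest in self.known else "upload"

    def receive(self, digest: str, data: bytes) -> None:
        self.received[digest] = data
        self.known.add(digest)


class GreedyCloud(CloudService):
    """Cloud side that answers 'upload' to every hash, i.e. the misuse
    Roland6 describes: a legitimate mechanism driven to collect everything."""

    def check(self, digest: str) -> str:
        return "upload"


@dataclass
class UploadPolicy:
    """Client-side limits that hold regardless of what the cloud asks for."""
    max_uploads_per_scan: int = 3
    max_bytes: int = 1024
    allowed_suffixes: tuple = (".exe", ".dll", ".sys")


@dataclass
class ScanReport:
    uploaded: list = field(default_factory=list)
    refused: list = field(default_factory=list)   # (name, reason)
    log: list = field(default_factory=list)       # audit trail for the operator
    checked: int = 0                               # hashes sent to the cloud
    requested: int = 0                             # times the cloud said "upload"


class Client:
    def __init__(self, cloud: CloudService, policy: UploadPolicy):
        self.cloud = cloud
        self.policy = policy

    def scan(self, files: dict) -> ScanReport:
        report = ScanReport()
        uploads = 0
        for name, data in files.items():
            digest = sha256(data)
            verdict = self.cloud.check(digest)        # Client -> Cloud: here's a hash
            report.checked += 1
            report.log.append(f"{name} {digest[:12]} -> {verdict}")
            if verdict != "upload":
                continue
            report.requested += 1                     # Cloud -> Client: please upload
            reason = self._refusal_reason(name, data, uploads)
            if reason:
                report.refused.append((name, reason))
                report.log.append(f"REFUSED upload of {name}: {reason}")
                continue
            self.cloud.receive(digest, data)
            uploads += 1
            report.uploaded.append(name)
        return report

    def _refusal_reason(self, name: str, data: bytes, uploads: int):
        p = self.policy
        if not name.endswith(p.allowed_suffixes):
            return "file type not eligible for sample submission"
        if len(data) > p.max_bytes:
            return "file larger than submission limit"
        if uploads >= p.max_uploads_per_scan:
            return "per-scan upload quota exhausted"
        return None


def run_demo():
    """Same files, same policy, once against an honest cloud and once against
    a greedy one; the gap between requested and uploaded is the signal."""
    known = {sha256(SAMPLE_FILES["helper.dll"]), sha256(SAMPLE_FILES["known.exe"])}
    honest = Client(CloudService(known), UploadPolicy()).scan(SAMPLE_FILES)
    greedy = Client(GreedyCloud(known), UploadPolicy()).scan(SAMPLE_FILES)
    return honest, greedy
```

        Against the honest service only the three unseen binaries trigger an upload request; against the greedy one every hash does, and the client's own quota and type filter, not the cloud, decide what actually leaves the machine, with the refusals left in the log for the operator to notice.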

        1. An nonymous Cowerd

          Re: The Russians ate my homework

          Yes R6, the famous room with 43 pc's running all versions of all available AV, tweak your code till it passes then Whooooosh . . . quickly deploy that cryptolocker apparently from criminalz.

          But if any particular vendor-Z is now vendor-non-grata in country X (because vendor-Z's cloud-based Structured Threat Information expressions can potentially catch Malware Y)

          this implies a few further things,

          a) those paranoid should orthogonally run both CIA & KGB based threat detection (as was always suggested) &

          b) if country X is banning vendor-Z AV from being widely deployed in country X, then just who is country X aiming their malware at? who is their target! Eh?

      2. Florida1920

        Re: The Russians ate my homework

        @Powernumpty

        The bit about the guy taking it home is probably WSJ (written salacious junk) used to detract readers.

        Use the "media" to propagandize the people? Back in the late 60s, when Nixon was president, he was known to be on good terms with the publisher of Readers Digest, which you'd hardly have called liberal or progressive. Yet, during that same time, before Nixon resigned in disgrace, RD ran several "true story" articles about how the Internal Revenue Service had destroyed peoples' lives over innocent mistakes on their tax returns. Oh, those horrible IRS agents! People lost EVERYTHING!

        My friends said I was a paranoid delusional for thinking RD was publishing those "true stories" to scare people into not cheating one cent on their taxes.

        The greatest trick the Devil ever pulled was to convince the world he didn't exist.

  23. Doctor Syntax Silver badge

    "The Washington Post says the contractor ... worked for the NSA's ace hacking team"

    As I posted in another thread, it just shows that the attackers aren't good at defending. If you want good advice about defence don't take it from your attack team. What do the attack team advise? Back doors.

    1. Anonymous Coward
      Anonymous Coward

      That's a mighty broad brush you're sweeping with there. I have some certification and experience in the attack side of things, and also the same from the blue arena, and I have never ever advocated back dooring anything. In fact I've worked to have them removed from bits of infrastructure and devices in the past when others were wondering "why don't we repurpose that..." I carefully explain to them that if I put a backdoor into something that can be used but makes my life easier, so can anyone else, and they can also use mine if they find it. Post test exploit cleanup should always remove all of your tools and code used to perform the exploitation leaving nothing behind to indicate you were there.

      I don't think anyone really competent down in the trenches with the right amount of experience thinks it's a good idea, it's just someone's idea to save effort higher up.

  24. Anonymous Coward
    Anonymous Coward

    This just goes to show no matter how strong your passwords, up to date your OS patches etc your data is only ever as secure as the people who are accessing it. If you're going to allow it to be put onto a USB stick it IS going to leave your premises. I used to work at a place that used to check people in and out with metal detectors to try and stop anyone taking out unauthorised items. The amount of stuff you could get out was astonishing as the security staff were low paid and had to deal with 100s of people in and out at the same time. They would just take your word that it was your belt buckle or loose change that set off the detector. This was in the days when a 1GB USB memory stick was as big as you could get and now you can fit 400GB on a micro SD card which would be very easy to hide and you could liberate years' worth of data at a time.

  25. Cuddles

    Not much of a denial

    "Kaspersky Lab has not been provided any evidence substantiating the company’s involvement"

    "does not have inappropriate ties to any government"

    "similar levels of access and privileges to the systems they protect as any other popular security vendor"

    In other words, yes, they absolutely were involved. They don't even try to deny it - "you haven't shown us how you know we did it" does not even come close to denying having done it, while "similar levels of access as everyone else" and "no "inappropriate" ties" is simply pointing out that everyone else does exactly the same. It makes the news quite a bit that the US government demands lots of information from the likes of Google, Facebook and ISPs, but you'd have to be pretty special to believe that other governments aren't doing exactly the same, or that other companies with useful information aren't also targeted.

  26. scrubber

    Regardless of Veracity of Russian Involvement

    I sure am glad the NSA (and GCHQ) keep these vulnerabilities secret rather than getting the hardware and software companies to patch their systems, makes me feel much more secure.

  27. trisul

    Complicit

    "It's likely that the Kaspersky detection of NSA tools was somehow responsible for FSB targeting the contractor's home computer, but it doesn't mean the company was complicit,"

    Except that Kaspersky detects NSA tools in the wild, but does not detect FSB tools in the wild.

    Come on people, let's be realistic about this, for all practical purposes Kaspersky IS FSB, just as the Russian Mafia IS Putin, although they are both formally separate and unrelated.

    1. Anonymous Coward
      Anonymous Coward

      Re: Complicit

      I prefer to be spied upon by the Russians and the Chinese, it is much safer: Because they won't have me extradited to a secret rubber-hosing facility over "terrorism", they can't put me on no-fly lists, they can't seize my assets or interrupt SWIFT transfers, they won't drone my house over me getting the old mobile number of that Kebab-shop dude that went to Syria, they won't send their rent-boys in my local law enforcement to impress tact and decency on me over something I said -- and so on and so forth.

      Putin, Russia and China have so few powers regarding "normal people", living outside China and Russia's influence, that it hardly matters to anyone what they do.

      If they screw over the NSA, of the DOD it has Zero impact on anyone except the people with eggs on their faces.

      1. Anonymous Coward
        Anonymous Coward

        Re: Complicit

        Oh? What about steal your secrets so as to steal your business via fronts and shills?

        1. Anonymous Coward
          Anonymous Coward

          Re: Complicit

          The vastly bigger threat to any business comes from local scammers a.k.a: de-regulated financial services and metrics-driven policing, meaning when one does get ripped off, police will do fuck all about any of it because the "resources per conviction" persecuting fraud screws up their KPI's!

          1. Charles 9

            Re: Complicit

            What makes you think the local guys aren't just fronts for the foreign ones, though?

            As for the police, what about threatening to vote in a new city council to clean them up if they won't cooperate?

  28. Richard Wharram

    Wouldn't surprise me either way

    Maybe Kaspersky was a knowing actor in this under their obligations as a Russian company or maybe not. It wouldn't be that hard for the FSB to get hold of it without Kaspersky's help. The big issue is the contractor moving highly sensitive info onto their personal laptop on a personal internet connection. Software that dials home of any origin is just the icing on the cake. A determined foreign agency could have found a way to get that info in some manner. That's the problem.

    I'm not sure what they hope to gain by washing dirty laundry in public.

  29. Alistair
    Windows

    Having grown up through the 70's I recall the "OMG Japanese car makers" shit

    1. Richard Wharram

      I remember stuff like that used to get referred to as Jap-crap.

      Ironic when you consider the quality of British cars in the 70s.

  30. FIA Silver badge

    So....

    What it boils down to is if you want the NSA's secrets you bribe a contractor?

    This is the third leak in recent history isn't it? All of them carried out by contractors; in this case a contractor hired to clear up after that contractor that nicked all the shit.

    Whilst my hacking skills aren't up to much I do offer an excellent contracted barn door repair service if the NSA are still hiring.

  31. JaitcH
    Thumb Down

    Name One Reason Why The NSA, US Government or The WSJ (Murdoch) Should Be . . .

    believed? The whole bunch are totally untrustworthy. Even the Orange Dotard in the White House gave away Israeli intelligence to the Russians.

    The Wall Street Journal, of all newspapers, is the least trustworthy and simply spreads propaganda that suits that senile Murdoch.

    If the USA is too cheap to employ its own security employees, rather than using commercial entities, it has only itself to blame.

    Kaspersky Lab has previously done excellent malware research and published its findings widely. Why, all of a sudden, should Kaspersky do things that could damage its reputation?

    This is just another attempt by the US government to bring business back to the USA rather than having foreign entities make profits.

    1. Charles 9

      Re: Name One Reason Why The NSA, US Government or The WSJ (Murdoch) Should Be . . .

      "Why, all of a sudden, should Kaspersky do things that could damage its reputation?"

      Because this time the Russian state is involved, and you don't say no to them, especially if you LIVE there. That includes denying denials if necessary.

  32. Rob D.
    Thumb Down

    So little evidence, so little time to investigate

    Since when did El Reg become a mouthpiece for the unquestioning propagation of the US political agenda?

    I wouldn't trust Russia as far as I could throw Lavrov and Kislyak at the same time, but rather than serving up a toilet-paper thin excuse for Russian bashing why not go investigate a bit, get some facts and come back with a story.

  33. oneeye

    It's a Matter of Integrity

    If Kaspersky was playing fair, then where are all its discoveries of Russian Malware?

    I've researched this issue several times in the past. And I have never found one single time where Kaspersky broke the news about Russian Malware. They have always written about it after the fact, as others have been the ones to make these disclosures. So, I don't see why people are defending them, unless, they just hate the US that much. Which, most only show their hypocrisy, and lack of self-awareness. All I'm saying is, that Kaspersky lacks a certain credibility in this struggle between two countries. And that alone, is cause for concerns.

    Now, if Kaspersky were located outside either country, or reported on Russia as much as US intelligence works, then, he might have saved himself from the wrath of those he tattled on. Did he think it smart to expose US Intel publicly, without privately disclosing first, what he discovered? Isn't that how it usually is done with others?

    And escalation is only going to make it harder to detect these Intel intrusions. Because, they will be forced to up their game out of necessity.

    1. Mahhn

      Re: It's a Matter of Integrity

      are you kidding? at least 1/4 of the banking malware and crypto lockers they've busted were Russian. You've done no homework.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a Matter of Integrity

        PROVABLY Russian...or possible False Flags to pin the blame on Russia?

    2. This post has been deleted by its author

  34. Mahhn

    They outed Russian spyware redoctober.

  35. Aodhhan

    Wow... a lot of ignorance.

    Just because the file was on his home system doesn't mean he was actively using it.

    Show of hand all you developers...

    How many of you have taken any of your work coding home so you can...

    ...reference from it in the future?

    ...keep a copy of 'your' work to show prospective employers?

    ...collect work you're especially proud of?

    ....etc.?

    Yep, about what I thought, 100%

    Just because someone works for the government, doesn't mean they're intelligent. Just Google, Hillary Clinton.

  36. Florida1920
    Alert

    Meanwhile

    Fox News reported today that Russian agents got an American NSA contractor drunk, causing the contractor to divulge Top Secret information regarding Trump's tax cheating American security. Sen. Mitch McDufus (R-KY) immediately called on congress to ban the importation of Russian vodka. "The Russian distilling industry is out to destroy our kleptocracy democracy!," McDufus exclaimed.

    "Besides," he went on, "If Americans want to get drunk and spill secrets, there's plenty of Kentucky bourbon to go around."

  37. nerfdump
    Holmes

    Pre-US election Kaspersky malware infection

    Has anyone else found Kaspersky system drivers on their pc, or a client's, installed covertly and not as part of any software package dated to October last year? I've never used Kaspersky so I'm wondering how they ended up on my pc a month before the US election.

    I started having BSOD crashes recently due to klflt.sys, part of 'System Interceptors PDK' a Kaspersky product, and upon investigation found several other Kaspersky files in my Windows/System 32/Drivers folder like klim.sys, klif.sys, and klim6.sys. Ironically the Kaspersky removal tool for Endpoint Security managed to delete them under safe mode. No more BSODs.

    Then I read the NSA story and now I'm wondering how many computers have Kaspersky covertly installed their software onto? Am I justifiably paranoid or just paranoid?

    1. This post has been deleted by its author

    2. This post has been deleted by its author

    3. Destroy All Monsters Silver badge

      Re: Pre-US election Kaspersky malware infection

      Then I read the NSA story and now I'm wondering how many computers have Kaspersky covertly installed their software onto? Am I justifiably paranoid or just paranoid?

      No you are using Windows.

  38. This post has been deleted by its author

  39. This post has been deleted by its author

    1. Destroy All Monsters Silver badge

      Re: Oh those NASTY Russians!

      Enough said.

      Not yet. You still need to show the click-through rates to the advertisers. Then you profit.

  40. Destroy All Monsters Silver badge
    Windows

    Anti-Russky Discrimination is starting to become a thing now

    But the NYT is ok with this as it's not anti-${GOODETHNICITY}:

    Via It's Avigdor Lieberman's World ...

    From the NYT … With news of the hacking and influence campaigns escalating all year, the Russian immigrant community of Silicon Valley, which numbers in the tens of thousands, is in a strange new position. Some Russian venture capitalists said start-ups were more wary about taking their funding, while several Russian-born engineers said they were being treated differently socially and in their companies. Lawyers also said some tech firms were installing tighter security measures restricting what data foreign-born coders can see.

  41. Destroy All Monsters Silver badge
    Big Brother

    Another Russia Story. Pavlovian Dog Training. The Dog is you btw.

    We have reached levels of government/nepotistic-capitalistic incompetence and cravenness unheard of since the good old times of Caligula. That gaslighting packages are being dumped on the public, whose IQ levels seem to be steadily declining if they haven't been hoovered up totally into "mobile phones". This series of packages just happens to have Russian flag stickers all over it, directly from unnamed TLA sources to the "journalist/pravdaist" desk. It's then repeated ad nauseam by churnalists, twitter-ratties and assorted riffraff.

    It will be over soon and we don't even have a Mustapha Mond type guy actually running the idiobot show from behind the curtained office.

    Go ahead, El Reg. "Curate" this comment.

  42. rchop

    Kaspersky Independent of any Government?

    A highly successful Russian company that is immune to Putin's control? Seriously?

    And the problem with ANY comment that is favorable to Kaspersky is that it could be Russians paid to back whatever Putin wants people to think. To paraphrase a famous quote: "on the internet no one can tell you are a dog (or a Russian (or Chinese) for that matter)". The problem with Russian (and Chinese) successes in cyber warfare against the West is that it brings doubt to EVERYTHING anyone says on the internet. Those using the internet can be divided into two camps; those who take what they read online at face value and those who now doubt the validity of anything they read. If the internet is a world group mind, at this stage, Russians (and other parties waging cyber warfare) are driving that group mind crazy.
