back to article WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

The CIA wrote code to impersonate Kaspersky Labs in order to more easily siphon off sensitive data from hack targets, according to leaked intel released by Wikileaks on Thursday. Forged digital certificates were reportedly used to "authenticate" malicious implants developed by the CIA. Wikileaks said: Digital certificates …

  1. macjules

    Standby for another WannaCry.

    As if Saint Julian of BroomCupboard could give a toss.

  2. thames
    Black Helicopters

    FInally the other shoe has dropped

    Now we know why the US government were in a panic to get their own ministries and major businesses to stop using Kaspersky anti-virus. They knew that this was going to become public, and they didn't know if enough was going to be released to allow third parties to do the same thing they had been doing.

    They couldn't give their real reason, as that would be admitting to what they had been doing to an innocent third party. So instead, they had to make vague accusations as justification.

    The Americans have stolen digital certs before, when they physically broke into offices in Taiwan to steal the signing keys belonging to Taiwanese companies to use with Stuxnet.

    It's another example of what seems to be a common pattern. If you want to know what the CIA/NSA/etc have been doing, just look at what they are accusing someone else of doing. It's like when they had been spreading fud about how the Chinese might be hiding spy implants in Huawei networking hardware. They were never able to point to an actual example. It turned out though that it was actually the CIA doing doing it to Cisco gear on a large scale.

    It's certainly something to look out for in future. When the CIA/NSA/etc. start warning about another country doing something but offer no tangible proof, it's time to start looking for their own sticky fingers all over something related to it.

  3. Version 1.0 Silver badge

    Caveat emptor

    Note that the general opinion seems to be that the code released is outdated and no longer in use - it's all been replaced. Some of these toys may look shiny and cause a few little problems but the real actors have all moved on.

    1. phuzz Silver badge
      Facepalm

      Re: Caveat emptor

      And fortunately nobody runs an out-of-date OS, or one that's not fully patched.

      Except about half of the general public of course, but who cares about them eh?

  4. NonSSL-Login

    This release will not lead to another Wannacry like the professor is babbling about as the release is only code for the control centre part of the malware. No exploits, just the front end and communication stuff.

    The media and 'experts' love to make it out to be worse than it is.

  5. Anonymous Coward
    Anonymous Coward

    Alice in Wonderland

    Expert says "Not targetted against Kaspersky" ... how so?

    The US bans Kaspersky for being another agent of the Russian state - with no conclusive evidence that I can identify - evidence is probably a secret. Then it transpires that the CIA are using the tool that they accuse of being a tool for a foreign power, as a tool of a foreign power (if you're not a U.S. citizen) ... truly down the rabbit hole stuff.

    I guess what you can't do is trust whatever any intelligence service says, because if you could, they wouldn't be doing their job.

    1. Old Coot

      down the rabbit hole stuff

      Have a look at the story "Memoirs found in a bathtub" by Stanislas Lem for a satirical look at just how far such a thing might go. Spy vs. spy from Mad Magazine, if you're old enough to remember that.

      1. sitta_europea Silver badge

        Re: down the rabbit hole stuff

        "... Spy vs. spy from Mad Magazine, if you're old enough to remember that."

        I'm even older than that.

        I'm old enough to remember when governments had scruples.

        1. Anonymous Coward
          Anonymous Coward

          Re: down the rabbit hole stuff

          Political-economy is my fave social science and, yes, I don't break it down into the categories/fields. It's all the same from different perspectives. Sorry, I digress. Governments have never had scruples. Ever. It's a shame that so much of the history and analysis of past events are analyzed by the winners. What's worrying is that our present President lacks them entirely. Previous Presidents did have stopping lines. For another example, Teddy Roosevelt.

        2. Mark 85

          Re: down the rabbit hole stuff

          I'm old enough to remember when governments had scruples.

          So you're several thousand years old? I'm not sure any government, ever had scruples.

        3. This post has been deleted by its author

        4. Doctor Syntax Silver badge

          Re: down the rabbit hole stuff

          I'm old enough to remember when governments had could convincingly pretend to have scruples.

          FTFY

        5. mhenriday
          Boffin

          Re: down the rabbit hole stuff

          I'm old enough to remember when governments had scruples.
          Pretty sure you're not that old, sitta europea - the first governments formed several thousands of years ago and which of them ever had scruples ?...

          Or perhaps you meant to write that you were old enough to remember when governments could convince the more naive of their citizens that they had scruples ?...

          Henri

        6. Anonymous Coward
          Anonymous Coward

          Re: down the rabbit hole stuff

          @sitta-europea So, more than 5000 years old then??

    2. katrinab Silver badge

      Re: Alice in Wonderland

      It’s not attacking genuine Kaskersky software, and you are more likely to be affected if you don’t have their AV installed, as it might have a better chance of detecting fake signatures.

  6. John G Imrie

    FTFY

    Independent experts reckon the CIA used Kaspersky because it's a widely known vendor.

    Independent experts reckon the CIA used Kaspersky because it's a Russian vendor.

  7. Spacedinvader
    WTF?

    US Gov - "Do Not Use Kaspersky!"

    because we're faking their certificates...?

  8. Bob Dole (tm)
    Coffee/keyboard

    Another Day Another Lie

    I've been led to the following Truths:

    - If a department in the government of the USA is accusing an external company or country of something - it's because the USA is doing it.

    - If a political party in the USA is accusing the other political party of something - it's because the accuser is neck deep in that thing. Or, it's because they've set the other party up.

    I hope I'm not alone in my complete disgust with the state of my government.

    1. DCFusor

      Re: Another Day Another Lie

      You are hardly alone. The problem is that such a small percentage pay attention to what's going on before it's too late to effect a change. Some could even argue that it's already too late - no doubt the agencies have plenty of dirt on those who write the laws and paychecks already. Or nowadays, can make it up so well no one could tell anyway. If we ever had it, there is now no doubt we've completely lost control of our government by now.

      Personally, I'm tired of having to apologize for being American in my contacts with those who aren't.

      Those of us who are awake and care are too few to do anything. The vast majority don't care yet.

    2. Mark 85

      Re: Another Day Another Lie

      Given the history of the world, you could replace "USA" with any country/government back to pre-civilization. SSDD applies.

      *SSDD -- same shit, different decade.

    3. Ropewash

      Re: Another Day Another Lie

      The government cries out in pain as it strikes you.

      1. Sir Runcible Spoon

        Re: Another Day Another Lie

        Nothing surprising about agencies accusing others of what they are doing themselves, it's just human nature..

        https://en.wikipedia.org/wiki/Psychological_projection

        It's even covered in The Bible..

        "And why beholdest thou the mote that is in thy brother's eye, but considerest not the beam that is in thine own eye?"

        "You therefore have no excuse, you who pass judgment on another. For on whatever grounds you judge the other, you are condemning yourself, because you who pass judgment do the same things."

  9. Anonymous Coward
    Anonymous Coward

    Probably just because they needed a widely used name...

    Yeah, this has nothing to do with how many decades of cold war and the neo-cold war that is starting up again.

    Let's face it the only thing that the Russian's are guilty of is not falling in line in regards to the global agenda the US has laid out. When any government publicly demonizes a foreign nation it's because that foreign nation won't let itself be exploited.

  10. Anonymous Coward
    Anonymous Coward

    HTTPS much?

    Some people want you to believe that when HTTPS is used you're fully secure. Guess not.

    This is exactly one of the reasons why I believe that the pressing for HTTPS by browsers only works counter productive: it creates a false sense of safety while in fact there's no added security at all. In most cases someone already needed physical access to intercept your web traffic, and if they got that then even HTTPS doesn't have to stop them, as we can see here.

    1. patrickstar

      Re: HTTPS much?

      This has nothing to do with browser security. It's the cert used by the backdoor when it's phoning home. If someone tried serving up a HTTPS web site using it, the browser would rightly flag the cert as being invalid.

      The only purpose is to look a bit better if someone sniffs the traffic. Unless you actually verify the cert - which network monitoring tools typically don't - it'll look like it's just a Kaspersky AV product phoning home.

      While I agree that TLS in general and the entire CA security model in particular is fundamentally flawed, unfortunately it's the only universal thing we have for encrypting HTTP traffic for the foreseeable future. Even just using self-signed certs is many, many times better than sending the traffic unencrypted, since at the very least you now need an active attack as opposed to passive traffic sniffing to see it. Plus you get forward secrecy if the proper TLS magic is supported by both parties.

  11. Anonymous Coward
    Anonymous Coward

    USA

    I am so ashamed of my government, I can't even post under my name.

  12. Anonymous Coward
    Anonymous Coward

    Impersonation <> properly signed (by the CA) certificate. How are they getting around this? How are they signing the cert such that client is accepting it without a security warning? Surely that is the most interesting bit here?

    Anyone can issue a cert for any site, getting that cert trusted by the client is the hard bit.

    1. Nick Kew
      WTF?

      Thank you for asking the critical question. Has the CIA infiltrated trust lists such as those of browsers, and/or "real" CAs?

      The followup to your question is, why did El Reg not address it?

  13. Reliance

    Who do you trust?

    Has the CIA admitted or denied the attack?

    Do I have a reason to trust Wikileaks?

    Do I have a reason to trust the CIA?

    Does the CIA have enemies?

    Does Assange have my interests at heart?

    1. Anonymous Coward
      Anonymous Coward

      Re: Who do you trust?

      Trust No One

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like