Honestly evaluating the Kaspersky debate

Rendition Infosec is a zero-FUD (fear, uncertainty, and doubt) firm.  We pride ourselves on offering balanced, honest views to our clients and the general public. So far, Rendition has posted on the Kaspersky debate twice.  In the first post, Rendition educated the public on why a software audit would not address the fears raised by the Senate.  The second post explained the damage that any antivirus software could perform in a network if its operation were taken over by a foreign government.  The second post is about more than just Kaspsersky – as Rendition made clear in the post, it could apply to any antivirus software.

Bloomberg’s reports previously unknown Kaspersky involvement with Russian government

Yesterday, Bloomberg wrote an article claiming that Kaspersky is far deeper involved with Russian intelligence than was publicly known.  At Rendition, we think parts of that reporting were careless, especially the interpretation of the words “active countermeasures.”  “Active countermeasures” is not an industry standard term, a pet peeve of Rendition’s founder Jake Williams, who has spoken on the topic at various industry events.  Bloomberg took the phrase “active countermeasures” to mean the following.

“Active countermeasures is a term of art among security professionals, often referring to hacking the hackers, or shutting down their computers with malware or other tricks.

We know of no such standard definition for “active countermeasures.”  Even if Bloomberg got this definition from an infosec expert, any expert worth quoting would have told Bloomberg that their definition was one of many and not “generally accepted” by the community.  That this wasn’t reported makes the whole article reek of bias – where there’s smoke, there’s usually fire.

Kaspersky responds to Bloomberg

Eugene Kaspersky posted a retort that addresses the Bloomberg article point by point. Kaspersky calls out some of the obvious problems with the article, including talking around the point made above.  But in his response, Kaspersky says something that is misleading if not outright false, and we think that needs to be addressed as well.

In the retort, Kaspersky claims that they do not provide real-time intelligence on hackers’ location to the FSB or other law enforcement.  This may or may not be true – we are left to take the word of Eugene Kaspersky against the anonymous Bloomberg source.  But the Kaspersky claim that it is “technically impossible” to “gather identifying data from customers’ computers” is completely false.

Why is that statement certainly false?

It may be true that there is no feature built into Kaspersky software for the sole purpose of “gathering identifying data” from customers.  But antivirus software collects lots of telemetry on malware activities.  Part of that telemetry involves the autorun registry keys used by malware to persist between reboots.  In some cases, malware even stores exfiltration or configuration data in the registry and Kaspersky needs this data to be effective with their detection, quarantine, and removal of malware artifacts on infected machines.  As a result, it seems highly unlikely that Kaspersky software does not have the ability to query arbitrary registry keys and return their contents back to Kaspersky operations centers.  By querying the correct registry keys, Kaspersky could determine data such as:

  • The machine name and domain name
  • The username of the currently logged on user
  • The usernames of previously logged on users
  • The email address of the Microsoft account linked to the local accounts (if any)
  • The wifi network the machine is currently connected to
  • The names of saved wifi networks
  • The Windows unique product ID
  • The Kaspersky unique product ID
  • Unique hardware information (processor serial number, etc.)
  • Recently typed URLs
  • Recently opened document names
  • Recently executed programs

The above entries are just some of the information that can be enumerated from registry values alone – a capability which Kaspersky software is sure to have.  This completely discounts the fact that Kaspersky can arbitrarily enable new capabilities in its software at will and deploy those capabilities only to specific machines, presumably those targeted by FSB.  Please note that Rendition isn’t claiming Kaspersky is using these capabilities, but it’s ridiculous to think they don’t have them.  Any centrally managed antivirus that can’t collect this sort of telemetry isn’t doing the best possible job for its customers.  Whether anyone at Kaspersky has used the capability to assist intelligence or law enforcement, the capabilities almost certainly exist – and not just in Kaspersky software. Eugene should be transparent about that and then explain that although the capabilities exist, they have not and will not be used to assist the Russian government.

Call for a balanced and informed discussion

So far, neither side in this exchange (US government vs. Kaspersky) has been 100% forthcoming with the facts surrounding their situation.  For its part, Kaspersky seems to have been more transparent in the discussion so far than the US government (USG).  Of course this assumes that we are taking Kaspersky at their word (they obviously have much to lose in this exchange).  However, in all fairness the USG regarding transparency, it is probably protecting sources and methods.  If the USG discloses information derived from sensitive sources, it may no longer be able to access those sources – like everything in intelligence (cyber threat intelligence included) there must be an intel gain/loss calculation performed.

The topic of intel gain/loss was perhaps best illustrated to the public in the movie “The Imitation Game” where the Allies had determine which enigma decrypted intelligence to act on in order to keep their capabilities secret.  The US intelligence community (IC) had their hand forced in the Kaspersky debate in what was apparently surprise questioning during seemingly unrelated US Senate testimony.  Given the way the information came to light, the IC may not have been ready to reveal what it knows of Kaspersky being influenced by the Russian government.  But with Kaspersky on the defensive and likely backlash against US companies in Russia and elsewhere, the IC may be sharing more of it what it knows sooner than later.

Tags: , ,