The United States’ National Security Agency (NSA) and the UK’s Government Communications Headquarters (GCHQ) have been attacking antivirus and other security software since at least 2008, The Intercept reported Monday.
The aim is to infiltrate networks and track users.
The agencies apparently have reverse-engineered security and antivirus software, sometimes under dubious legal authority, and monitored the vendors’ Web and email traffic to subvert their products.
One of their main targets has been Kaspersky Lab, headquartered in Moscow, as indicated by this 2008 GCHQ application for the renewal of a warrant.
Kaspersky recently was hit by the Duqu 2.0 malware.
“As noted during the recent Duqu 2.0 nation-state sponsored attack, we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries and are actively working to subvert security software that is designed to keep us all safe,” Kaspersky Lab said in a statement provided to TechNewsWorld by spokesperson Stephen Russell.
“We are closely reviewing and investigating the information disclosed today in order to assess the potential level of risk it may pose to our infrastructure and how to effectively mitigate it.”
Turning on the Flock
Why are our security agencies spying on our citizens instead of tracking potential terrorists? Or do they consider every citizen a potential terrorist?
A January 2014 policy paper from International Security, a program of the New America Foundation, states that the NSA’s bulk surveillance program contributed only minimally to the investigations of the 225 people recruited by terrorist organizations and charged in the U.S. with an act of terrorism since 9/11.
The NSA’s repeated claims that the surveillance prevented 50 or so attacks on Americans have been proven false.
What the Agencies Did
The GCHQ apparently reverse-engineered Kaspersky’s software.
The NSA in 2008 discovered it could intercept user information Kaspersky software was transmitting to the company’s servers.
The information, contained in the user-agent strings in the headers of HTTP requests, could uniquely identify Kaspersky customers’ computers, among other things.
Information in its “User-Agent” strings is depersonalized, Kaspersky Lab told The Intercept, and cannot be attributed to a specific user or company. The data is strongly encrypted.
However, The Intercept pointed out that “cryptoOCDrob” tweeted in 2012 that Kaspersky was sending clear text over port 443 for its website reputation service, and that Christopher Lowson tweeted a similar complaint in 2014.
The Intercept last month performed tests on a trial copy of Kaspersky Small Business Security 4, in which a detailed report of the host server’s hardware configuration and installed software was transmitted to Kaspersky unencrypted. Kaspersky later told the publication it couldn’t reproduce that action.
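As an added illustration, not code from the article or from any vendor, the following audit walks over constructed outbound HTTP requests and flags the two issues described above: User-Agent values that carry a machine-unique identifier (a GUID or a long hex token) and telemetry sent without TLS, including on port 443. All hostnames, identifiers and request contents are fabricated samples.

```python
import re

# Constructed sample traffic as (destination port, TLS in use, raw HTTP request).
# Hostnames and identifier values are fabricated; they belong to no real product.
SAMPLE_REQUESTS = [
    (443, True,  "GET /update HTTP/1.1\r\nHost: updates.example-av.test\r\n"
                 "User-Agent: ExampleAV/4.0 (Windows NT 6.1)\r\n\r\n"),
    (443, False, "GET /reputation?url=http://site.test/ HTTP/1.1\r\nHost: rep.example-av.test\r\n"
                 "User-Agent: ExampleAV/4.0 id=5f2c9a1e7b3d4c8fa0e1d2c3b4a59687\r\n\r\n"),
    (80,  False, "POST /telemetry HTTP/1.1\r\nHost: t.example-av.test\r\n"
                 "User-Agent: ExampleAV/4.0; {3F2504E0-4F89-11D3-9A0C-0305E82C3301}\r\n\r\n"),
]

# Token shapes that typically act as per-installation identifiers rather than
# product/OS version strings: GUIDs and long hexadecimal blobs.
IDENTIFIER_PATTERNS = [
    ("guid", re.compile(r"\{?[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}?", re.I)),
    ("long_hex", re.compile(r"\b[0-9a-f]{24,}\b", re.I)),
]


def parse_headers(raw):
    """Split a raw HTTP/1.x request into its request line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def audit(requests):
    """Return (host, finding) pairs for identifying User-Agent tokens and plaintext transport."""
    findings = []
    for port, tls, raw in requests:
        _, headers = parse_headers(raw)
        host = headers.get("host", "")
        user_agent = headers.get("user-agent", "")
        for label, pattern in IDENTIFIER_PATTERNS:
            if pattern.search(user_agent):
                findings.append((host, f"ua_identifier:{label}"))
        if not tls:  # port 443 without TLS is still plaintext, as the complaints above describe
            findings.append((host, f"plaintext_http:port{port}"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(SAMPLE_REQUESTS):
        print(f"{host}: {finding}")
```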
The NSA reportedly examined security software vendors’ incoming emails that flagged new viruses and flaws.
The GCHQ, at least, admitted in its warrant renewal application that its conduct could be unlawful and amount to copyright infringement or breach of contract.
“At the end of the day, antivirus is software — and just like any other software package is susceptible to vulnerabilities,” said Ken Westin, security analyst for Tripwire.
Security and antivirus software packages are targeted because they run with escalated privileges, they need to be disabled or tricked for malware to operate, and they are widespread and usually come preinstalled on laptops, Westin told TechNewsWorld.
Is Security Software Useless?
Given that the NSA and FBI have demanded vendors install backdoors in their computer hardware and software, and given the NSA’s involvement in the creation of sophisticated malware such as Stuxnet and Duqu, its persistent attempts to break iOS security, and now these latest revelations, the question of whether companies should even bother to encrypt their data arises.
“The implication that government agencies have deep internal knowledge of how to bypass antivirus products is not new and does not change anything,” said Tim McElwee, chairman of Proficio.
“Anti-malware software alone is never enough,” he told TechNewsWorld, adding that defense in depth is required.