SUBSIM Radio Room Forums



Old 10-20-17, 04:22 AM   #16
ikalugin
Ocean Warrior
 
Join Date: Aug 2014
Location: Moscow, Russia
Posts: 3,212
Downloads: 8
Uploads: 0


Default

No one said that it would be easy.

Though I guess the US, especially back in 2015, felt that it didn't need to do arms control due to how significant their advantage was (and still is); in addition to soft operations (data gathering and influence) we could remember OG/Stuxnet.
__________________
Grumpy as always.
ikalugin is offline   Reply With Quote
Old 10-20-17, 05:43 AM   #17
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,536
Downloads: 9
Uploads: 0


Default

No, not "not easy". Impossible. And I mean it. Impossible. No control can be imagined that is capable of overseeing such a treaty or law. Missile silos can be checked. Biological research centres can be kept an eye on. Chemical facilities can be monitored. Weapon factories can be observed. But when all it takes for your task to get accomplished can be carried home in a suitcase, can be done in the basement of your house, can be done on just any computer device in the world, then control is not "not easy", but impossible.
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote
Old 10-23-17, 11:48 PM   #18
CaptainHaplo
Silent Hunter
 
CaptainHaplo's Avatar
 
Join Date: Apr 2007
Posts: 4,404
Downloads: 29
Uploads: 0
Default

From a professional perspective, Kaspersky is no more "risky" to use than Symantec or McAfee. While there is a LOT of political noise in the US over "Russia", the fact is that every AV product out there is (by security professionals) seen as both a pivotal security barrier AND a source of failure.

When a product is evaluated, its activities (both active and passive) are closely monitored, tested, prodded and as much as possible, reverse engineered. No application that is as complex as modern AV (especially those that focus on "real time protection") is going to be error free. The same is the case for modern operating systems. This is why every build of every significant security package is put through the wringer.

If you go digging deep enough into the subject of the supposed Kaspersky "hack" - the answer of what occurred - and how - is actually simple and very likely would be found on the major players in AV here in the US. It actually just "did its job"....

Let me give a quick synopsis:
Kaspersky, like most other AV software packages, can heuristically detect activity (or the potential activity) that other software may take. If a piece of software is scanned and noted to be designed to take certain actions (such as inject code), yet it does not match any known virus signature, it is deemed an "unknown" threat. Just like McAfee, Symantec and most other packages, Kaspersky AV will (assuming it is set up to do it) send a copy of the suspect code to its maker for in depth analysis. This is what allows AV makers to update virus definitions to protect against emerging threats. It is NO different than any other well respected AV maker practices.

Now - the claim was (and I do not doubt it) that certain "tools" originating from within the US NSA were what was found on Kaspersky's network. Given that such tools would have been designed to perform tasks like code injections, memory reads and modification, elevated privilege executions, etc. - these "tools" would have by their very nature been "flagged" for being suspect. Symantec and McAfee would likely (and probably have - but we aren't checking THEIR networks) have done the same thing. And when suspect code is found, a copy gets transmitted "home" for analysis. So basically Kaspersky software did its job - and that somehow turned it into a "spy" company?

Nope.

The greater concern was the requirement by the Russian government for all software source code. That does allow intelligence arms with highly technical resources to look for exploitable vulnerabilities - and that has apparently been used with Kaspersky. A problem? Yes. However, Kaspersky has (apparently) done its best to mitigate security holes when found - and the Russian intelligence arms aren't the only ones finding those.

Did it make sense for the US government to stop using Kaspersky based on this - yes. Then again - it made sense that they shouldn't allow code samples to be transmitted by computers that might have "tools" on it that are (for all intents and purposes) forms of malware - regardless of the AV maker.

That does NOT make it a "bad" AV package or one that normal people should avoid.

In fact - if you want to use the argument that it is - perhaps you should stop using Windows. After all - M$ has been providing Windows OS (and Server OS) source code to the US Government since 2003 (check the WSJ for info). The only surprise to me that Russia wanted to get away from M$ was that it took them 13 years to figure out that they should.

The reality is that outside of governmental use, Kaspersky remains a highly respected AV package with great testing results. Facts should outweigh the political spin that is used to push a specific perspective.

I am no fan of Putin or the Russian government. I spent 8 years identifying silhouettes of red equipment just so I could help kill it. But being in the security field, I don't much care to see a good company with a good product - a product that did exactly what it was designed to do - get cratered because it is politically expedient.

I'll touch on Skybird's concerns in my next post...
__________________
Good Hunting!

Captain Haplo
CaptainHaplo is offline   Reply With Quote
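
The triage flow described in post #18 (signature lookup, then heuristic capability checks, then optional sample submission), as an added sketch that is not part of the original post and not any vendor's code. The API-name indicator table, the threshold and all sample bytes are constructed for illustration; real engines parse import tables and emulate code rather than matching substrings.

```python
import hashlib
from dataclasses import dataclass

# Constructed indicator table: capability -> Windows API names that must all
# appear in the file for the capability to count (assumption for this sketch).
CAPABILITY_APIS = {
    "code injection": (b"VirtualAllocEx", b"WriteProcessMemory", b"CreateRemoteThread"),
    "memory read": (b"ReadProcessMemory",),
    "privilege elevation": (b"AdjustTokenPrivileges",),
}

@dataclass
class Verdict:
    label: str           # "known-malware", "unknown-threat" or "clean"
    capabilities: list   # heuristic capabilities that matched
    submit_sample: bool  # True if a copy would be sent to the vendor

def triage(sample: bytes, known_hashes: set, allow_submission: bool,
           threshold: int = 2) -> Verdict:
    """Signature lookup first, then heuristics, then the submission policy."""
    if hashlib.sha256(sample).hexdigest() in known_hashes:
        return Verdict("known-malware", [], False)  # already catalogued
    caps = [name for name, apis in CAPABILITY_APIS.items()
            if all(api in sample for api in apis)]
    if len(caps) >= threshold:
        # No signature match but suspicious capabilities: the "unknown" case.
        # Whether a copy leaves the machine depends only on the opt-in setting.
        return Verdict("unknown-threat", caps, allow_submission)
    return Verdict("clean", caps, False)

# Constructed sample inputs (not real binaries).
KNOWN = b"MZ constructed-known-sample"
TOOL = (b"MZ constructed-unknown-tool VirtualAllocEx WriteProcessMemory "
        b"CreateRemoteThread ReadProcessMemory AdjustTokenPrivileges")
BENIGN = b"MZ constructed-debug-helper ReadProcessMemory"
KNOWN_HASHES = {hashlib.sha256(KNOWN).hexdigest()}

if __name__ == "__main__":
    for name, data in (("known", KNOWN), ("tool", TOOL), ("benign", BENIGN)):
        for opt_in in (True, False):
            print(name, "opt-in" if opt_in else "opt-out",
                  triage(data, KNOWN_HASHES, opt_in))
```

With submission disabled, the unknown tool is still flagged locally but no copy is sent, which is the control the post says sensitive machines should have had regardless of AV vendor.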
Old 10-24-17, 12:02 AM   #19
CaptainHaplo
Silent Hunter
 
CaptainHaplo's Avatar
 
Join Date: Apr 2007
Posts: 4,404
Downloads: 29
Uploads: 0
Default

Board level chip programming is an esoteric art in some ways. Yes, there is cause for great concern should unknown vulnerabilities be "built in" to chips. However, while it is a real threat, it is one that is not only known - but one that has been exploited - as we saw years back with Stuxnet. Most professionals agree that Stuxnet was a joint project between the US and Israel. Even if the US did not play a role in its creation, US intelligence DID see the results. So it is safe to say that the US intelligence apparatus is well aware of how PLCs can be a source of vulnerability.

Does that mean we are secure? No. In the technology world, there is no "guarantee" of security any longer (really never has been - threats have changed and are MUCH more pervasive today though). However, when you know of a vulnerable spot in your armor, you examine it and find ways to "harden" it. Rest assured that PLC firmware revisions across entire industries and sectors are generally examined with a fine tooth comb. Again - no "guarantee" - but IC chips are not the unguarded back door that some people fear.

Skybird's point on the dangers of "suitcases", portable high power technology and ultimately, miniature weaponized items (whether IEDs, chemical or bio weapons and small "dirty bombs") are much more serious and infinitely more difficult to control.

After all - to be successful the intelligence arms have to be right 100% of the time - the bad guys only have to "get lucky" once.

With that said - that does not mean that government should put security above the rights of its people.
__________________
Good Hunting!

Captain Haplo
CaptainHaplo is offline   Reply With Quote
Old 10-25-17, 07:22 AM   #20
Skybird
Soaring
 
Skybird's Avatar
 
Join Date: Sep 2001
Location: the mental asylum named Germany
Posts: 40,536
Downloads: 9
Uploads: 0


Default

Another prominent example is concerns about HDs. These devices have inbuilt hardware controllers, drivers stored on a ROM. The concern is that from the factory on, these drivers, built onto and into the hardware, may be corrupted and provide backdoors. Another example is chips on mainboards that hold drivers and operate on such a profound level that they simply would evade any detection software like virus scanners and the like.

The problem thus is already the factory. It may have been attacked and infiltrated, or it may obey secret government orders. You may get your hardware already corrupted right out of the factory; you no longer need to catch an infection or malware attack. You already bought the malware as an intentional design feature of the hardware.

---

If it were so easy to detect vulnerabilities in foreign-made chips that maybe are used in control boards of missile warheads or in a fighter radar, then you would not need to buy these chips from another rival nation, because then you would have needed to understand that chip architecture so thoroughly that actually you could have built and produced it yourself. Money, cheaper production of military chips in China than in the US, I do not buy as an argument here. No more.
__________________
If you feel nuts, consult an expert.
Skybird is offline   Reply With Quote