Outpost

Level 5
Verified
CIA and NSA always play an important role in espionage and counterintelligence. No wonder they were checking out his own business associates. Since the early postwar period, they've also been checking "friendly" countries. Just look at the history of Crypto AG, for example.
 

ForgottenSeer 823865

It doesn't really matter who is the victim.
The file shouldn't be automatically uploaded (if it is) without consent; consent should be asked on a case-by-case basis, like after a scan. This is simple logic.
If they had cared to do this, Kaspersky wouldn't be in such a bad situation, instead of relying on whatever EULA or warnings, which most people don't even read.
 

ForgottenSeer 823865

I agree that the AV should ask, but it's kinda odd that Kaspersky was the only one being called out on this when they weren't even the worst offenders at user-privacy data gathering.
Because they had the sample from state-sponsored malware which shouldn't have been collected in the first place, whether it was intentional or not.
From the reported Kaspersky investigation, his researchers went to him asking what they should do with it. They obviously suspected this sample to be more than just a piece of malware created by a guy in his basement... they knew it was NSA tools and they just deleted it, instead of warning the agency... big mistake...

You know, it is like you ended up with a bag of cocaine you found in your garden and threw it in a trash bin while people were watching you, instead of reporting it to the authorities...

Kaspersky CEO admits knowing about secret documents from NSA contractor
One really fascinating detail is that Eugene Kaspersky himself came to know about secret documents on the NSA contractor's computer because he was alerted by an analyst.

But how and why did this happen if Kaspersky wasn't secretly trying to steal this information for the Russian government?

The answers come in a 10-question Q&A around what Kaspersky saw and why the company saw it, plus what happened next:

Q4: Was there actually classified information found on the system inadvertently?

A4: What is believed to be potentially classified information was pulled back because it was contained within an archive that fired on Equation-specific malware signatures. Besides malware, the archive also contained what appeared to be source code for Equation malware and four Word documents bearing classification markings.

Q5: If classified information was pulled back, what happened to said data after? Was it handled appropriately?

A5: After discovering the suspected Equation malware source code and classified documents, the analyst reported the incident to the CEO. Following a request from the CEO, the archive was deleted from all of our systems. With the archive that contained the classified information being subsequently removed from our storage locations, only traces of its detection remain in our system (i.e., statistics and some metadata). We cannot assess whether the data was “handled appropriately” (according to US government norms) since our analysts have not been trained on handling US classified information, nor are they under any legal obligation to do so.

Q6: Why was the data pulled back in the first place? Is there evidence this information was passed on to “Russian hackers” or Russian intelligence?

A6: The information was pulled back because the archive fired on multiple Equation malware signatures. We also found no indication the information ever left our corporate networks. Transfer of a malware file is done with appropriate encryption level relying on RSA+AES with an acceptable key length, which should exclude attempts to intercept such data anywhere on the network between our security software and the analyst receiving the file.


Kaspersky investigation report:


Worth noticing

Upon further inquiring about this event and missing files, it was later discovered that at the direction of the CEO, the archive file, named “[undisclosed].7z”, was removed from storage. Based on the description from the analyst working on that archive, it contained a collection of executable modules, four documents bearing classification markings, and other files related to the same project. The reason we deleted those files and will delete similar ones in the future is two-fold: we don’t need anything other than malware binaries to improve protection of our customers, and secondly, because of concerns regarding the handling of potentially classified materials. Assuming that the markings were real, such information cannot and will not be consumed, even to produce detection signatures based on descriptions.

This concern was later translated into a policy for all malware analysts, who are required to delete any potentially classified materials that have been accidentally collected during anti-malware research or received from a third party. Again, to restate: to the best of our knowledge, it appears the archive files and documents were removed from our storage, and only individual executable files (malware) that were already detected by our signatures were left in storage. Also, it is very apparent that no documents were actively “detected on” during this process. In other words, the only files that fired on specific Equation signatures were binaries, contained within an archive or outside of it. The documents were inadvertently pulled back because they were contained within the larger archive file that alerted on many Equation signatures. According to security software industry standards, requesting a copy of an archive containing malware is a legitimate request, which often helps security companies locate data containers used by malware droppers (i.e. they can be self-extracting archives or even infected ISO files).

and


And from this Kaspersky report, we can suppose it wasn't some kind of conspiracy made to discredit Kaspersky, like some here claim...
 

Parsh

Level 25
Verified
Trusted
Malware Hunter
... I said collection of files without user consent is a privacy breach, not talking about the collection mechanism itself! Damn, learn to read, dude!
Hitman Pro uploads files as well, so does WD, everyone knows that, and you are here explaining how it works LOL.
I believe you said the underlined as a general statement, and were not pointing at Kaspersky, because during installation, when you agree to KSN Network usage (optional), the user is agreeing to partial or full submission of various files
In Kaspersky's career there has only been this case, and in my opinion, if someone is guilty,
it is the contractor, who took work home on a PC full of cracks or patches or whatever.
"It is said that you cannot throw away all the stew for one bad chickpea."
At the time, a theory prevailed that NSA had directed the whole scenario of the contractor taking one of their weapons (or a dummy) to his home to make this thing happen. Some authority from US wanted the govt to entirely rid of Kaspersky (not that they could not have done it otherwise) and defame it to reduce Kaspersky's might in allied countries where it had been prominent.
On the other hand, we can neither fully dismiss nor take it on face value, the argued charge that strings of digital code that Kaspersky used, that operate in stealth to find malware, could also be written to search computers for potential classified documents, using keywords or acronyms (as stated in my previous post link).

It doesn't really matter who is the victim.
The file shouldn't be automatically uploaded (if it is) without consent; consent should be asked on a case-by-case basis, like after a scan. This is simple logic.
If they had cared to do this, Kaspersky wouldn't be in such a bad situation, instead of relying on whatever EULA or warnings, which most people don't even read.
Comodo does it automatically (once the option is selected) and so does Kaspersky and a few others. I agree that it may be a sensitive matter. However, showing an option to the user whether to upload or not every time a suspicious/unknown file is encountered in real time can be tedious ... as compared to showing that option every time after an initiated scan. Maybe they brought it into practice for practicality, or out of hunger for more data.

Because they had the sample from state-sponsored malware which shouldn't have been collected in the first place, whether it was intentional or not.
From the reported Kaspersky investigation, his researchers went to him asking what they should do with it. They obviously suspected this sample to be more than just a piece of malware created by a guy in his basement... they knew it was NSA tools and they just deleted it, instead of warning the agency... big mistake...

You know, it is like you ended up with a bag of cocaine you found in your garden and threw it in a trash bin while people were watching you, instead of reporting it to the authorities...
You know the first sentence can attract a long debate.
In the NSA leak case, the drug addict and the authorities would be the same


Kaspersky investigation report:


Worth noticing

and


And from this report we can see it wasn't some kind of conspiracy like a few here said...
I had read the SecureList article earlier and it works to clear speculations of a Russian conspiracy, at least.
One is expected not to argue, after agreeing to KSN usage, about the upload of those suspicious/malicious samples from Kaspersky users, because Kaspersky proposes that they need them for analysis, but what concerns me more is that classified documents were uploaded too. And it may be hard to believe for some that Eugene did just get them tossed away.
EDIT: As per Kaspersky's statement, the classified non-executable files were compressed with the actual malware inside a 7zip archive, which was subsequently uploaded from the user's computer because the auto file upload option as per the KSN clause was on. That doesn't directly imply that they also upload individual documents to their servers; just stating a fact, on an unbiased note.
 
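The point in Kaspersky's Q&A above (A4, A6 and the "Worth noticing" excerpt), and Parsh's EDIT restating it, is that a detection fires on a member of an archive, but what gets pulled back is the whole container, so non-matching members (here, marked documents) ride along. The following is an added example, not code from Kaspersky, the KSN client or any post in this thread. It uses a zip built in memory instead of a 7z (the standard library has no 7z writer), a constructed marker byte string standing in for a real malware signature, and a hypothetical `policy` switch to contrast "submit the whole archive" with "submit only the members that fired".

```python
"""Added example: how an archive-level sample submission pulls in members
that never matched any signature. Toy code, not any vendor's client."""
from __future__ import annotations

import io
import zipfile

# Constructed stand-in for a malware family signature (hypothetical name).
# A real engine matches far more than a literal byte string.
SIGNATURES: dict[str, bytes] = {
    "Toy.Equation-like": b"EQGRP_TOYMARKER",
}


def build_sample_archive() -> bytes:
    """Construct an in-memory archive: one 'malicious' PE-like module, one
    document carrying a classification-style marking, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("modules/loader.exe",
                    b"MZ" + b"\x00" * 16 + b"EQGRP_TOYMARKER" + b"\x00" * 32)
        zf.writestr("docs/design.docx",
                    b"TOP SECRET//XX  constructed design notes, no real content")
        zf.writestr("README.txt", b"build instructions")
    return buf.getvalue()


def scan_bytes(data: bytes) -> list[str]:
    """Return the names of every signature whose pattern occurs in data."""
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


def scan_archive(archive: bytes) -> dict[str, list[str]]:
    """Scan each member of the archive; map member name -> signature hits."""
    hits: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        for info in zf.infolist():
            hits[info.filename] = scan_bytes(zf.read(info))
    return hits


def select_for_upload(archive: bytes, policy: str) -> list[str]:
    """Decide which member names would be sent to a vendor cloud.

    'whole_archive'         : any hit -> every member is submitted, which is
                              the behaviour the Q&A describes for the .7z
    'matching_members_only' : only members that fired are submitted
    """
    hits = scan_archive(archive)
    fired = [m for m, sigs in hits.items() if sigs]
    if not fired:
        return []
    if policy == "whole_archive":
        return sorted(hits)
    if policy == "matching_members_only":
        return sorted(fired)
    raise ValueError(f"unknown policy: {policy}")


def collateral_members(archive: bytes, policy: str) -> list[str]:
    """Members that would leave the machine without matching any signature."""
    hits = scan_archive(archive)
    return [m for m in select_for_upload(archive, policy) if not hits[m]]


if __name__ == "__main__":
    sample = build_sample_archive()
    for policy in ("whole_archive", "matching_members_only"):
        print(policy, "uploads:", select_for_upload(sample, policy))
        print(policy, "collateral:", collateral_members(sample, policy))
```

Run as a script, the whole-archive policy reports `docs/design.docx` and `README.txt` as collateral, while the member-only policy reports none. The trade-off the thread argues over is visible in the code: the whole-archive path is what lets an analyst recover droppers and data containers around the detected module, and it is also exactly the path by which an unrelated document leaves the machine.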

ForgottenSeer 823865

I believe that you say the underlined as a general statement, and are not pointing at Kaspersky, because during installation, when you agree to KSN Network usage (optional), the user is agreeing to partial or full submission of various files
Yes, a general statement; I don't care who, just the principle itself.

At the time, a theory prevailed that NSA had directed the whole scenario of the contractor taking one of their weapons (or a dummy) to his home to make this thing happen. Some authority from US wanted the govt to entirely rid of Kaspersky (not that they could not have done it otherwise) and defame it to reduce Kaspersky's might in allied countries where it had been prominent.
On the other hand, we can neither fully dismiss nor take it on face value, the argued charge that strings of digital code that Kaspersky used, that operate in stealth to find malware, could also be written to search computers for potential classified documents, using keywords or acronyms (as stated in my previous post link).
When you see the report from Kaspersky, it doesn't look very organized or planned, and more like a chain of unfortunate circumstances.


Comodo does it automatically (once the option is selected) and so does Kaspersky and a few others. I agree that it may be a sensitive matter. However, showing an option to the user whether to upload or not every time a suspicious/unknown file is encountered in real time can be tedious ... as compared to showing that option every time after an initiated scan. Maybe they brought it into practice for practicality, or out of hunger for more data.
Just an option at the end of a scan would have been enough.

You know the first sentence can attract a long debate.
I know, I know.

but what concerns me more is that classified documents were uploaded too. And it may be hard to believe for some that Eugene did just get them tossed away.
And that is the whole issue. Some uninformed people claimed it is only binaries, but NO, as your screenshot above shows, all kinds of files can be uploaded without individual consent, and a cloud scanner can be modified to cherry-pick particular files... THIS is the real issue most fail to understand.
Imagine the implication in a corporate environment (intellectual property and prototype plans uploaded) that can easily become a valid case of espionage.
 

Burrito

Level 23
@Parsh Thanks for the link to the article.
My question to more seasoned members of this forum: I have always taken these allegations with a fairly large grain of salt. Now that I know the WSJ published the initial scoop, should I take these Kaspersky allegations more seriously?
Yeah, there is fire behind the smoke.

In this case though, if you don't have national security nor sensitive industrial materials on your computer, it does not make much of a difference to you. Unless you feel violated by having your computer searched for 'other stuff' not related to malware.

Often, the NYT is sourced better than the WSJ.
 

Cortex

Level 22
Verified
Yeah, there is fire behind the smoke.

In this case though, if you don't have national security nor sensitive industrial materials on your computer, it does not make much of a difference to you. Unless you feel violated by having your computer searched for 'other stuff' not related to malware.

Often, the NYT is sourced better than the WSJ.
Interesting thread & info: I was one who believed the Kaspersky issue was unfounded; my point of view has changed somewhat. Might it also explain why Kaspersky is giving up to 75% off their licences, whereas you need to sell an organ to afford a single ESET etc. licence? Interesting, thanks!
 

motox781

Level 9
Verified
@bribon77
In Kaspersky's career there has only been this case, and in my opinion, if someone is guilty,
it is the contractor, who took work home on a PC full of cracks or patches or whatever.
"It is said that you cannot throw away all the stew for one bad chickpea."



I see where everyone is coming from with their opinions, but I kinda agree with the statement above. Kaspersky has been in business for a long time. Their track record has been top notch. All of a sudden (during a political firestorm), they get accused. In a strange way, I might add: a highly educated, highly paid contractor supposedly gets caught with top secret files at home AND has bootleg software on his PC... very, very sloppy... you can't make this stuff up. What was this guy thinking, no matter what kind of setup he had at home?

The way it was presented to the public was also pretty much non-existent. Kaspersky is probably the most tested and watched software on the planet after those accusations, but nothing else solid came up after the incident.
 

ForgottenSeer 85911

This topic broke 2+ years ago; it is a dead issue,
yet there are still dramas over it on sec forums.
Says much about people on sec forums.

The Finnish govt can compel F-Secure to subvert user systems.
The Romanian govt can compel Bitdefender to subvert user systems.
The US govt can compel Microsoft to subvert everybody.

Don't use your enemy's software on your govt and defense systems.
Common sense that every child knows.
 

bribon77

Level 33
Verified
This topic broke 2+ years ago; it is a dead issue,
yet there are still dramas over it on sec forums.
Says much about people on sec forums.

The Finnish govt can compel F-Secure to subvert user systems.
The Romanian govt can compel Bitdefender to subvert user systems.
The US govt can compel Microsoft to subvert everybody.

Don't use your enemy's software on your govt and defense systems.
Common sense that every child knows.
Strongly agree; the United States is a country with too much technology of its own to use AV from other countries.
Another thing is a normal user, who has nothing confidential that can compromise him or his country.
 

RejZoR

Level 14
Verified
This topic broke 2+ years ago; it is a dead issue,
yet there are still dramas over it on sec forums.
Says much about people on sec forums.

The Finnish govt can compel F-Secure to subvert user systems.
The Romanian govt can compel Bitdefender to subvert user systems.
The US govt can compel Microsoft to subvert everybody.

Don't use your enemy's software on your govt and defense systems.
Common sense that every child knows.
The problem is normal people still think MUH BAD RUSSIA did it. Because all they heard were manufactured stories made for clearing NSA's cockups. It's not even security forums. Normies are still believing that nonsense after all this time.
 

ForgottenSeer 85911

The problem is normal people still think MUH BAD RUSSIA did it. Because all they heard were manufactured stories made for clearing NSA's cockups. It's not even security forums. Normies are still believing that nonsense after all this time.
That is all Russia bashing, then counter-USA bashing.
That needs to be taken to Facebook or Twitter, not here.
 

ForgottenSeer 85911

One thing is bashing, another, simply revealing the truth. And the truth is, Kaspersky is not a bad guy here. Then take whatever you want from this story.
I think a lot of people here have an anti-US axe to grind,
so that is why these discussions keep continuing on about an issue that is long since irrelevant and inappropriate to this forum.
 

RejZoR

Level 14
Verified
I think a lot of people here have an anti-US axe to grind,
so that is why these discussions keep continuing on about an issue that is long since irrelevant and inappropriate to this forum.
How is it "inappropriate"? Do you seriously believe we are alone in here and that no one from outside ever crosses these posts? Or that new users never join who have never participated in these discussions?
 

Cortex

Level 22
Verified
I think a lot of people here have an anti-US axe to grind,
so that is why these discussions keep continuing on about an issue that is long since irrelevant and inappropriate to this forum.
I don't feel there is anti-US feeling on here, or anti-Russian for that matter. When a major AV vendor has potentially been involved to some degree in untoward politics, it's interesting. None of the above will change my feeling that Kaspersky is among the best AVs there is. However, it's still of interest, especially when more information comes to light. If someone doesn't want to discuss issues to do with AV, maybe you're in the wrong forum?
 

ForgottenSeer 823865

All this is just a chain of incidents provoked by a feature that shouldn't be accepted the way it works. Also, uploading non-executable files, really?
There are other AVs with cloud lookup; they don't need to automatically upload every single file they find suspicious...
And putting up a techno-babble warning/EULA that Average Joe will barely understand (if he even reads it) is just ludicrous.

Kaspersky deserved it. I'm glad they got this huge backfire; maybe now some in the industry will start thinking before implementing privacy-intrusive features.
 