Russian Source Code Reviews of SAP, Symantec and McAfee

Prorootect

thegoldwater.com: Russian Source Code Reviews of SAP... Wait... What?


By Steve Dellar | 01-25-2018 News

Russian Source Code Reviews of SAP... Wait... What?
To maximize sales, technology providers such as SAP, Symantec and McAfee let Russian authorities look for vulnerabilities in their software, thus exposing code that is deeply embedded in US government agencies.

U.S. lawmakers and security experts now believe that the security of computer networks in at least a dozen federal agencies could have been breached.

Products of those companies are currently protecting the following US departments: the Pentagon, NASA, the State Department, the FBI and the intelligence community.


Given the sophistication that Russian cyber experts have shown in the past years, many fear that a complete overhaul of all these programs might be necessary.

In a response letter to Senator Jeanne Shaheen, the Pentagon admitted that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”

Ms Shaheen claims: "I fear that access to our security infrastructure, whether it be overt or covert, by adversaries may have already opened the door to harmful security vulnerabilities."

Global tech companies that want access to Russia's large market need to seek certification for their products from Russian agencies, and that is where the sticking point lies, as those include both the FSB security service and Russia’s Federal Service for Technical and Export Control (the FSTEC).

Other US companies state they would never let the Russians look at the source code though. Mr Steve Quane, VP for network defense at Trend Micro, provides programs for the US military and claimed that: “Even letting people look at source code for a minute is incredibly dangerous,”

“We know there are people who can do that because we have people like that who work for us.”

Source:

uk.businessinsider.com/tech-firms-russia-probe-softwaremany-us-government-agencies-compromised-2018-1?r=US&IR=T

__________________________________

- uh oh! never seen, nothing stops progress...
 

Prorootect

  • Major global technology providers allowed Russian authorities to probe their software, which is deeply embedded across the US government.
  • The practice may have jeopardized the security of at least a dozen federal agencies.
  • The potential risks to the US government from Russian involvement in the systems are widespread, the Reuters investigation found.
read on Business Insider: Tech firms allowed Russia to probe their software, and now many US government agencies could be compromised
  • Dustin Volz, Joel Schectman and Jack Stubbs, Reuters
__________________________________

WASHINGTON/MOSCOW (Reuters) - Major global technology providers SAP <SAPG.DE>, Symantec <SYMC.O> and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers. (Graphic: tmsnrt.rs/2sZudWT)

But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise <HPE.N> software known as ArcSight, used to help secure the Pentagon's computers, had been reviewed by a Russian military contractor with close ties to Russia's security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department's intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.
Graphic: http://tmsnrt.rs/2C30rp8
http://fingfx.thomsonreuters.com/gfx/rngs/USA-CYBER-RUSSIA/010060650E3/cyber.jpg
 

shmu26

Those dummies in government offices should just get a life and learn how to use AppGuard.
 

Lightning_Brian

Well, this is a sad, sad day.... Why on earth would anyone in their right mind do this?! Wow! I cannot think of any really great valid reason to let go of source code and have others be given total access to it even for a few minutes. Indeed, I said minutes - mainly due to the fact that people can write a script to copy it all. I'm happy to have multiple layers of security on my computer. Shame on these AVs for releasing the source code. I'm not very happy about this 'bright idea' that people had. For me, this goes against everything I believe in when it comes to great security. Hopefully, this will be a rude awakening to others to never release raw source code for others to view, manipulate, or even circumvent security. Not everyone is an ethical hacker. I may end up changing my security levels or maybe even programs on my computer.

Anyone else think this is very dangerous or am I just super paranoid and thinking too hard about this one? I’d like to know your thoughts too.

@shmu26 I couldn't agree more with your post! (y)

@Prorootect thank you for posting this! A true eye opener of an article!

~Brian
 

Prorootect

@Lightning_Brian, thank you!
