NEW YORK — It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.
Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, Web browser, e-mail and file. There is good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.
By downloading security software, consumers also run the risk that an untrustworthy antivirus maker — or hacker or spy with a foothold in its systems — could abuse that deep access to track customers’ every digital movement.
“In the battle against malicious code, antivirus products are a staple,” said Patrick Wardle, chief research officer at Digita Security, a security company. “Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect.”
Wardle would know. A former hacker at the National Security Agency, Wardle recently succeeded in subverting antivirus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents.
Wardle’s curiosity was piqued by recent news that Russian spies had used Kaspersky antivirus products to siphon classified documents off the home computer of an NSA developer, and may have played a critical role in broader Russian intelligence gathering.
For years, intelligence agencies suspected that Kaspersky Lab’s security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward J. Snowden, the former NSA contractor, described a top-secret NSA effort in 2008 that concluded that Kaspersky’s software collected sensitive information off customers’ machines.
The documents showed Kaspersky was not the NSA’s only target. Future targets included nearly two dozen other foreign antivirus makers, including Checkpoint in Israel and Avast in the Czech Republic.
At the NSA, analysts were banned from using Kaspersky antivirus software because of the risk it would give the Kremlin broad access to their machines and data. But outside NSA headquarters at Fort Meade in Maryland, Kaspersky still managed to secure contracts with nearly two dozen US government agencies over the past few years.
In September, the Department of Homeland Security ordered all federal agencies to cease using Kaspersky products because of the threat that Kaspersky’s products could “provide access to files.”
In October, The New York Times reported that the Homeland Security directive was based, in large part, on intelligence shared by Israeli intelligence officials who successfully hacked Kaspersky Lab in 2014 and looked on for months as Russian government hackers scanned computers belonging to Kaspersky customers around the world for top secret US government classified programs.
In at least one case, US officials claimed Russian intelligence officials were successful in using Kaspersky’s software to pull classified documents off a home computer belonging to Nghia H. Pho, an NSA developer who had installed Kaspersky’s antivirus software on his home computer. Pho pleaded guilty in 2017 to bringing home classified documents and writings, and has said he only brought the files home in an attempt to expand his résumé.
Kaspersky continues to deny that it knew about the scanning for classified US programs or allowed its antivirus products to be used by Russian intelligence. Eugene Kaspersky, the company’s chief executive, has said he would allow the US government to inspect his company’s source code to allay distrust of its antivirus and security products.
But Wardle discovered, in reverse-engineering Kaspersky antivirus software, that a simple review of its source code would do nothing to prove its products have not been used as a Russian intelligence-gathering tool.
Wardle found that Kaspersky’s antivirus software is incredibly complex. Traditional antivirus software uses digital “signatures” to look for malicious code and patterns of activity. Kaspersky’s signatures, by contrast, are easily updated, can be automatically pushed out to certain clients, and contain code that can be tweaked to do things such as automatically scanning for and siphoning off classified documents.
In short, Wardle found, “Antivirus could be the ultimate espionage spying tool.”
Wardle said it was relatively easy to use a vulnerability in Microsoft’s Windows software to manipulate the Kaspersky software. Because officials routinely classify top secret documents with the marking “TS/SCI,” which stands for “Top Secret/Sensitive Compartmented Information,” Wardle added a rule to Kaspersky’s antivirus program to flag any documents that contained the “TS/SCI” marker.
He then edited a document on his computer containing text from the Winnie the Pooh children’s book series to include the marking “TS/SCI” and waited to see whether Kaspersky’s tweaked antivirus product would catch it.
Sure enough, as soon as the Winnie the Pooh text was saved to his machine, Kaspersky’s antivirus software flagged and quarantined the document. When he added the same TS/SCI marker to another document containing the text, “The quick brown fox jumps over the lazy dog,” it too was flagged and quarantined by Kaspersky’s tweaked antivirus program.
“Not a whole lot of surprise that this worked,” Wardle said, “but still neat to confirm that an antivirus product can be trivially, yet surreptitiously, used to detect classified documents.”
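The point of the experiment is that a content signature is just a pattern match: an engine cannot tell a rule that hunts for a document marking from one that hunts for malware. The following is an added, constructed model of that mechanism (not Kaspersky’s engine or Wardle’s code) with a defender-side check bolted on: any signature that fires on known-benign prose is hunting for documents rather than malicious code and should be reviewed before an update is allowed to reach endpoints. All signature names, patterns and documents are made up for the example.

```python
from dataclasses import dataclass


@dataclass
class Signature:
    """A content signature: the engine flags any file containing `pattern`."""
    name: str
    pattern: bytes
    action: str = "quarantine"  # what the engine does on a hit (simplified)


# Constructed signature set. The first two resemble ordinary malware rules;
# the third is the kind of rule described in the article: it matches a
# classification marking, not malicious code, yet the engine treats it the same.
SIGNATURES = [
    Signature("Win32.DosStub", b"This program cannot be run in DOS mode"),
    Signature("Script.EncodedPS", b"powershell -EncodedCommand"),
    Signature("Doc.MarkerHunt", b"TS/SCI"),
]

# Constructed benign documents in the spirit of the experiment: ordinary prose
# with the marking pasted in, plus one document without it.
BENIGN_CORPUS = {
    "pooh.txt": b"TS/SCI\nA bear of very little brain went looking for honey.",
    "fox.txt": b"The quick brown fox jumps over the lazy dog. TS/SCI",
    "notes.txt": b"Grocery list: eggs, flour, honey.",
}


def scan(content: bytes, signatures=SIGNATURES):
    """Return (signature name, action) for every signature found in content."""
    return [(s.name, s.action) for s in signatures if s.pattern in content]


def vet_signatures(signatures=SIGNATURES, corpus=BENIGN_CORPUS):
    """Defender-side review of a signature set before deployment.

    Returns {signature name: [benign files it fires on]}. A signature that
    matches plain prose is not detecting malware and deserves scrutiny."""
    suspicious = {}
    for sig in signatures:
        hits = [name for name, body in corpus.items() if sig.pattern in body]
        if hits:
            suspicious[sig.name] = hits
    return suspicious


if __name__ == "__main__":
    for name, body in BENIGN_CORPUS.items():
        print(name, scan(body))
    print("signatures firing on benign documents:", vet_signatures())
```

Running the vetting step against a larger corpus of your own known-good documents is the practical version of this check; a rule that matches any of them is a rule to question.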
The next question was: What happens to these files once they are flagged? Wardle stopped short of hacking into Kaspersky’s cloud servers, where suspicious files are routinely uploaded.
However, he noted that antivirus customers, including Kaspersky’s, agree by default to allow security vendors to send anything from their machine back to vendors’ servers for further investigation.
There are legitimate reasons for this: By uploading these items to Kaspersky’s cloud, security analysts can evaluate whether they pose a threat, and update their signatures as a result.
Kaspersky Lab said Wardle’s research did not reflect how the company’s software works. “It is impossible for Kaspersky Lab to deliver a specific signature or update to only one user in a secret, targeted way because all signatures are always openly available to all our users; and updates are digitally signed, further making it impossible to fake an update,” the company said in a statement.