{"id":60164,"date":"2015-06-29T12:00:15","date_gmt":"2015-06-29T11:00:15","guid":{"rendered":"https:\/\/www.transcend.org\/tms\/?p=60164"},"modified":"2015-06-24T14:01:34","modified_gmt":"2015-06-24T13:01:34","slug":"popular-security-software-came-under-relentless-nsa-and-gchq-attacks","status":"publish","type":"post","link":"https:\/\/www.transcend.org\/tms\/2015\/06\/popular-security-software-came-under-relentless-nsa-and-gchq-attacks\/","title":{"rendered":"Popular Security Software Came Under Relentless NSA and GCHQ Attacks"},"content":{"rendered":"<p><em>22 Jun 2015 &#8211; <\/em>The National Security Agency and its British counterpart, Government Communications Headquarters, have worked to subvert anti-virus and other security software in order to track users and infiltrate networks, according to documents from NSA whistleblower Edward Snowden.<\/p>\n<div id=\"attachment_60165\" style=\"width: 550px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/UK-US-locks-article-display-b-surveillance-flag-spying-nsa-gchq.jpg\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-60165\" class=\"size-full wp-image-60165\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/UK-US-locks-article-display-b-surveillance-flag-spying-nsa-gchq.jpg\" alt=\"Shutterstock\" width=\"540\" height=\"359\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/UK-US-locks-article-display-b-surveillance-flag-spying-nsa-gchq.jpg 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/UK-US-locks-article-display-b-surveillance-flag-spying-nsa-gchq-300x199.jpg 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><p id=\"caption-attachment-60165\" class=\"wp-caption-text\">Shutterstock<\/p><\/div>\n<p>The spy agencies have reverse engineered software products, sometimes under questionable legal authority, and monitored web and email traffic in 
order to discreetly thwart anti-virus software and obtain intelligence from companies about security software and users of such software. One security software maker repeatedly singled out in the documents is Moscow-based Kaspersky Lab, which has a holding registered in the U.K., claims more than 270,000 corporate clients, and says it protects more than 400 million people with its products.<\/p>\n<p>British spies aimed to thwart Kaspersky software in part through a technique known as software reverse engineering, or SRE, according to a top-secret warrant renewal request. The NSA has also studied Kaspersky Lab\u2019s software for weaknesses, obtaining sensitive customer information by monitoring communications between the software and Kaspersky servers, according to a draft top-secret report. The U.S. spy agency also appears to have examined emails inbound to security software companies flagging new viruses and vulnerabilities.<\/p>\n<p>The efforts to compromise security software were of particular importance because such software is relied upon to defend against an array of digital threats and is typically more trusted by the operating system than other applications, running with elevated privileges that allow more vectors for surveillance and attack. Spy agencies seem to be engaged in a digital game of cat and mouse with anti-virus software companies; the U.S. and U.K. have aggressively probed for weaknesses in software deployed by the companies, which have themselves exposed sophisticated state-sponsored malware.<\/p>\n<p>Anti-virus software is an ideal target for a would-be attacker, according to Joxean Koret, a researcher with Coseinc, a Singapore-based information security consultancy. \u201cIf you write an exploit for an anti-virus product you\u2019re likely going to get the highest privileges (root, system or even kernel) with just one shot,\u201d Koret told <em>The Intercept<\/em> in an email. 
\u201cAnti-virus products, with only a few exceptions, are years behind security-conscious client-side applications like browsers or document readers. It means that Acrobat Reader, Microsoft Word or Google Chrome are harder to exploit than 90 percent of the anti-virus products out there.\u201d<\/p>\n<p>(Disclosure: One of the authors of this report, Morgan Marquis-Boire, spoke at a Kaspersky Lab\u00a0<a target=\"_blank\" href=\"http:\/\/www.kaspersky.com\/about\/events\/industry\/sas2013\" >event<\/a> in Puerto Rico in 2013 and at <a target=\"_blank\" href=\"https:\/\/news.yahoo.com\/eyes-experts-reveal-police-hacking-methods-155417984--finance.html\" >another<\/a> in London in <a target=\"_blank\" href=\"https:\/\/press.kaspersky.com\/klcsd\/\" >2014<\/a>. He was not paid for either event, but the cost of his travel and accommodation were covered by the company.)<\/p>\n<p><strong>Reverse engineering Kaspersky software<\/strong><\/p>\n<p>According to a top-secret GCHQ <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/gchq-warrant-renewal\/\" >warrant renewal request<\/a> written in 2008 and published today by <em>The Intercept<\/em>, the British spy agency viewed Kaspersky software as an obstruction to its hacking operations and needed to reverse engineer it to find ways to neutralize the problem. Doing so required obtaining a warrant.<\/p>\n<p>\u201cPersonal security products such as the Russian anti-virus software Kaspersky continue to pose a challenge to GCHQ\u2019s CNE [Computer Network Exploitation] capability and SRE is essential in order to be able to exploit such software and to prevent detection of our activities,\u201d the warrant renewal request said. 
\u201cExamination of Kaspersky and other such products continues.\u201d The warrant renewal request also states that GCHQ reverse engineers anti-virus programs to assess their fitness for use by government agencies.<\/p>\n<p>The requested warrant, provided under Section 5 of the U.K.\u2019s 1994 Intelligence Services Act, must be renewed by a government minister every six months. The document published today is a renewal request for a warrant valid from July 7, 2008 until January 7, 2009. The request seeks authorization for GCHQ activities that \u201cinvolve modifying commercially available software to enable interception, decryption and other related tasks, or \u2018reverse engineering\u2019 software.\u201d<\/p>\n<p>Software reverse engineering, or \u201creversing,\u201d is a collection of techniques for deciphering and analyzing how a program operates. The process can be as simple as observing the flow of data into and out of the program, or as complex as analyzing the machine code \u2014 1s and 0s \u2014 to look into the software\u2019s inner workings, including portions of the code that are not explained in the manual or other program documentation. Put simply, it often means taking thousands of commands that instruct the computer exactly what to do and working backwards to translate them into a format that\u2019s more intelligible to a human being.<\/p>\n<p>Reversing is a common, often benign practice among software developers that can be used to enable software from different companies to interoperate or to identify security vulnerabilities before they can be exploited by third parties. Software makers, fearing piracy, hacking and intellectual property theft, often forbid the practice in licensing agreements and sometimes protect the most sensitive inner workings of their software with encryption. Governments have passed laws, with digital media in mind, that strictly circumscribe tampering with this encryption. 
Software companies have also sued to block reverse engineering as copyright infringement, arguing that it is illegal to make a copy of a program in violation of their restrictions on such copying.<\/p>\n<p>GCHQ felt it needed legal cover to conduct reverse engineering, writing in the warrant renewal application that the practice could otherwise be \u201cunlawful\u201d and amount to \u201ca copyright infringement or breach of contract.\u201d As we explore in a related story today, the warrant is legally questionable on several grounds, in\u00a0that it applies ISA section 5 to intellectual property for the first time, and GCHQ may be applying ISA section 5 to certain categories of domestic policing.<\/p>\n<p>It is unclear what GCHQ accomplished in its analysis of Kaspersky software, but GCHQ has repeatedly reverse engineered software to discover vulnerabilities. Rather than report the vulnerabilities to the companies, spy agencies have <a target=\"_blank\" href=\"http:\/\/www.wired.com\/2014\/04\/obama-zero-day\/\" >quietly stockpiled<\/a> numerous exploits for a wide range of commercial hardware and software, using\u00a0them to hack adversaries.<\/p>\n<p><strong>Collecting leaky data<\/strong><\/p>\n<p>The NSA, like GCHQ, has studied Kaspersky Lab\u2019s software for weaknesses. In 2008, an NSA research team discovered that Kaspersky software was transmitting sensitive user information back to the company\u2019s servers, which could easily be intercepted and employed to track users, according to a <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/kaspersky-user-agent-strings\/\" >draft of a top-secret report<\/a>.<\/p>\n<p>The information was embedded in \u201cUser-Agent\u201d strings included in the headers of Hypertext Transfer Protocol, or HTTP, requests. 
Such headers are typically sent at the beginning of a web request to identify the type of software and computer issuing the request.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/nsa-usa-gchq-kaspersky-user-agent-surveillance-spying-uk.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-60166\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/nsa-usa-gchq-kaspersky-user-agent-surveillance-spying-uk.png\" alt=\"nsa usa gchq kaspersky user agent surveillance spying uk\" width=\"540\" height=\"217\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/nsa-usa-gchq-kaspersky-user-agent-surveillance-spying-uk.png 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/nsa-usa-gchq-kaspersky-user-agent-surveillance-spying-uk-300x121.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><\/p>\n<p>According to the draft report, NSA researchers found that the strings could be used to uniquely identify the computing devices belonging to Kaspersky customers. They determined that \u201cKaspersky User-Agent strings contain encoded versions of the Kaspersky serial numbers and that part of the User-Agent string can be used as a machine identifier.\u201d They also noted that the \u201cUser-Agent\u201d strings may contain \u201cinformation about services contracted for or configurations.\u201d Such data could be used to passively track a computer to\u00a0determine if a target is running Kaspersky software and thus potentially susceptible to a particular attack without risking detection.<\/p>\n<p>In a statement emailed to <em>The Intercept<\/em>, Kaspersky Lab denied that its \u201cUser-Agent\u201d strings could be used against its customers. \u201cThe information is depersonalized and cannot be attributed to a specific user or company,\u201d the statement read. 
\u201cWe take all possible measures to protect this data from being compromised, for example through strong encryption.\u201d<\/p>\n<p>But Kaspersky\u2019s measures sometimes appear to fall short. In 2012, Twitter user @cryptoOCDrob <a target=\"_blank\" href=\"https:\/\/twitter.com\/cryptoOCDrob\/status\/227425366782914561\" >posted a screenshot<\/a> of Kaspersky software leaking unencrypted data while checking website reputation. Two years later, another Twitter user, Christopher Lowson, <a target=\"_blank\" href=\"https:\/\/twitter.com\/LowsonWebmin\/status\/509797827338588161\/photo\/1\" >claimed<\/a> that his email address, license key and other details were being sent by Kaspersky without encryption.<\/p>\n<p>Testing performed by <em>The Intercept<\/em> last month on a trial copy of \u201cKaspersky Small Business Security 4\u201d determined that, while some traffic was indeed encrypted, a detailed report of the host\u2019s hardware configuration and installed software was relayed back to Kaspersky entirely unencrypted. 
By\u00a0the time of publication, Kaspersky told\u00a0<em>The Intercept\u00a0<\/em>via email,\u00a0it was\u00a0unable to reproduce these results.<\/p>\n<div id=\"attachment_60167\" style=\"width: 710px\" class=\"wp-caption aligncenter\"><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/Screenshot-kaspersky-anti-virus-nsa-gchq-usa-uk-surveillance-spying.png\" ><img loading=\"lazy\" decoding=\"async\" aria-describedby=\"caption-attachment-60167\" class=\"wp-image-60167\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/Screenshot-kaspersky-anti-virus-nsa-gchq-usa-uk-surveillance-spying.png\" alt=\"Screenshot of unencrypted communication between Kaspersky\u2019s anti-virus software and remote Kaspersky servers\" width=\"700\" height=\"191\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/Screenshot-kaspersky-anti-virus-nsa-gchq-usa-uk-surveillance-spying.png 1024w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/Screenshot-kaspersky-anti-virus-nsa-gchq-usa-uk-surveillance-spying-300x82.png 300w\" sizes=\"auto, (max-width: 700px) 100vw, 700px\" \/><\/a><p id=\"caption-attachment-60167\" class=\"wp-caption-text\">Screenshot of unencrypted communication between Kaspersky\u2019s anti-virus software and remote Kaspersky servers<\/p><\/div>\n<p><strong>Email surveillance<\/strong><\/p>\n<p>Another way the NSA targets foreign anti-virus companies appears to be to monitor their email traffic for reports of new vulnerabilities and malware. A 2010 presentation on \u201c<a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/project-camberdada-nsa\/\" >Project CAMBERDADA<\/a>\u201d shows the content of an email flagging a malware file, which was sent to various anti-virus companies by Fran\u00e7ois Picard of the Montr\u00e9al-based consulting and web hosting company NewRoma. 
The presentation of the email suggests that the NSA is reading such messages to discover new flaws\u00a0in anti-virus software.<\/p>\n<p>Picard, contacted by <em>The Intercept<\/em>, was unaware his email had fallen into the hands of the NSA. He said that he regularly sends out notification of new viruses and malware to anti-virus companies, and that he likely sent the email in question to at least two dozen such outfits. He also said he never sends such notifications to government agencies. \u201cIt is strange the NSA would show an email like mine in a presentation,\u201d he added.<\/p>\n<p>The NSA presentation goes on to state that its signals intelligence yields about 10 new \u201cpotentially malicious files per day for malware triage.\u201d This is a tiny fraction of the hostile software that is processed.\u00a0Kaspersky says it detects 325,000 new malicious files every day, and an internal GCHQ document indicates that its own system \u201ccollect[s] around <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/ndist-gchqs-developing-cyber-defence-mission\/\" >100,000,000 malware events per day<\/a>.\u201d<\/p>\n<p>After obtaining the files, the NSA analysts \u201c[c]heck Kaspersky AV to see if they continue to let any of these virus files through their Anti-Virus product.\u201d The NSA\u2019s Tailored Access Operations unit \u201ccan repurpose the malware,\u201d presumably before the anti-virus software has been updated to defend against the threat.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/tao-540x242-nsa-gchq-usa-uk-surveillance-spying-kaspersky.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-60168\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/tao-540x242-nsa-gchq-usa-uk-surveillance-spying-kaspersky.png\" alt=\"tao-540x242 nsa gchq usa uk surveillance spying kaspersky\" width=\"540\" height=\"242\" 
srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/tao-540x242-nsa-gchq-usa-uk-surveillance-spying-kaspersky.png 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/tao-540x242-nsa-gchq-usa-uk-surveillance-spying-kaspersky-300x134.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><\/p>\n<p>The Project CAMBERDADA presentation lists 23 additional AV companies from all over the world under \u201cMore Targets!\u201d Those companies include Check Point software, a pioneering maker of corporate firewalls based in Israel, whose government is a U.S. ally. Notably omitted are the American anti-virus brands McAfee and Symantec and the British company Sophos.<\/p>\n<p><a href=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/moar-targets-540x405-kaspersky-usa-uk-nsa-gchq-surveillance-spying.png\" ><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-60169\" src=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/moar-targets-540x405-kaspersky-usa-uk-nsa-gchq-surveillance-spying.png\" alt=\"moar-targets-540x405 kaspersky usa uk nsa gchq surveillance spying\" width=\"540\" height=\"405\" srcset=\"https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/moar-targets-540x405-kaspersky-usa-uk-nsa-gchq-surveillance-spying.png 540w, https:\/\/www.transcend.org\/tms\/wp-content\/uploads\/2015\/06\/moar-targets-540x405-kaspersky-usa-uk-nsa-gchq-surveillance-spying-300x225.png 300w\" sizes=\"auto, (max-width: 540px) 100vw, 540px\" \/><\/a><\/p>\n<p>There is a certain logic to monitoring reports flowing into anti-virus companies. Such reports include new malware, which can potentially be re-purposed, and intelligence about hostile actors. What\u2019s more, information about security vulnerabilities in the AV software itself can be harvested. 
Anti-virus companies commonly, though not always, respond slowly to such reports, leaving a window in which spy agencies can potentially exploit these flaws. A 2012 <a target=\"_blank\" href=\"https:\/\/lock.cmpxchg8b.com\/sophailv2.pdf\" >report<\/a> from Google security engineer\u00a0Tavis Ormandy documented how, after alerting Sophos to multiple security vulnerabilities in its anti-virus software, the firm estimated it would require six months to patch all of the bugs. That estimate was later revised down to 60 days for the entire set of fixes, according to Ormandy.<\/p>\n<p>It\u2019s not clear exactly how many reports like Ormandy\u2019s have been piling up at anti-virus companies. But Koret, the security researcher, suggests that most AV companies have serious problems in this area. \u201cDuring a period of ~1 year I researched more or less 17 AV\u00a0engines,\u201d he wrote in an email. \u201cI found vulnerabilities in 14 AV engines.\u201d<\/p>\n<p><strong>Anti-virus firms vs. intelligence agencies<\/strong><\/p>\n<p>As government spies have sought to evade anti-virus software, the anti-virus firms themselves have exposed malware created by government spies. Among them, Kaspersky appears to be the sharpest thorn in the side of government hackers. 
In the past few years, the company has proven to be a prolific hunter of state-sponsored malware, playing a role in the discovery and\/or analysis of various pieces of malware reportedly linked to government hackers, including the superviruses <a target=\"_blank\" href=\"http:\/\/www.washingtonpost.com\/world\/national-security\/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say\/2012\/06\/19\/gJQA6xBPoV_story.html\" >Flame<\/a>, which Kaspersky flagged in 2012; <a target=\"_blank\" href=\"http:\/\/bits.blogs.nytimes.com\/2012\/08\/09\/researchers-find-possible-state-sponsored-virus-in-mideast\/?_r=1\" >Gauss<\/a>, also detected in 2012; <a target=\"_blank\" href=\"http:\/\/www.kaspersky.com\/about\/news\/virus\/2010\/Stuxnet_Worm_Insight_from_Kaspersky_Lab\" >Stuxnet<\/a>, discovered by another company in 2010; and <a target=\"_blank\" href=\"http:\/\/bits.blogs.nytimes.com\/2014\/11\/24\/symantec-discovers-spy-code-lurking-on-computer-networks\/\" >Regin<\/a>, revealed by <a target=\"_blank\" href=\"http:\/\/www.symantec.com\/connect\/blogs\/regin-top-tier-espionage-tool-enables-stealthy-surveillance\" >Symantec<\/a>. In February, the Russian firm announced its biggest find yet: the \u201c<a target=\"_blank\" href=\"http:\/\/www.reuters.com\/article\/2015\/02\/16\/us-usa-cyberspying-idUSKBN0LK1QV20150216\" >Equation Group<\/a>,\u201d an organization that has deployed espionage tools widely believed to have been created by the NSA and hidden on hard drives from leading brands, according to Kaspersky. In a report, the company called it \u201cthe most advanced threat actor we have seen\u201d and \u201cprobably one of the most sophisticated cyber attack groups in the world.\u201d<\/p>\n<p>Hacks deployed by the Equation Group operated undetected for as long as 14 to 19 years, burrowing into the hard drive firmware of sensitive computer systems around the world, according to Kaspersky. 
Governments, militaries, technology companies, nuclear research centers, media outlets and financial institutions in 30 countries were among those reportedly infected. Kaspersky estimates that the Equation Group could have implants in tens of thousands of computers, but <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2014\/03\/12\/nsa-plans-infect-millions-computers-malware\/\" >documents published<\/a> last year by <em>The Intercept<\/em> suggest the NSA was scaling up their implant capabilities to potentially infect millions of computers with malware.<\/p>\n<p>Kaspersky\u2019s adversarial relationship with Western intelligence services is sometimes framed in more sinister terms; the firm has been accused of <a target=\"_blank\" href=\"http:\/\/www.wired.com\/2012\/07\/ff_kaspersky\/\" >working too closely<\/a> with the Russian intelligence service FSB. That accusation is partly due to the company\u2019s apparent success in uncovering NSA malware, and partly due to the fact that its founder, Eugene Kaspersky, was educated by a KGB-backed school in the 1980s before\u00a0working for the Russian military.<\/p>\n<p>Kaspersky has repeatedly denied the insinuations and accusations. In a <a target=\"_blank\" href=\"https:\/\/eugene.kaspersky.com\/2015\/03\/20\/a-practical-guide-to-making-up-a-sensation\/\" >recent blog post<\/a>, responding to <a target=\"_blank\" href=\"http:\/\/www.bloomberg.com\/news\/articles\/2015-03-19\/cybersecurity-kaspersky-has-close-ties-to-russian-spies\" >a Bloomberg article<\/a>, he complained that his company was being subjected to \u201csensationalist \u2026 conspiracy theories,\u201d sarcastically noting that \u201cfor some reason they forgot our reports\u201d on\u00a0an array of malware that trace back to Russian developers.<\/p>\n<p>He continued, \u201cIt\u2019s very hard for a company with Russian roots to become successful in the\u00a0U.S., European and other markets. 
Nobody trusts us \u2014 by default.\u201d<\/p>\n<p>Kaspersky Lab openly cooperates with multiple international law enforcement agencies on cybercrime cases, but no inappropriate links to the FSB have ever been proven.\u00a0Meanwhile, <a target=\"_blank\" href=\"http:\/\/www.thenation.com\/article\/208481\/how-private-contractors-have-created-shadow-nsa\" >cozy<\/a> <a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/05\/12\/intelligence-industry-cash-flows-media-echo-chamber-defending-nsa-surveillance\/\" >relationships<\/a> <a target=\"_blank\" href=\"http:\/\/www.wired.com\/2012\/04\/shady-companies-nsa\/all\/1\" >with<\/a> intelligence agencies are not uncommon among Western technology companies. The CIA-backed venture capital firm In-Q-Tel has helped build over 200 tech start-ups, including cybersecurity firms FireEye and ReversingLabs and big data intelligence firms Palantir and Recorded Future. <a target=\"_blank\" href=\"http:\/\/www.theguardian.com\/world\/2013\/jun\/06\/us-tech-giants-nsa-data\" >Previous reporting<\/a> from the Snowden archive has shown that Microsoft, Google, Yahoo, Facebook, Apple, AOL and PalTalk all <a target=\"_blank\" href=\"http:\/\/www.theguardian.com\/world\/2013\/jul\/11\/microsoft-nsa-collaboration-user-data\" >actively participated<\/a> in the NSA\u2019s PRISM surveillance program.<\/p>\n<p>No stranger to targeted cyberattacks, Kaspersky Lab\u00a0<a target=\"_blank\" href=\"https:\/\/securelist.com\/blog\/research\/70504\/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns\/\" >announced<\/a>\u00a0earlier this month that it\u00a0had been the victim of a sophisticated intrusion. In an email, Kaspersky Lab told <em>The Intercept<\/em>, \u201cIt is extremely worrying that government organizations would be targeting us instead of focusing resources against legitimate adversaries, and working to subvert security software that is designed to keep us all safe. 
However, this doesn\u2019t come as a surprise. We have worked hard to protect our end users from all types of adversaries. This includes both common cyber-criminals or nation state-sponsored cyber-espionage operations.\u201d<\/p>\n<p>When asked for comment, the NSA and GCHQ declined to respond on the record to the specifics of this story.<\/p>\n<p>______________________________<\/p>\n<p><em>Documents published with this article:<\/em><\/p>\n<ul>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/kaspersky-user-agent-strings\/\" >Kaspersky User-Agent Strings \u2014 NSA<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/project-camberdada-nsa\/\" >Project CAMBERDADA \u2014 NSA<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/ndist-gchqs-developing-cyber-defence-mission\/\" >NDIST \u2014 GCHQ\u2019s Developing Cyber Defence Mission<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/gchq-warrant-renewal\/\" >GCHQ Application for Renewal of Warrant GPW\/1160<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/software-reverse-engineering-gchq\" >Software Reverse Engineering \u2014 GCHQ<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/reverse-engineering-gchq-wiki\/\" >Reverse Engineering \u2014 GCHQ Wiki<\/a><\/em><\/li>\n<li><em><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/document\/2015\/06\/22\/malware-reverse-engineering\/\" >Malware Analysis &amp; Reverse Engineering \u2014 ACNO Skill Levels \u2014 GCHQ<\/a><\/em><\/li>\n<\/ul>\n<p><em>Email the authors: <a href=\"mailto:fishman@theintercept.com\">fishman@theintercept.com<\/a>, <a 
href=\"mailto:morgan@firstlook.org\">morgan@firstlook.org<\/a><\/em><\/p>\n<p><a target=\"_blank\" href=\"https:\/\/firstlook.org\/theintercept\/2015\/06\/22\/nsa-gchq-targeted-kaspersky\/\" >Go to Original \u2013 firstlook.org<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To thwart and extract hacks from anti-virus software companies, the spy agencies reverse engineered software, intercepted email and spied on web traffic. Kaspersky Lab was a major target.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[],"class_list":["post-60164","post","type-post","status-publish","format-standard","hentry","category-whistleblowing-surveillance"],"_links":{"self":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/60164","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/comments?post=60164"}],"version-history":[{"count":0,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/posts\/60164\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/media?parent=60164"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/categories?post=60164"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.transcend.org\/tms\/wp-json\/wp\/v2\/tags?post=60164"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}