Info Security Firms and Their Antivirus Software Monitored (Hacked?) by NSA, GCHQ

[NSA slide indicated info sec AV firms targeted for surveillance]

Let’s call this post a work in progress. I’m still reading through a pile of reporting from different outlets to see if it’s all the same information but rebranded, or if there’s a particular insight one outlet picked up, missed by the rest. Here are a few I’ve been working on today:

7:03 am – Popular Security Software Came Under Relentless NSA and GCHQ Attacks (The Intercept)

7:12 am – US and British Spies Targeted Antivirus Companies (WIRED)

9:48 am – Spies are cracking into antivirus software, Snowden files reveal (The Hill)

12:18 pm – GCHQ has legal immunity to reverse-engineer Kaspersky antivirus, crypto (Ars Technica-UK)

12:57 pm* – US, UK Intel agencies worked to subvert antivirus tools to aid hacking [Updated] (Ars Technica) (*unclear if this is original post time or time update posted)

~3:00 pm – NSA Has Reverse-Engineered Popular Consumer Anti-Virus Software In Order To Track Users (TechCrunch)
(post time is approximate as site only indicates rounded time since posting)

The question I don’t think anyone can answer yet is whether the hack of Kaspersky Lab using Duqu 2.0 was part of the effort by NSA or GCHQ, versus another nation-state. I would not be surprised if the cover over this operation was as thin as letting the blame fall on another entity. We’ve seen this tissue paper-thin cover before with Stuxnet.

For the general public, it’s important to note two things:

— Which firms were not targeted (that we know of);

— Understand the use of viruses and other malware that already threaten and damage civilian computing systems only creates a bigger future threat to civilian systems.

Once a repurposed and re-engineered exploit has been discovered, the changes to it are quickly shared, whether to those with good intentions or criminal intent. Simply put, criminals are benefiting from our tax dollars used to help develop their future attacks against us.

There’s a gross insufficiency of words to describe the level of shallow thinking and foresight employed in protecting our interests.

And unfortunately, the private sector cannot move fast enough to get out in front of this massive snowball of shite rolling towards it and us.

EDIT — 5:55 pm EDT —

And yes, I heard about the Polish airline LOT getting hit with a DDoS, grounding their flights. If the airline’s spokesman is correct and LOT has recent, state-of-the-art systems, this is only the first such attack.

But if I were to hear about electrical problems on airlines over the next 24-48 hours, I wouldn’t automatically attribute it to hacking. We’re experiencing effects of a large solar storm which may have caused/will cause problems over the last few hours for GPS, communications, electrical systems, especially in North America.

EDIT — 1:15 am EDT 23JUN2015 —

At 2:48 pm local time Christchurch, New Zealand’s radar system experienced a “fault” — whatever that means. The entire radar system for the country was down, grounding all commercial flights. The system was back up at 4:10 pm local time, but no explanation has yet been offered as to the cause of the outage. There were remarks in both social media and in news reports indicating this is not the first such outage; however, it’s not clear when the last fault was, or what the cause may have been at that time.

It’s worth pointing out the solar storm strengthened over the course of the last seven hours since the last edit to this post. Aurora had been seen before dawn in the southern hemisphere, and from northern Europe to the U.S. Tuesday evening into Wednesday morning. It’s possible the storm affected the radar system — but other causes like malware, hacking, equipment and human failure are also possibilities.

14 replies
  1. P J Evans says:

    SpaceWeather says:
    SEVERE GEOMAGNETIC STORM IN PROGRESS: A severe G4-class geomagnetic storm is in progress on June 22nd. This follows a series of rapid-fire CME strikes to Earth’s magnetic field during the past 24 hours. Magnetic fields in the wake of the latest CME are strongly coupled to Earth’s own magnetic field. This is a condition that could sustain the geomagnetic storm for many hours to come. High- and mid-latitude sky watchers should be alert for auroras tonight, especially during the hours around local midnight.

    • Rayne says:

      I can’t wait for after dark, best chance for aurora viewing during summer in as long as I can recall. I think you might even have a chance at viewing them where you are, PJ, given how strong the storm is. Hope the skies are clear there–they just cleared up here after a rainy afternoon.

      EDIT — 9:34 pm — Dammit, it cleared up after a storm, and then another storm rolled in. We’re going to miss aurora here. But there’s still an offhand chance northern IN and OH may see aurora if thunderstorm drifts northeast and not just east.

  2. jo6pac says:

    If the airline’s spokesman is correct and LOT has recent, state-of-the-art systems, this is only the first such attack.

    I know nothing of Poland but the chances of the above being true are 0.

    • Rayne says:

      I haven’t heard/read anything yet to suggest Poland’s LOT lags on computing & network equipment. Attaching to scheduling as used by major airlines requires some minimums, can’t believe they’re like XP in a Win10 world, as an example.

      If I had to come up with a suspect, I’d think nation-state like Russia, in retaliation for the recent report about US parking some equipment there as an ostensible show of support for Ukraine.

  3. wallace says:

    quote “And unfortunately, the private sector cannot move fast enough to get out in front of this massive snowball of shite rolling towards it and us.” unquote

    What a massive generalization. Meanwhile a few people in this country are putting their lives and future on the proverbial line in the 2nd Amendment sand to prove to the collectivist bureaucrats who would steal your liberty, stating once and for all that… “WE WILL NOT COMPLY with UN-constitutional laws and dictates of those who serve the coming Deep Surveillance State and its goals.”

  4. arbusto says:

    Of some interest was the crash of multiple iPads in many American Airlines aircraft. The iPad has been a major labor saving device for anything from enroute and approach plates to systems reference and emergency procedures in lieu of 50 lbs of paper per pilot. No clue on the crashes.

    In another sign of the wonders of computers in modern aircraft is the case of the errant Boeing 888, arguably the most advanced airliner in the world. Seems the FAA has mandated a hard reset of all computer systems annually. The reset involves powering down all systems and disconnection of all batteries and backup power, not a simple task.

    Can I catch a flight on a DC6?

    • Rayne says:

      The higher the altitude, the greater the exposure to radiation from solar storms. Wonder how Apple devices respond to greater than average x-ray and other radiation? Seems like iPhones would have problems as well as iPads. Sure hope it dawns on somebody to check this.

      Geomagnetic storm level reached G4 on 23JUN2015 (22JUN2015 EDT), was first or second largest event this year, one of the strongest for this solar maximum. Wonder if more Apple and other devices were affected yesterday/today? So far no negative news about airlines — I will take as good news.

      And still no info about cause of NZ radar outage, either.

  5. bloopie2 says:

    Solar storms causing network outages? Hmm … maybe someone has found a way to harness the power of the sun in a new and useful(?) manner.

  6. Stephen says:

    It’s not just the NSA and GCHQ which are targeting antivirus software. Months ago I uncovered evidence that my computer’s (non-Kaspersky) antivirus software had been penetrated by Chinese hackers.
    Strictly speaking, the evidence I uncovered was not for the antivirus software itself but for the software the antivirus software used to download updates from the antivirus software maker. What I found was that the software was trying to download those updates via a Chinese IP address using what I suppose to be a man-in-the-middle type approach!
    The very fact the antivirus software did not detect the intrusion and alert me does, however, suggest that it too had been compromised.
    Moral of the story: don’t put too much faith in antivirus software to defend your computer against intruders, a point Symantec, a leading antivirus product maker, itself reportedly told the WSJ back in May 2014. See:

    • Rayne says:

      Thanks, Stephen. Chinese attempt like that of any Five Eyes country very likely.

      But it’s also important to remember IP addresses can be spoofed. Any nation-state/criminal can incriminate other entity by way of spoofing. Ultimately doesn’t matter who did it; private sector/private individuals have lost all privacy.

Comments are closed.