[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Rick Ledgett Claims NSA’s Malware Isn’t Malware

I was beginning to be persuaded by all the coverage of Kaspersky Labs that they did something unethical with their virus scans.

Until I read this piece from former NSA Deputy Director Rick Ledgett. In it, he defines the current scandal as Kaspersky being accused of obtaining NSA hacking tools via its anti-virus.

Kaspersky Lab has been under intense fire recently for allegedly using, or allowing Russian government agents to use, its signature anti-virus software to retrieve supposed National Security Agency tools from the home computer of an NSA employee.

He then describes both Jeanne Shaheen’s efforts to prohibit KAV use on government computers, and Eugene Kaspersky’s efforts to defend his company. Ledgett than describes how anti-virus works, ending with the possibility that an AV company can use its filters to search on words like “secret” or “confidential” or “proprietary” (as if NSA’s hacking tools were only classified proprietary).

This all makes perfect sense for legitimate anti-virus companies, but it’s also a potential gold mine if misused. Instead of looking for signatures of malware, the software can be instructed to look for things like “secret” or “confidential” or “proprietary”—literally anything the vendor desires. Any files of interest can be pulled back to headquarters under the pretext of analyzing potential malware.

He then claims that’s what Kaspersky is accused of doing.

So that is what Kaspersky has been accused of doing: using (or allowing to be used) its legitimate, privileged access to a customer’s computer to identify and retrieve files that were not malware.

Except, no, it’s not.

The only things Kaspersky is accused of having retrieved are actual hacking tools. Which, if anyone besides the NSA were to use them, would obviously be called malware. As Kim Zetter explains KAV and other AV firms use silent signatures to search for malware.

Silent signatures can lead to the discovery of new attack operations and have been used by Kaspersky to great success to hunt state-sponsored threats, sometimes referred to as advanced persistent threats, or APTs. If a Kaspersky analyst suspects a file is just one component in a suite of attack tools created by a hacking group, they will create silent signatures to see if they can find other components related to it. It’s believed to be the method Kaspersky used to discover the Equation Group — a complex and sophisticated NSA spy kit that Kaspersky first discovered on a machine in the Middle East in 2014.

It’s unclear whether Kaspersky found the malware by searching on “TS/SCI,” actual tool names (which NSA stupidly uses in its code), or code strings that NSA reuses from one program to another.

“[D]ocuments can contain malware — when you have things like macros and zero-days inside documents, that is relevant to a cybersecurity firm,” said Tait, who is currently a cybersecurity fellow at the Robert S. Strauss Center for International Security and Law at the University of Texas at Austin. “What’s not clear from these stories is what precisely it was that they were looking for. Are they looking for a thing that is tied to NSA malware, or something that clearly has no security relevance, but intelligence relevance?”

If Kaspersky was searching for “top secret” documents that contained no malicious code, then Tait said the company’s actions become indefensible.

“In the event they’re looking for names of individuals or classification markings, that’s not them hunting malware but conducting foreign intelligence. In the event that the U.S. intelligence community has reason to believe that is going on, then they should … make a statement to that effect,” he said, not leak anonymously to reporters information that is confusing to readers.

Kaspersky said in a statement to The Intercept that it “has never created any detection in its products based on keywords like ‘top secret’, or ‘classified.’”

One thing no one has discussed is whether Kaspersky could have searched on NSA’s encryption, because that’s how Kaspersky has always characterized NSA’s tools, by their developers’ enthusiasm for encryption.

In any case, what’s clear is no one would ever find a piece of NSA malware by searching on the word “proprietary,” so we can be sure that’s a bogus accusation.

I asked Susan Hennessey on Twitter, and she confirms that NSA did a prepublication review of this, so any “new” news in this is either bullshit (as the claim Kaspersky searched on the word “proprietary” surely is) or “no[t] inadvertent declassification,” meaning NSA wanted Ledgett to break new news.

Which I take to mean that Ledgett is pretending that NSA’s malware is not malware but … Democracy Ponies or something like that. American exceptionalism, operating at the level of code.

Anyway, Ledgett goes on to suggest that Kaspersky can get beyond this taint by agreeing to let others spy on their malware detection to make sure it’s all legit. Except that is precisely what we’re all worried Russia did against Kaspersky, find malware as it transited from the TAO guy back to Kaspersky’s servers!

If Eugene Kaspersky really wanted to assuage the fears of customers and potential customers, he would instead have all communications between the company’s servers and the 400 million or so installations on client machines go through an independent monitoring center. That way evaluators could see what commands and software updates were going from Kaspersky headquarters to those clients and what was being sent back in response. Of course, the evaluators would need to sign non-disclosure agreements to protect Kaspersky’s intellectual property, but they would be expected to reveal any actual misuse of the software. It’s a bold idea, but it’s the only way anyone can be sure of what the company is actually doing, and the only real way to regain trust in the marketplace. Let’s see if he does it.

What are the chances that NSA would have this “independent monitoring center” pwned within 6 hours, if it really even operated independently of NSA?

Like I said, I was beginning to be persuaded that Kaspersky did something wrong. But this Ledgett piece leads me to believe this is just about American exceptionalism, just an attempt to protect NSA’s spying from one of the few AV companies that will dare to spy on it.

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Conflicting Homework Explanations in Three Kaspersky Stories

There are now three versions of the Kaspersky story from yesterday, reporting that a TAO employee brought files home from work and used them on his laptop running Kaspersky AV, which ultimately led to Russia getting the files. I’m interested in the three different explanations for why he brought the files home.

WSJ says he brought them home “possibly to continue working beyond his normal office hours.”

People familiar with the matter said he is thought to have purposely taken home numerous documents and other materials from NSA headquarters, possibly to continue working beyond his normal office hours.

WaPo (which has been reporting on this guy since last November) says he brought files he was working on to replace ones burned by Snowden.

The employee had taken classified material home to work on it on his computer,


The material the employee took included hacking tools he was helping to develop to replace ­others that were considered compromised following the breach of NSA material by former contractor Edward Snowden, said one individual familiar with the matter.

NYT says he brought files home to refer to as he worked on his resume.

Officials believe he took the material home — an egregious violation of agency rules and the law — because he wanted to refer to it as he worked on his résumé

While the WSJ and WaPo stories don’t conflict, they are different, with the poignant detail that NSA lost hacking files even as it tried to replace Snowden ones.

Meanwhile, none of these stories say this guy got any punishment besides removal from his job (from all his jobs? does he still work for the US government?). And while the NYT says prosecutors in Maryland are “handling” his case, they don’t believe he has been charged.

While federal prosecutors in Maryland are handling the case, the agency employee who took the documents home does not appear to have been charged.

But all of these stories go way too easy on this guy, as compared to the way sources would treat any other person (aside from James Cartwright) caught improperly handling classified information. As the WSJ makes clear, Admiral Rogers — not this guy — was supposed to lose his job as a result of this breach.

Then-Defense Secretary Ash Carter and then-Director of National Intelligence James Clapper pushed President Barack Obama to remove Adm. Rogers as NSA head, due in part to the number of data breaches on his watch, according to several officials familiar with the matter.

So I suspect there is a more complex story about why he had these files at home, if that’s in fact what he did.

Remember, NSA’s hackers don’t launch attacks sitting in Fort Meade. They launch the attacks from some other location. Both Shadow Brokers

We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons.

And WikiLeaks have said that’s how they got their US hacking files.

Recently, the CIA lost control of the majority of its hacking arsenal including malware, viruses, trojans, weaponized “zero day” exploits, malware remote control systems and associated documentation. This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA. The archive appears to have been circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.

In other words, I suspect at least part of this story is an attempt to package this compromise (which is not the Shadow Brokers source, but may be the same method) in a way that doesn’t make the NSA look totally incompetent.

Update: In this thread, Jonathan Nichols points out that the Vulnerabilities Equities Process has a big loophole.

Vulnerabilities identified during the course of federally-sponsored open and unclassified research, whether in the public domain or at a government agency, FFRDC, National Lab, or other company doing work on behalf of the USG need not be put through the process. Information related to such vulnerabilities, however, does require notification to the Executive Secretariat, which shall notify process participants for purposes of general USG awareness.

That is, one way to avoid the VEP process altogether (and therefore potential notice to companies) is to conduct the research to develop the systems on unclassified systems. Which would be an especially big problem if you were running KAV.

Which might also explain why none of the stories explaining how this guy’s files got compromised make sense.

Three Things: Killing Oil, Too Money, Kaspersky’s World

Too much going on here today but the existing threads are getting too deep and a couple are drifting off-topic. Here’s three quick things to chew on and an open thread.

~ 3 ~

The marketplace will bring death to oil long before the government. (Bloomberg). But will governments — US and oil-producing countries alike — get in the way of alternative energy in spite of the market demanding more alternatives to fossil fuels? With this trend away from combustion engines pressing on them, fossil fuel producers are shifting toward increased LNG for use in electricity production; this only shifts CO2 creation from vehicles to power plants. Will the market put an end to that, too?

~ 2 ~

There’s too much money out there if Delta can order multiple planes configured for all-first class service. I just spoke with a friend earlier today about round-trip fares from a major Midwest airport to major cities in Europe; they were quite high even with a departure date more than a month out, and higher than they had seen in a while. Fuel prices haven’t increased that much over the last year; low oil prices are threatening pipelines as financing construction costs more than the return on oil. Somewhere between slack fuel prices, firm fares and demand, Delta’s making enough money to build these let-them-eat-cake planes.

One could argue that if buyers have the money they can have whatever they want — except that taxpayers finance the infrastructure including essential safety regulatory system which will now protect the few and not the many while increasing congestion. Too money — somebody needs to pay more taxes to support the infrastructure they’re using.

~ 1 ~

Kaspersky Labs is releasing around the globe a free version of their antivirus software (Reuters). It won’t replace the paid version of their AV software, providing only very basic protection. I’m not using it, though, for two reasons: if it’s like Kaspersky’s existing free tool, it will send messages back to the parent company about infections it finds — and possibly more. Congress and the U.S. intelligence community may have concerns about Kaspersky Lab’s vulnerability to the Russian government; I’m more concerned about Kaspersky Lab having been breached at least once in 2015, compromising data in their systems. Your mileage may vary; use under advisement.

~ 0 ~

That’s it for now. This is an open thread. Behave.

P.S. The fight against attacks on the health care system isn’t over. Call your senator at (202) 224-3121. Other tools for your use in this post.

Cyber-spawn Duqu 2.0: Was Malware Infection ‘Patient Zero’ Mapped?

Cybersecurity_MerrillCollegeofJournalismKaspersky Lab reported this morning a next-generation version of Duqu malware infected the information security company’s network.

Duqu is a known reconnaissance malware. Its complexity suggests it was written by a nation-state. The malware appears closely affiliated with the cyber weapon malware Stuxnet.

WSJ reported this particular version may have been used to spy on the P5+1 talks with Iran on nuclear development. Dubbed ‘Duqu 2.0,’ the malware may have gathered audio, video, documents and communications from computers used by talk participants.

Ars Technica reported in depth on Kaspersky’s discovery of the malware and its attributes. What’s really remarkable in this iteration is its residence in memory. It only exists as a copy on a drive at the first point of infection in a network, and can be wiped remotely to destroy evidence of its occupation.

The infosec firm killed the malware in their networked devices by mimicking a power outage. They detached from their network suspect devices believed to contain an infecting copy.

Kaspersky’s Patient Zero was a non-technical employee in Asia. Duqu 2.0 wiped traces of its own insertion from the PC’s drive.

Neither WSJ or Ars Technica noted Kaspersky’s network must have been subject to a program like TREASUREMAP.

…Because the rest of the data remained intact on the PC and its security patches were fully up to date, researchers suspect the employee received a highly targeted spear phishing e-mail that led to a website containing a zero-day exploit. … (bold mine – source: Ars Technica)

How was a single non-technical point of contact in Asia identified as a target for an infected email? Read more

You Were Warned: Cybersecurity Expert Edition — Now with Space Stations

Over the last handful of days breathless reports may have crossed your media streams about Stuxnet infecting the International Space Station.

The reports were conflations or misinterpretations of cybersecurity expert Eugene Kaspersky’s recent comments before the Australian Press Club in Canberra. Here’s an excerpt from his remarks, which you can enjoy in full in the video embedded above:

[26:03] “…[government] departments which are responsible for the national security for national defense, they’re scared to death. They don’t know what to do. They do understand the scenarios. They do understand it is possible to shut down power plants, power grids, space stations. They don’t know what to do. Uh, departments which are responsible for offense, they see it as an opportunity. They don’t understand that in cyberspace, everything you do is [a] boomerang. It will get back to you.

[26:39] Stuxnet, which was, I don’t know, if you believe American media, it was written, it was developed by American and Israel secret services, Stuxnet, against Iran to damage Iranian nuclear program. How many computers, how many enterprises were hit by Stuxnet in the United States, do you know? I don’t know, but many.

Last year for example, Chevron, they agreed that they were badly infected by Stuxnet. A friend of mine, work in Russian nuclear power plant, once during this Stuxnet time, sent a message that their nuclear plant network, which is disconnected from the internet, in Russia there’s all that this [cutting gestures, garbled], so the man sent the message that their internal network is badly infected with Stuxnet.

[27:50] Unfortunately these people who are responsible for offensive technologies, they recognize cyber weapons as an opportunity. And a third category of the politicians of the government, they don’t care. So there are three types of people: scared to death, opportunity, don’t care.”

He didn’t actually say the ISS was infected with Stuxnet; he only suggested it’s possible Stuxnet could infect devices on board. Malware infection has happened before when a Russian astronaut brought an infected device used on WinXP machines with her to the station.

But the Chevron example is accurate, and we’ll have to take the anecdote about a Russian nuclear power plant as fact. We don’t know how many facilities here in the U.S. or abroad have been infected and negatively impacted as only Chevron to date has openly admitted exposure. It’s not a stretch to assume Stuxnet could exist in every manner of facility using SCADA equipment combined with Windows PCs; even the air-gapped Russian nuclear plant, cut off from the internet as Kaspersky indicates, was infected.

The only thing that may have kept Stuxnet from inflicting damage upon infection is the specificity of the encrypted payload contained in the versions released in order to take out Iran’s Natanz nuclear facility. Were the payload(s) injected with modified code to adapt to their host environs, there surely would have been more obvious enterprise disruptions.

In other words, Stuxnet remains a ticking time bomb threatening energy and manufacturing production at a minimum, and other systems like those of the ISS at worst case. Read more