Allegations that Russian intelligence agents somehow co-opted Kaspersky Lab's anti-virus software, enabling them to search PCs for intelligence, raise questions not just about the security of the Moscow-based security firm's products, but all anti-virus products.
To recap: Israeli intelligence allegedly hacked into Kaspersky Lab's network and found Russian intelligence was already monitoring the company's communications with endpoints, as well as running searches for interesting-looking files on customers' PCs. Cue questions about whether Moscow-based Kaspersky Lab knew or abetted those intelligence efforts.
The allegations are a reminder that all anti-virus software is designed to run at a deep level on a PC, which is required to ensure it can excise malicious code. But such capabilities could be misused. Anti-virus software typically also sends copies of suspicious-looking files back to the vendor, so its malware researchers, often working with their peers in other security firms, can study the malware and create signatures. These signatures then get pushed out to all endpoints to better protect them.
All Software Has Flaws
Despite the allegations leveled against Kaspersky Lab, many security experts say that anti-virus software likely has enough exploitable vulnerabilities in it that a security firm would not need to be co-opted (see Yes Virginia, Even Security Software Has Flaws).
And as Dubai-based incident response expert Matt Suiche has noted, any security vendor might be targeted by intelligence agencies seeking easy access to targets' PCs.
When it comes to Kaspersky Lab, we'll probably never know what happened. "I don't think you can ever prove beyond a reasonable doubt that Kaspersky colluded as an organization with any government. It would have been much easier to simply breach Kaspersky, look for reports from the product that might contain material of interest to the intelligence community and then zero in on those machines," says Alan Woodward, a computer science professor at the University of Surrey.
If one takes Kaspersky Lab at its word - that it is innocent - that raises the question of how the company's ability to monitor and communicate with endpoints might be abused. It also raises the question of whether other security firms are similarly at risk - and what they're doing to protect their operations and customers.
What Defenses In Place?
To understand the defenses that anti-virus firms have in place to prevent these types of hack attacks or other misuse, Information Security Media Group reached out to 17 firms that develop anti-virus software for endpoints and posed detailed questions.
So far, seven firms have responded. Avira (Germany), Emsisoft (New Zealand), F-Secure (Finland), Kaspersky Lab (Russia) and Panda (Spain) offered detailed responses to my questions.
Meanwhile, Trend Micro (Japan) declined to field the questions. So did Webroot (United States), with the company saying that doing so would involve "giving away sensitive and competitive information or commenting on competitors in the space." But Chad Bacher, Webroot's senior vice president of product and technology alliances, lauded market competition. "All endpoint security companies utilize different approaches to keep their customers safe, which benefits consumers by bringing a healthy competition to the market."
The Sound of Silence
Since first querying the 17 firms - multiple times if necessary, beginning on Oct. 6, except for Malwarebytes and Sophos, first queried on Oct. 11 - the following firms have not responded to the posed questions:
Avast (Czech Republic)
Bullguard (United Kingdom)
Malwarebytes (United States)
McAfee (United States)
Microsoft (United States)
Sophos (United Kingdom)
Symantec (United States)
VIPRE (United States)
6 Anti-Virus Questions
Here are the questions ISMG posed to all 17 anti-virus firms:
What steps do you take to secure suspicious file samples when they are transmitted from a user's PC to your researchers? For example, are all such communications encrypted?
Could outside attackers eavesdrop on those communications, and if so, how? What defenses are in place to prevent this?
Do you ever share copies of these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign?
For a user, is sharing suspicious files with your researchers optional? If so, do users "opt in" - or must they "opt out"?
Do you anonymize the source of suspicious files, and if so, how (and at which point[s] in the submission chain)?
Has your firm engaged in any marketing that suggests that Kaspersky Lab products are not reliable, and does it have any hard evidence - aside from U.S. media reports that cite anonymous sources - to back up these assertions?
"In view of the weaknesses we have seen in the supply chain in recent months, one might want to pay particular attention to what anti-virus software vendors say about how their back-end systems are protected," Woodward says.
Some firms, including Avira and F-Secure, note that they publish policies that spell out how they handle threat data and some of the above questions.
But here are the detailed responses received so far.
Avira says it encrypts all communications between endpoints and its back-end systems, including encrypted file transfer to submit suspicious files for real-time analysis. Company spokeswoman Olivia Ciubotariu says all this analysis is done using "dedicated and secured networks for the analysis" because every file sample is presumed to be malicious, and that users can opt out of this analysis. Avira says it has never shared these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign, and that all user data is anonymized.
"We anonymize all personal information before sending them to our database," Ciubotariu says. "The only purpose of Avira Protection Cloud is to protect our customers against widespread threats, and without violating data privacy."
Emsisoft says that by default, it does not transfer any suspicious files from a user's system to its cloud-based servers for analysis, but instead only transfers hashes of the file. This process is anonymous and active by default. "Any submissions of hashes are not linked with personal user information at any time, as the systems are separated," says Emsisoft's Holger Keller. "Users can opt out from participating in the Emsisoft Anti-Malware Network, which is our malware information cloud."
Users can, however, manually submit a suspicious file to Emsisoft, which triggers an SSL-only file transfer and creates a service ticket so that the company can respond to the user with its verdict on the file.
"[If] the user's computer is not compromised in the first place - i.e. with manipulated SSL certificate roots - we would consider transfers relatively safe," Keller tells Information Security Media Group. "Emsisoft intentionally does not make use of local SSL traffic interception, which seems to be a major security problem for a number of anti-virus vendors these days," he says (see Lenovo Slammed Over Superfish Adware).
File transfers are not anonymous, because Emsisoft needs to respond to the customer, although Keller says a user could provide fake contact details. "We have never shared any suspected malware files with any law enforcement or intelligence agencies," he adds.
F-Secure says it makes heavy use of encryption and anonymization. "All queries regarding file (hashes) or URL reputation made to our 'security cloud' are encrypted," Sean Sullivan, security adviser at F-Secure, tells ISMG. "Files/samples uploaded/submitted to us by our customers are also encrypted. All customer submissions are flagged as confidential in our sample management system. They are only re-categorized if we can see through our partnerships and threat intelligence that the files are in the wild."
Sullivan says F-Secure does not submit files to VirusTotal, although it does share samples with "trusted partners," but only for samples "which are classified as nonconfidential." Information on a suspect file on a PC, meanwhile, pings the company's cloud security gateway, which will respond if the required information is in its cache. If not, a database handling ID gets dispatched and a back-end query made, thus obscuring the origin of the request.
Sullivan says that in general, one must "opt out" of sharing data with F-Secure, but says this is possible with all products, including its free online scanner. He also says the company does not save IP addresses, but discards this information immediately, localizing to the country level, to help analysts trace malware outbreaks and infection counts at a regional level. Before files get submitted, path names get normalized, usernames changed to "username" or the equivalent and file path metadata cleaned.
Some intelligence and analysis does get shared with CERT-FI - the computer emergency response team for Finland - that may disseminate the information to law enforcement agencies, Sullivan says. "To my best knowledge, law enforcement agencies share with us, seeking our analysis, not the other way around," Sullivan says. He adds that any information shared with CERT-FI is anonymized and tends to focus on malware command-and-control information and "analysis of malware targeting specific targets within a country," rather than sample sharing.
Panda says it makes extensive use of encryption, which should block any attempt to eavesdrop on communications with endpoints. "The information sent is encrypted, and all communications are encrypted (HTTPS)," says Luis Corrons, technical director of PandaLabs, the firm's anti-malware laboratory.
"We only share malware files with other security companies, but that does not include files that have been found at a customer," Corrons says. "We do not have any share agreements with law enforcement or any intelligence agencies."
Kaspersky Lab's Response
A Kaspersky Lab spokeswoman tells ISMG that its Kaspersky Security Network is "an advanced cloud-based system that automatically processes cyber threat-related data received from millions of devices owned by Kaspersky Lab users across the world, who have voluntarily opted to use this system." It says this cloud-based approach is the one typically taken by larger IT security vendors.
"All communications between clients and Kaspersky Lab infrastructure are reliably encrypted," the spokeswoman says. "The company uses strong encryption, including algorithm RSA 2048 handshake and AES 256 data encryption."
The company says it makes extensive use of encryption, digital certificates, segregated storage and strict data access policies. Anonymization is widespread. "Actions to achieve this include deleting account details from transmitted URLs, obtaining hash sums of threats instead of the exact files, obscuring user IP addresses, etc." The company says it regularly reviews these practices to ensure they comply with legal rules and privacy regulations, such as the EU's General Data Protection Regulation.
Users can opt out of at least some types of information sharing. "Depending on the product, users have the option to switch it off (for corporate solutions) or to limit the amount of data sent through the security cloud (for home solutions)," Kaspersky Lab says.
From a privacy standpoint, the security firm says that for any collected information:
"The information is used in the form of aggregated statistics;
"Logins and passwords are filtered out from transmitted URLs, even if they are stored in the initial browser request from the user;
"When we process possible threat data, by default we do not use the suspicious file. Instead we use hash-sum, which is a one-way math function that provides a unique file identifier;
"Where possible, we obscure IP addresses and device information from the data received;
"The data is stored on separated servers with strict policies regarding access rights, and all the information transferred between the user and the cloud is securely encrypted."
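The client-side scrubbing steps that F-Secure and Kaspersky Lab describe (account names replaced in file paths, logins and passwords removed from URLs, a hash sent in place of the file) can be sketched as follows. This is an added example, not any vendor's code; the function names, the `SECRET_PARAMS` list and the home-directory patterns are assumptions made for illustration, and IP handling is left out because it happens on the receiving side.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names treated as credentials (assumed list for this example).
SECRET_PARAMS = {"password", "passwd", "pwd", "login", "user", "username", "token"}

# Home-directory prefixes on Windows and Unix-like systems (assumed patterns).
_HOME_RE = re.compile(
    r"(?i)^((?:[a-z]:)?[\\/](?:users|home|documents and settings)[\\/])[^\\/]+"
)


def normalize_path(path: str) -> str:
    """Replace the account name in a home-directory path with 'username'."""
    return _HOME_RE.sub(lambda m: m.group(1) + "username", path)


def scrub_url(url: str) -> str:
    """Drop userinfo (user:pass@), the fragment and credential-like parameters."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    if parts.port:
        host += f":{parts.port}"
    query = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
             if k.lower() not in SECRET_PARAMS]
    return urlunsplit((parts.scheme, host, parts.path, urlencode(query), ""))


def build_report(path: str, content: bytes, source_url: str) -> dict:
    """Build the record that leaves the endpoint: a hash, never the file body."""
    return {
        "sha256": hashlib.sha256(content).hexdigest(),
        "path": normalize_path(path),
        "source_url": scrub_url(source_url),
    }


# Constructed sample input, not real telemetry.
SAMPLE = build_report(
    r"C:\Users\alice.smith\Downloads\invoice.exe",
    b"constructed sample bytes",
    "https://alice:hunter2@files.example.com:8443/get?id=42&password=hunter2",
)
```

A hash alone still lets the receiver confirm that a known file is present on a machine, so this scrubbing limits what is disclosed about the user rather than hiding which files exist.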
Kaspersky Lab says it "routinely assists law enforcement agencies and governments by providing technical expertise on malware and cyberattacks," and it may share malware samples gathered by KSN with law enforcement agencies, at their request. "The sharing of samples with law enforcement agencies is dictated by the local laws by which Kaspersky Lab strictly abides," it says. "We don't share user data with any third party; the industrywide exchange is limited to malicious samples and aggregated statistics."
All but one of the security firms that offered answers to ISMG's questions say they do not share virus samples with Google's VirusTotal malware-scanning service.
Emsisoft says that "we exchange files and file information with VirusTotal if the source of a file doesn't generally object to that."
Comments: Allegations Against Kaspersky Lab
Avira, Emsisoft and F-Secure declined to comment on the allegations against Kaspersky Lab.
Panda, however, noted that "there is no real proof that Kaspersky Lab has been involved in any malicious activity" and said while Russia might attempt to security firm's product or cloud network, "it is a really unlikely scenario, although if there is some open conflict among both countries it could happen."
Emsisoft's Keller commented in more general terms, noting that "the conceptual problem of submitting files for deeper automated analysis doesn't only affect Kaspersky, but basically all anti-virus vendors." As malware grows more complicated, advanced analysis must typically be carried out on the server side. This can necessitate moving a copy of the file from a client onto a cloud-based server for analysis. "As those clouds are generally closed systems, nobody can tell for sure whether any files are redirected to intelligence services or just kept for statistical analysis as promised," he says.
To help mitigate any threats, Keller says, "sensitive data should be encrypted at all times" when interacting with cloud environments of any kind.
Who to Trust?
To be clear, posing questions to anti-virus firms doesn't mean that their software or back-end servers might not be co-opted now or in the future.
But the willingness of some firms to answer these types of questions may well become a factor for consumers and businesses around the world as they research which anti-virus firms they will trust to secure their systems (see Anti-Virus: Don't Stop Believing).
This report will be updated as more security firms respond.
Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.