<h1>Meanwhile in Russia, Kaspersky</h1>
<p>Posted 2017-10-05 at <a href="https://securitycurve.com/?p=593">securitycurve.com</a> (category: security).</p>
<p>It's funny… I was meaning to comment on Kaspersky for a while, but I kept putting it off. I put it off so long that a whole news cycle came around to which the draft I was putting together seems maybe useful again. And <em>voilà</em>… today's post about Kaspersky.</p>
<p>As of today, we have <a href="https://www.nbcnews.com/news/investigations/russian-hackers-stole-nsa-tools-contractor-who-used-kaspersky-software-n808101">anonymous reports saying that Russia obtained NSA information</a> (like, remember the <a href="https://securitycurve.com/shadowbroker-notice-probably-want-to-pay-attention/">ShadowBrokers thing</a>) using a copy of Kaspersky. It's unclear whether or not Kaspersky (the company, not the software) was specifically and purposefully involved in obtaining the information. But in truth, it's probably not good for their business either way.</p>
<p>This thing with Kaspersky has been <a href="https://securitycurve.com/kaspersky-goes-under-the-bus/">going on for a while</a> as folks might remember – back in July, for example, you might recall that the GSA removed Kaspersky from the list of approved products for US Government use because of suspected connections between the company and Russian intelligence. Then, <a href="https://en.wikipedia.org/wiki/Jeanne_Shaheen">Jeanne Shaheen</a> (Senior Granite State Senator) has said publicly that extensive ties exist and has introduced legislation that would <a href="https://www.theregister.co.uk/2017/09/06/banning_kaspersky_from_us_govt_computers/">prevent the use of Kaspersky products</a> on US Government computers.</p>
<p>My opinion? Look, I'm not into the conspiracy theories, but here's the deal. Remember that time that the <a href="https://en.wikipedia.org/wiki/RSA_BSAFE#Dual_EC_DRBG_backdoor">NSA paid RSA 10 million dollars to use the known-weak Dual_EC_DRBG as the default</a> in BSAFE? I do. If the NSA can get under the covers of RSA and manipulate them (a crypto company started by friggin mathematicians) to set <del>extreme foolishness</del> a potentially weak algorithm as the default, I feel pretty confident that Russia could get old Eugene to pull some shenanigans on his consumer AV product. Sound far-fetched? Maybe. But let's not forget that Eugene Kaspersky graduated from KGB school. He served with Soviet military intelligence and met his wife at a KGB resort. Is it far-fetched to think that someone might convince him to maybe accidentally-on-purpose make a string manipulation error in the software that's easily exploited? You could make this kind of thing look like an accident – to the point that even a code review (which he's offered to do) might either not catch it or might look like an unintentional error. If the NSA can get RSA to do it, I feel like someone could lean on Eugene enough (particularly if he knows them) to get him to do something similar.</p>
<p>As for me, I myself have always been a bit ambivalent about using Kaspersky. Like, IMHO, if you want to pay some vendor instead of using something free, more power to you. But I always figured people went into using Kaspersky with their eyes open, you know? Eugene has been pretty open about his background – he's made no attempt to hide his connections to Russian intelligence. So I sort of figured it was a given that there's a backdoor potential. It's hard to read one way or the other, because on the one hand he's been pretty open with offering to provide source code for inspection… on the other hand, KGB.</p>
<p>Would I use it? No… but again, not because I'm worried about Russian intelligence (as demonstrated by EternalBlue, if they want in and target you, chances are good they can get in). Instead, it's a no because I'm not interested in paying somebody money for what I can get for free elsewhere. AV is fungible, so I'm going with free.</p>
<p>Would I use it for a government contractor? This is a different question. From an abundance of caution standpoint, I guess I'd have to say I probably wouldn't. But the root cause of "no" in that case probably has more to do with me not wanting someone to armchair quarterback the decision down the road vs. being actively worried about nation-state attackers.</p>