Evening Reading: Kaspersky Lab, Spying, & the Risks of Telemetry
by Ryan Smith on October 13, 2017 8:30 PM EST- Posted in
- Software
In a little bit of cross-site synergy for the evening, Paul Wagenseil from our sister site Tom’s Guide has put together an interesting report discussing the recent developments surrounding Kaspersky Lab and the company’s antivirus software, which in recent days has been accused of spying on behalf of Russia’s intelligence services. Software & services is not really in AnandTech’s editorial purview, but I thought this was an interesting article that was worth sharing.
As a bit of background, Kaspersky Lab has been under the proverbial microscope off and on over the past half-decade or so due to concerns about close ties to the Russian government amidst ongoing geopolitical issues. More recently, on October 5th, the Wall Street Journal published an article claiming that Russian identified files from the United States National Security Agency (NSA) using Kaspersky Lab’s antivirus software, then using that information to steal said files. This has in turn called into question just how complicit Kaspersky Lab may have been in the endeavor, and whether their antivirus software is safe to use on consumer systems.
Writing for Tom’s Guide, Wagenseil reached out to a number of experts in the security field, ranging from the Electronic Frontier Foundation to former NSA staffers in order to get a broad look at the issue. Due to a lack of direct evidence in the matter – all of the major stories written so far have been based off of anonymous sources in the US government – there’s little in the way of hard facts to deal with. However across all of Wagenseil’s respondents, both named and unnamed, most agreed that people and businesses working in sensitive matters should not use Kaspersky Lab’s software, essentially taking a “why risk it?” stance on the matter. Things are a little less obvious for consumers however; some respondents recommended against the software entirely, while others noted that consumers probably aren’t the target of Russian signals intelligence efforts.
One notable and broad point that was made, however, is that regardless of Kasperksy Lab’s involvement, similar risks exist with all antivirus software. All modern AV software includes telemetry for reporting on new software as a means to more rapidly detect new forms of malware, and due to the deep reach of AV scanners, those telemetry processes can access virtually any piece of software or documents. So for the paranoid – or even just the privacy minded – disabling telemetry can help to reduce the risk at least somewhat by terminating regular reporting to AV software vendors, which in the case of Kasperksy Lab, is how the attack was believed to be carried out.
In any case, you can find more on this interesting matter and on the security experts’ responses over at Tom’s Guide.
Source: Tom's Guide
Facebook
Twitter
RSS
61 Comments
View All Comments
ddriver - Sunday, October 15, 2017 - link
Nope, standard equipment and standard protocols are extremely vulnarable, literally riddled with vulnerabilities. The only solution is a full software reimplementation running on invulnarable hardware. Of course, expecting a mediocre dummy like you to get it is pushing it, which also explains your inability to get the "sense" and operational principle.Reflex - Sunday, October 15, 2017 - link
Standard protocols are published and open. Please define the standard protocols you are referring to and point out a vulnerability that would impact a common user of a desktop OS. Given what you are proposing and what you claim to have done, this should be a trivial ask.Manch - Monday, October 16, 2017 - link
That is the most nonsensical comment I've ever seen you post!!!! LOL It's two people typing on a KB/NCIS bad!Drazick - Sunday, October 15, 2017 - link
@Reflex, could you elaborate on easy methods to know if your computer is infected with something which allows 3rd party access?Thank You.
Reflex - Sunday, October 15, 2017 - link
Easy is a relative term, but for those who are very worried about it here are a couple of tools that are doable by people with a reasonable amount of experience -1) Wireshark. Set that up on your PC and you can monitor all traffic on any interface. You can find the free version here: https://www.wireshark.org/download.html
2) Use pfSense as your boundary firewall/NAT solution. pfSense is based on the open source FreeBSD, and has a large number of plugins that will permit you to thoroughly analyze inbound and outbound traffic to your network. I strongly recommend Snort as a good start, but when you look through the library of available plugins you will find several more that are relevant. You will need compatible hardware for this.
pfSense download: https://www.pfsense.org/download/
Protectli hardware: https://www.amazon.com/dp/B072ZTCNLK/
Those two items will take you to a position where you are 99% certain of what is going on with your network with a high degree of both detection and prevention. That extra 1% is also achievable, but it would require a lot more time and money investment than is probably worth it if you are not storing classified data. If you want to go there as well, we can talk about internal network firewall rules, traffic routing, and intrusion detection appliances, but that is overkill for even me.
BrokenCrayons - Sunday, October 15, 2017 - link
Pretty much this stuff. Intrusion detection systems on passive taps (start simple in network security) can pick up on most odd or unusual activity leaving the network from local systems that might be compromised. Yeah, the easy-to-get and easy-to-implement IDS hardware is mostly pattern-based, but you can setup your own scanning and reporting rules. Products like TippingPoint or SourceFire are the start. You can build a DIY IDS as well without a lot of effort and there's always gathering up the activity logs of your core routers and servers for analysis.Basically, if something on a network like say a Windows OS or an AV suite is phoning home or permitting backdoor access for a government actor, someone somewhere will figure it out and blow the lid off it as a huge conspiracy since a lot of IT employees are just drooling over being at the heart of some big hushy-hush secret. If a company like Microsoft was actually up to that sorta thing and that was discovered, it'd screw their reputation badly. They can't afford to risk that kind of thing or allowing a cache of zero day holes continue to exist so an alphabet agency can exploit them.
Honestly ddriver, you really don't have the background or knowledge to comment on this sort of thing with any authority. I know you're here posting so you can feel like you're affirming your notion that you're somehow more intelligent than anyone else, but at least if you're going to do that, stick to hardware. Anyone can learn that and present themselves as if they're an expert to impress other people.
ddriver - Monday, October 16, 2017 - link
Your mediocrity is mind-boggling. Still resorting to the flimsy mainstream solutions, which is the best people like you can do.Here is news for you - there are vectors of attack that bypass software and hardware alike, and hijack systems at a low level you don't have ANY access to.
The only way to secure against those is at electrical signal level.
Seriously, how many times do I have to repeat until you get it? Just because YOU can't make sense of something doesn't mean it is nonsense. You just lack the knowledge to make sense of it.
BrokenCrayons - Monday, October 16, 2017 - link
Reading comprehension is as limited as your understanding of system security, I see.ddriver - Monday, October 16, 2017 - link
Whatever helps you feel better about yourself ;)Reflex - Monday, October 16, 2017 - link
I am eagerly awaiting your highlighting of the specific holes you have identified in standard protocols. Furthermore, I'm mildly curious how you expect to create 'custom' PHY's and protocols that can still communicate with the actual internet, which relies on standard protocols.