U.S. Orders Federal Agencies to Remove Kaspersky Software Over Security Concerns!
Discussion topics – Do you think Kaspersky is a Scapegoat?
Headlines news told that Eugene Kaspersky trained by former USSR KGB. For some potential reason predicted that his antivirus product design intend to collect the computer privacy thus doing the surveillance activities. From my personal opinion is that defendant Kaspersky might not engaged such treason activities. My stand points are shown below:
Allegation of their design mechanism similar as a Russian proxy
Below details highlights is the investigation team by US government written on incident report.
US investigators believe the contractor's use of the software alerted Russian hackers to the presence of files that may have been taken from the NSA, according to people with knowledge of the investigation. Experts said the software, in searching for malicious code, may have found samples of it in the data the contractor removed from the NSA. But how the antivirus system made that determination is unclear, such as whether Kaspersky technicians programed the software to look for specific parameters that indicated NSA material. Also unclear is whether Kaspersky employees alerted the Russian government to the finding.
My bold hypothesis to object above speculations
We known the well-known names such as Symantec, McAfee and AVG may contains inherent risks and letting hackers and criminals secretly access your PC. What is the inherent risks will be encountered? Let’s take a quick closer look see whether you can find hints in this regard.
I. Design limitation and defense mechanism
a. Vulnerability (Design limitation)
For instance, Symantec anti-virus products found multiple vulnerabilities by Google researcher. The flaws affected both Mac and Windows PCs, and could be triggered simply by emailing a file to someone or sending them a link to a malicious website. The historical records are displayed below:
May 2016 – Symantec/Norton Antivirus ASPack Remote Heap/Pool memory corruption Vulnerability CVE-2016-2208 (see below url for reference)
Jan 2017 – Google Security Researcher Finds Serious Vulnerability In Kaspersky’s TLS Interception Tool
Hacker wants to intercept mail.google.com traffic, for which the 32bit key is 0xdeadbeef. Step 1: Hacker sends you the real leaf certificate for mail.google.com, which Kasperksy validates and then generates its own certificate and key for. Step 2: On the next connection, hacker sends you a colliding valid certificate with key 0xdeadbeef, for any commonName (lets say Scapegoat.com) Step 3: Now hacker redirects DNS for mail.google.com to Scapegoat.com, Kaspersky starts using their cached certificate and the attacker has complete control of mail.google.com. Step 4: vulnerability occurred
b. Defense mechanism
Since a kernel hook method so called kernel hook bypassing engine.
- Attacker can use the system call instruction directly without calling of Windows API
- Malicious code can be passed to the AntiVirus through the hooks functions for analysis and as soon as it bypass the security checks.
In order to avoid this rootkit or antivirus bypassing incident occurs, anti-virus manufacturer better stand in front of any boot loader processes. And therefore it will using so called in proper hook technique to governance the overall activities. As a result antivirus program including build in IDP, malware detector will be received more privileges. From technical point of view, it is not possible to do it if anti-virus itself not hook to all core kernel process.
This is the major concerns of many informaiton security experts. But be reminded that such design feature not the only one make by Kaspersky. Other anti-virus vendors are using the same design of mechanism.
From general principal of common law system, benefit of the doubt goes to defendant.
II. The company not loyal to Russia in regards to past cyber detection behaviors
a. Detection of Russia area APT activities
Above APT Trends report Q2 2017 statistic diagram issued by KASPERSKY. We did not seen the company intend to hide cyber security attacks given by Russia area. Meanwhile, the report highlight that the second quarter of 2017 has seen multiple incidents involving Russian-speaking threat actors. Topping the list of ‘attention grabbers’ were the Sofacy and Turla threat actors. Should you have interest, please feel free to review the specify report in below url
b. Russia arrests top cyber security expert amid allegations of treason
There is not require for me to mention of this matter, for more detail please refer below headline news posted by telegraph.co.uk.
Russia arrests Kasperky cyber security expert amid allegations of treason
My observation cannot guarantee will be generated false positive (incorrect) on this matter, however above items of evidence looks that the company is a Scapegoat!