HPE coughed up source code for Pentagon’s IT defenses to … Russia
Hewlett Packard Enterprise handed over the source code for its ArcSight security platform to Russian investigators in exchange for being allowed to sell kit in the former Soviet Union.
That’s kinda awkward because the Pentagon is one of ArcSight’s most high-profile customers. The US military uses the software, which is designed to trawl through millions of log files looking for suspicious activity, in its Secret Internet Protocol Router Network, aka SIPRNet, that manages secure communications for the US intelligence services.
In other words, if there are any exploitable vulnerabilities in the ArcSight code, and therefore in SIPRNet, then the Russians may well also know about them, which would be very handy in snooping on American spies.
“It’s a huge security vulnerability,” Greg Martin, a former security architect for ArcSight, told Reuters. “You are definitely giving inner access and potential exploits to an adversary.”
Over the past three years, Russia has insisted that if Western companies want to sell their wares in the country, they have to hand over their blueprints, ostensibly to protect the nation and its citizens from backdoors that could be exploited by Western snoops. HP, Cisco, IBM, McAfee and SAP have all reportedly done so, although Symantec declined on security grounds.
HPE, which sold ArcSight and some other software companies to Micro Focus in May this year, confirmed that the code was revealed at one of its offices outside Russia, and that none of its source left the building. The Russian researchers found no “backdoor vulnerabilities,” according to HPE.
“Our source code and products are in no way compromised,” a spokeswoman for the enterprise IT goliath added.
She also said HPE “always ensures our clients are kept informed of any developments that may affect them.” A Pentagon spokeswoman said the IT titan had not mentioned the Russian source code examination to its military customers.
The Pentagon spokeswoman added that the US military doesn’t check off-the-shelf code it buys from vendors, trusting the manufacturer to get the security of its systems right. According to an April report by the Pentagon’s logistics agency, ArcSight “software and hardware are so embedded” that it would be impossible to remove it “absent an overhaul of the current IT infrastructure.”
The examination of ArcSight was carried out by Russian outfit Echelon, which works closely with Russia’s FSB spy agency. Echelon boss Alexey Markov said it was required to report any uncovered vulnerabilities to the Russian government, but always told vendors about any discovered bugs first.
“If a vulnerability is found, everyone is happy,” Markov said. “The developer is happy that a mistake was detected, since by fixing it the product will become better.”
Suffice it to say, other nations have inspected the source code of products from overseas suppliers – China’s examination of Microsoft’s code, for example. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/02/hpe_handed_over_source_code_for_pentagon_security_system_to_russia/