
More and more websites are mining crypto-coins in your browser to pay their bills, line pockets

Sketchy websites are increasingly using cryptocurrency mining as a source of income.

CoinHive – the most prevalent cryptocurrency mining code provider – and its clones are becoming an alternative to dodgy advertising affiliate programs and survey scams in many cases.

More than 220 websites – mostly porn sites and torrent trackers – silently launch mining threads when surfers visit them, according to a new study by Adguard. The consumer-focused security firm reckons at least $43K was mined in Monero, as of October 10, based on the average time visitors spend on those websites. Cryptocurrency mining code contaminated websites with an aggregated audience of 500 million people.


Cryptojacking scripts sometimes turn up on mainstream websites. For example, TV channel Showtime and the official website of Real Madrid star Cristiano Ronaldo were both caught harbouring CoinHive code recently. Pirate Bay admitted that it had experimented with the technology, something that happened without telling users beforehand.

Security researchers such as Troy Mursch (aka Bad Packets) have found it difficult to get sites to act on reports of infection. This means it can be difficult to determine whether third party hackers have planted the code on insecure sites or whether it’s there as a sanctioned money making move. The anonymity offered by digital currencies adds to the confusion.

The largest website sporting mining code is the Dropbox clone uptobox.com, a top-1,000 website according to Alexa’s worldwide rankings of sites by traffic, with 60 million-plus monthly visitors, Adguard reports.

The CoinHive team has called on website operators to inform their users about mining operations, but there’s no facility to block misuse of the technology by the unscrupulous, according to Adguard, which adds that three more clones of CoinHive appeared over the three-week period of its recent study.

Ad blockers and antivirus programs have added features that block browser mining. AdGuard has updated its apps to give users the choice to let a site mine, or to forbid it to launch mining in their browsers. Informed consent lies at the root of objections to cryptocurrency mining practices. Done with permission the technology offers an alternative revenue stream to publishers outside of online ads, which many find either intrusive or annoying.
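The blocking feature described above comes down to recognising, before a page's scripts run, that it is about to load a browser miner. The following is an added example written for this page, not Adguard's or CoinHive's own code: it parses an HTML document, flags external script tags whose host is on a block list, and flags inline scripts that construct and start a miner object. The block list (coinhive.com is the provider the article names; the second entry stands in for a clone), the inline-call pattern and both sample pages are assumptions constructed for illustration.

```python
"""Spot pages that load known in-browser cryptocurrency miners.

Added example, not Adguard's or CoinHive's code. The host block list, the
inline-call pattern and the two sample pages are constructed for
illustration; a real blocker relies on a maintained filter list and also
has to cope with miners loaded via WebSocket proxies or obfuscated loaders.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed block list. coinhive.com is the provider named in the article; the
# second entry is a placeholder standing in for one of its clones.
MINER_HOSTS = {"coinhive.com", "miner-clone.example"}

# Inline miners are started by constructing a miner object and calling start();
# this pattern follows the constructor names CoinHive documented.
INLINE_MINER = re.compile(r"new\s+CoinHive\.(?:Anonymous|User)\s*\(", re.IGNORECASE)


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and the body of each inline script."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline = [], []
        self._buffer = None  # list while inside <script>, else None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            self._buffer = []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._buffer is not None:
            self.inline.append("".join(self._buffer))
            self._buffer = None

    def handle_data(self, data):
        if self._buffer is not None:
            self._buffer.append(data)


def _is_blocked_host(host):
    """True when host equals, or is a subdomain of, a block-listed name."""
    host = (host or "").lower()
    return any(host == h or host.endswith("." + h) for h in MINER_HOSTS)


def find_mining_indicators(html):
    """Return a list of (kind, detail) findings for one HTML document."""
    parser = _ScriptCollector()
    parser.feed(html)
    findings = []
    for src in parser.srcs:
        # urlparse handles absolute and protocol-relative URLs; a relative
        # path such as /static/app.js yields no hostname and is ignored.
        if _is_blocked_host(urlparse(src).hostname):
            findings.append(("external-script", src))
    for body in parser.inline:
        match = INLINE_MINER.search(body)
        if match:
            findings.append(("inline-miner-start", match.group(0)))
    return findings


# Constructed sample pages (the site key is a placeholder, not a real key).
MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>
  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER');
  miner.start();
</script></head><body>free downloads</body></html>"""

CLEAN_PAGE = """<html><head><script src="/static/app.js"></script>
<script>console.log('hello');</script></head><body>hello</body></html>"""

if __name__ == "__main__":
    for label, page in (("mining", MINING_PAGE), ("clean", CLEAN_PAGE)):
        print(label, find_mining_indicators(page))
```

A check like this is what lets a blocker offer the user the choice the article describes: the page can still be shown, with the miner script request withheld unless the visitor opts in. It catches the straightforward case only; miners fetched through a proxy on the site's own domain or hidden behind an obfuscated loader need a maintained filter list and behavioural signals (sustained CPU use from a WebWorker, WebSocket traffic to mining pools) on top of this.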

An earlier study on how cryptocurrency mining is being abused can be found in a blog post by Malwarebytes here. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/13/cryypto_mining/

Malware again checks into Hyatt’s hotels, again checks out months later with victims’ credit cards

Hyatt has provided the perfect excuse for folks trying to explain to bosses or spouses why a film they watched in their hotel room for just seven minutes appeared on their company or personal credit card.

Its computer systems were earlier this year hacked by miscreants, who infected payment terminals with malware that siphoned off people’s credit card numbers to the scumbags. These details could be used to clone cards and go on spending sprees online, and basically rack up bills on someone else’s dime.

In a statement today, the chain admitted that between March 18 and July 2, 41 of its hotels in about a dozen countries were infiltrated by the software nasty. There’s a list here. The majority of the infected locations are in China and elsewhere in Asia, although three Hyatt hotels in Hawaii were also hit.

The chain said it can’t tell exactly whose card data was slurped. Hyatt staff have advised those who have stayed in the affected hotels to check their credit card statements carefully.

“We understand that such unauthorized access to card data was caused by an insertion of malicious software code from a third party onto certain hotel IT systems,” Chuck Floyd, global president of operations, said in a statement.


“I want to assure you that there is no indication that information beyond that gained from payment cards – cardholder name, card number, expiration date and internal verification code – was involved, and as a result of implemented measures designed to prevent this from happening in the future, guests can feel confident using payment cards at Hyatt hotels worldwide.”

So that’s it, nothing to worry about. The hackers only got just enough information to copy your credit cards, with verification numbers, and go wild online to potentially knacker your credit ratings. And Hyatt has implemented measures to stop it happening again.

Which is odd, because that’s pretty much what it said in December 2015 when the same thing happened – even reusing the website hyatt.com/notice/protectingourcustomers from that security breach for this latest cockup. Back then, Chuck offered similar platitudes to affected customers.

“Protecting customer information is critically important to Hyatt, and we take the security of customer data very seriously,” he said. Based on today’s news it’s back to the drawing board. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/10/12/hyatt_falls_to_credit_card_skimmers_for_second_time_in_two_years/

Kaspersky Lab and the AV Security Hole

It’s unclear what happened in the reported theft of NSA data by Russian spies, but an attacker would need little help to steal if he or she had privileged access to an AV vendor’s network, security experts say.

With Moscow-based Kaspersky Lab under the gun for its software reportedly helping Russian cyberspies steal classified US data, some security experts say the same sort of theft the company is alleged to have enabled could have been pulled off using any other antivirus software, and without any vendor participation.

The Wall Street Journal on Wednesday cited knowledgeable sources as saying that Kaspersky Lab actively modified its anti-virus system so Russian agents could use it as a tool to search through and steal from computers running the vendor’s software.

The WSJ report was the latest twist in a rapidly evolving and sometimes bizarre story involving Kaspersky Lab, Israeli intelligence agents, Russian cyber spooks, and the US government. The WSJ was the first to break the story when it reported last week that in 2015 Russian agents had used Kaspersky Lab’s systems and network to steal highly classified material from the computer of a contractor who worked for the US National Security Agency (NSA).

In separate subsequent reports, the WSJ, New York Times, and Washington Post said the Russian hackers had used Kaspersky Lab’s systems and network to search through computers worldwide that had the AV vendor’s software installed on them. The Russian cyberspies were apparently looking to see if they could find and pilfer from systems containing data on classified US government programs.

Those searches, which involved the use of specific keywords such as “Top Secret” and “Classified,” eventually led them to an Internet-connected home computer of an NSA contractor that happened to be running Kaspersky’s antivirus software. The home computer contained highly sensitive data on NSA penetration testing and cyber offense tools stored in complete violation of the agency’s rules. It remains unclear at this point if the Russian spies succeeded in finding and stealing additional classified US government information from any other computers running Kaspersky’s AV software.

None of the stories makes it explicitly clear whether the Russian cyberspies gained access to Kaspersky’s network by breaking into it, whether the Russian government coerced the vendor into granting them access, or whether the vendor helped voluntarily.

Many believe it is easily possible the Russian government forced Kaspersky Lab to provide access to its platform. It wouldn’t be the first time that a government has done something like this: Most famously, the NSA itself is alleged to have paid $10 million to RSA so it could install backdoors in the vendor’s encryption technology.

Interestingly, the NSA data theft and the Russian hacker activity on Kaspersky’s network was first spotted by a team of Israeli intelligence agents who had also managed to silently infiltrate the security vendor’s network sometime in 2014. When the Israeli agents observed what was going on with Kaspersky’s network, they tipped off US officials about it sometime in 2015 and warned about classified NSA data ending up in the hands of Russian intelligence.

That tip-off is believed to have eventually led to the US government’s decision earlier this year to remove Kaspersky Lab from its approved list of IT vendors and to ban government agencies from using the company’s software altogether. It is unclear if the mushrooming scandal around the company’s technologies could now prompt US businesses and even consumers to start ditching the company’s software, which has consistently ranked among the top AV products for several years.

Kaspersky Lab itself discovered the Israeli intrusion in mid-2015. In a June 2015 report, the company said it was the victim of a highly sophisticated attack by a threat actor very similar to the one that had carried out the Stuxnet campaign on Iran’s uranium processing facility in Natanz. Kaspersky Lab did not specifically identify Israeli agents as being behind the attack, but said it appeared designed to steal data about the company’s technologies and ongoing research.

The security company has emphatically denied it has anything to do with the Russian hacking activity on its networks and has suggested the company is the victim of a hyper-charged geo-political environment.

“Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question,” the vendor said in a statement responding to Wednesday’s WSJ story about its alleged complicity in the data theft. “The company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems.”

Meanwhile, Kaspersky Lab on Thursday announced an extension to its work with Interpol, with the signing of a threat-sharing agreement with the global law enforcement agency. The agreement strengthens an existing relationship between the two organizations and will result in Kaspersky sharing even more threat intelligence with law enforcement authorities worldwide in their fight against cybercrime, the company said.

The company’s previous engagements with Interpol included participation in an operation that led to the takedown of nearly 9,000 botnet command and control servers and hundreds of compromised websites.

AV Software Has ‘Carte Blanche’

The reality is the sort of data theft in the Kaspersky Lab case would have been possible with any AV vendor if an attacker had managed to surreptitiously gain privileged access to the AV vendor’s network.

Antivirus tools and their vendors pretty much have carte blanche access to files and data on any computer on which the software is installed, says Srinivas Mukkamala, CEO of RiskSense. “It is checking all your binaries, your files, your memory. It is looking at your registry and diagnosing everything on your system in a privileged mode.”

Systems running AV software routinely get updates from update servers and push files out to the AV vendor’s cloud for inspection, without any checks or inspection at all, he says. Technically at least, someone that wanted to abuse the tool could do anything including search for and exfiltrate data from systems with little risk of being caught, Mukkamala says.

In Kaspersky Lab’s case, for instance, if someone had managed to gain privileged access to the company’s update server farm they would have been able to do the sort of searching, querying, and stealing that the company is suspected of enabling. Given enough time, the intruders would have been able to scan end user systems running Kaspersky’s software and pilfer data from them without needing any help from the vendor, he says.

The same would be true in any situation where attackers can get privileged and persistent access to an antivirus vendor’s network, he says. Of course, a vendor like Kaspersky Lab can, either by choice or through coercion, make such data theft easier, Mukkamala says.

With time and the necessary skills, an adversary would have been able to exploit any AV vendor’s network in the same way without necessarily being detected by the vendor.

“If Kaspersky was compromised by the Russian government, then it might be possible, technically, for Russian collection from Kaspersky to go undetected,” says Malcolm Harkins, chief security and trust officer at Cylance. “We don’t know if that is what happened.” 

Harkins notes the speculation in media reports about Kaspersky Lab allegedly modifying its software in order to make things easier for the Russian agents on its network. “Again, we don’t know if this is accurate,” he notes.

“In general, AV companies are attractive targets for compromise by foreign intelligence services partly because, in theory at least, modifications aren’t really necessary,” Harkins said. “AV companies are often already looking for exactly the kind of data that would be attractive to intelligence services.”

Scott Petry, CEO and founder of Authentic8, says the whole incident has exposed a fundamental weakness in current approaches to cybersecurity. When someone signs up with an AV vendor, they are essentially agreeing to have that vendor scan all files on their network and send information back to the vendor.

“A security vendor is inventorying all the data on a user’s system,” he says. Sharing all that sensitive information with the vendor is dangerous, he says. “Scanning files is required. Sharing a manifest of scanned files with the vendor for better security is asinine,” Petry says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year …

Article source: https://www.darkreading.com/attacks-breaches/kaspersky-lab-and-the-av-security-hole/d/d-id/1330116?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Report from the Virus Bulletin 2017 Conference [Chet Chat Podcast 263]

After a break of a few months, our popular Chet Chat Podcast returns.

Sophos experts Chester Wisniewski (he’s the Chet in the Chat) and John Shier recently attended the International Virus Bulletin 2017 Conference in Madrid.

(As an aside that we can’t stop ourselves mentioning here, our own Gabor Szappanos, better known to Naked Security readers as Szapi, won Virus Bulletin’s annual award for the best technical security research of the year.)

Here’s their inside look at what went on:


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/RlWYKFSC5jI/


Mr Robot season 3 episode Eps3.0_Power-Saver-Mode.H – the security review

For those of you who have been reading Naked Security for at least a year, you may remember that last year I wrote security-centric posts on Mr. Robot season 2 episodes, as they aired.

The show has earned a lot of accolades from the infosec community for its commitment to accurately portraying key security and hacking concepts, tools and cultural notes. To its credit, Mr. Robot has key staff with real information-security experience and hasn’t been shy in tapping security professionals for guidance and even a few cameos. So even if the show isn’t of interest to you plot-wise, and though it’s not always 100% on the mark, Mr. Robot easily wins the prize for most realistic portrayals of hacking on a TV show. (Granted, that’s not necessarily a high mark to clear.)

Since season 3 started airing on 11 October 2017, we thought it’d be worth following along this season as well to see what security tools and concepts pop up. (These aren’t plot reviews — there are plenty of blogs that already do those a lot better than I would.) The security recaps were fun to do last year, so why not again?

Inevitably I may have missed something or misinterpreted something I thought I saw—we tend to have great, edifying discussions in the comments of these posts, so let us know if there’s something else in each episode you thought was worth a call-out.

Here we go for round three of Mr. Robot.

WARNING: SPOILERS AHEAD – SCROLL DOWN TO READ ON

Before we dive in too deep, it’s worth revisiting the season 2 eps2.3_logic-b0mb.hc and eps2.4_m4ster-s1ave.aes posts that look at the femtocell hack, as it came up again briefly in this episode.

We saw the new season open with a new character trying to get a … milkshake? When we first meet him, we don’t know who this guy is, but we see him actively trying to work his way around the rules, find the flaws, figure out a way to get what he wants. Let’s hold that thought and come back to it in a few moments.

“When we lose our principles, we invite chaos.”

We touched on this a little bit towards the end of season two, but this episode drives it home: The electrical grid is a high-profile target for attack and, if vulnerabilities are discovered and exploited, the public (or at least the Mr. Robot public) could get a tough lesson on how fragile key infrastructure really can be. We see that power has been out for nearly a week and it’s taking a toll on people in the streets, while ECorp higher-ups chuckle that they’re so very grateful for backup generators.

Having key infrastructure fail due to adverse weather (like a massive hurricane) is extremely dangerous and dire, of course. Having that infrastructure fail due to poor security would likely have a similar effect, except unlike disastrous weather, that kind of failure could and should theoretically have been completely preventable. Anger and chaos that we see on the streets in Mr. Robot almost seem like a given. It’s no real wonder that governments are catching up to the criticality of this issue — just this year, a U.S. executive order required critical infrastructure systems to become compliant with major cybersecurity regulations (from NIST) for the first time.

Did someone say “Hack the planet”?

When we see Elliot and Darlene putting on their hoodies, we know it’s time for some Serious Hacker Business. (I can just imagine all the eyes rolling right now…)

And when we find them walking the streets to some clandestine location, only to come across a hackerspace that not only has power but extremely fast internet, I really thought it was only a matter of time until we saw someone introducing themselves as Zero Cool.

But no, this hackerspace—complete with DEF CON logo flag hanging in the background—is throwing a raucous party, with lots of screaming and partying, loud EDM music and jostling crowds. And then someone mentions they’re having a CTF tournament, which is “like the Hacker Olympics,” hence the extremely high energy.

Capture the Flag tournaments are a staple of many security classes, gatherings and conferences, as they’re valuable teaching experiences and challenging competitions for proving your security mettle, regardless of your professional experience. The formats can vary depending on how the CTF tournament is run, but for the most ‘traditional’ style CTF, there’s a flag (e.g. a file or a string of text) to be captured on each team’s network, and the other teams work to defend their own flags as well as capture other team flags. While sometimes CTF competitors work individually, most tend to be team-based efforts. The hackers in the Mr. Robot space mention that if they don’t make it in the top three they’re not “going to Vegas,” a sure reference to the famous CTF that happens at DEF CON every year.

As for the party environment at the CTF on the show, well, the ones I’ve been to certainly had their share of EDM blasting, and the DEF CON CTF does have a lot of interesting lighting to add to the ambience, but for the most part people are heads-down, not talking (or talking very little) and intently concentrating. They’re not nearly as energetic as what Mr. Robot portrayed, but I imagine showing a lot of people sitting silently around a table in a hotel conference room doesn’t make for interesting television!

That’s not what we mean by hacking a car

So the milkshake guy we met at the opening of this episode is Irving, or as we hear during one scene, “Detective Abernathy.” We hear Irving use some of his own car expertise mixed in with some good old-fashioned social engineering to call OnStar (a paid service that allows remote access and control of a car). With just a bit of basic information about the car that’s tailing him, and a little bit of hustle, he convinces OnStar to disable the vehicle that’s following right behind him.

OnStar is often marketed in the States as a service to help people with emergencies in their car, but it has also proven popular with foiling car thieves, as it has been used by police to disable cars in the vein shown on the show. There were indeed fears of this capability being misused when OnStar announced it, so sure, with a bit of car knowledge and some social engineering, this plot beat seems plausible enough.

Other notes:

  • It was nigh-impossible to hear what Elliot was trying to do in disabling the Stage 2 backdoor over the din at the hackerspace; I caught something about changing the name server configs and that was about it. On screen, I saw shred, lots and lots of shred, the Linux command that securely deletes files by overwriting their contents first. I’m not sure what happened there — commenters, fill me in! — but I’m starting to suspect Mr. Robot isn’t really a TV show, but is instead a covert plan to teach the world bits and bobs of Linux.
  • Though it was for just a split second, we do see Tyrell and Mr. Robot himself using Shodan, a favorite tool of many hackers and security pros, basically like a Google for the Internet of Things, revealing a whole lot of nifty data, including where that device is located geographically and what kind of system it’s running (and if that system is potentially out of date and vulnerable). Could prove interesting.

Did everyone see that E-coin commercial? Did anyone sign up for the service? In any case, we’re off to an interesting start in season 3. Let’s see where Mr. Robot takes us.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/x4DlqflHZvk/


Ransomware Grabs Headlines but BEC May Be a Bigger Threat

With social media, gathering information has never been easier, making Business Email Compromise the land of milk and honey for cybercriminals.

Recently, ransomware like WannaCry or Petya has generated dramatic headlines around the globe. The pernicious online threats have become a shooting star among malware vectors, gaining notoriety and troubling millions of businesses and individuals alike. However, another cyberthreat lurking beneath the surface and causing even greater damage is business email compromise (BEC).

Unlike most other cybercrime activity, BEC entirely depends upon social engineering. It involves a faked email from a co-worker or corporate executive that short-cuts internal processes and asks the finance department to make a payment. A ploy that appears to be fairly simple-minded turns out to be both surprisingly effective and lucrative.

Perpetrators typically begin their campaign with reconnaissance. This includes scouting the company’s hierarchy, corporate executives, and employees. While life for the bad guys was much more difficult — perhaps next to impossible — in the good old days, the advent of social media has turned things upside down. With introductions to the leadership team on the target’s website, along with their profiles published on Facebook, Google+, LinkedIn, and so on, perpetrators can hardly believe their luck. Gathering information has never been easier. BEC has literally become the land of milk and honey for cybercriminals.

Emails Bypass Most Security Tools
What then usually follows is a faked email, supposedly sent from the CEO or another corporate official, urgently requesting that the recipient pay a business partner or supplier. The beneficiary’s bank account is often abroad and held by cybercriminals or their intermediaries. Laundering techniques and “money mules” worldwide drain the funds into other accounts that are difficult to trace.

These BEC campaigns primarily target large organizations, and many of them have fallen victim, including Facebook and Google, as reported by Fortune Magazine. Despite all the corporate policies and safeguards the firms have put in place, the success rate of the fake messages is astonishing — a 1,300% increase since Jan 2015, representing damages surpassing those of ransomware, according to the FBI in a press release. Since these emails don’t contain malware or suspicious links, they can often bypass security tools and permeate an organization.

Damages on the Rise
The Internet Crime Complaint Center (IC3) — an alliance between the FBI, the U.S. Department of Justice, and the National White Collar Crime Center — reports that $5.3 billion was stolen due to BEC-related fraud between October 2013 and December 2016, as highlighted in Cisco’s 2017 Midyear Cybersecurity Report (registration required). This corresponds to an average of $1.7 billion per year, the report notes. By way of comparison, ransomware exploits pocketed about $1 billion in 2016, according to the report.

“The ability of these criminal groups to compromise legitimate business email accounts is staggering — they are experts at deception,” Special Agent Martin Licciardo, a veteran organized-crime investigator at the FBI’s Washington field office, noted in the press release. “The FBI takes the BEC threat very seriously, and we are working with our international partners to identify these perpetrators and dismantle their organizations.”

Combating BEC fraud has little to do with technology. It all boils down to process improvements and policy enforcement, awareness, and education. For example, payments shouldn’t be made outside the official approval process and without applying the “four-eye principle,” a requirement that two individuals approve some action before it can be taken. Never rely on e-mail alone. An out-of-the-ordinary request for an out-of-country transfer should immediately sound alarm bells.

To effectively combat BEC, the FBI issued a one-pager that recommends organizations use corporate email accounts only, and avoid free web-based accounts; that companies carefully consider what’s posted to their social media and corporate websites; that employees be suspicious of requests for secrecy or pressure to take action quickly; the separation of computer devices from Internet of Things (IoT) devices; and disabling of the Universal Plug and Play protocol (UPnP) on corporate routers.
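The article stresses that BEC messages carry no malware, so a mail gateway has to look at the warning signs named above instead: an executive’s name on a free web-based address, pressure to act quickly, a request for secrecy, and an out-of-the-ordinary out-of-country transfer. The following is an added illustration of such a gate (not code from Dark Reading or the FBI); the corporate domain, executive roster, keyword lists and both sample messages are constructed for the example, and the “hold for a call-back” threshold is an assumed policy, not one the article specifies.

```python
"""Score an inbound payment-request email for the BEC warning signs the
FBI one-pager and the article describe.  Added illustration; roster,
domain, keyword lists and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.test"            # constructed
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Executives a BEC lure would impersonate (constructed roster).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
SECRECY = re.compile(r"\b(confidential|keep this between us|discreet)\b", re.I)
TRANSFER = re.compile(r"\b(wire|transfer|payment|invoice)\b", re.I)
ABROAD = re.compile(r"\b(overseas|international|abroad|foreign|iban|swift)\b", re.I)


def bec_indicators(raw_email: str) -> list:
    """Return the BEC warning signs found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = []
    # Display name of a known executive, but not that executive's address.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        hits.append("executive name on a non-corporate address")
    if domain in FREE_WEBMAIL:
        hits.append("free web-based sender account")
    if URGENCY.search(text):
        hits.append("pressure to act quickly")
    if SECRECY.search(text):
        hits.append("request for secrecy")
    if TRANSFER.search(text) and ABROAD.search(text):
        hits.append("out-of-country transfer request")
    return hits


def needs_out_of_band_check(raw_email: str) -> bool:
    """Hold a money request for the four-eye review and a phone call-back
    (assumed policy) when it carries two or more warning signs."""
    return TRANSFER.search(raw_email) is not None and len(bec_indicators(raw_email)) >= 2


# Constructed sample: the shape of a BEC lure described in the article.
BEC_SAMPLE = """From: Jane Doe <jane.doe.ceo@gmail.com>
To: payables@example-corp.test
Subject: Urgent wire transfer - confidential

Please process an international wire to our new supplier today.
Keep this between us until the deal closes.
"""

# Constructed sample: a routine request from the executive's real address.
BENIGN_SAMPLE = """From: Jane Doe <jane.doe@example-corp.test>
To: payables@example-corp.test
Subject: Q3 invoice batch

The Q3 invoices are in the approval system as usual.
"""
```

The gate is deliberately a trigger for the human process the article calls for, not a substitute for it: a hold means the finance team confirms the request through a channel other than the email itself.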


Marc Wilczek is an entrepreneur and senior executive with more than 20 years of leadership experience within the ICT space. He’s passionate about all things #digital with emphasis on cloud, big data and IoT services. Before serving as VP portfolio, innovation …

Article source: https://www.darkreading.com/perimeter/ransomware-grabs-headlines-but-bec-may-be-a-bigger-threat-/a/d-id/1330088?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Olympic Games Face Greater Cybersecurity Risks

Cybercriminals may alter score results and engage in launching physical attacks at future Olympic Games, a recently released report warns.

Berkeley, Calif. – The Olympic Games in the coming years are likely to face far more serious cyberattacks and ones that will be more difficult to detect, according to a report released this week by the UC Berkeley Center for Long-Term Cybersecurity (CLTC).

And although the Summer Olympics don’t roll into Los Angeles until 2028, US officials are already considering the cybersecurity threats for the high-profile event. The Los Angeles Organizing Committee for the 2028 Olympic Games provided support for the CLTC report.

The concern is understandable. During the 2008 Beijing Olympics, security officials fielded 11 million to 12 million daily alerts, with roughly a half dozen falling into the imminent threat category, according to the report. And in the 2012 Summer Olympics in London, six major security incidents – five of which involved DDoS-related attacks – were brought to the attention of the event’s CIO. Last year, at the conclusion of the Rio Olympic Games, Russian hackers pilfered medical records of athletes from the World Anti-Doping Agency.

Most of the threats that have emerged at the Olympics so far have fallen into the categories of reputational harm and financial harm: cybercriminals ran ticket scams, manipulated websites, pilfered payment information, and attacked maintenance systems. But even more serious attacks are likely in the future, said Betsy Cooper, CLTC executive director, who presented the findings during a panel session here at the University of California at Berkeley this week.

Threats to Grow Darker

While most of the past attacks on sporting events center on IT systems at stadiums and ticket sales and operations, future cyberattacks at the Olympics may occur in eight key areas, says Cooper.

The areas include cyberattacks to facilitate terrorism and kidnappings and panic-induced stampedes; altering scoring systems; changing photo and video replay equipment; tampering with athlete care food dispensing systems; infiltrating monitoring equipment; tampering with entry systems; and interfering with transportation systems.

“I was surprised to learn there are instances where human decisions are overridden by technology,” Cooper said, in reference to a growing reliance on using technology to make the first call in a sporting event, rather than a human referee.

She pointed to the reliance on Hawk-Eye, the electronic line-calling technology used in such sports as tennis. The Association of Tennis Professionals (ATP) plans to fully use electronic line-calling technology at its Next Gen Finals match, reports Tennis.com.

“Increasingly technology is being used to assist with referee calls,” Cooper said, noting the potential of hackers breaking into such systems and altering the outcome of the scoring systems. “With more automation, there are more potential vectors of attack.”

Betsy Cooper, CLTC executive director; Doug Arnot, Broadstone Group Chairman; Brian Nelson, LA 2028 General Counsel; Missy Franklin, five-time Olympic Medalist; and Steve Weber, panel moderator and CLTC faculty director

These types of attacks not only have the potential to alter which athletes become gold-medal winners at the Olympics; this type of hacking may also be more difficult to detect, she added.

If an electronic referee is called into action multiple times over the course of an athlete’s performance, a hacker could occasionally slip in to alter the results just enough to tip the win in the target’s favor.

Athletes could also face physical harm if cybercriminals were to tamper with automated food systems that dispense such items as protein drinks that have specific nutrients doled out for each athlete. An Olympic swimmer who is allergic to gluten, for example, could get a protein drink laced with gluten after a cybercriminal, or nation-state, seeks to take that athlete out of the games, according to Cooper.

Such attackers are likely to be cybercriminals looking to make money by betting on certain teams or players and altering the results to win, or a nation-state or patriotic national wanting to rig the game so their home team wins, said Doug Arnot, chairman of the Broadstone Group and a panelist at the Olympics cybersecurity panel.

Missy Franklin, a five-time Olympic medalist swimmer and panel member, said that as an athlete she is first and foremost worried about physical security, and secondly about cybersecurity threats that can alter the outcome of a game.

“It’s intimidating and threatening,” Franklin said, noting technology is used to determine the swimmer who touches the wall first when deciding the outcome of a game.

That said, however, Franklin noted that human referees are also used to make calls on the way a swimmer makes a lap turn or whether they start the race prematurely.

Keeping a Level Playing Field

CLTC made several recommendations to minimize the attack surface at the Olympic Games. One is to balance opportunity and risk by questioning the need to add new technology at the risk of enlarging the attack surface.

Another suggestion is to have a human as a backup to any technology, and to give human referees the ability to verify that the technology used in the games is producing the correct results.

Cybersecurity training on issues ranging from phishing to social engineering should be provided to all Olympic staff members and officials, according to the report.


Dawn Kawamoto is an Associate Editor for Dark Reading, where she covers cybersecurity news and trends. She is an award-winning journalist who has written and edited technology, management, leadership, career, finance, and innovation stories for such publications as CNET’s …

Article source: https://www.darkreading.com/informationweek-home/olympic-games-face-greater-cybersecurity-risks-/d/d-id/1330107?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple