Kaspersky antivirus allegedly used by Russia to steal files

Here's a story I wasn't expecting to wake up to, but always wondered if it might happen: Kaspersky antivirus has reportedly been used to steal files and silently send them back to Russia.

Yes, it sounds like something out of a dystopian novel, but I promise it's true. Multiple reports today say that Israeli government hackers broke into Kaspersky's corporate network (which is concerning on its own), discovered the data collection while inside, and reported it to the NSA. That was in 2014.

Just a few weeks ago the US government ordered Kaspersky antivirus removed from government computers, but it was unclear what triggered the decision; the Department of Homeland Security said only that "the department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies."

This part of the story is most staggering:

Israeli intelligence officers informed the N.S.A. that in the course of their Kaspersky hack, they uncovered evidence that Russian government hackers were using Kaspersky’s access to aggressively scan for American government classified programs, and pulling any findings back to Russian intelligence systems. They provided their N.S.A. counterparts with solid evidence of the Kremlin campaign in the form of screenshots and other documentation, according to the people briefed on the events.

Today's news, however, is somewhat mortifying: Kaspersky is used on more than 400 million computers around the world, and like any antivirus it runs with system-level privileges and reads every file on disk in order to do its job. In other words, it's entirely possible that almost half a billion computers were compromised by a tool designed to do the exact opposite.

There are a ton of questions I have about this report that are likely to go unanswered, mostly revolving around whether or not the company was complicit.

Kaspersky has said repeatedly that it would be corporate suicide to work with governments like this, but Russian experts (the company is based in Moscow) say a company can be compelled to cooperate with the spy agencies. A more likely scenario is that the company was infiltrated without its knowledge and used as a tool: given that an Israeli intrusion into its own network went undetected for a year, that's not unrealistic.

As the ever-astute @swiftonsecurity pointed out, however, Kaspersky is a legitimate, world-class company, "not just a lazy front for the Russian government."

Here's the thing: now that both Windows and macOS ship with decent security tooling of their own (Windows Defender, Gatekeeper and XProtect, and the ability to remotely revoke the certificates of bad actors), is third-party antivirus necessary? I'll hazard a guess that it's not, but most people have been trained for the last decade to feel unsafe without it.

What's scary about today's revelation is something I've privately wondered: if you're giving a third party unfettered access to your entire machine, can you really trust it? An antivirus engine runs at the highest privilege level on the box, inspects every file, and routinely sends suspicious samples to the vendor's cloud for analysis, so whoever controls the vendor (or has quietly compromised it) can search millions of disks. What is there to stop any antivirus company with that kind of access from being targeted by the NSA or GCHQ? Who says they aren't all compromised anyway?

This is perhaps the first time we've seen the scale of global spying's panopticon in action since Edward Snowden shone a light on the US government's activities. When something as crucial and widespread as antivirus is compromised, you can't assume anything else is safe (let's be honest here: if Juniper's widely deployed network gear secretly had a backdoor for years, we were already screwed).

So, panic or just carry on? It's complicated and depends on your own threat model. You could worry (and probably should) about a given antivirus tool stealing files, but there's little hope of being sure that all of them are safe.

If anything, follow best practice: remove tools that are obviously hostile, keep the number of third-party agents with system-level access to a minimum, and do the basics like avoiding wide-open WiFi networks. If your own threat model happens to include protecting against rogue governments, you may need a new plan.
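One concrete way to act on "remove tools that are obviously hostile" is to first see what is actually installed. The script below is an added example written for this page, not code from the original post or from any vendor: it lists the antivirus products registered with Windows Security Center and the kernel drivers each vendor has loaded, which makes "full access to the system" visible on a real machine. It assumes a Windows workstation SKU (the root/SecurityCenter2 WMI namespace is not present on Windows Server), and the $disallowedVendors list is a hypothetical placeholder you would fill from your own policy.

```powershell
# Added example, not part of the original post. Inventories registered
# antivirus products and the kernel drivers each vendor has loaded.
# Assumptions: Windows workstation SKU (root/SecurityCenter2 is absent on
# Windows Server); $disallowedVendors is a hypothetical placeholder list.

$disallowedVendors = @('Example AV Vendor')   # hypothetical; replace with your own policy

function Get-RegisteredAntivirus {
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            # productState is a bitfield Microsoft does not document; the reading
            # below (middle byte 0x10 = enabled, low byte 0x00 = up to date) is the
            # widely used community decoding, so treat it as a hint, not a guarantee.
            $hex = '{0:X6}' -f [int]$_.productState
            [pscustomobject]@{
                Name     = $_.displayName
                Exe      = $_.pathToSignedProductExe
                Enabled  = ($hex.Substring(2, 2) -eq '10')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
            }
        }
}

function Get-VendorKernelDrivers {
    param([string]$ProductExe)
    if (-not (Test-Path -LiteralPath $ProductExe)) { return @() }

    # Identify the vendor from the signed product binary's version resource,
    # then find every system driver whose CompanyName matches it.
    $company = (Get-Item -LiteralPath $ProductExe).VersionInfo.CompanyName
    if ([string]::IsNullOrWhiteSpace($company)) { return @() }

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName } |
        ForEach-Object {
            # Some driver paths carry an NT "\??\" prefix; strip it so Get-Item resolves it.
            $path = $_.PathName -replace '^\\\?\?\\', ''
            if (Test-Path -LiteralPath $path) {
                $info = (Get-Item -LiteralPath $path).VersionInfo
                if ($info.CompanyName -eq $company) {
                    [pscustomobject]@{
                        Driver  = $_.Name
                        State   = $_.State   # 'Running' means it is loaded in kernel mode right now
                        Path    = $path
                        Company = $info.CompanyName
                    }
                }
            }
        }
}

foreach ($av in Get-RegisteredAntivirus) {
    $matched = $disallowedVendors | Where-Object { $av.Name -like "*$_*" }
    $flag = if ($matched) { 'DISALLOWED' } else { 'ok' }
    Write-Host ('[{0}] {1}  enabled={2} upToDate={3}' -f $flag, $av.Name, $av.Enabled, $av.UpToDate)
    Get-VendorKernelDrivers -ProductExe $av.Exe | Format-Table -AutoSize
}
```

Run it from a normal PowerShell prompt; reading the version resources under System32\drivers does not need elevation. Note the limit of this kind of check: Security Center tells you what is registered and whether its drivers are loaded, not what the product does with the files it reads or what it uploads, which is exactly the gap the story above is about.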

As Snowden said in 2013 of the NSA and other spy agencies, "they are intent on making every conversation and every form of behaviour in the world known to them" and now we know how.

Other news
  • Masayoshi Son’s Grand Plan for SoftBank’s $100 Billion Vision Fund
    Softbank is huge and they're throwing their weight around when it comes to investing in startups across the world right now. This story covers their aspirations — and why they just dropped $164 million into mapping startup Mapbox.
  • Google just bought a podcast app
    Honestly, it seems like the only company that doesn't care about the potential of podcasts is Apple, the company that actually defined the category. 
  • Amazon's working on a door lock
    Because you totally trust FedEx to go right inside your home when delivering packages, right?
  • Dreamhost prevails: it won't have to identify anti-Trump visitors
    A warrant from the US Department of Justice demanded data on who visited a website hosted on the company's servers and used to organize protests against Donald Trump's inauguration — but the company fought the order. Today there's some good news: it doesn't have to identify visitors (but does need to hand over limited data).