Euro Security Watch with Mathew J. Schwartz

Anti-Malware , Breach Preparedness , Data Breach

Anti-Virus: Don't Stop Believing 'Devil You Know' Is Better Than No Anti-Virus At All, Security Expert Warns
Anti-Virus: Don't Stop Believing

Will all of the anonymously lobbed U.S. government allegations against Moscow-based security vendor Kaspersky Lab send anti-virus users running for the hills?

See Also: How to Scale Your Vendor Risk Management Program

To recap the Kaspersky Lab saga, the White House has accused the security firm's anti-virus software of functioning as the equivalent of a search engine for Russian intelligence, scouring PCs worldwide for useful intelligence on the United States. That information reportedly came via Israeli intelligence agents who hacked into Kaspersky Lab's network and found that Russian intelligence was already there. White House officials, meanwhile, have suggested that the security software company must have known what was going on (see Will Kaspersky Lab Survive the Russia Hacking Scandal?).

"If you like to develop cyber weapons on your home computer, it would be quite logical to turn [Kaspersky Security Network] off." 

The Russian security firm makes an easy scapegoat for lawmakers and intelligence officials who failed to block Moscow's interference in the 2016 U.S. presidential elections. No evidence has been produced that might substantiate Kaspersky Lab's culpability into this alleged campaign, and it's not clear that the U.S. view is widespread. Germany's BSI federal cyber agency last week told Reuters that "there are no plans to warn against the use of Kaspersky products since the BSI has no evidence for misconduct by the company or weaknesses in its software."

Hacking Scenario

Security experts say the much more likely - and straightforward - explanation is that the Russian government hacked into the security firm. "I don't think you can ever prove beyond a reasonable doubt that Kaspersky colluded as an organization with any government - it would have been much easier to simply breach Kaspersky, look for reports from the product that might contain material of interest to the intelligence community and then zero in on those machines," Alan Woodward, a professor of computer science at the University of Surrey, tells me (see Surveying 17 Anti-Virus Firms on Their Security Practices).

Kaspersky Lab had also warned that it had been hacked. "Kaspersky admitted that the Israelis had been in their network, so it's quite conceivable others were too," Woodward says. "And to be fair, reporting malware is what the AV software does, and it's not really supposed to be a secret - the fact that Kaspersky picked up an NSA exploit on a home device says more about NSA's operational security than Kaspersky's likely involvement with the Russian government."

A "plain talk" blog post published by Kaspersky Lab offers a pro tip: Its software can be deactivated at any time, via the "protection settings" menu, so it doesn't send samples to its Kaspersky Security Network for analysis. "If you like to develop cyber weapons on your home computer, it would be quite logical to turn KSN off - otherwise your malicious software will end up in our anti-virus database and all your work will have been in vain," the security firm advises. It adds that its corporate product offers a feature that involves never sending any samples to Kaspersky's network.

'God Mode' for PCs

The Kaspersky Lab saga is a reminder that software that the anti-virus software many people now take for granted by necessity runs with the equivalent of a "god mode" for PCs. To stop malware, anti-virus software needs to go deep into the kernel. It also has the ability to grab a copy of suspect files and send them back to malware researchers at the vendor for analysis, so they can write signatures to detect and block the malware on site for all users.

While such capabilities are necessary, they could also be misused. So the question comes down to: Who do you trust?

"This is a real case of better the devil you know," Woodward says. "If you stop using anti-virus it's going to propel us back decades. ... I can't see how you can change anti-virus from accessing everything and reporting home - that's at the core of how it operates. All you can do is use one that you trust."

Not using anti-virus would make it much easier for anyone with malicious intent to hack a wider range of systems. "Of course, the intelligence agencies might actually welcome a decline in malware detection if malware is a key means of gathering intelligence," he says. "However, any such thought would be remarkably shortsighted as the criminal bonanza would make any national intelligence advantage pale into insignificance."

Caveat Emptor

Woodward recommends that buyers of security products do what they should have always been doing: Subject potential vendors to careful analysis and use the most reputable products. "By all means, look to see if there is anything in the public domain that might incline you to consider one more reputable than another," he says.

Many firms, including Avira, F-Secure and Kaspersky Lab, publish clear cloud security policies that spell out how they handle and secure such data.

"In view of the weaknesses we have seen in the supply chain in recent months, one might want to pay particular attention to what anti-virus software vendors say about how their back-end systems are protected," Woodward says.



About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network