
Surveying 17 Anti-Virus Firms on Their Security Practices

In Kaspersky Lab Saga's Wake, Here's How AV Firms Have Responded - Or Not

Allegations that Russian intelligence agents somehow co-opted Kaspersky Lab's anti-virus software, enabling them to search PCs for intelligence, raise questions not just about the security of the Moscow-based security firm's products, but all anti-virus products.


To recap: Israeli intelligence allegedly hacked into Kaspersky Lab's network and found Russian intelligence was already monitoring the company's communications with endpoints, as well as running searches for interesting-looking files on customers' PCs. Cue questions about whether Moscow-based Kaspersky Lab knew or abetted those intelligence efforts.

The allegations are a reminder that all anti-virus software is designed to run at a deep level on a PC, which is required to ensure it can excise malicious code. But such capabilities could be misused. In a process known as telemetry, anti-virus software typically sends hashes of known malware samples back to the vendor, so they can geographically track outbreaks. In some cases, anti-virus software also sends copies of suspicious-looking files back to the vendor, so its malware researchers, often working with their peers in other security firms, can study the malware and create signatures. These signatures then get pushed out to all endpoints to better protect them.

All Software Has Flaws

Despite the allegations leveled against Kaspersky Lab, many security experts say that anti-virus software likely has enough exploitable vulnerabilities in it that a security firm would not need to be co-opted (see Yes Virginia, Even Security Software Has Flaws).

And as Dubai-based incident response expert Matt Suiche has noted, any security vendor might be targeted by intelligence agencies seeking easy access to targets' PCs.

When it comes to Kaspersky Lab, we'll probably never know what happened. "I don't think you can ever prove beyond a reasonable doubt that Kaspersky colluded as an organization with any government. It would have been much easier to simply breach Kaspersky, look for reports from the product that might contain material of interest to the intelligence community and then zero in on those machines," says Alan Woodward, a computer science professor at the University of Surrey.

If one takes Kaspersky Lab at its word - that it is innocent - that raises the question of how the company's ability to monitor and communicate with endpoints might be abused. It also raises the question of whether other security firms are similarly at risk - and what they're doing to protect their operations and customers.

What Defenses In Place?

To understand the defenses that anti-virus firms have in place to prevent these types of hack attacks or other misuse, Information Security Media Group reached out to 17 firms that develop anti-virus software for endpoints and posed detailed questions.

So far, 10 firms have responded. Avira (Germany), Bitdefender (Romania), Emsisoft (New Zealand), ESET (Slovakia), F-Secure (Finland), Kaspersky Lab (Russia) and Panda (Spain) offered detailed responses to my questions.

Meanwhile, Trend Micro (Japan) declined to field the questions. So did Webroot (United States), with the company saying that doing so would involve "giving away sensitive and competitive information or commenting on competitors in the space." But Chad Bacher, Webroot's senior vice president of product and technology alliances, lauded market competition. "All endpoint security companies utilize different approaches to keep their customers safe, which benefits consumers by bringing a healthy competition to the market."

Microsoft also declined to comment. "Unfortunately we are unable to accommodate your request at this time," a spokeswoman tells ISMG.

The Sound of Silence

Since ISMG first queried the 17 firms - multiple times if necessary, beginning on Oct. 6, except for Malwarebytes and Sophos, first queried on Oct. 11 - the following firms have neither responded to the posed questions nor offered a definitive "no comment":

  • Avast (Czech Republic)
  • Bullguard (United Kingdom)
  • Malwarebytes (United States)
  • McAfee (United States)
  • Sophos (United Kingdom)
  • Symantec (United States)
  • VIPRE (United States)

6 Anti-Virus Questions

Here are the questions ISMG posed to all 17 anti-virus firms:

  • What steps do you take to secure suspicious file samples when they are transmitted from a user's PC to your researchers? For example, are all such communications encrypted?
  • Could outside attackers eavesdrop on those communications, and if so, how? What defenses are in place to prevent this?
  • Do you ever share copies of these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign?
  • For a user, is sharing suspicious files with your researchers optional? If so, do users "opt in" - or must they "opt out"?
  • Do you anonymize the source of suspicious files, and if so, how (and at which point[s] in the submission chain)?
  • Has your firm engaged in any marketing that suggests that Kaspersky Lab products are not reliable, and does it have any hard evidence - aside from U.S. media reports that cite anonymous sources - to back up these assertions?

"In view of the weaknesses we have seen in the supply chain in recent months, one might want to pay particular attention to what anti-virus software vendors say about how their back-end systems are protected," Woodward says.

Some firms, including Avira and F-Secure, note that they publish policies that spell out how they handle threat data and some of the above questions.

But here are the detailed responses received so far.

Avira's Response

Avira says it encrypts all communications between endpoints and its back-end systems, including encrypted file transfer to submit suspicious files for real-time analysis. Company spokeswoman Olivia Ciubotariu says all this analysis is done using "dedicated and secured networks for the analysis" because every file sample is presumed to be malicious, and that users can opt out of this analysis. Avira says it has never shared these files with VirusTotal, law enforcement agencies, or intelligence agencies domestic or foreign, and that all user data is anonymized.

"We anonymize all personal information before sending them to our database," Ciubotariu says. "The only purpose of Avira Protection Cloud is to protect our customers against widespread threats, and without violating data privacy."

Bitdefender's Response

When users install anti-virus software from Bitdefender, the software asks if they want suspicious files to be sent to the vendor for review, Damase Tricart, global communications director at Bitdefender, tells ISMG. Unless users opt out, "the files are sent via a TLS link, using industry-grade encryption for all of the communication," he says, adding that "there is no known way to decrypt TLS traffic," at least to date.

Any files shared in this manner "are clearly labeled as NDA - do not distribute - in our internal malware zoo," he says. "Bitdefender does not - nor have we ever - shared suspicious files originating from customers with third parties."

All collected information gets anonymized so it cannot be traced back to a user. "Our entire telemetry is heavily anonymized before it is reported to the Bitdefender cloud," Tricart says. "For enterprise customers, the anonymization process is even more thorough, as they have the option to run the Bitdefender products completely segregated from the internet. The business solutions can get their intelligence from an update server deployed on the premises and updates are fed manually by the system administrators on a voluntary basis."

Tricart says privacy remains his business's paramount concern. "As a European Union company with our headquarters in the EU, consumer privacy surpasses any other business decision," he says. "We do not exchange customer information or threat intelligence received from the end users with commercial or government entities."

Emsisoft's Response

Emsisoft says that by default, it does not transfer any suspicious files from a user's system to its cloud-based servers for analysis, but instead only transfers hashes of the file. This process is anonymous and active by default. "Any submissions of hashes are not linked with personal user information at any time, as the systems are separated," says Emsisoft's Holger Keller. "Users can opt out from participating in the Emsisoft Anti-Malware Network, which is our malware information cloud."

Users can, however, manually submit a suspicious file to Emsisoft, which triggers an SSL-only file transfer and creates a service ticket so that the company can respond to the user with its verdict on the file.

"[If] the user's computer is not compromised in the first place - i.e. with manipulated SSL certificate roots - we would consider transfers relatively safe," Keller tells ISMG. "Emsisoft intentionally does not make use of local SSL traffic interception, which seems to be a major security problem for a number of anti-virus vendors these days," he says (see Lenovo Slammed Over Superfish Adware).

File transfers are not anonymous, because Emsisoft needs to respond to the customer, although Keller says a user could provide fake contact details. "We have never shared any suspected malware files with any law enforcement or intelligence agencies," he adds.

ESET's Response

ESET says that by default, its products don't send any user files to the cloud for scanning, but instead send hashes of suspect files. "However, if the user decides to send files/items for analysis, this option is also available in our products," a spokesman tells ISMG. "In such cases all of the processed information is encrypted, including metadata."

Users can opt in to sharing suspect files during software installation. Even so, only suspicious files will be submitted, and numerous file types, including documents, "are excluded from submission by default," ESET says. All suspicious files are submitted to ESET anonymously and are not connected to any license information, it says.

The company says it does not share files with VirusTotal, or for that matter law-enforcement agencies or intelligence agencies, but notes that "in the case of a legitimate request we follow standard procedures required by [EU or national] legislation."

F-Secure's Response

F-Secure says it makes heavy use of encryption and anonymization. "All queries regarding file (hashes) or URL reputation made to our 'security cloud' are encrypted," Sean Sullivan, security adviser at F-Secure, tells ISMG. "Files/samples uploaded/submitted to us by our customers are also encrypted. All customer submissions are flagged as confidential in our sample management system. They are only re-categorized if we can see through our partnerships and threat intelligence that the files are in the wild."

Sullivan says F-Secure does not submit files to VirusTotal, although it does share samples with "trusted partners," but only for samples "which are classified as nonconfidential." Information on a suspect file on a PC, meanwhile, pings the company's cloud security gateway, which will respond if the required information is in its cache. If not, a database handling ID gets dispatched and a back-end query made, thus obscuring the origin of the request.

Sullivan says that in general, one must "opt out" of sharing data with F-Secure, but says this is possible with all products, including its free online scanner. He also says the company does not save IP addresses, but discards this information immediately, localizing to the country level, to help analysts trace malware outbreaks and infection counts at a regional level. Before files get submitted, path names get normalized, usernames changed to "username" or the equivalent and file path metadata cleaned.

Some intelligence and analysis does get shared with CERT-FI - the computer emergency response team for Finland - that may disseminate the information to law enforcement agencies, Sullivan says. "To my best knowledge, law enforcement agencies share with us, seeking our analysis, not the other way around," Sullivan says. He adds that any information shared with CERT-FI is anonymized and tends to focus on malware command-and-control information and "analysis of malware targeting specific targets within a country," rather than sample sharing.

Panda's Response

Panda says it makes extensive use of encryption, which should block any attempt to eavesdrop on communications with endpoints. "The information sent is encrypted, and all communications are encrypted (HTTPS)," says Luis Corrons, technical director of PandaLabs, the firm's anti-malware laboratory.

Customers can opt out of sharing malware samples. "It is important to mention that we only send files that are capable of being executed - i.e. we won't send Word, Excel or PDF files," Corrons tells ISMG. "Most of them are PE [portable executable] files and then scripts," including Visual Basic, JavaScript and batch files.

"We only share malware files with other security companies, but that does not include files that have been found at a customer," Corrons says. "We do not have any share agreements with law enforcement or any intelligence agencies."

Kaspersky Lab's Response

A Kaspersky Lab spokeswoman tells ISMG that its Kaspersky Security Network is "an advanced cloud-based system that automatically processes cyber threat-related data received from millions of devices owned by Kaspersky Lab users across the world, who have voluntarily opted to use this system." It says this cloud-based approach is the one typically taken by larger IT security vendors.

"All communications between clients and Kaspersky Lab infrastructure are reliably encrypted," the spokeswoman says. "The company uses strong encryption, including algorithm RSA 2048 handshake and AES 256 data encryption."

The company says it makes extensive use of encryption, digital certificates, segregated storage and strict data access policies. Anonymization is widespread. "Actions to achieve this include deleting account details from transmitted URLs, obtaining hash sums of threats instead of the exact files, obscuring user IP addresses, etc." The company says it regularly reviews these practices to ensure they comply with legal rules and privacy regulations, such as the EU's General Data Protection Regulation.

Users can opt out of at least some types of information sharing. "Depending on the product, users have the option to switch it off (for corporate solutions) or to limit the amount of data sent through the security cloud (for home solutions)," Kaspersky Lab says.

From a privacy standpoint, the security firm says that for any collected information:

  • "The information is used in the form of aggregated statistics;
  • "Logins and passwords are filtered out from transmitted URLs, even if they are stored in the initial browser request from the user;
  • "When we process possible threat data, by default we do not use the suspicious file. Instead we use hash-sum, which is a one-way math function that provides a unique file identifier;
  • "Where possible, we obscure IP addresses and device information from the data received;
  • "The data is stored on separated servers with strict policies regarding access rights, and all the information transferred between the user and the cloud is securely encrypted."
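
As an added illustration (not code from this article or from any vendor quoted in it), the sketch below applies three of the anonymization steps that F-Secure and Kaspersky Lab describe above: reporting a hash instead of the file itself, replacing the username in file paths, and filtering logins and passwords out of URLs. The function names, the list of sensitive query parameters and the sample values are assumptions constructed for the example.

```python
import hashlib
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed (hypothetical) set of query parameter names treated as credentials.
SENSITIVE_PARAMS = {"user", "username", "login", "password", "passwd", "pwd", "token"}

# Per-user directory prefix on Windows, Linux and macOS style paths.
_USER_DIR = re.compile(
    r"(?i)^((?:[a-z]:)?[\\/](?:users|home|documents and settings)[\\/])[^\\/]+"
)


def scrub_url(url):
    """Drop userinfo, credential-like query parameters and the fragment."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if ":" in host:                      # IPv6 literal: restore the brackets
        host = f"[{host}]"
    if parts.port:
        host = f"{host}:{parts.port}"
    query = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in SENSITIVE_PARAMS
    ]
    return urlunsplit((parts.scheme, host, parts.path, urlencode(query), ""))


def normalize_path(path):
    """Replace the account name in a per-user path with the literal 'username'."""
    return _USER_DIR.sub(lambda m: m.group(1) + "username", path)


def build_report(path, content, source_url):
    """Build a telemetry record that carries a hash, never the file bytes."""
    return {
        "sha256": hashlib.sha256(content).hexdigest(),
        "path": normalize_path(path),
        "source_url": scrub_url(source_url),
    }


if __name__ == "__main__":
    # Constructed sample values, not taken from any real product.
    report = build_report(
        r"C:\Users\alice\Downloads\setup.exe",
        b"constructed sample bytes",
        "https://alice:s3cret@files.example.com:8443/get?id=7&password=hunter2#top",
    )
    for field, value in report.items():
        print(f"{field}: {value}")
```

Scrubbing has to happen on the endpoint, before transmission, for it to reduce what an eavesdropper or a compromised back end can learn.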

Kaspersky Lab says it "routinely assists law enforcement agencies and governments by providing technical expertise on malware and cyberattacks," and it may share malware samples gathered by KSN with law enforcement agencies, at their request. "The sharing of samples with law enforcement agencies is dictated by the local laws by which Kaspersky Lab strictly abides," it says. "We don't share user data with any third party; the industrywide exchange is limited to malicious samples and aggregated statistics."

VirusTotal Sharing

All but one of the security firms that offered answers to ISMG's questions say they do not share virus samples with Google's VirusTotal malware-scanning service.

Emsisoft says that "we exchange files and file information with VirusTotal if the source of a file doesn't generally object to that."

Comments: Allegations Against Kaspersky Lab

Avira, Bitdefender, Emsisoft, ESET and F-Secure declined to comment on the allegations against Kaspersky Lab.

Panda, however, noted that "there is no real proof that Kaspersky Lab has been involved in any malicious activity" and said while Russia might attempt to security firm's product or cloud network, "it is a really unlikely scenario, although if there is some open conflict among both countries it could happen."

Emsisoft's Keller commented in more general terms, noting that "the conceptual problem of submitting files for deeper automated analysis doesn't only affect Kaspersky, but basically all anti-virus vendors." As malware grows more complicated, advanced analysis must typically be carried out on the server side. This can necessitate moving a copy of the file from a client onto a cloud-based server for analysis. "As those clouds are generally closed systems, nobody can tell for sure whether any files are redirected to intelligence services or just kept for statistical analysis as promised," he says.

To help mitigate any threats, Keller says, "sensitive data should be encrypted at all times" when interacting with cloud environments of any kind.

Who to Trust?

To be clear, posing questions to anti-virus firms doesn't mean that their software or back-end servers might not be co-opted now or in the future.

But the willingness of some firms to answer these types of questions may well become a factor for consumers and businesses around the world as they research which anti-virus firms they will trust to secure their systems (see Anti-Virus: Don't Stop Believing).

Updates

Oct. 23: Bitdefender answers added.

Oct. 26: Microsoft says it declines to comment.

Oct. 27: ESET answers added.

This report will be further updated as more security firms respond.


About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.



