Posted by Kevin on June 23, 2015.
The Intercept yesterday published an article titled Popular Security Software Came Under Relentless NSA and GCHQ Attacks. I am one who in the past has wondered about the relationship between the spy agencies and the anti-virus industry (see, for example, AV and the NSA: is the anti-virus industry in bed with the NSA – why do CIPAV, FinFisher and DaVinci still defeat AV?). The following article was written by a security expert with a close knowledge of AV, and a different view to mine…
The Intercept has published an article – Popular Security Software Came Under Relentless NSA And GCHQ Attacks – with documents relating to claims that:
The National Security Agency and its British counterpart, Government Communications Headquarters, have worked to subvert anti-virus and other security software in order to track users and infiltrate networks.
My first thought on reading this was to wonder whether this would put an end to all the questions about whether anti-virus companies are in bed with the NSA and its friends. If that was the case, why would those same intelligence services need to engage in surreptitious reverse engineering? That said, the article does include a quote from a security consultant who makes the interesting assertion that:
Anti-virus products, with only a few exceptions, are years behind security-conscious client-side applications like browsers or document readers.
That seems to suggest that the tradition of mistrust of the anti-malware industry on the part of other sectors of the security industry and the media is alive and well. Even though the Kaspersky viewpoint was generously represented in the Intercept piece by quotes from a long blog article by founder Eugene Kaspersky about his (and his company’s) alleged relationship with the FSB, there were also copious references to reports of weaknesses and vulnerabilities in the company’s software. (One of those reports being – apparently – an NSA document.) Still, you’d think that the story would at least stop some of the speculation as to whether vendors whitelist government spyware on request. (Actually, several companies were very clear at the time that they denied any such complicity, but speculation has persisted.)
Forbes, however, implied a connection – NSA Spied On Non-American Anti-Virus Companies – with older stories naming companies that hadn’t responded to the Bits of Freedom request – close to a demand, frankly, complete with deadline – for information on AV company policies and their relationships with government agencies.
While I understood and was not unsympathetic to BoF’s concerns, I felt at the time that the group was somewhat cavalier in its demands, giving the impression of an authority that it didn’t possess. I’m certainly not in a position to comment on the existence of any relationship between companies named by Dark Reading and elsewhere as not having responded to the BoF letter, and the government agencies named in the latest stories. Nor do I have any insider knowledge as to why several major companies apparently chose not to answer some or any of the questions posed by Bits of Freedom, but they had every right to make that choice, and I think it’s inappropriate to jump to conclusions.
However, the Forbes piece makes the point that:
…for reasons not outlined in the leaks or by the agencies themselves, notable US and UK anti-virus providers were seemingly left untouched, despite being used across the world.
It’s true that ‘The NSA’s list of Project CAMBERDADA “targets”’ as shown in the article is notably lacking in US or UK vendors. (Though it also lists one vendor twice, once under its real name and once under the name of one of its products, which doesn’t suggest a thoroughly researched and finalized target list.)
So what? Well, Forbes doesn’t draw any explicit argumentum ex silentio conclusions about the reasons for this absence, preferring to leave an innuendo hovering in the air. Unfortunately, I suspect that we’re probably in for another round of useless, unverifiable and potentially misleading speculation from less cautious sources. In fact, I’ve already seen a blog claiming that ‘The list of companies hacked by the intelligence agencies is long and includes prestigious names like Kaspersky Lab, F-Secure, ESET, Avast, BitDefender, AVG, and Checkpoint.’
Really? Well, it may be that intelligence agencies have been reverse engineering security products in the same way that the gangs who write and distribute malware do, but how many people will read that as meaning that those products have been directly compromised and modified?