Kaspersky Lab’s 400 million users worldwide can’t be happy about recent news linking the company’s antivirus products to spying. The Russian government reportedly used the Moscow-based company’s software to steal sensitive information from American intelligence agents.
The incidents remind us that the security products we trust to protect our PCs have more or less full access. “Every cloud-based anti-virus has the potential and the ability to delete files, to modify files,” said Jake Williams, Founder and President of Rendition Infosec. “They have the ability to launch new processes as well as terminate existing processes.”
It’s bad if someone hacks your computer. If someone hacks your computer and uses your own antivirus software to take over, that’s a disaster. “Looking at all of this together,” Williams concluded, “It becomes clear that if whoever’s running your anti-virus doesn’t have your best interests at heart they can definitely do some damage.”
Now that we know Kaspersky antivirus software can turn against you, the next question is whether we can do anything about it. We talked to security experts to find out more.
Kaspersky’s purported data exfiltration: A timeline
The Kaspersky story heated up earlier this fall. On October 5, The Wall Street Journal reported that hackers working for the Russian government in 2015 stole documents detailing how the U.S. attacks foreign computer networks and defends domestic ones. The Russian hackers used Kaspersky Anti-Virus to identify the data and target it on the home computer of a National Security Agency contractor, the Journal said.
A few days later The New York Times reported that the Americans only found out about the purported Kaspersky data leak from Israeli spies. The Israelis, the Times said, hacked into Kaspersky themselves, where they watched Russian hackers use Kaspersky software in real time as a “sort of Google search for sensitive information.”
The Journal followed up a day later with another report. This one said Russian agents used Kaspersky to search for terms like “top secret” across computers where Kaspersky software was installed.
Kaspersky Lab has denied allegations that it’s in cahoots with Russian intelligence. Nevertheless, retailers including Best Buy, Office Depot, and Staples have pulled Kaspersky software from store shelves during, and leading up to, the controversy.
Company co-founder and CEO Eugene Kaspersky announced he would open up the company’s code to third-party review to quell concerns about Russian interference.
Soon after, Kaspersky Lab also announced the preliminary results of an internal investigation into the purported spying on the U.S. The company said its antivirus software simply did its job. A contractor put covert malware onto his home machine with Kaspersky installed. After a scan, the antivirus detected the new malware, uploaded it to Kaspersky’s cloud servers for analysis, and at that point the covert data was exposed. Kaspersky said once it discovered the government-developed malware the code was deleted from company servers and never delivered to any government agencies.
The Russians are coming. The Russians are coming?
For most North Americans, the default is to assume the worst about Kaspersky Lab, especially because Eugene Kaspersky himself was trained at a KGB-run school.
Security experts see some room for explanation. It’s not unusual, for one thing, for information security (infosec) professionals to start in the military or government intelligence before entering the private sector.
Kaspersky Lab is actually an important player in the infosec community for the useful threat information it makes freely available. “I think they have probably some of the best researchers and talents in the world,” said Amit Serper, principal security researcher for Boston-based infosec company Cybereason.
Good works aren’t enough to absolve Kaspersky, however. That’s why the company wants third parties to audit its code. But even that won’t satisfy most critics. “I think it’s entirely for show, and I think they know that,” Williams said. “It’s not a question of ‘is the code itself secure?’ I would argue that Kaspersky is probably some of the most secure A/V code out there right now. It’s a matter of how they use the code that’s going to be controlled by the Kaspersky command center.”
Serper offered similar sentiments, but added that the data is what most concerns him. “What data is collected [from user PCs]? How is it collected? How is it saved? How is it catalogued? I think it’s a data science question, and not a software engineering question.”
What home users can do
We may never know whether Kaspersky Lab is a willing accomplice for Russian intelligence. What you can do, however, is stick to the basics of PC security and understand your “threat model”—the realistic threats that you confront as an everyday computer user. If you’re an engineer working on infrastructure projects, a research scientist, or even a journalist, then Russian spying on your machine might be part of your threat model, says Williams. Those people may want to avoid Kaspersky products.
The reality, however, is that Russian intelligence is not interested in the average American’s family photos or personal diaries. As Williams pointed out on Twitter, technicians working on your PC at a local computer shop pose a higher risk of data theft than Russian intelligence via Kaspersky or other software.
“Personally, I don’t think that Kaspersky is a threat to the home user,” Serper said.
Williams also wouldn’t advise that most home users dump Kaspersky—he hasn’t even advised any of his family and friends to delete the software. “But if I have a brand-new machine,” Williams added. “And I’m trying to decide should I install Kaspersky or not? I’m not sure that I would.”
That’s not only because of the worries about espionage, Williams says, but the question of Kaspersky’s long-term fate in the U.S. market given current tensions.
Whatever your decision, the worst option would be to give up on antivirus altogether. “Are you worried about the .01 percent of the Advanced Persistent Threat groups [elite and state-level hackers] that are probably not interested in you,” Williams said. “or are you worried about the 99.9 percent of stuff that’s going to hurt you? The reality is A/V keeps most of that stuff away.”
Besides, this problem is not likely to disappear—if anything, more consumer-grade software may soon end up in the cross-fire. Before reports of Kaspersky surfaced, hackers linked to China infiltrated and delivered malware via the popular PC utility CCleaner. Williams believes we’ll see more state-level hackers accelerate their computer hacking programs thanks to recent high-level leaks of infiltration methods such as Vault 7 and the Shadow Brokers hack.
Staying safe with antivirus software
To counter these potential problems, Williams advises home users to stick to big-name products as a way to benefit from a digital version of herd immunity. “For a product that’s widely used,” he said, “a back door in that product will be caught much more quickly than a product that is sparsely used.”
Serper reminds us to keep our machines and software up to date. Vulnerabilities and hacking methods that get leaked are much easier to pull off because many people don’t patch their machines to fix critical vulnerabilities.
As usual, basic common sense and security practices are your best defense. Rely on good, popular software, pick an antivirus that you trust, regularly patch your operating system and software, and don’t forget to use a reliable ad blocker in your browser to guard against some common web-based attacks. That may not defend you against all possible intrusions, but it’s the most reasonable approach short of wearing a tinfoil hat and running Linux.