Thursday, July 18, 2013

By Default, Kaspersky [And Other] Anti-Virus Collect LOTS of Data About You[r System]

UPDATE 2013-12-29: different but related: according to this article in Der Spiegel, the NSA intercepts Microsoft error-reporting messages, using XKeyscore to fish them out of internet traffic:
"When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA's powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.

The automated crash reports are a "neat way" to gain "passive access" to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person's computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim's computer.
Although the method appears to have little importance in practical terms, (...)"
UPDATE 2013-11-24: Microsoft Security Essentials entry on Wikipedia: "(...) by default, MSE reports all suspicious behaviors of monitored programs to Microsoft Active Protection Service (MAPS), a web-based service." Opting in to "Basic Membership" is the default setting in the installer. MSE is included in Windows 8; I don't know the default setting there. (source)

UPDATE 2013-08-01: I looked at the EULAs of other vendors. Their relevant paragraphs are too long to include in this post, but the key conclusion is that real-time information networks collecting detailed system configuration information are commonplace in today's anti-malware habitat, as stated by Kaspersky Lab and in other comments. My concern about information collection remains, but a few important points / nuances were made by commenters:
1) Kosay Hatem states that the benefit of these networks is likely greater than the danger of the information collected. I agree that this will be true for nearly all users.
2) An anonymous commenter states that for a system that does "security legal oriented work" (forensics?), one can opt out. I agree. The comment also states that at the end of the day, you either trust the AV vendor whose software you install totally or not at all; there is no middle ground. I agree, at least when "trust" is defined as acceptance of possible failure (e.g. misbehavior) by the trustee.

UPDATE 2013-07-18: Kaspersky Lab responded in a comment below this post. The take-away: "So in short: This is an industry practice and done in the similar way by all anti-malware vendors. It can be easily checked the same way in their product EULAs." I will read the EULAs of other vendors and update this post to reflect my findings.

In Kaspersky Anti-Virus, the option "I agree to participate in Kaspersky Security Network" (KSN) is enabled by default, and that means that quite a lot of information is collected by Kaspersky. The KSN Data Collection Statement states:
B. RECEIVED INFORMATION 

* Information about your computer hardware and software, including operating system and service packs installed, kernel objects, drivers, services, Internet Explorer extensions, printing extensions, Windows Explorer extensions, downloaded program files, active setup elements, control panel applets, host and registry records, browser types and e-mail clients that are generally not personally identifiable;

[...]

* Information about applications downloaded by the user (URL, attributes, file size, information about process that initiated download);

* Information about applications and their modules run by the user (size, attributes, date created, information about PE headers, region, name, location, and compression utilities used);

[...]

* The Kaspersky Security Network service may process and submit whole files, which might be used by criminals to harm your computer and/or their parts, to Kaspersky Lab for additional examination.
I'm aware that the digital threat landscape in 2013 is different from that in 1993, but this default behavior by Kaspersky Anti-Virus really grinds my gears. Information about the software that is running on a system is useful in preparing cyber attacks and should be considered sensitive. Perhaps Kaspersky does not share this information with, say, the FSB, but it is unwise to assume that governments (not just the Kremlin, for that matter) and the security industry would not cooperate at that level. Distribution of spyware via a software update by the original vendor, even if carried out with due care and targeting only a few specific systems, can be detected and will result in users abandoning that software. The sharing of legitimately (?) collected data, however, will remain undetected, and should be expected to happen.

Collecting information beyond what can be reasonably expected requires explicit, informed consent. If you use Kaspersky Anti-Virus, disable this feature and cross your fingers that it did not already send all that information to Kaspersky. I don't know whether other AV-software (McAfee etc.) has similar behavioral defaults.

EOF

9 comments:

  1. Dear Matthijs,

    We read your blog with interest. We would like to give you some more information on our Kaspersky Security Network though, which might change your point of view.

    Data collected via KSN is completely anonymous and is used to analyze Internet and software usage by Kaspersky Lab customers. It helps us deliver the most efficient and immediate reaction to threats. The technology helps to rapidly detect and block new and unknown threats; it is also used to update Kaspersky Lab’s Whitelisting database. Similar tools are used by other market players. Kaspersky Security Network is not a secret or completely unique tool. Similar tools are used by all anti-malware vendors as they make it possible to react immediately to threats and ensure increased security. The principles of KSN are explained in the end-user license agreement (EULA).

    Though the data collected via KSN is completely anonymous, Kaspersky Lab treats it as highly confidential information and takes all due precautions. The processed information is stored on computer servers with limited and controlled access. It is subject to our security procedures and corporate policies regarding the protection and use of confidential information.

    Our business model is based on trust, and we take all possible measures to preserve the trust of our clientele. There is nothing in Russian legislation that would oblige Kaspersky Lab to share the information it collects via KSN with the FSB. Kaspersky Lab has never conducted any secret projects for the FSB.

    So in short: This is an industry practice and done in the similar way by all anti-malware vendors. It can be easily checked the same way in their product EULAs.

    Should you have any remarks or questions, please let us know. We would be happy to give more information.

    Best regards,

    Kaspersky Lab

    Replies
    1. Knowledge about software configurations is highly valuable in the preparation of cyber attacks (CNA/CNE), and the Russian government is developing offensive cyber capabilities (just like the U.S., Germany, Netherlands, etc., for that matter). I prefer trust over distrust, but the current state of affairs requires alertness regarding system and network activity. When I learn that my local anti-virus software communicates, without asking consent, the configuration of my system, which applications I downloaded, and which applications I run, then the AV-vendor is trespassing (IMHO).

      Eugene Kaspersky was (crypto-)trained at a school co-sponsored by the Russian MoD and KGB, and tenured as a Soviet intelligence officer; also, the Kaspersky company has a remarkable track record of unveiling U.S. cyber espionage operations. That doesn't imply that the Kaspersky company is involved in any way in Kremlin-led offensive activity, intelligence gathering or information operations, but on the other hand, it'd be absurd to ignore it altogether. (Note to self: I should discuss the latter with a Russia-oriented diplomat-scholar at Clingendael or HCSS Centre for Strategic Studies.)

      I'm not an anti-malware developer, but everything you state above seems plausible to me. I will check out the EULAs of other anti-malware vendors. If indeed this is industry practice and done in the similar way by all anti-malware vendors, I guess I woke up late in a new world.

      Thanks for taking the effort to respond; it is much appreciated.

      Friendly regards,
      Matthijs

  2. >>>>I don't know whether other AV-software (McAfee etc.) has similar behavioral defaults<<<<

    Maybe you should have investigated this first before picking one vendor and blogging about it... and yes, McAfee does pretty much the same!

    Greetz

    Replies
    1. Thanks, duly noted! I will take a look at other vendors' EULAs and update this post to reflect my findings.

  3. Dear Matthijs,

    Regarding your remark that we didn't ask consent, we would like to clarify that participation in KSN is strictly voluntary and confidential – the user of one of Kaspersky Lab's consumer products has to agree to participate in the system. When installing Kaspersky software, users clearly see the option to participate in KSN on the main install screen, including a link to explain what KSN does and why it helps us to better protect our customers against malware threats.

    Regarding your ideas about our involvement with the FSB, we still state that Kaspersky Lab has never conducted any secret projects for the FSB. As said before, our business model is based on trust, and we therefore take all possible measures to preserve the trust of our clientele. If there are other matters that remain unclear for you, please don't hesitate to share them with us. We would be happy to address them.

    Best regards,

    Kaspersky Lab

  4. Hi,

    Microsoft Security Essentials does the same....

  5. Dear Mr. Mrkoot,
    In fact, a lot of AV companies like Kaspersky, Bitdefender, ESET, Avira, Avast, etc. have the same kind of network. EVEN I HAVE SOME NOTICES ABOUT SECURITY NETWORKS (all AV companies have the same idea of a security network). But in fact, the benefit of these networks is greater than the danger of the information that is collected. In other words, the user doesn't care about DLL files, drivers, installed programs, and other information if the OS is virus-clean and protected from unknown malware, while the user has a big problem if he has malware and the information about his OS is not in the security network.

  6. I have 2 x Windows systems protected by Kaspersky Antivirus 2013, both previously Kaspersky AV 2012. On both occasions I had the option of participation or non-participation in Kaspersky Security Network during installs.

    Since one system is used for security legal orientated work, I opted out from participating. I'm not sure if this option is more obscure in other Kaspersky products or not.

    This product has served me well and I consider it money well spent, less prone to FP's than similar other products of whatever nature but extremely fast on picking up real issues. However, we have to ask how Kaspersky achieves these remarkable results? Part of the answer is their presence on anti-abuse groups linked to cyber issues where we actually have real reachable people. Another part of the puzzle is Kaspersky Security Network. Plus possibly other methods.

    It is not possible to protect if you do not know what you are protecting against and that is why this is an important mechanism to reach and get feedback from the masses. It works both ways.

    At the end of the day, logically you either trust your selection of AV vendor totally or not - in fact any software vendor. There is no middle ground.

  7. The new update of Avast AV is collecting system data also.
