Month: July 2013

By default, Kaspersky [and other] anti-virus collects LOTS of data about your system

UPDATE 2017-04-07: updates moved to bottom.


Obviously, installing software that runs with high privileges always comes at some risk. But Kaspersky Anti-Virus, the option “I agree to participate in Kaspersky Security Network” (KSN) is enabled by default, meaning that there can be no misunderstanding that quite a lot of information is collected by Kaspersky. The KSN Data Collection Statement states:

B. RECEIVED INFORMATION 

* Information about your computer hardware and software, including operating system and service packs installed, kernel objects, drivers, services, Internet Explorer extensions, printing extensions, Windows Explorer extensions, downloaded program files, active setup elements, control panel applets, host and registry records, browser types and e-mail clients that are generally not personally identifiable;

[…]

* Information about applications downloaded by the user (URL, attributes, file size, information about process that initiated download);

* Information about applications and their modules run by the user (size, attributes, date created, information about PE headers, region, name, location, and compression utilities used);

[…]

* The Kaspersky Security Network service may process and submit whole files, which might be used by criminals to harm your computer and/or their parts, to Kaspersky Lab for additional examination.

I’m aware that the digital threat landscape in 2013 is different from that in 1993, but this default behavior grinds my gears. Information about software that is running on a system is conducive to cyber attacks and should be considered sensitive. Even if Kaspersky does not voluntarily and proactively share this information with, say, the FSB, it is unwise to assume that governments and security industry would not cooperate at that level or that legal requirements. Distribution of spyware via a software update by original vendors, even if carried out with due care and targeting only a few, specific systems, can be detected and may result in users abandoning that software. The sharing of legitimately (?) collected data, however, will remain undetected, and can be expected to take place.

Collecting information beyond what can be reasonably expected requires explicit, informed consent. If you use Kaspersky Anti-Virus, disable this feature. I don’t know whether other AV-software (McAfee etc.) has similar behavioral defaults.

UPDATES

UPDATE 2022-03-15: amid the Ukraine-Russia conflict, the German Bundesamt für Sicherheit in der Informationstechnik warns over the use of software – especially if it requires high system privileges – from Russia:

“A Russian IT manufacturer can conduct offensive operations itself, be forced to attack target systems against its own will, or be spied on without its knowledge as a victim of a cyber operation, or be used as a tool for attacks against its own customers.”

Obviously this argument works both ways, i.e., Russian organizations might be advised to not run software manufactured in countries that have offensive programs against Russia. (And so on.) The thought of digital balkanization is not appealing, so let’s hope things can be sorted out w/o destroying all that nice developers/builders/etc. have created over decades.

UPDATE 2019-08-15: Kaspersky and Trend Micro get patch bonanza after ID flaw and password manager holes spotted (El Reg)

UPDATE 2017-12-21: Lithuania bans Kaspersky Lab software on sensitive computers (Reuters)

UPDATE 2017-11-10: WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab (El Reg)

UPDATE 2017-10-05: Russian gov’t hackers exploited Kaspersky to steal highly-classified info from an NSA contractor (Shane Harris linking to WSJ piece). Of course a government may seek to leverage all means it has: recall the leaked NSA slide that states “Sniff It All, Collect It All, Know It All, Process It All, Exploit It All”. If not through voluntary or coerced cooperation, then by exercising legal powers against local persons and organizations — including those who deliver digital goods or services to domestic and foreign persons.

UPDATE 2017-09-13: U.S. DHS Statement on the Issuance of Binding Operational Directive (BOD) 17-01. From the text:

“[…] The BOD calls on departments and agencies to identify any use or presence of Kaspersky products on their information systems in the next 30 days, to develop detailed plans to remove and discontinue present and future use of the products in the next 60 days, and at 90 days from the date of this directive, unless directed otherwise by DHS based on new information, to begin to implement the agency plans to discontinue use and remove the products from information systems.

This action is based on the information security risks presented by the use of Kaspersky products on federal information systems. Kaspersky   anti-virus products and solutions provide broad access to files and elevated privileges on the computers on which the software is installed, which can be exploited by malicious cyber actors to compromise those information systems. The Department is concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks. The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security. […]”

UPDATE 2017-05-11: Eugene Kaspersky Reddit AMA — good move following a report from ABC News regarding a “secret memorandum sent last month to Director of National Intelligence Dan Coats and Attorney General Jeff Sessions [in which] the Senate Intelligence Committee raised possible red flags about Kaspersky Lab”.

UPDATE 2017-04-06: different problem, same domain (virus scanning): users who wittingly — and possibly as per company policy — upload files, that may contains sensitive business information, to virus scanning services, making those scanning services interesting to attackers.

UPDATE 2017-03-15: Benoit Goas posted the following on [RISKS]: “I just downloaded a set of (obviously personal) medical images from an imaging lab, which allows downloads only as executable zip file (their website runs only with silverlight, but that’s not the main issue).  As indicated on https://blog.avast.com/cybercapture-protection-against-zero-second-attacks , since around mid 2016 Avast antivirus has a new function to protect our computers against “zero second attacks”.  So it saw my download of an executable file, and sent it to their cloud as it was a “very rare program file” that they “needed to study”.  Indeed, my personal medical images are quite unique! But I didn’t expect them to be sent anywhere, especially without asking me.  So I now disabled that option, but some problems were:

  • letting my computer auto update without knowing what it’s adding (lots of
    auto updates are running…)
  • automatically sending personal files outside of private computers without asking first
  • hence “forcing” me to disable that feature that could protect me another day
  • making us download executable files to begin with, to just send us a compressed folder
  • not giving any option to contact the software provider, as it appears that part of the company no longer exists (and I’m sure the imaging place wouldn’t care, as it’s a nice service they provide, and can’t change the tools) –
    […] Best regards, B. GOAS”

UPDATE 2015-09-19: different story on AV: ‘AVG Proudly Announces It Will Sell Your Browsing History to Online Advertisers‘.

UPDATE 2014-08-29: different story on AV: Kaspersky backpedals on “done nothing wrong, nothing to fear” company article.

UPDATE 2013-12-29: different story on collection of information about software configurations: according to this article in Der Spiegel, the NSA intercepts Microsoft error-reporting messages, using XKeyscore to fish them out of internet traffic:

“When TAO selects a computer somewhere in the world as a target and enters its unique identifiers (an IP address, for example) into the corresponding database, intelligence agents are then automatically notified any time the operating system of that computer crashes and its user receives the prompt to report the problem to Microsoft. An internal presentation suggests it is NSA’s powerful XKeyscore spying tool that is used to fish these crash reports out of the massive sea of Internet traffic.

The automated crash reports are a “neat way” to gain “passive access” to a machine, the presentation continues. Passive access means that, initially, only data the computer sends out into the Internet is captured and saved, but the computer itself is not yet manipulated. Still, even this passive access to error messages provides valuable insights into problems with a targeted person’s computer and, thus, information on security holes that might be exploitable for planting malware or spyware on the unwitting victim’s computer.
Although the method appears to have little importance in practical terms, (…)”

UPDATE 2013-11-24: Microsoft Security Essentials entry on Wikipedia: “(…) by default, MSE reports all suspicious behaviors of monitored programs to Microsoft Active Protection Service (MAPS), a web-based service.” Opt-in to “Basic Membership” is default setting in the installer. MSE is included in Windows 8; I don’t know the default setting there. (source) 

UPDATE 2013-08-01: I looked at EULA’s of other vendors. Their relevant paragraphs are too long to include in this post, but the key conclusion is that real-time information networks collecting detailing system configuration information are commonplace in today’s anti-malware habitat; as stated by Kaspersky Lab and in other comments. My concern about information collection remains, but a few important points / nuances were made by commenters:
1) Kosay Hatem states that the benefit of these networks is likely greater than the danger of the information collected. I agree that that will be probably true for most users.
2) An anonymous commenter states that for a system that does “security legal oriented work” (forensics?), one can opt-out. I agree. The comment also states that at the end of the day, you either trust your the AV vendor who’s software you install or totally or not; there is no middle ground. I agree, at least when “trust” is defined as the trustee’s acceptance of possible intentional or non-intentional failure of the trusted party.

 
UPDATE 2013-07-18: Kaspersky Labs responded in a comment below this post. The take-away: “So in short: This is an industry practice and done in the similar way by all anti-malware vendors. It can be easily checked the same way in their product EULAs.” I will read the EULA’s of other vendors and update this post to reflect my findings.

EOF

[Dutch] Spionage is van alle tijden, maar…

UPDATE 2014-01-22: Richard Falkvinge explains Why Today’s Wiretapping Is Entirely Unlike Yesterday’s

Na berichtgeving met claims over spionage door Amerika van EU-ambassades en -kantoren heeft John Kerry, de Amerikaanse minister van Buitenlandse Zaken, gesteld dat spionage ‘niet ongebruikelijk’ is in internationale betrekkingen. Die opmerking zal hij niet hebben gemaakt ter legitimering: immers zijn allerlei vormen van misdaad ‘niet ongebruikelijk’ maar daarmee nog niet gerechtvaardigd. Wel is Kerry’s opmerking relevant voor het kader waarin we de dingen moeten zien.

Een bron met ervaring rond de inlichtingenwereld stelt het volgende:

“Ruim 7 jaar geleden sprak ik met een CIA-operative die me vertelde hoe men zich binnen die dienst altijd heeft verbaasd over het feit dat Nederland (toen) als enige land ter wereld openlijk aangaf (voornamelijk gedurende de Koude Oorlog, en daarna i.v.m. het internationale strafhof) dat iedereen die hier een ambassade wilde er rekening mee moest houden dat wij mee zouden kijken en luisteren. Met andere woorden: ‘wij dulden geen gesodemieter hier…’.

Die Koude Oorlog is binnen de inlichtingenwereld nooit gestopt. Laat dat duidelijk zijn. Er lopen nu meer Russen rond in de westerse landen dan gedurende de Koude Oorlog en er is een veelvoud van agenten actief uit een veelvoud aan landen.

Binnen inlichtingendiensten heb je vrienden en (gezamenlijke) vijanden. Maar ook die vrienden bespioneren jou, en jij hen.

Binnen een bepaalde organisatie werd bekend dat één van onze ministeries al haar e-mailverkeer via een Engelse server had lopen doordat een Engelse partij een aanbesteding had gewonnen. Zoals de waard is vertrouwd hij z’n gasten: dat was meteen ‘problematisch’, en waarom? Omdat men hier, als al het e-mailverkeer van zo’n ministerie door Nederland zou lopen, uit inlichtingenoogpunt daarop mee zou willen kijken.

Als wij het zelf al zouden doen (indien de mogelijkheid zich voordoet of wordt ‘gecreëerd’), hoe kunnen we dan verontwaardigd of verbaasd zijn als een ander het doet (en dat ook eigenlijk middels wetgeving altijd kenbaar heeft gemaakt…).”

Ook dit is relevant voor het kader waarin we de dingen zien: spionage is van alle tijden en vindt in allerlei richtingen plaats (hoewel de VS en GB een no-spy agreement zouden hebben). Onthulling van spionage is vrijwel per definitie mediageniek en koren op bepaalde politieke molens: uitingen van verontwaardiging en verbazing moeten dus ook tegen dat licht worden gehouden.

Dat spionage van alle tijden is, is echter niet een geruststellend eind aan de discussie. Er is immers nog geen tijd geweest waarin technologie zoveel mogelijkheden voor spionage heeft geboden als nu. Ashkan Soltani schrijft in MIT Technology Review dat in Amerika niet wetgeving, maar alleen technologie en financiën drempels zijn tegen massasurveillance. Soltani stelt dan ook:

“The extent to which technology has reduced the time and cost necessary to conduct surveillance should play an important role in our national discussion of this issue.”

Hoewel de VS niet vergelijkbaar zijn met Europa en Nederland — juridisch, ethisch, politiek, economisch, militair — lijkt me duidelijk dat Soltani’s stelling ook relevant is voor het publieke debat binnen Nederland en Europa. Een EU-US expertgroep gaat de proportionaliteit van het Amerikaanse handelen onderzoeken. Ik kijk met belangstelling uit naar hun bevindingen, die in oktober 2013 worden gerapporteerd.

Overigens een mooi voorbeeld van betekenisvol toeval: in juni is besloten de stemming door het Europese Parlement over wijziging van de Europese privacyregels opnieuw uit te stellen, deze keer naar september/oktober 2013. Ik hoop van harte dat alle Europarlementariërs zich de negatieve niet-economische externaliteiten (lees: ongewenste gevolgen) van ongebrijdelde verwerking van persoonsgegevens beginnen te realiseren.

Verder leesvoer: