Responding to U.S. government suggestions that its antivirus software has been used for surveillance of customers, Moscow-based Kaspersky Lab is launching what it’s calling a transparency initiative to allow independent third parties to review its source code and business practices and to assure the information security community that it can be trusted.
The company plans to begin the code review before the end of the year and establish a process for conducting ongoing reviews, of both the updates it makes to software and the threat-detection rules it uses to detect malware and upload suspicious files from customer machines. The latter refers to signatures — search terms used to detect potential malware — which are the focus of recent allegations.
The company will open three “transparency centers” in the U.S., Europe, and Asia, where trusted partners will be able to access the third-party reviews of its code and rules. It will also engage an independent assessment of its development processes and work with an independent party to develop security controls for how it processes data uploaded from customer machines.
“[W]e want to show how we’re completely open and transparent. We’ve nothing to hide,” Eugene Kaspersky, the company’s chair and CEO, said in a written statement.
The moves follow a company offer in July to allow the U.S. government to review its source code.
Although critics say the transparency project is a good idea, some added it is insufficient to instill trust in Kaspersky going forward.
“The thing [they’re] talking about is something that the entire antivirus industry should adopt and should have adopted in the beginning,” said Dave Aitel, a former NSA analyst and founder of security firm Immunity. But in the case of Kaspersky, “the reality is … you can’t trust them, so why would you trust the process they set up?”
Kaspersky has come under intense scrutiny after its antivirus software was linked to the breach of an NSA employee’s home computer in 2015 by Russian government hackers who stole classified documents or tools from the worker’s machine. News reports, quoting U.S. government sources, have suggested Kaspersky colluded with the hackers to steal the documents from the NSA worker’s machine, or at least turned a blind eye to the activity.
It’s believed the documents or tools were siphoned from the NSA worker’s machines using “silent signatures” — keyword searches that antivirus companies conduct on customer machines to uncover suspicious files and send them back to the company for review. Although silent signatures are an acceptable method for detecting malware, recent stories have suggested that Kaspersky, or Russian government hackers operating with Kaspersky’s knowledge, used keywords that were deliberately designed to search for intelligence about classified U.S. operations, not for malicious code.
That’s possible, although some experts say it’s also possible the collection was inadvertent — that Kaspersky software identified classified NSA malware still in development, or related documents, and uploaded the material to Kaspersky servers, thinking it was a possible infection.
Kaspersky claims to have more than 400 million users worldwide, but that market share is under threat after the government-sourced news reports and after the Department of Homeland Security banned Kaspersky products last month from civilian government systems. Best Buy removed the software from computers it sells based on concerns that it can be used to spy on customers. Although it’s not yet clear if other governments and commercial partners will follow suit, the company is under great pressure to preserve its remaining business relationships.
The source code review would help address concerns that Kaspersky might embed a backdoor in its software or software updates or be forced to do so on behalf of the Russian government, or that the software could contain vulnerabilities that would allow the Russian government or others to hijack it to spy on Kaspersky customers. (The NSA and its British counterpart GCHQ have, at least in the recent past, endeavored to hack and repurpose Kaspersky software for their own purposes.) The review of Kaspersky’s threat-detection rules would respond to concerns that the company could use silent signatures to pull any file from customer computers, not just malicious ones.
And a secure control process for handling data and suspicious files collected from customer machines for analysis could also help ensure that the Russian government, or other threat actors, can’t intercept customer data while in transit from customer machines to Kaspersky’s network, or hack that network to obtain customer data and files after such material is collected.
Even as it works toward the secure process and announces new review structures, Kaspersky acknowledged that trust isn’t a given and that it has to earn the confidence of customers, partners, and others through transparency and accountability.
“I believe that with these actions, we’ll be able to overcome mistrust and support our commitment to protecting people in any country on our planet,” Kaspersky said in his statement.
Jake Williams said he’s not worried about the general security of Kaspersky software and the risk that someone could embed a backdoor in it or hijack it for their own nefarious use. The founder of Rendition Infosec and former NSA employee said that after Kaspersky was hacked in 2014 using a spy tool, known as Duqu 2.0, the company conducted a thorough review of its code.
“I honestly think Kaspersky is probably the safest code out there when it comes to antivirus,” said Williams.
“I know [Kaspersky] put the work into it to make sure that code is safe. I don’t think others have the same motivation and the same level of desire to get it right. So I think Kaspersky is already the safest on the planet when it comes to that.”
And while Williams agrees with Aitel that the transparency centers and code review are a great idea, he’s not sure the centers adequately address the trust issue. Even if Kaspersky has a third party examining signatures it sends to customer machines, the company could conceivably devise a way to secretly send intelligence-collecting signatures to select customers — signatures that don’t get reviewed.
“I think your critics will still come back and say ‘this is how they will hide stuff,’” he noted.
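The mechanism the article describes, and the two checks a reviewer of threat-detection rules would want, as an added example. This is not Kaspersky's code or rule format: the rule syntax is a minimal stand-in, and every rule, file and digest below is constructed for illustration. It shows that the scanning engine does not care whether a matched file is malware or a document (a rule written against prose sweeps up documents exactly as a rule written against a PE header sweeps up executables), that a simple heuristic can flag rules whose terms are all plain prose for human justification, and that a client-side digest check against a digest the reviewer published out of band rejects a rule set that differs from the reviewed one, which is the gap Williams raises above about unreviewed signatures sent to select customers.

```python
"""Toy model of "silent signatures": rules that mark files on a customer
machine for upload to the vendor, plus two checks a rule reviewer would want.
Added example, not Kaspersky's code or rule format; every rule, file and
digest here is constructed for illustration."""
import hashlib
import json

# Constructed rule set, as an independent reviewer might have signed off on it.
# Each rule uploads any file containing all of its byte-level terms.
REVIEWED_RULES = [
    {"id": "r1", "action": "upload",
     "terms": [b"\x4d\x5a\x90\x00", b"VirtualAllocEx"]},   # PE header + injection API
    {"id": "r2", "action": "upload",
     "terms": [b"cmd.exe /c powershell -enc"]},            # encoded-command launcher
]

# A constructed rule whose terms are document prose, not code: the kind of
# "intelligence-collecting" signature the article says review should catch.
PROSE_RULE = {"id": "r3", "action": "upload", "terms": [b"TOP SECRET", b"project"]}

# Constructed files on a "customer machine".
FILES = {
    "dropper.exe": b"\x4d\x5a\x90\x00" + b"\x00" * 16
                   + b"VirtualAllocEx\x00WriteProcessMemory",
    "notes.txt": b"TOP SECRET draft notes on project timelines, do not distribute",
    "recipe.txt": b"two eggs, flour, sugar",
}


def scan(files, rules):
    """Return {filename: [matching rule ids]} for files that would be queued
    for upload. Whether a file is malware or a document makes no difference
    to the engine; only the rule terms decide."""
    hits = {}
    for name, data in files.items():
        matched = [r["id"] for r in rules
                   if r["action"] == "upload"
                   and all(term in data for term in r["terms"])]
        if matched:
            hits[name] = matched
    return hits


def _prose_like(term):
    """Heuristic: ASCII text made only of plain words (lower, UPPER or Title
    case) with no digits, punctuation or binary bytes. Code artifacts such as
    PE headers, CamelCase API names, paths and command lines fail this."""
    try:
        text = term.decode("ascii")
    except UnicodeDecodeError:
        return False
    tokens = text.split()
    return bool(tokens) and text.isprintable() and all(
        t.isalpha() and (t.islower() or t.isupper() or t.istitle())
        for t in tokens)


def audit_rules(rules):
    """Ids of rules whose every term is prose-like: they select documents by
    what they say, not by code they contain, so a human must justify them."""
    return [r["id"] for r in rules if all(_prose_like(t) for t in r["terms"])]


def ruleset_digest(rules):
    """Canonical SHA-256 over the rule set, as a reviewer could publish it.
    Rules are sorted by id so delivery order does not change the digest."""
    canon = json.dumps(
        [{"id": r["id"], "action": r["action"],
          "terms": [t.hex() for t in r["terms"]]}
         for r in sorted(rules, key=lambda r: r["id"])],
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("ascii")).hexdigest()


def verify_delivered(delivered, published_digest):
    """Client-side check: accept a rule set only if it hashes to the digest the
    reviewer published. A rule slipped to select customers changes the digest."""
    return ruleset_digest(delivered) == published_digest


if __name__ == "__main__":
    print("reviewed rules upload:", scan(FILES, REVIEWED_RULES))
    print("with prose rule:", scan(FILES, REVIEWED_RULES + [PROSE_RULE]))
    print("rules needing justification:", audit_rules(REVIEWED_RULES + [PROSE_RULE]))
    published = ruleset_digest(REVIEWED_RULES)
    print("delivered set matches review:", verify_delivered(REVIEWED_RULES, published))
    print("altered set matches review:",
          verify_delivered(REVIEWED_RULES + [PROSE_RULE], published))
```

The prose heuristic is a reviewer's triage aid, not a proof: a rule can be written against a code-looking term that still only ever occurs in a particular organization's documents, so a flagged-clean rule set still needs a human reading. The digest check likewise only helps if the client compares against a digest obtained from the reviewer rather than from the same update channel that carries the rules.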
Williams and Aitel said the company still hasn’t adequately addressed allegations in a recent story which claimed that Kaspersky marketers in the U.S. were pushing the company’s software to U.S. government agencies as a spy tool that could be used to ferret out potential terrorists among other Kaspersky customers. Nor has the company given a straight answer to questions about whether it used silent signatures to collect the tools from the NSA worker’s machine.
Instead the company’s response until now has been to say it “does not possess any knowledge of the situation in question.”
“If they were innocent, they would be saying, ‘We know exactly what the U.S. is talking about,” said Aitel. “These were the files we pulled off this guy’s machine and this is why we did it — because [they looked] suspicious … and we have logs [we can show you].’ But they’re not saying that because some of the stuff that they pulled they had no reason to pull.”
Correction: Oct. 25, 2017, 9:25 a.m.
After Kaspersky responded to questions, this piece was updated to remove a suggestion that the threat-detection rules subject to review include Yara rules. Yara rules are not included.