
Date: Tue, 02 Jan 2018 16:39:01 -0800

What does an antivirus program do? It scans every file in your device looking for *signatures*, and then uploads those files which match the signatures for further analysis by the antivirus provider.

So hacking antivirus involves 2 steps: produce signatures for files you want to steal, and then exfiltrate those files. The hard work of scanning for those files is already automated by the antivirus program!

Both steps are trivial *if/when you're the antivirus vendor*! Duh!

But even when you're not the antivirus vendor, the antivirus technology is the perfect "evil maid" which constantly runs in the background, indexing files for later -- possibly more labor-intensive -- exfiltration.

Nicole Perlroth, 1 Jan 2018
How Antivirus Software Can Be Turned Into a Tool for Spying https://www.nytimes.com/2018/01/01/technology/kaspersky-lab-antivirus.html

It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There's good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an untrustworthy antivirus maker -- or hacker or spy with a foothold in its systems -- could abuse that deep access to track customers' every digital movement.

"In the battle against malicious code, antivirus products are a staple," said Patrick Wardle, chief research officer at Digita Security, a security company. "Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect."

Mr. Wardle would know. A former hacker at the National Security Agency, Mr. Wardle recently succeeded in subverting antivirus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents. Mr. Wardle's curiosity was piqued by recent news that Russian spies had used Kaspersky antivirus products to siphon classified documents off the home computer of an NSA developer, and may have played a critical role in broader Russian intelligence gathering.

"I wanted to know if this was a feasible attack mechanism," Mr. Wardle said. "I didn't want to get into the complex accusations. But from a technical point of view, if an antivirus maker wanted to, was coerced to, or was hacked or somehow subverted, could it create a signature to flag classified documents?"

That question has taken on renewed importance over the last three months in the wake of United States officials' accusations that Kaspersky's antivirus software was used for Russian intelligence gathering, an accusation that Kaspersky has rigorously denied.

Last month, Kaspersky Lab sued the Trump administration after a Department of Homeland Security directive banning its software from federal computer networks. Kaspersky claimed in an open letter that "DHS has harmed Kaspersky Lab's reputation and its commercial operations without any evidence of wrongdoing by the company."

For years, intelligence agencies suspected that Kaspersky Lab's security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward J. Snowden, the former National Security Agency contractor, described a top-secret NSA effort in 2008 that concluded that Kaspersky's software collected sensitive information off customers' machines.

The documents showed Kaspersky was not the NSA's only target. Future targets included nearly two dozen other foreign antivirus makers, including Checkpoint in Israel and Avast in the Czech Republic. [...]

[Excellent long item PGN-truncated for RISKS. The print version (2 Jan 2018) has a different headline: Spies Exploit The Software That Protects.]
