Russian antivirus firm faked malware to harm rivals
http://www.reuters.com/article/us-ka...0QJ1CR20150814
By Joseph Menn | SAN FRANCISCO
There has been and it was confirmed by their CEO that Kaspersky has close ties to the FSB at the CEO Level...BUT that is all....they claim they never share with the FSB....oh really......especailly when now the FSB has unlimited abilities to monitor all Russian Internet movement......Beginning more than a decade ago, one of the largest security companies in the world, Moscow-based Kaspersky Lab, tried to damage rivals in the marketplace by tricking their antivirus software programs into classifying benign files as malicious, according to two former employees.
They said the secret campaign targeted Microsoft Corp (MSFT.O), AVG Technologies NV (AVG.N), Avast Software and other rivals, fooling some of them into deleting or disabling important files on their customers' PCs.
Some of the attacks were ordered by Kaspersky Lab's co-founder, Eugene Kaspersky, in part to retaliate against smaller rivals that he felt were aping his software instead of developing their own technology, they said.
"Eugene considered this stealing," said one of the former employees. Both sources requested anonymity and said they were among a small group of people who knew about the operation.
Kaspersky Lab strongly denied that it had tricked competitors into categorizing clean files as malicious, so-called false positives.
"Our company has never conducted any secret campaign to trick competitors into generating false positives to damage their market standing," Kaspersky said in a statement to Reuters. "Such actions are unethical, dishonest and their legality is at least questionable."
Executives at Microsoft, AVG and Avast previously told Reuters that unknown parties had tried to induce false positives in recent years. When contacted this week, they had no comment on the allegation that Kaspersky Lab had targeted them.
The Russian company is one of the most popular antivirus software makers, boasting 400 million users and 270,000 corporate clients. Kaspersky has won wide respect in the industry for its research on sophisticated Western spying programs and the Stuxnet computer worm that sabotaged Iran's nuclear program in 2009 and 2010.
The two former Kaspersky Lab employees said the desire to build market share also factored into Kaspersky's selection of competitors to sabotage.
"It was decided to provide some problems" for rivals, said one ex-employee. "It is not only damaging for a competing company but also damaging for users' computers."
The former Kaspersky employees said company researchers were assigned to work for weeks or months at a time on the sabotage projects.
Their chief task was to reverse-engineer competitors' virus detection software to figure out how to fool them into flagging good files as malicious, the former employees said.
The opportunity for such trickery has increased over the past decade and a half as the soaring number of harmful computer programs have prompted security companies to share more information with each other, industry experts said. They licensed each other's virus-detection engines, swapped samples of malware, and sent suspicious files to third-party aggregators such as Google Inc's (GOOGL.O) VirusTotal.
By sharing all this data, security companies could more quickly identify new viruses and other malicious content. But the collaboration also allowed companies to borrow heavily from each other's work instead of finding bad files on their own.
Lab in 2010 complained openly about copycats, calling for greater respect for intellectual property as data-sharing became more prevalent.
In an effort to prove that other companies were ripping off its work, Kaspersky said it ran an experiment: It created 10 harmless files and told VirusTotal that it regarded them as malicious. VirusTotal aggregates information on suspicious files and shares them with security companies.
Within a week and a half, all 10 files were declared dangerous by as many as 14 security companies that had blindly followed Kaspersky's lead, according to a media presentation given by senior Kaspersky analyst Magnus Kalkuhl in Moscow in January 2010.
When Kaspersky's complaints did not lead to significant change, the former employees said, it stepped up the sabotage.
INJECTING BAD CODE
In one technique, Kaspersky's engineers would take an important piece of software commonly found in PCs and inject bad code into it so that the file looked like it was infected, the ex-employees said. They would send the doctored file anonymously to VirusTotal.
Then, when competitors ran this doctored file through their virus detection engines, the file would be flagged as potentially malicious. If the doctored file looked close enough to the original, Kaspersky could fool rival companies into thinking the clean file was problematic as well.
VirusTotal had no immediate comment.
In its response to written questions from Reuters, Kaspersky denied using this technique. It said it too had been a victim of such an attack in November 2012, when an "unknown third party" manipulated Kaspersky into misclassifying files from Tencent (0700.HK), Mail.ru (MAILRq.L) and the Steam gaming platform as malicious.
The extent of the damage from such attacks is hard to assess because antivirus software can throw off false positives for a variety of reasons, and many incidents get caught after a small number of customers are affected, security executives said.
The former Kaspersky employees said Microsoft was one of the rivals that were targeted because many smaller security companies followed the Redmond, Washington-based company's lead in detecting malicious files. They declined to give a detailed account of any specific attack.
Microsoft's antimalware research director, Dennis Batchelder, told Reuters in April that he recalled a time in March 2013 when many customers called to complain that a printer code had been deemed dangerous by its antivirus program and placed in "quarantine."
Batchelder said it took him roughly six hours to figure out that the printer code looked a lot like another piece of code that Microsoft had previously ruled malicious. Someone had taken a legitimate file and jammed a wad of bad code into it, he said. Because the normal printer code looked so much like the altered code, the antivirus program quarantined that as well.
Over the next few months, Batchelder's team found hundreds, and eventually thousands, of good files that had been altered to look bad. Batchelder told his staff not to try to identify the culprit.
"It doesn't really matter who it was," he said. "All of us in the industry had a vulnerability, in that our systems were based on trust. We wanted to get that fixed."
Continued.......
Last edited by OUTLAW 09; 08-15-2016 at 05:01 PM.
Suit warns of Russian ‘back door’ into U.S. fingerprint systems
http://www.sfgate.com/nation/article...witter-desktop …
Former execs of French firm that developed FBI fingerprint tech say it was made by the Russians & could be sabotaged
http://www.sfgate.com/nation/article...-S-9140446.php …
BUT WAIT so do the Chinese when they hacked the entire OMB Security Clearance database complete with fingerprints......they stole the data of over 20M US citizens
Last edited by OUTLAW 09; 08-15-2016 at 05:50 PM.
Hackers could acquire sensitive data through hard drive noises — via @TimesofIsrael
http://read.bi/2aWkM06
Originally Posted by OUTLAW 09
Wikileaks Published Dozens of Malware Links in Email Dump
http://gizmodo.com/wikileaks-publ
If this was Russia, it signals an unprecedented public escalation of the US-Russian cyber cold war.
http://motherboard.vice.com/read/hac...cyber-cold-war
Hack of NSA-Linked Group Signals a Cyber Cold War
Written by
Lorenzo Franceschi-Bicchierai
August 16, 2016 // 01:52 PM EST
REMEMBER the two core key cornerstones of Russian non linear warfare is information warfare and cyber warfare....
Taken from the active site
https://twitter.com/shadowbrokerss
10.Equation Group Cyber Weapons Auction - Invitation
11.- ------------------------------------------------
12.
13.!!! Attention government sponsors of cyber warfare and those who profit from it !!!!
14.
15.How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.
16.
17.Picture Urls
18.- ------------
19.http://imgur.com/a/sYpyn
20.https://theshadowbrokers.tumblr.com/
21.https://github.com/theshadowbrokers/EQGRP-AUCTION
Last edited by OUTLAW 09; 08-16-2016 at 06:47 PM.
The main twitter page link for theshadowsbrokers has been disabled and removed.
https://www.washingtonpost.com/world...mepage%2Fstory
Powerful NSA hacking tools mysteriously surface online
Serious question now becomes for the ever reluctant Obama WH to confront Russia...WHEN will they have to actually push back with a very well thought through cyber attack to signal to Putin to "stand down"....The release of the cache of files could pose severe consequences for the National Security Agency’s operations and the security of government and corporate computers. “Without a doubt, they’re the keys to the kingdom,” said a former employee who worked in the agency’s hacking division.
We are now in a full scale cyber war that the Obama WH does not quite want to believe it possible....THAT happens when your opponent views you as a weak leader for never pushing back in eastern Ukraine and or in Syria and or in their constant INF nuclear violations...
These are the hacking techniques used in suspected Clinton Foundation attack:
http://reut.rs/2bpnKfR
Great read by @HowellONeill — now that it's all but proven that hackers stole NSA cyberweapons —now what?
http://bit.ly/2bhLBLX
Experts have 2 theories for how top secret NSA data was stolen — both are equally disturbing
http://read.bi/2bAXah2
ThreatConnect, Inc. @ThreatConnect
From the start...read it all! Guccifer 2.0, the #DNCHack, and FANCY BEARS, Oh My!
http://hubs.ly/H042YHT0
Cyber espionage: A new cold war?
An online ‘auction’ signals a build-up of tension between Russia and America
http://on.ft.com/2ba2uaA
Commentary: Evidence points to another Snowden at the NSA
http://reut.rs/2bzmk1d
Just a side note....when the US "acquired" a bulk of the MfS/Stasi files just after the Wall collapsed....an analysis of these files indicated at least 100 US citizens had been/still were active in spying for the GDR/DDR either for the Stasi, GRU or KGB.....
BUT although the indications of 100 or more were there.... it was virtually impossible to identify them.....
My experience in doing security clearance reviews for the Army Security Agency in Berlin during the Cold War days reinforces the simple fact..the NSA has always been either lax and or not diligent enough in protecting themselves from outside spies....so this does not surprise me in the least....then we pulled the clearances from two US Army COLs and over 30 Army enlisted and NCOs....due to serious questions.....and we pointed initially the finger at the US Army/Stasi Spy CWO Hall but no one wanted to pay attention to the hints until 1988....
In those days new US laws virtually tied our hands to investigate unless the individual walked around with a sign around his neck stating "I am a spy".....was frustrating in those days....
ESPECIALLY now that the Chinese have the complete security clearance records of ALL US government employees former and present (20M plus or minus) and their finger prints and will in the end share them with the Russian SVR.......
Last edited by OUTLAW 09; 08-22-2016 at 07:52 AM.
https://www.yahoo.com/tech/nsa-leak-...121630860.html
NSA leak rattles cybersecurity industry
Jaikumar Vijayan
Christian Science Monitor Sat,
Aug 20 5:16 AM PDT .
After an unknown group released a cache of hacking tools from the National Security Agency earlier this week, some of the biggest tech companies in the world are scrambling to patch their systems and software to protect themselves and customers from attacks.
The leak came from the anonymous group calling itself the Shadow Brokers. While the group's origin and motivations remain unknown, cybersecurity experts and former agency employees have authenticated the cache of NSA hacking tools.
By exposing the custom-made malware online, the Shadow Brokers have suddenly made many of the systems American corporations rely on for cybersecurity more vulnerable to digital attacks from criminals and spies.
Now, many cybersecurity experts are asking why the NSA would stockpile so many of these kinds of security vulnerabilities without telling the affected companies such as networking giants Cisco and digital security firm Fortinet.
"The policy question we have to ask ourselves is what's an acceptable amount of time for the NSA to keep these exploits exclusively, before being legally compelled to disclose them," says Jeremiah Grossman, head of security strategy at cybersecurity firm SentinelOne.
While he says that the NSA needs some of the software exploits to spy on its adversaries and carry out digital missions, holding onto those flaws too long can be detrimental to American security.
Cisco said it inspected the NSA cache and discovered at least two hacking tools targeting security flaws in its products. The company said it did not know about the existence of one of the flaws until this week’s leak.
Beyond Cisco and Fortinet, which discovered firewall vulnerabilities among the digital weapons, many other companies could be at risk.
So far, the Shadow Brokers have released about 300 megabytes of data comprising a total of over 50 attack tools that would let attackers bypass firewalls that organizations rely on to defend against external attacks.
The leak also raises questions about the nature of nation-state hacking, and how much spy agencies know about flaws in software that they aren't revealing to tech companies and the public.
"How many of these are the Russians and the Chinese sitting on?" asked Jason Healey, senior research scholar at Columbia University’s School of International and Public Affairs.
The US does have a process that requires the NSA to disclose its bug discoveries to the White House National Security Council. The idea is to ensure that security flaws with especially broad impact are disclosed to the relevant companies so they can fix them, said Mr. Healey.
While that process may need to be updated in light of the NSA leaks, it is likely that other countries don’t have even this level of transparency.
"It is quite possible that their arsenals are even more significant than the US arsenal, which means there are a bunch more vulnerabilities we don't know about," he said. "It means the overall security of US infrastructure could be even worse than we thought."
http://www.businessinsider.de/nsa-cy...16-8?r=US&IR=T
The NSA cyber-weapon auction is a total smokescreen — here's what's really going on
Paul Szoldra
17.08.2016
A group calling itself the "Shadow Brokers" claimed earlier this week that it hacked into the US National Security Agency and stole an apparent treasure trove of exploits and hacking tools that it is now trying to auction off.
But experts say that this is all a smokescreen for a not-so-subtle message from Moscow to Washington: Don't mess with us.
"It's a smokescreen, there's nothing real about this," John Schindler, a former NSA analyst and counterintelligence officer, told Business Insider. "This is Moscow's way of upping the ante in the spy war, and sending a message no one can miss [which is] 'we have you penetrated, we've got you by the balls, don't push us.'"
He added: "The Russians are making a power play because they think they can right now."
The previously-unknown Shadow Brokers created a number of social-media accounts earlier this month on Reddit, Github, Twitter, and Imgur, before announcing on August 13 its "cyber weapon auction," which promised bidders a "full state sponsor tool set" from a hacking unit believed to be within the NSA known only as "The Equation Group."
It released a 234-megabyte archive on various file-sharing sites with one-half being free to view and use — which numerous experts say is legitimate — while the other half was encrypted. The winner of the auction, the group said, would get the decryption key.
But an auction for hacking tools and exploits is not something that ever happens, experts say. Instead, exploits are bought and sold on the black market for hundreds of thousands and sometimes millions of dollars, in private.
There's something else going on here, and it seems like it has nothing to do with a hacking group looking for cash.
Auction files 'better than Stuxnet'
In the announcement of its auction, Shadow Brokers seemed to ensure that no one would seriously consider bidding on the other half of its treasure trove, which it claims has within it software that is better than "Stuxnet" — the US-Israeli malware that destroyed Iranian nuclear centrifuges.
Its FAQ tells bidders that they are going to lose their Bitcoin, no matter what they do. If you win the auction, you'll get the files, but if you lose the auction, you don't get the files — and you don't get your Bitcoin back.
"Sorry lose bidding war lose bitcoin and files," the group wrote.
That's probably why the so-called auction hasn't moved anywhere close to the group's goal of 1 million Bitcoin, or roughly $575 million. The high bid is currently 1.629 Bitcoin, a surprisingly low figure for a software package that, if it were "better than Stuxnet," would contain a number of unknown software exploits called "zero days," each of which can be sold for $100,000 or more on the black market.
"This auction is one of the more bizarre things that I've ever seen in this space. People who buy and sell exploits would not just dump money into an auction," a source who used to work for the NSA's elite hacker unit, Tailored Access Operations, told Business Insider on condition of anonymity in order to discuss sensitive matters. "It kind of makes no sense."
"The low Bitcoin offers are pretty amusing though," Dr. Peter Singer, a strategist at the think tank New America and coauthor of "Ghost Fleet," told Business Insider in an email.
Further, the website WikiLeaks apparently has the full archive and says that it will release its own "pristine copy in due course." WikiLeaks did not respond to an email from Business Insider asking when that release would be.
This just "shows the fraud of the whole Bitcoin angle," Schindler said.
'Conventional wisdom indicates Russian responsibility'
Former NSA contractor Edward Snowden offered his opinion on the underlying message behind the "auction" in a series of tweets on Tuesday, notably pointing the finger at Russia as being behind it.
After cybersecurity firm CrowdStrike said that it uncovered two different state-sponsored Russian hacking groups inside the servers of the Democratic National Committee in June, Snowden wrote that "if Russia hacked the DNC, they should be condemned for it," and then chided the US for not releasing evidence that he believed the NSA had that would prove it.
That "smoking gun" evidence never came, though a number of US political and intelligence officials have said that the DNC hack was at the Kremlin's direction.
"Circumstantial evidence and conventional wisdom indicates Russian responsibility," wrote Snowden of this latest breach, adding, "This leak looks like somebody sending a message that an escalation in the attribution game could get messy fast."
How messy? According to Snowden, the fully-leaked toolkit — from 2013 — could offer insight into previous hacks carried out by the NSA, or it could be reverse-engineered to help adversaries detect them in the future. Even Schindler, the former NSA analyst who's an outspoken critic of Snowden, agrees with Snowden's finding on the overt message, though he doesn't think that leaked tools will have any significant effect on future NSA operations.
"This stuff has all been changed," Schindler said. "Three years is a long time in cyber ops, because that's not the point. The point is to show NSA that we've got you by the balls."
More network analysis of the current Russian informational warfare/disinformation networks that should be thoroughly understood as one of the core legs of Russian "soft power"......
Kremlin-linked Estonian disinfo op and the surrounding social network
http://aktivnyye.com/t/20160821-kornilov_network.html …
Modus Operandi: NGO <-> Alternative News <-> Money Laundering
http://aktivnyye.com/t/20160821-kornilov_network.html … <- children of the night:
I don’t always put the network entities into a table for ease of identification.
http://aktivnyye.com/t/20160821-korn...ork_table.html …
http://aktivnyye.com/i/20160821/KornilovNet2
The connection to the Rodina Party was an unexpected gift.
AND another form of info warfare (soft power) hard at work.....
Finnish pro- #Kremlin figure registers another web domain to start up a new fake embassy for #Luhansk
Network Analysis on Internet "Russian trolls".......
EU Mythbusters
✔ @EUvsDisinfo Another summer #longread: @STRATCOMCOE report on social media as a tool of hybrid warfare:
http://goo.gl/n7fa2U
Russian info warfare...troll networks
"The #Year Of The #Troll":
http://www.rferl.org/content/the-yea.../27419384.html …
Geolocating #KremlinTrolls and Their Followers.by @webradius:
http://kremlintrolls.com/t/20150622-
Follow great works @webradius:
http://aktivnyye.com/t/20160418-dff.html …& More:
http://aktivnyye.com/index.html
KremlinTrolls are afraid this↑↓
Referrer #Networks":@webradius:
http://aktivnyye.com/t/20160215-fringenet3.html …
"#Disinformation Flows":@webradius:
http://aktivnyye.com/t/20160212-fringenet2.html …
"#Disinformation Flows"@webradius:
http://aktivnyye.com/t/20160212-fringenet2.html …
The Fringes of #Disinfo:A #Network Based on Referrers:@webradius:
http://aktivnyye.com/t/20160207-fringenet1.html …
KremlinTrolls:#Russia|ns & their British Reds:by @webradius:
http://kremlintrolls.com/t/20151003-
KremlinTrolls Blog/Another Look at #Russia|n"diplomat"#Nalobin's #Network:@webradius:
http://kremlintrolls.com/t/20150810-...in_reflux.html …
UK #KremlinTrolls&"#STWC-activists'#StoptheWar'"coop.#Russia|n #intel #Nalobin:by @webradius:
http://kremlintrolls.com/t/20150927-nalobinXstwc.html …
Watch analysis by @webradius:#KremlinTrolls& Other Acquaintances of #Russia|n EMB #Canada:
http://kremlintrolls.com/t/20150907-canada_plus.html …
“#Russia|n #KremlinTrolls >>>
by @webradius >
http://kremlintrolls.com/t/20150616-ri3m.html …
pic.twitter.com/ezDqScQTST
#Russia|n #KremlinTrolls #Putin's.by @webradius:
http://kremlintrolls.com/t/20150616-ri3m.html …
KremlinTrolls are engaged in massive anti-UA #propaganda in #Poland:
http://www.stopfake.org/en/kremlin-t...nda-in-poland/ …
See if you know someone& add to list #KremlinTrolls& other #Kremlin's #UsefuIIdiots of #Russia|n Embassy in #Canada
Do not forget to add #Kremlintrolls& #Kremlin's #UsefulIdiots to list☭&alert about them to followers
'Troll hunting' algorithm could make web a better place
http://www.wired.co.uk/article/googl...cial-behaviour …
Same Russian hackers likely breached Olympic drug-testing agency and DNC http://trib.al/qCmylR3
Reuters Commentary: Evidence points to another Snowden at the NSA
http://www.reuters.com/article/us-in...-idUSKCN10X01P
Selected Excepts:
"...In addition, if Russia had stolen the hacking tools, it would be senseless to publicize the theft, let alone put them up for sale. It would be like a safecracker stealing the combination to a bank vault and putting it on Facebook. Once revealed, companies and governments would patch their firewalls, just as the bank would change its combination.
A more logical explanation could also be insider theft. If that’s the case, it’s one more reason to question the usefulness of an agency that secretly collects private information on millions of Americans but can’t keep its most valuable data from being stolen, or as it appears in this case, being used against us.
In what appeared more like a Saturday Night Live skit than an act of cybercrime, a group calling itself the Shadow Brokers put up for bid on the Internet what it called a “full state-sponsored toolset” of “cyberweapons.” “!!! Attention government sponsors of cyberwarfare and those who profit from it !!!! How much would you pay for enemies cyberweapons?” said the announcement.
While the “auction” seemed tongue in cheek, more like hacktivists than Russian high command, the sample documents were almost certainly real. The draft of a top-secret NSA manual for implanting offensive malware, released by Edward Snowden, contains code for a program codenamed SECONDDATE. That same 16-character string of numbers and characters is in the code released by the Shadow Brokers. The details from the manual were first released by The Intercept last Friday.
The reasons given for laying the blame on Russia appear less convincing, however. “This is probably some Russian mind game, down to the bogus accent,” James A. Lewis, a computer expert at the Center for Strategic and International Studies, a Washington think tank, told the New York Times. Why the Russians would engage in such a mind game, he never explained.
...Rather than the NSA hacking tools being snatched as a result of a sophisticated cyber operation by Russia or some other nation, it seems more likely that an employee stole them. Experts who have analyzed the files suspect that they date to October 2013, five months after Edward Snowden left his contractor position with the NSA and fled to Hong Kong carrying flash drives containing hundreds of thousands of pages of NSA documents."
Russian state company says "let’s store all the Internet correspondence in a single data center"
https://meduza.io/en/news/2016/08/22...campaign=share …
Aug 16
Massive Email Bombs Target .Gov Addresses
Over the weekend, unknown assailants launched a massive cyber attack aimed at flooding targeted dot-gov (.gov) email inboxes with subscription requests to thousands of email lists. According to experts, the attack — designed to render the targeted inboxes useless for a period of time — was successful largely thanks to the staggering number of email newsletters that don’t take the basic step of validating new signup requests.
These attacks apparently have been going on at a low level for weeks, but they intensified tremendously over this past weekend. This most recent assault reportedly involved more than 100 government email addresses belonging to various countries that were subscribed to large numbers of lists in a short space of time by the attacker(s). That’s according to Spamhaus, an entity that keeps a running list of known spamming operations to which many of the world’s largest Internet service providers (ISPs) subscribe.
When Spamhaus lists a swath of Internet address space as a source of junk email, ISPs usually stop routing email for organizations within those chunks of addresses. On Sunday, Spamhaus started telling ISPs to block email coming from some of the largest email service providers (ESPs) — companies that help some of the world’s biggest brands reach customers via email. On Monday, those ESPs soon began hearing from their clients who were having trouble getting their marketing emails delivered.
In two different posts published at wordtothewise.com, Spamhaus explained its reasoning for the listings, noting that a great many of the organizations operating the lists that were spammed in the attack did not bother to validate new signups by asking recipients to click a confirmation link in an email. In effect, Spamhaus reasoned, their lack of email validation caused them to behave in a spammy fashion.
“The issue is the badly-run ‘open’ lists which happily subscribed every address without any consent verification and which now continue as participants in the list-bombing of government addresses,” wrote Spamhaus CEO Steve Linford. It remains unclear whether hacked accounts at ESPs also played a role.
Also writing for wordtothewise.com, Laura Atkins likened email subscription bombs like this to “distributed denial of service” (DDoS) attacks on individuals.
Posting Permissions
Bookmarks