Kaspersky Lab cybersecurity firm is hacked (bbc.com)
196 points by goodcanadian on June 10, 2015 | hide | past | favorite | 47 comments



A lot of beating around the bush; just say the US and/or Israel did it.

We already know Duqu was made by the same people who made Stuxnet. We already know Stuxnet was made by the US and/or Israel to hurt the Iranian nuclear program. So if they have strong evidence it was the same people... we know who those people are and we should just say their names.


Kaspersky has been a pain in the ass of the status quo because they are Russian and so it's difficult to control them and rein them in. Lots of exploits depend on the cooperation and complacency of security companies that are in the pocket of the various governments. Kaspersky wasn't one of these, or at least not in the pockets of Russia, and so had to be compromised to try to control their oversight on security and to further the chances of exploits succeeding. Good on them for detecting the exploit, now they know that they are valid targets for this sort of thing.


I'm sure it knew it was a target for this kind of thing since they did exhibit bias. That is to say they showed greater interest in exposing western gov't hacking capabilities and activities than they did in exposing Russian and Chinese govt actors in the same arena.

I'm sure this is no surprise to them.


> than they did in exposing Russian and Chinese govt actors in the same arena.

That's the job of Western companies. Keeps everyone honest. Western companies have as much bias as anyone, they are just good at covering it up with rhetoric... and Americans are good at deluding themselves about their own bias and Nationalism which is no different from anyone else's.

> On balance, with the current regimes in those countries, I prefer the western alternative to these regimes. It's not as if they are equivalent just with a different opinion. I truly prefer my western govt's over Russia and China's.

I do too. However, no one is as clean, just, and fair as they make themselves out to be. Everyone who plays geopolitics is dirty as shit. I like my government because it treats me well enough, ask other people and they might not have the same opinions.


On balance, with the current regimes in those countries, I prefer the western alternative to these regimes. It's not as if they are equivalent just with a different opinion. I truly prefer my western govt's over Russia and China's, no doubts.


sounds like picking-of-lesser-evil discussion to me, which is still a bit sad considering topic...

what a world we got ourselves into! :)


The best world yet.


The worst too...


I kind of agree, but in a merely technical way :) I like the oriental philosophical outlook, so basically, I would have to say, the world is simply what it is. Labelling it "good" or "bad", in an absolute-judgement kind of way, is arbitrary and useless.

But here, the topic was very specific - to say that picking the lesser evil is a bad thing is actually, I'm sorry to say, spoiled. Being able to pick at all is a luxury, which some do not have to this day. And let's not even go into all the other problems we no longer face today, at least in large parts of the world.

That's not to say we don't have a tonne of work ahead of us. We probably always will. And criticism is essential in making progress. But just saying that "the world" has gone bad is not helpful criticism, it's defeatist. Because, what can we do if it has indeed gone bad? Let's not throw the baby out with the bathwater.


<s> Of course the investigation into the Belgacom hack was just 'rhetoric'. No real action was taken, the CEO of the company that led the investigation did not explicitly attribute the hack, just rhetoric. </s>

In all honesty, I still think that western security companies have less bias than those working in less free societies.


> That is to say they showed greater interest in exposing western gov't hacking capabilities and activities than they did in exposing Russian and Chinese govt actors in the same arena.

Kaspersky early detected, nailed, and exposed an advanced nation-state attack on its network.

BBC spin - "Kaspersky Lab cybersecurity firm is hacked"


Who is trying to control and rein in antivirus companies?



That is, nobody: they claim they have never received a request to not detect malware.


I think you need to look more closely at the list of companies and their locations in the second paragraph, and the list of companies that actually replied to the letter.

But we don't actually have to speculate about what the silence of the American companies means: they are quite open about their policies: http://slashdot.org/story/01/11/28/173201/symantec-will-not-...

>Symantec chief researcher Eric Chien stated that provided a hypothetical keystroke logging tool was used only by the FBI, Symantec would avoid updating its antivirus tools to detect such a Trojan, echoing a similar stance Network Associates allegedly took with its McAfee anti-virus software earlier this week. 'If it was under the control of the FBI, with appropriate technical safeguards in place to prevent possible misuse, and nobody else used it -- we wouldn't detect it,' said Chien. 'However we would detect modified versions that might be used by hackers.


Antivirus companies do not need government coercion not to detect malware. They do a pretty good job of that all by themselves.


The Illuminati. Come on. As a security researcher, you should know this. /s


That kind of conspiracy is just too fragile to be believable. While the opsec of such a coercion operation with a company full of unpatriotic foreigners sounds like an absolute nightmare, it's also much, much safer and much easier to build your APT attack vector so that it is not caught by your targets' AV solution.

Kaspersky is also much easier to control than most AV vendors, Eugene has often been quite positive about Russia spying on its citizens more aggressively than the US does, and he has deep connections with other powerful people of Russia.


It's spelled Israel, FWIW.


Intel Security just reported that "[p]ersistent and virtually undetectable attacks by the Equation Group that reprogram hard disk drives and solid state drive firmware."[0,1] It's interesting that this threat was first reported by Kaspersky in February.[2]

The firmware exploits are part of the attack system with Duqu 2.0, right?

[0] http://www.mcafee.com/us/security-awareness/articles/mcafee-...

[1] https://news.ycombinator.com/item?id=9685829

[2] http://www.kaspersky.com/about/news/virus/2015/equation-grou...


Different groups in this case. According to Kaspersky's report, Duqu used a zero-day to promote into kernel space, then loaded the full payload into memory. Less terrifying than the firmware revision from EG as a single attack, but Duqu was unique in that it replicated itself around in the local network, making it impossible to remove short of powering down everything.


"Duqu 2.0 Hits Kaspersky Lab (securelist.com)" thread @ https://news.ycombinator.com/item?id=9691654


Kaspersky's technical paper on Duqu 2.0,[0] begins with: "The initial attack against Kaspersky Lab began with the targeting of an employee in one of our smaller APAC offices." It notes that the next step was compromising other machines on LAN. But they only discuss Windows, and don't even mention OSX, BSD, Linux, etc.

I'm wondering how lateral movement to non-Windows machines would have been accomplished.

[0] https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...


Does anyone get the impression this was some sort of early detection mechanism, done intentionally by the hackers, to know when it has been publicly discovered? Is this stupid? Probably stupid.


I personally believe this is a honeypot or trial of sorts. The reason could've been to determine whether or not the intrusion was detected at all as a sort of validation of just how "almost invisible" the malware is, or it could've been to determine the time required to detect.

Alternatively, it could be a way of getting at the company's data or even to instigate a thorough review of their platform from the client's perspective. There's a lot of subtle information in the Kaspersky report that might be interesting to intelligence services:

- Simultaneous Duqu & Equation Group infection of one victim
- Feature coverage (and those omitted, like other payloads)
- Red herrings detected/ignored; strings, faked compile timestamps
- Noticed misspelling of "Excceeded" & lack of other linguistic errors

Kaspersky mulled this issue:

"So the targeting of security companies indicates that either they are very confident they won't get caught, or perhaps they don't care much if they are discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers have probably taken a huge bet hoping they’d remain undiscovered; and lost."

However they also conceded that they aren't sure:

"The exact reason why Kaspersky Lab was targeted is still not clear – although the attackers did seem to focus on obtaining information about Kaspersky's future technologies, Secure OS, anti-APT solutions, KSN and APT research."

https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...


The simplest, most obvious explanation is: Israeli intelligence wanted to spy on Kaspersky because they are the best at finding and analysing state sponsored malware, they were over-cocky and they eventually got caught.


Or investigation of the relationship between Kaspersky and Russian intelligence, which according to 6 Kaspersky employees, is too close for my comfort: http://www.bloomberg.com/news/articles/2015-03-19/cybersecur...

It sucks that it's so hard to trust anybody's software (or hardware) today.


There is never an end to defending against security attacks. If even the most well-known security company cannot get away from them, what about ordinary people?





That's the BBC article's title. Isn't it S.O.P. to leave article titles as they are?


Here's one of the reasons not to install antivirus software: if a malicious adversary finds a vuln in the AV or hacks C&C servers, you have a nice backdoor you installed to "protect" yourself.


I also knew a guy who wore a seat belt and it broke his neck when he crashed his car into a tree. I still wear a seat belt.


Depends on your threat model. I'm more worried about something nasty in one of the many pieces of random software I download from the internet than my AV being compromised.


I hear a lot of people talk about security but very few people talk about threat models. We need more of this.


Are there any good introductory taxonomies or categorisations of threats and potentially appropriate responses?

The obvious distinctions that spring to my (uninformed) mind are: active (mitm, injection) vs passive (snooping, traffic analysis), targeted/opportunistic (maybe insider/outsider too?), and perhaps level of available resources (on the s'kiddie - lone hacker - collective - governmental spectrum, or something)

I guess the biggest problem with not having a coherent threat model is that you can end up putting too much effort into the wrong things and have a false confidence in your security. Weakest links, and all that.


STRIDE is the acronym used at Microsoft to categorize different threat types. STRIDE stands for:

Spoofing Spoofing is attempting to gain access to a system by using a false identity. This can be accomplished using stolen user credentials or a false IP address. After the attacker successfully gains access as a legitimate user or host, elevation of privileges or abuse using authorization can begin.

Tampering Tampering is the unauthorized modification of data, for example as it flows over a network between two computers.

Repudiation Repudiation is the ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove.

Information disclosure Information disclosure is the unwanted exposure of private data. For example, a user views the contents of a table or file he or she is not authorized to open, or monitors data passed in plaintext over a network. Some examples of information disclosure vulnerabilities include the use of hidden form fields, comments embedded in Web pages that contain database connection strings and connection details, and weak exception handling that can lead to internal system level details being revealed to the client. Any of this information can be very useful to the attacker.

Denial of service Denial of service is the process of making a system or application unavailable. For example, a denial of service attack might be accomplished by bombarding a server with requests to consume all available system resources or by passing it malformed input data that can crash an application process.

Elevation of privilege Elevation of privilege occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application. For example, an attacker with limited privileges might elevate his or her privilege level to compromise and take control of a highly privileged and trusted process or account.

They use the DREAD model to calculate threat impact (risk). You can get the risk rating for a given threat by asking the following questions:

Damage potential How great is the damage if the vulnerability is exploited?

Reproducibility How easy is it to reproduce the attack?

Exploitability How easy is it to launch an attack?

Affected users As a rough percentage, how many users are affected?

Discoverability How easy is it to find the vulnerability?

There's more detail in chapter 3 [1] (threat modelling) of the book Improving Web Application Security: Threats and Countermeasures [2]. Note the book was published 12 years ago.

[1] https://msdn.microsoft.com/en-us/library/ff648644.aspx#c0361...

[2] https://msdn.microsoft.com/en-us/library/ff649874.aspx
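A worked version of the STRIDE/DREAD procedure laid out in the comment above, as an added example (it is not code from the comment or from the Microsoft book it cites). It expands a small data-flow diagram into the STRIDE categories that apply to each element type, using the STRIDE-per-element table from Microsoft's SDL practice, which goes one step beyond the comment; it then rates threats on the Low/Medium/High DREAD scale the book uses and ranks them. The sample elements, the ratings and the 5-7 / 8-11 / 12-15 risk bands are this example's own assumptions.

```python
"""STRIDE-per-element threat enumeration with DREAD ranking.

Added example, not from the Microsoft book cited above. The APPLICABLE
table is the SDL "STRIDE per element" convention; the DREAD scale is the
book's Low=1 / Medium=2 / High=3 summed to 5..15; the band thresholds and
the sample system are assumptions made for this example.
"""
from dataclasses import dataclass, field

STRIDE_NAMES = {
    "S": "Spoofing",
    "T": "Tampering",
    "R": "Repudiation",
    "I": "Information disclosure",
    "D": "Denial of service",
    "E": "Elevation of privilege",
}

# Which STRIDE categories apply to each data-flow-diagram element type
# (assumption of this example: the standard STRIDE-per-element table).
APPLICABLE = {
    "external": "SR",     # external entity: can be spoofed, can repudiate
    "process": "STRIDE",  # a process is exposed to every category
    "dataflow": "TID",    # data in transit: tampering, disclosure, DoS
    "datastore": "TRID",  # stored data incl. logs: tampering, repudiation, disclosure, DoS
}

DREAD_KEYS = ("damage", "reproducibility", "exploitability",
              "affected_users", "discoverability")


@dataclass
class Element:
    name: str
    kind: str  # one of APPLICABLE's keys


@dataclass
class Threat:
    element: str
    category: str  # one STRIDE letter
    ratings: dict = field(default_factory=dict)  # DREAD_KEYS -> 1, 2 or 3

    @property
    def description(self):
        return f"{STRIDE_NAMES[self.category]} against {self.element}"


def enumerate_threats(elements):
    """Expand each DFD element into the STRIDE categories that apply to it."""
    threats = []
    for el in elements:
        if el.kind not in APPLICABLE:
            raise ValueError(f"unknown element kind {el.kind!r} for {el.name}")
        for letter in APPLICABLE[el.kind]:
            threats.append(Threat(el.name, letter))
    return threats


def dread_score(ratings):
    """Sum the five DREAD ratings (Low=1, Medium=2, High=3) into 5..15."""
    missing = set(DREAD_KEYS) - set(ratings)
    if missing:
        raise ValueError(f"missing DREAD ratings: {sorted(missing)}")
    for key in DREAD_KEYS:
        if ratings[key] not in (1, 2, 3):
            raise ValueError(f"{key} must be 1, 2 or 3, got {ratings[key]!r}")
    return sum(ratings[k] for k in DREAD_KEYS)


def risk_band(score):
    """Map a 5..15 DREAD sum to a band (thresholds assumed by this example)."""
    if score >= 12:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def rank_threats(threats):
    """Rated threats first, highest score first; unrated ones trail, flagged."""
    rated = sorted((t for t in threats if t.ratings),
                   key=lambda t: dread_score(t.ratings), reverse=True)
    unrated = [t for t in threats if not t.ratings]
    ranked = [(t.description, dread_score(t.ratings),
               risk_band(dread_score(t.ratings))) for t in rated]
    ranked += [(t.description, None, "UNRATED") for t in unrated]
    return ranked


# Constructed sample: a minimal web application DFD (not a real system).
SAMPLE_ELEMENTS = [
    Element("browser user", "external"),
    Element("web app", "process"),
    Element("browser<->web app HTTP", "dataflow"),
    Element("user database", "datastore"),
]


def sample_assessment():
    """Enumerate the sample DFD, rate two of its threats, return the ranking."""
    threats = enumerate_threats(SAMPLE_ELEMENTS)
    by_key = {(t.element, t.category): t for t in threats}
    # Plaintext HTTP between browser and app: trivial to find and reproduce.
    by_key[("browser<->web app HTTP", "I")].ratings = dict(
        damage=3, reproducibility=3, exploitability=3, affected_users=3, discoverability=3)
    # DoS against the database: damaging, but takes more effort to pull off.
    by_key[("user database", "D")].ratings = dict(
        damage=3, reproducibility=2, exploitability=2, affected_users=3, discoverability=2)
    return rank_threats(threats)


if __name__ == "__main__":
    for desc, score, band in sample_assessment():
        print(f"{band:8} {score if score is not None else '-':>2}  {desc}")
```

The unrated entries are left in the output on purpose: a threat that was enumerated but never rated is the usual way a model quietly loses coverage, so the ranking flags it rather than dropping it.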


Unfortunately our standard web browsers are insecure because of the way JavaScript works.


In practice, JavaScript on the Web doesn't seem to be very high on the list of malware vectors.


Isn't this what XSS is.. ?


Any scripting language can be properly sandboxed, JavaScript being no exception.


Yes, but it's a bit paranoid. Windows and Office are likely going to give you more entry points than the net gain you get from having antivirus/malware protection.


That's bordering on complete paranoia. You can make this argument for any software you install with auto-update capabilities... which is likely significantly more than half the software the average person has.

Your AV company's infrastructure is probably a lot more secure than the infrastructure of browser plugins you use and games you play.


>Your AV company's infrastructure is probably a lot more secure than the infrastructure of browser plugins you use and games you play.

Well I'm not a security expert and I'm using Linux, so I don't use a Windows antivirus obviously. A quick test trying to download free or trial Windows antivirus software (I'm not willing to pay for this simple experiment):

   Kaspersky:
   - google Kaspersky
   - google result leads to http site, all the way to the download of the trial version it's http (I'm sure at least 80% of users don't notice this)
   - try to type in manually https://www.kaspersky.com
   - it redirects to http://www.kaspersky.com !!!!
Ok let's try Avast, it's popular, isn't it?

   - ok it's all https, http redirects to https, it could even have HSTS, didn't check.
   - download links to http CNET site ...
   - I have to allow half the World's third party js to get to the download.
   - It's of course http,
   - Manually rewrite it to https (not straightforward, it's behind a redirection), invalid certificate (issued to a248.e.akamai.net instead of software-files-a.cnet.com)
   - Its installer is probably loaded with CNET crapware anyway
Downloading Avira worked fine though, I only tried these three. These companies are supposed to be security vendors, this is freaking ridiculous.
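The manual experiment in the comment above can be scripted. The following is an added example, not code from the comment or from any of the vendors named: it records the redirect chain a download URL takes and flags the three things the comment noticed by hand, an HTTPS page that redirects back to HTTP, a chain that never upgrades to HTTPS, and an HTTPS hop served without an HSTS header. The chains embedded at the bottom are constructed to mirror the comment's observations and are not live captures; the audit function is pure so it runs offline, while fetch_chain() is the live helper.

```python
"""Audit a download URL's redirect chain for downgrades and missing HSTS.

Added example (not vendor code). audit_chain() is a pure function over a
recorded chain so it can be checked offline; fetch_chain() records a real
chain with urllib, which verifies certificates by default, so a hostname
mismatch like the one in the comment surfaces as an SSL error.
"""
import urllib.request
from urllib.parse import urlparse


class _HopRecorder(urllib.request.HTTPRedirectHandler):
    """Redirect handler that records every hop urllib follows."""

    def __init__(self):
        super().__init__()
        self.hops = []

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append({"url": req.full_url, "status": code,
                          "headers": dict(headers)})
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_chain(url, timeout=10):
    """Follow redirects from url; return the hops as url/status/headers dicts."""
    rec = _HopRecorder()
    opener = urllib.request.build_opener(rec)  # replaces the default redirect handler
    resp = opener.open(urllib.request.Request(url, method="HEAD"), timeout=timeout)
    rec.hops.append({"url": resp.geturl(), "status": resp.status,
                     "headers": dict(resp.headers)})
    return rec.hops


def audit_chain(hops):
    """Return findings for a recorded chain; an empty list means clean."""
    findings = []
    prev_scheme = None
    for i, hop in enumerate(hops):
        parsed = urlparse(hop["url"])
        scheme = parsed.scheme.lower()
        headers = {k.lower(): v for k, v in hop["headers"].items()}
        if scheme == "https":
            if "strict-transport-security" not in headers:
                findings.append(f"hop {i}: no HSTS header from {parsed.hostname}")
        elif scheme == "http":
            if prev_scheme == "https":
                findings.append(f"hop {i}: HTTPS->HTTP downgrade redirect to {hop['url']}")
            else:
                # A leading http hop is acceptable only if the very next hop upgrades.
                nxt = hops[i + 1] if i + 1 < len(hops) else None
                if nxt is None or urlparse(nxt["url"]).scheme.lower() != "https":
                    findings.append(f"hop {i}: plaintext HTTP not upgraded at {hop['url']}")
        else:
            findings.append(f"hop {i}: unexpected scheme {scheme!r}")
        prev_scheme = scheme
    return findings


# Constructed chains modelled on the comment's observations (not live captures).
KASPERSKY_LIKE = [
    {"url": "https://www.kaspersky.com/", "status": 301,
     "headers": {"Location": "http://www.kaspersky.com/"}},
    {"url": "http://www.kaspersky.com/", "status": 200, "headers": {}},
]
CNET_LIKE = [
    {"url": "http://download.cnet.com/some-installer/", "status": 302,
     "headers": {"Location": "http://software-files-a.cnet.com/some-installer.exe"}},
    {"url": "http://software-files-a.cnet.com/some-installer.exe", "status": 200,
     "headers": {}},
]
CLEAN = [
    {"url": "http://vendor.example/", "status": 301,
     "headers": {"Location": "https://vendor.example/"}},
    {"url": "https://vendor.example/", "status": 200,
     "headers": {"Strict-Transport-Security": "max-age=31536000"}},
]


if __name__ == "__main__":
    for name, chain in (("kaspersky-like", KASPERSKY_LIKE),
                        ("cnet-like", CNET_LIKE), ("clean", CLEAN)):
        print(name, audit_chain(chain) or ["ok"])
```

Run fetch_chain() on the real vendor URL and pass its result to audit_chain() to repeat the comment's test; the HEAD request keeps you from pulling the installer itself, though a few servers answer HEAD with 405 and need GET instead.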


Although I can understand what you are saying, and I would not put it at all like the OP did, I don't think it is necessarily paranoid. For example, almost every single piece of software on my laptop is open source and either built by me, or a 3rd party I trust that didn't write the software in the first place. The packages I install are even signed by that trusted 3rd party. This is one of the reasons why my laptop is more secure than a laptop where more than half of the software is auto-updated, obfuscated binaries built by the people who wrote the software.

Certainly not everyone will do this. Although it is probably no longer considered part of the maniac fringe, I don't think it's going to be mainstream any time soon. However, the benefits are not imaginary.


If, like our phones, workstation software actually had to request specific access at install or use, then it would be much more dangerous if software that needed quite extensive access was exploited like this.

But we don't. Our workstations are actually fairly dumb in this regard. Why is that?

Note: Newer Windows and Mac systems might have this with their stores, I don't know. But a store isn't a requirement for this, so why have we had to wait so long?


It's not paranoia to be deeply concerned by the security implications of a ton of auto updating software from dozens of vendors sitting on hundreds of millions of machines.


What was the software.. Adaware, I believe, would block a fair bit of spyware.. except for the companies that it made deals with.



