Kaspersky Lab cybersecurity firm is hacked - goodcanadian
http://www.bbc.com/news/technology-33083050

======
DickingAround
A lot of beating around the bush; just say the US and/or Israel did it.

We already know Duqu was made by the same people who made Stuxnet. We already
know Stuxnet was made by the US and/or Israel to hurt the Iranian nuclear
program. So if they have strong evidence it was the same people... we know who
those people are and we should just say their names.

~~~
x5n1
Kaspersky has been a pain in the ass of the status quo because they are
Russian and so it's difficult to control them and rein them in. Lots of
exploits depend on the cooperation and complacency of security companies that
are in the pocket of the various governments. Kaspersky wasn't one of these,
or at least in the pockets of Russia, and so had to be compromised to try to
control their oversight on security and to further the chances of exploits
succeeding. Good on them for detecting the exploit, now they know that they
are valid targets for this sort of thing.

~~~
mc32
I'm sure it knew it was a target for this kind of thing since they did exhibit
bias. That is to say they showed greater interest in exposing western gov't
hacking capabilities and activities than they did in exposing Russian and
Chinese govt actors in the same arena.

I'm sure this is no surprise to them.

~~~
x5n1
> than they did in exposing Russian and Chinese govt actors in the same arena.

That's the job of Western companies. Keeps everyone honest. Western companies
have as much bias as anyone, they are just good at covering it up with
rhetoric... and Americans are good at deluding themselves about their own bias
and Nationalism which is no different from anyone else's.

> On balance, with the current regimes in those countries, I prefer the
> western alternative to these regimes. It's not as if they are equivalent
> just with a different opinion. I truly prefer my western govt's over Russia
> and China's.

I do too. However, no one is as clean, just, and fair as they make themselves
out to be. Everyone who plays geopolitics is dirty as shit. I like my
government because it treats me well enough, ask other people and they might
not have the same opinions.

~~~
mc32
On balance, with the current regimes in those countries, I prefer the western
alternative to these regimes. It's not as if they are equivalent just with a
different opinion. I truly prefer my western govt's over Russia and China's,
no doubts.

~~~
saiya-jin
sounds like picking-of-lesser-evil discussion to me, which is still a bit sad
considering topic...

what a world we got ourselves into! :)

~~~
bakhy
The best world yet.

~~~
palmer_eldritch
The worst too...

~~~
bakhy
I kind of agree, but in a merely technical way :) I like the oriental
philosophical outlook, so basically, I would have to say, the world is simply
what it is. Labelling it "good" or "bad", in an absolute-judgement kind of
way, is arbitrary and useless.

But here, the topic was very specific - to say that picking the lesser evil is
a bad thing is actually, I'm sorry to say, spoiled. Being able to pick at all
is a luxury, which some do not have to this day. And let's not even go into
all the other problems we no longer face today, at least in large parts of the
world.

That's not to say we don't have a tonne of work ahead of us. We probably
always will. And criticism is essential in making progress. But just saying
that "the world" has gone bad is not helpful criticism, it's defeatist.
Because, what can we do if it has indeed gone bad? Let's not throw the baby
out with the bathwater.

------
mirimir
Intel Security just reported that "[p]ersistent and virtually undetectable
attacks by the Equation Group that reprogram hard disk drives and solid state
drive firmware."[0,1] It's interesting that this threat was first reported by
Kaspersky in February.[2]

The firmware exploits are part of the attack system with Duqu 2.0, right?

[0] [http://www.mcafee.com/us/security-awareness/articles/mcafee-...](http://www.mcafee.com/us/security-awareness/articles/mcafee-labs-threats-report-may-2015.aspx)

[1]
[https://news.ycombinator.com/item?id=9685829](https://news.ycombinator.com/item?id=9685829)

[2] [http://www.kaspersky.com/about/news/virus/2015/equation-grou...](http://www.kaspersky.com/about/news/virus/2015/equation-group-the-crown-creator-of-cyber-espionage)

~~~
HolyLampshade
Different groups in this case. According to Kaspersky's report, Duqu used a
zero-day to promote into kernel space, then loaded the full payload into
memory. Less terrifying than the firmware revision from EG as a single attack,
but Duqu was unique in that it replicated itself around in the local network,
making it impossible to remove short of powering down everything.

------
nerdy
"Duqu 2.0 Hits Kaspersky Lab (securelist.com)" thread @
[https://news.ycombinator.com/item?id=9691654](https://news.ycombinator.com/item?id=9691654)

------
mirimir
Kaspersky's technical paper on Duqu 2.0,[0] begins with: "The initial attack
against Kaspersky Lab began with the targeting of an employee in one of our
smaller APAC offices." It notes that the next step was compromising other
machines on the LAN. But they only discuss Windows, and don't even mention OSX,
BSD, Linux, etc.

I'm wondering how lateral movement to non-Windows machines would have been
accomplished.

[0]
[https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf)

------
grhmc
Does anyone get the impression this was some sort of early detection
mechanism, done intentionally by the hackers, to know when it has been
publicly discovered? Is this stupid? Probably stupid.

~~~
nerdy
I personally believe this is a honeypot or trial of sorts. The reason could've
been to determine whether or not the intrusion was detected at all as a sort
of validation of just how "almost invisible" the malware is, or it could've
been to determine the time required to detect.

Alternatively, it could be a way of getting at the company's data or even to
instigate a thorough review of their platform from the client's perspective.
There's a lot of subtle information in the Kaspersky report that might be
interesting to intelligence services:

- Simultaneous Duqu & Equation Group infection of one victim
- Feature coverage (and those omitted, like other payloads)
- Red herrings detected/ignored; strings, faked compile timestamps
- Noticed misspelling of "Excceeded" & lack of other linguistic errors

Kaspersky mulled this issue:

_"So the targeting of security companies indicates that either they are very
confident they won't get caught, or perhaps they don't care much if they are
discovered and exposed. By targeting Kaspersky Lab, the Duqu attackers have
probably taken a huge bet hoping they'd remain undiscovered; and lost."_

However they also conceded that they aren't sure:

_"The exact reason why Kaspersky Lab was targeted is still not clear, although
the attackers did seem to focus on obtaining information about Kaspersky's
future technologies, Secure OS, anti-APT solutions, KSN and APT research."_

[https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0...](https://securelist.com/files/2015/06/The_Mystery_of_Duqu_2_0_a_sophisticated_cyberespionage_actor_returns.pdf)

~~~
mike_hearn
The simplest, most obvious explanation is: Israeli intelligence wanted to spy
on Kaspersky because they are the best at finding and analysing state
sponsored malware, they were over-cocky and they eventually got caught.

~~~
nerdy
Or investigation of the relationship between Kaspersky and Russian
intelligence, which according to 6 Kaspersky employees, is too close for my
comfort:
[http://www.bloomberg.com/news/articles/2015-03-19/cybersecur...](http://www.bloomberg.com/news/articles/2015-03-19/cybersecurity-kaspersky-has-close-ties-to-russian-spies)

It sucks that it's so hard to trust anybody's software (or hardware) today.

------
github-cat
There is never an end to defending against security attacks. Even the most
well-known security company cannot escape them; what about ordinary people?

------
ParadisoShlee
List of related links [https://redletter.link/question/233-newsrollup-the-
duqu-20](https://redletter.link/question/233-newsrollup-the-duqu-20)

------
ingenter
Here's one of the reasons _not_ to install antivirus software: if a malicious
adversary finds a vuln in the AV or hacks C&C servers, you have a nice
backdoor you installed to "protect" yourself.

~~~
meowface
That's bordering on complete paranoia. You can make this argument for _any_
software you install with auto-update capabilities... which is likely
significantly more than half the software the average person has.

Your AV company's infrastructure is probably a lot more secure than the
infrastructure of browser plugins you use and games you play.

~~~
leni536
>Your AV company's infrastructure is probably a lot more secure than the
infrastructure of browser plugins you use and games you play.

Well I'm not a security expert and I'm using Linux, so I don't use a Windows
antivirus obviously. A quick test trying to download free or trial Windows
antivirus software (I'm not willing to pay for this simple experiment):

    Kaspersky:
    - google Kaspersky
    - google result leads to http site, all the way to the download of the trial version it's http (I'm sure at least 80% of users don't notice this)
    - try to type in manually https://www.kaspersky.com
    - it redirects to http://www.kaspersky.com !!!!

Ok let's try Avast, it's popular, isn't it?

    - ok it's all https, http redirects to https, it could even have HSTS, didn't check.
    - download links to http CNET site ...
    - I have to allow half the World's third party js to get to the download.
    - It's of course http.
    - Manually rewrite it to https (not straightforward, it's behind a redirection), invalid certificate (issued to a248.e.akamai.net instead of software-files-a.cnet.com)
    - Its installer is probably loaded with CNET crapware anyway

Downloading Avira worked fine though, I only tried these three. These
companies are supposed to be security vendors, this is freaking ridiculous.

