NOTA BENE

Notes, comment and buzz from Eugene Kaspersky – Official Blog

May 7, 2015

AV boost: exorcising the system-straining ghost.

Around the turn of the century we released the LEAST successful version of our antivirus products – EVER! I don’t mind admitting it: it was a mega-fail – overall. Curiously, the version also happened to be mega-powerful too when it came to protection against malware, and had settings galore and all sorts of other bells and whistles. The one thing that let it down though was that it was large and slow and cumbersome, particularly when compared with our previous versions.

I could play the subjunctiveness game here and start asking obvious questions like ‘who was to blame?’, ‘what should have been done differently?’, etc., but I’m not going to do that (I’ll just mention in passing that we made some very serious HR decisions back then). I could play ‘what if': who knows how different we as a company would be now if it wasn’t for that foul-up? Best though I think is to simply state how we realized we’d made a mistake, went back to the drawing board, and made sure our next version was way ahead of the competiton on EVERYTHING. Indeed, it was the engine that pushed us into domination in global antivirus retail sales, where our share continues to grow.

That’s right, our post-fail new products were ahead of everybody else’s by miles, including on performance, aka efficiency, aka how much system resources get used up during a scan. But still that… stench of sluggishness pursued us for years. Well, frankly, the smelliness is still giving us some trouble today. Memories are long, and they often don’t listen to new facts :). Also, back then our competitors put a lot of effort into trolling us – and still try to do so. Perhaps that’s because there’s nothing else – real nor current – to troll us for :).

Now though, here… time for some well-overdue spring cleaning. It’s time to clear up all the nonsense that’s accumulated over the years re our products’s efficiency once and for all…

Righty. Here are the results of recent antivirus product performance tests. Nothing but facts from a few respected testing labs – and it’s great food for thought. Have a look at the other vendors’ results, compare, and draw your own conclusions:

1. AVTest.org

I’ve said many times that if you want to get the truly objective picture, you need to look at the broadest possible range of tests from the longest possible historical perspective. There are notorious cases of certain vendors submitting ‘cranked up’ versions optimized for specific tests to test labs instead of the regular ‘working’ versions you get in the shops

The guys from the Magdeburg lab have done one heck of a job in analyzing the results achieved by 23 antivirus products during the past year (01/2014 – 01/2015) to determine how much each product slowed the computer down.

avtestorg

No comment!

Read on: a valuable advice to assess test results…

March 20, 2015

A practical guide to making up a sensation.

There are many ways to make up something sensationalist in the media. One of the practical ways is to speculate and create conspiracy theories. Unfortunately, there’s a demand for such stories and they have a very good chance of making a splash.

So how can a global company with Russian roots play a part in a conspiracy theory? Well, this one is easy: there should be some devilish inner job of the Russian secret services (to produce the “I knew it!” effect). In many cases you can change the adjective “Russian” for any other to produce a similar effect. It’s a simple yet effective hands-on recipe for a sensationalist article. Exploiting paranoia is always a great tool for increasing readership.

There are questions we’ve answered a million times: what are our links with the KGB? Why do you expose cyber-campaigns by Western intelligence services? When do you plan to hire Edward Snowden? And other ones of the ‘have you stopped beating your wife?’ kind.

We’re a transparent company, so we’ve got detailed answers ready. Of course we want to dispel any speculation about our participation in any conspiracy. We’ve nothing to hide: we’re in the security business and to be successful in it you have to be open to scrutiny.

To my great regret, there are occasions when journalists publish something sensationalist without taking account obvious and/or easily obtainable facts contrary to their sensationalist claims, and produce stories that are at odds with professional ethics. And sometimes a bad tabloid journalism style finds its way into otherwise quality media publications. I’d like to comment on one such case.

The fashionable fever of looking for Kremlin-linked conspiracies this week reached some journalists at Bloomberg. Curiously, this happened not long after our investigation into the Equation Group.

It’s been a long time since I read an article so inaccurate from the get-go – literally from the title and the article’s subheading. So it came as little surprise that a large part of the rest of the article is simply false. Speculations, assumptions and unfair conclusions based on incorrect facts. In their pursuit for a sensation, the journalists turned things upside down and ignored some blatantly obvious facts.

My congratulations to the authors: they’ve scored high in bad journalism.

But that’s where the emotion stops today. Now let’s just look at the cold facts – rather, lack of them. Let me go through some of the most outrageous and twisted gaffes.

Bloomberg bullshit

I must have said this a million times, but we do not care who’s behind the cyber-campaigns we expose. There is cyber-evil and we fight it. If a customer comes and shows us a problem we investigate it. And once we take the genie out of the bottle, there’s no way we can put it back.

But since these journalists tried to attribute the cyberattacks we exposed to the countries mentioned, for some reason they forgot about our reports on Red OctoberCloudAtlas, Miniduke, CosmicDuke, Epic Turla, Penguin Turla, Black Energy 1 and 2, Agent.BTZ, and Teamspy. According to some observers, these attacks were attributed to Russian cyber-spies.

Bloomberg bullshit

The only other statement that can compete with this one in terms of frequency, silliness and falsity is: ‘AV companies write the virus themselves’.

Let me spell it out and use a few capitals: I’ve NEVER worked for the KGB.

My detailed biography has been widely distributed around the world and can be easily found online. It clearly states (I wonder if the journalists read it) that I studied mathematics at a school sponsored by they Ministry of Atomic Energy, the Ministry of Defense, the Soviet Space Agency and the KGB. After graduating, I worked for the Ministry of Defense as a software engineer for several years. But whatever… as they say, ‘never let the facts get in the way of a good story’. Right?

UPDATE:

bloomberg-lies-update

Looks like the Bloomberg journos behind the story read my post (but not in detail; otherwise they’d have taken the article down) and made a minor edit to their text. Now, I never worked for KGB but for … Russian military intelligence!

For the record: I never worked for Russian military intelligence. As I mentioned above, I worked as a software engineer at the Ministry of Defense.

Bloomberg bullshit

Is there an implication here that the ‘quickly removed by headquarters’ was to cover up some secret truth – before it got out? Maybe not. But if you do see a possible one, let me tell you what happened:

the design of the our antivirus software box with the KGB mention was developed by our Japanese partners. I learned about it only after it was printed, and asked to have it changed as it just wasn’t true, which was done.

And if there’s a further implication that the mention was removed because we were going global and recruiting ‘senior managers in the U.S. and Europe’ (with whom KGB mentions might not sit well), well then that’s not right either. We were already global. Our American, European and Asian employees (who now make up more than a third of total company’s headcount) had no say in it. Even if they did – so what? Bottom line – I never served in the KGB!

Bloomberg bullshit

Just nonsense!

First, people join and leave organizations all the time. Second, we value only professional qualities in our people. Third, there’s no evidence of ‘closer’ – not even close – ties to Russia’s military or intelligence services. Must say though, I’d be really interested to find out who’s joined our top management team since 2012 who has ‘closer ties to Russia’s military or intelligence services’. I’m dying of curiosity!

Bloomberg bullshit

I do appreciate this interest in my recreational-prophylactic habits. While the reader may visualize naked male bodies in a steam room and dicussions of conspirational plans to conquer the world, the truth of the matter is quite something else. It highlights another way in which the journalists ignored our emailed comments to them to sacrifice objectivity for quirky details and stereotypes.

First, sometimes I do go to the banya (sauna) with my colleagues. It’s not impossible that there might be Russian intelligence officials visiting the same building simultaneously with me, but I don’t know them.

Second, we do fight cybercrime. And without cooperating with law enforcement agencies around the globe (including in the U.S., the UK, Japan, other European countries; INTERPOL and Europol) our battle would have been significantly less effective than it has been recreational – if not completely futile.

Official meetings sometimes do turn pretty informal, including with officers belonging to the security services of the U.S., the UK, Japan, other European countries; INTERPOL and Europol (oops, I’m repeating myself). And I consider the stories about my possible encounters with security officials in a banya an attempt to deliberately mislead readers; the journalists don’t mention that we are impartial in our fight against cybercrime, no matter where it strikes. A warning, dear readers: don’t believe everything you read!

Bloomberg bullshit

‘Gotcha, we’ve caught you! You investigate only US operations and not Russian!’

Well, this one’s real simple. FireEye did some great research, so publishing our own after theirs made no sense. We carefully read the FireEye report, warned our users and… kept on researching the Sofacy operation. BTW, our experts are still working on it, as it’s closely connected to the MiniDuke operation. But please don’t ask why FireEye didn’t announce MiniDuke! You know the answer (hint: who was the first to uncover it?).

Bloomberg bullshit

That is false statement.

We’ve launched an internal investigation, carefully examined all our archives for the last three years, and haven’t found such an email. Those who know Garry personally know he’s not the kind of man to write such things.

Bloomberg bullshit

Does two-year compulsory military service of 18-year old private Chekunov equal working for the KGB? Really? Dear authors, why did you miss the detail where, in the USSR, military service was obligatory for all males, and it was random which particular service you served in? Some entered the infantry, others the submarine division of the navy. Mr. Chekunov served in the Soviet Union’s Border Service for two years, and at that time the service reported to the KGB.

Bloomberg bullshit

Oh those Russians banya nights. The nerve center of all secret operations’ planning!

Actually, here, thanks are due to the authors for the PR! Our Computer Incidents Investigation Unit (CIIU) helps our clients deal with sophisticated cyber-incidents. If law enforcement agencies contact us, we help – regardless of their country. We assist with our world-class expertise any law enforcement agency to save the world from any cyber-evil.

Bloomberg bullshit

The Computer Incidents Investigation Unit (CIIU) has remote access to the personal data of our users? That is a false statement.

Next: the keyword here is ‘can’. Theoretically, any security vendor can do that. Following this logic you can imagine what nasty things Facebook, Google or Microsoft can theoretically do. Theoretically, authors of an article can stick to facts.

The reality, however, is that I’ve no reason to risk my 700mln$ business. Everything we do and can do is stated in the End-User License Agreement (EULA). Moreover, we reveal our source code to large customers and governments. If you have any fears about backdoors – come and check. Seriously. Referring to a theory is an allegation unworthy of a respectable publication.

Bloomberg bullshit

This part explains a lot. Some folks who get fired have a chip on their shoulder. Human nature. It’s common. They have some media contacts – they fancy getting their ‘revenge’. Same old!

I am just worried about how respected media put their reputation on the line based on speculation. As a result we have a perfect example of a sensationalist headline:

Bloomberg bullshit

The result of the investigative journalism revealed these REAL facts:

  • I go to banya;
  • We hire and fire employees; employees leave of their own accord;
  • 60% of our employees are Russians;
  • Our Chief Legal Officer served in the Border Control when he was 18 and at that time the service was a part of the KGB.

 
Mysterious covert data which proves I’m a KGB spy?! This world-famous news agency undertook a huge investigation – believe me, it was impressive! During the fact checking they asked very detailed, probing questions, yet all they came up with were… unproved allegations. Do you know why?

Because there’s nothing there to find.

It’s very hard for a company with Russian roots to become successful in the  U.S., European and other markets. Nobody trusts us – by default. Our only strategy is to be 1000% transparent and honest. It took years to explain who we are. Many people attempted to find ‘dirt’ on us – and failed. Because we’ve nothing to hide.

Actually, I’d like to thank Bloomberg and all the journalists behind this story! Much like our antivirus often does, they performed a full system scan –and found nothing. It’s like a halal or kosher stamp – check! External audit successfully passed.

‘The hardest thing of all is to find a black cat in a dark room, especially if there’s no cat.”

.@e_kaspersky responds to Bloomberg’s allegations in connection with Russian LETweet

So, tell me, what do you think of this whole story:

March 17, 2015

Independent AV testing in 2014: interesting results!

At KL we’re always at it. Improving ourselves, that is. Our research, our development, our products, our partnerships, our… yes – all that. But for us all to keep improving – and in the right direction – we all need to work toward one overarching goal, or mission. Enter the mission statement…

Ours is saving the world from cyber-menaces of all types. But how well do we do this? After all, a lot, if not all AV vendors have similar mission statements. So what we and – more importantly – the user needs to know is precisely how well we perform in fulfilling our mission – compared to all the rest…

To do this, various metrics are used. And one of the most important is the expert testing of the quality of products and technologies by different independent testing labs. It’s simple really: the better the result on this or that – or all – criteria, the better our tech is at combatting cyber-disease – to objectively better save the world :).

Thing is, out of all the hundreds of tests by the many independent testing centers around the world, which should be used? I mean, how can all the data be sorted and refined to leave hard, meaningful – and easy to understand and compare – results? There’s also the problem of there being not only hundreds of testing labs but also hundreds of AV vendors so, again, how can it all be sieved – to remove the chaff from the wheat and to then compare just the best wheat? There’s one more problem (it’s actually not that complex, I promise – you’ll see:) – that of biased or selective test results, which don’t give the full picture – the stuff of advertising and marketing since year dot.

Well guess what. Some years back we devised the following simple formula for accessible, accurate, honest AV evaluation: the Top-3 Rating Matrix!.

So how’s it work?

First, we need to make sure we include the results of all well-known and respected, fully independent test labs in their comparative anti-malware protection investigations over the given period of time.

Second, we need to include all the different types of tests of the chosen key testers – and on all participating vendors.

Third, we need to take into account (i) the total number of tests in which each vendor took part; (ii) the % of ‘gold medals'; and (iii) the % of top-3 places.

What we get is simplicity, transparency, meaningful sifting, and no skewed ‘test marketing’ (alas, there is such a thing). Of course it would be possible to add into the matrix another, say, 25,000 parameters – just for that extra 0.025% of objectivity, but that would only be for the satisfaction of technological narcissists and other geek-nerds, and we’d definitely lose the average user… and maybe the not-so-average one too.

To summarize: we take a specific period, take into account all the tests of all the best test labs (on all the main vendors), and don’t miss a thing (like poor results in this or that test) – and that goes for KL of course too.

All righty. Theory over. Now let’s apply that methodology to the real world; specifically – the real world in 2014.

First, a few tech details and disclaimers for those of the geeky-nerdy persuasion:

  • Considered in 2014 were the comparative studies of eight independent testing labs (with: years of experience, the requisite technological set-up (I saw some for myself), outstanding industry coverage – both of the vendors and of the different protective technologies, and full membership of AMTSO) : AV-Comparatives, AV-Test, Anti-malware, Dennis Technology Labs, MRG EFFITAS, NSS Labs, PC Security Labs and Virus Bulletin. A detailed explanation of the methodology – in this video and in this document.
  • Only vendors taking part in 35% or more of the labs’ tests were taken into account. Otherwise it would be possible to get a ‘winner’ that did well in just a few tests, but which wouldn’t have done well consistently over many tests – if it had taken part in them (so here’s where we filter out the faux-test marketing).

Soooo… analyzing the results of the tests in 2014, we get……..

….Drums roll….

….mouths are cupped….

….breath is bated….

……..we get this!:

Independent testing 2014:  the results

Read on: Are all washing powder brands the same?…

February 26, 2015

Cancunference 2015.

Some ten-plus years ago, our then still quite small company decided to push the boundaries – literally: we went transnational. Before long we found we had expert-analyst KLers working in all corners of the globe, all of them communicating with one another by email, messengers, telephone and other indirect means. Nothing wrong with that really, but still, it’ll never beat face-to-face interaction. So we decided to have a yearly jamboree where we’d all get together and top up on the much needed proper face time. That was when our annual conference for IT security experts was born: the Security Analyst Summit (SAS).

cancun-mexico-sas2015-1

cancun-mexico-sas2015-2

Read on: Work hard, play hard, like always…

January 16, 2015

Encrypted communications and real-world security: finding a balance

The latest debate that followed David Cameron’s proposal to ban encrypted personal communications in the UK has raised several very important issues.

The proposal would include a ban on messaging services like WhatsApp, iMessage or Snapchat in the UK. Technically this is possible to do, however such a ban on using all encrypted communication channels is not easy to enforce.

And I doubt that it will actually bring significantly more security to offline UK.

The mandate of the security services and law enforcement agencies is to keep the general public safe from criminals, terrorists and all sort of other threats. It seems that the security services want to be able to access our communications in order to be able to stop and prevent illegal activities and, ultimately, better protect people.

Encryption is vital for cybersecurity; it’s used first and foremost to keep communications safe from hackers and cybercriminals.
Do we need to give up the protection of our our data and online communications in order to improve real-world security? I seriously doubt we should.

I think that, if implemented, a ban on the use of encryption in online communication will not tangibly increase offline security. But it will definitely damage the state of cybersecurity and ultimately expose ordinary users as well as businesses to all sorts of cyberattacks, hacks and espionage.

Governments have made attempts to compromise cybersecurity to gain intelligence. For example, we have already seen government-grade malware, such as Flame, exploiting legitimate software, such as Microsoft Update, among other things.

I don’t know the value of the intelligence they obtained during this operation, but the existence of such malware did not contribute positively to global cybersecurity.

I think the real problem here is that global leaders and security services apparently see a contradiction between security and cybersecurity; while the latter should in fact be an integral and valuable part of the former.

October 21, 2014

Geography lesson.

Every day we release up to 2000 updates for our products.

Every week our users around the globe download those updates over a billion times.

Every month we distribute around four petabytes of updates.

These updates (together with our other technologies) protect you against new cyberthreats. In recent years we’ve been seeing new malware popping up not just every day or every hour, but every minute and even every second! Each year we analyze more than a billion samples of malicious code.

For the average user, receiving antivirus updates is a simple, automatic process. They run silently in the background without disturbing you (and quite right too). However, there’s a lot more to an update than first meets the eye. Updates are merely the tip of a sophisticated iceberg that connects our products to a huge distributed IT system that we built up ourselves using a whole bunch of original ideas and know-how.

That’s the overall scheme. The details get more interesting…

Kaspersky Internet Security Update

Read on: So what actually happens when you update your antivirus?…

September 29, 2014

The evolution of OS X malware.

Is there any (Mac) OS X-specific malware around?

Oh yes. But for some odd reason I haven’t said anything interesting on this topic for quite a while…

The last time was two and a half years ago. Yes, that’s how long it’s been since the global Flashback worm outbreak that infected 700 thousand Macs worldwide. The security industry made quite a bit of noise about it (and quickly disabled the Flashback botnet), but since then – mostly silence… It might seem to some that ever since there’s been a complete lull on the Mac-malware front and not one bit of iMalware has disturbed Apple Bay’s calm waters…

But they’d be wrong…

Mac malware is not amyth, they do exist

Sure, if you compare the threat levels of picking up some malware on different platforms, at the top of the table, by a long way, as ever, is the most widely used platform – Microsoft Windows. Quite a way behind it is Android – a relatively new kid on the block. Yep, over the past three years the cyber-vermin has been seriously bombarding the poor little green robot with exponentially increasing levels of malicious activity. Meanwhile, in the world of iPhones and iPads, except for very rare cyber-espionage attacks, there have been hardly any successful attacks thereon (despite using various exotic methods). It’s a similar story with Macs too – things are relatively peaceful compared to other platforms; but of late there have been… stirrings – about which I’ll be talking in this post.

Briefly, a few numbers – kinda like an executive summary:

  • The numbers of new for-Mac malware instances detected in the last few years are already in the thousands;
  • In the first eight months of 2014, 25 different ‘families’ of Mac malware were detected;
  • The likelihood of an unprotected Mac becoming infected by some Mac-specific-unpleasantness has increased to about three percent.
In 2013 alone @kaspersky detected ~1700 malware samples for OS XTweet

Read on: let’s dig deeper and look at the situation from a malware expert PoV…

September 2, 2014

Under the hood – 2015.

We’ve a tradition here at KL (besides the summer birthday bashesNew Year shindigs and the rest, that is). Every summer we launch new versions of our home products. Er, and it’s already the end of summer! (Eh? Where did that go?) So let me give you the highlights of the juiciest new features of our 2015 versions, or, to put it another way – about the latest sly tricks of the cyber-villains that we’ve successfully been busting with our new tech that’s winding its way into KL-2015s :).

All righty, off we go…

Kaspersky Internet Security 2015 - Main Window

What’s new in Kaspersky Internet Security 2015? @e_kaspersky reportsTweet

Read on: The all-seeing eye of Sauron. No more…

July 26, 2014

Cybernews from the dark side – July 26, 2014.

Remote controlled car – your car, while you’re driving it…

News about new hacks, targeted attacks and malware outbreaks is beginning to bore the general public. It’s becoming an incessant stream after all. What isn’t boring the life out of the general public is something a bit more unusual: stuff you wouldn’t dream could be hacked… getting hacked.

A report from China told how hackers broke into the Tesla motor car’s gadgetry – as part of a contest during a hacker conference. So, why Tesla? What’s so good about Tesla? Well, that’ll be its being an electric car, and its being crammed with so much ‘smart’ electronics that it hardly resembles an automobile than a mobile supercomputer. Still, what was Tesla expecting? Any new functionality – especially that developed without the involvement of IT security experts – will inevitably bring with it new threats via vulnerabilities, which is just what the hackers at the conference in China found.

Cybernews from the darkside

Read on: malware getting closer to industrial systems…

July 14, 2014

Our antivirus formula.

Every system is based on a unique algorithm; without the algorithm there’s no system. It doesn’t really matter what kind of algorithm the system follows – linear, hierarchical, determined, stochastic or whatever. What’s important is that to reach the best result the system needs to follow certain rules.

We’re often asked about our products‘ algorithms – especially how they help us detect future threats better than the competition.

Well, for obvious reasons I can’t divulge the details of our magic formulae; however, what I will be doing in this tech-post (perhaps the techiest post on this blog ever) is open ajar the door to our technological kitchen – to give you a glimpse of what goes on inside. And if you still want more info, please fire away with your questions in the comments, below.

Read on: A very brief look at our Coca-Cola-like ‘secret’ magical formula in a little over 2000 words…