Uh-oh Cyber-News: Infected Nuclear Reactors, Cyber-Bank Robbers, and Cyber-Dam-Busters.

Just a quick read of the news these days and you can find yourself wanting to reach for… a Geiger counter. I mean, some of the news stories are just so alarming of late. Or am I overreacting? Let’s see…

Uh-oh News Item No. 1: Apocalypse Averted – for Now. 

inews-1Photo courtesy of Wikipedia

It was reported that the IT system of Unit B of the Gundremmingen Nuclear Power Plant in Swabia, Bavaria, southwestern Germany – right on the 30-year anniversary to-the-day of the Chernobyl disaster (!) – had been infected by some malware. However, it was also reported that there’s no reason to worry at all as no danger’s being posed whatsoever. All’s ok; we can all sleep soundly; everything’s under control; the danger level couldn’t be lower.

After sighing a ‘pheewwwww’ and mopping one’s brow, you read further…

… And as you do, you get a few more details of the incident. And it does indeed seem all is ok: the background radiation level, after all, didn’t go up – that’s the main thing, surely. Right? But then you read further still…

And you find out that the (Internet-isolated) system that was infected happens to be the one that controls the movement of nuclear fuel rods. It’s here you stop, rub the eyes, and read that again slowly…

WHAAAAT?

Read on: Cyber-Spy-Novel-Worthy …

Get Your KICS en Route to Industrial Protection.

Hurray!

We’ve launched our KICS (Kaspersky Industrial CyberSecurity), the special cyber-inoculation against cyber-disease, which protect factories, power plants, hospitals, airports, hotels, warehouses, your favorite deli, and thousands of other types of enterprises that use industrial control systems (ICS). Or, put another way, since it’s rare for an enterprise today to manage without such systems, we’ve just launched a cyber-solution for millions of large, medium and small production and service businesses all around the world!

So what’s this KICS all about exactly? What’s it for? First, rewind…

Before the 2000s a cyberattack on an industrial installation was a mere source of inspiration for science fiction writers. But on August 14, 2003 in northeastern USA and southeastern Canada, the science fiction became a reality:

kaspersky-industrial-security-1Oops

Because of certain power grid glitches, 50 million North Americans went without electricity – some for several hours, others for several days. Many reasons were put forward as to the reasons behind this man-made catastrophe, including unkempt trees, a bolt of lightning, malicious squirrels, and… a side-effect from a cyberattack using the Slammer (Blaster) computer worm.

Read on: Hacked in 60 seconds…

The Big Picture.

Last spring (2015), we discovered Duqu 2.0 – a highly professional, very expensive, cyber-espionage operation. Probably state-sponsored. We identified it when we were testing the beta-version of the Kaspersky Anti Targeted Attack (KATA) platform – our solution that defends against sophisticated targeted attacks just like Duqu 2.0.

And now, a year later, I can proudly proclaim: hurray!! The product is now officially released and fully battle ready!

Kaspersky Anti-Targeted Attack Platform

But first, let me now go back in time a bit to tell you about why things have come to this – why we’re now stuck with state-backed cyber-spying and why we had to come up with some very specific protection against it.

(While for those who’d prefer to go straight to the beef in this here post – click here.)

‘The good old days’ – words so often uttered as if bad things just never happened in the past. The music was better, society was fairer, the streets were safer, the beer had a better head, and on and on and on. Sometimes, however, things really were better; one example being how relatively easy it was to fight cyber-pests in years past.

Of course, back then I didn’t think so. We were working 25 hours a day, eight days a week, all the time cursing the virus writers and their phenomenal reproduction rate. Each month (and sometimes more often) there were global worm epidemics and we were always thinking that things couldn’t get much worse. How wrong we were…

At the start of this century viruses were written mainly by students and cyber-hooligans. They’d neither the intention nor the ability to create anything really serious, so the epidemics they were responsible for were snuffed out within days – often using proactive methods. They simply didn’t have any motivation for coming up with anything more ominous; they were doing it just for kicks when they’d get bored of Doom and Duke Nukem :).

The mid-2000s saw big money hit the Internet, plus new technologies that connected everything from power plants to mp3 players. Professional cybercriminal groups also entered the stage seeking the big bucks the Internet could provide, while cyber-intelligence-services-cum-armies were attracted to it by the technological possibilities if offered. These groups had the motivation, means and know-how to create reeeaaaally complex malware and conduct reeeaaaally sophisticated attacks while remaining under the radar.

Around about this time… ‘antivirus died’: traditional methods of protection could no longer maintain sufficient levels of security. Then a cyber-arms race began – a modern take on the eternal model of power based on violence – either attacking using it or defending against its use. Cyberattacks became more selective/pinpointed in terms of targets chosen, more stealthy, and a lot more advanced.

In the meantime ‘basic’ AV (which by then was far from just AV) had evolved into complex, multi-component systems of multi-level protection, crammed full of all sorts of different protective technologies, while advanced corporate security systems had built up yet more formidable arsenals for controlling perimeters and detecting intrusions.

However, that approach, no matter how impressive on the face of it, had one small but critical drawback for large corporations: it did little to proactively detect the most professional targeted attacks – those that use unique malware using specific social engineering and zero-days. Malware that can stay unnoticed to security technologies.

I’m talking attacks carefully planned months if not years in advance by top experts backed by bottomless budgets and sometimes state financial support. Attacks like these can sometimes stay under the radar for many years; for example, the Equation operation we uncovered in 2014 had roots going back as far as 1996!

Banks, governments, critical infrastructure, manufacturing – tens of thousands of large organizations in various fields and with different forms of ownership (basically the basis of today’s world economy and order) – all of it turns out to be vulnerable to these super professional threats. And the demand for targets’ data, money and intellectual property is high and continually rising.

So what’s to be done? Just accept these modern day super threats as an inevitable part of modern life? Give up the fight against these targeted attacks?

No way.

Anything that can be attacked – no matter how sophisticatedly – can be protected to a great degree if you put serious time and effort and brains into that protection. There’ll never be 100% absolute protection, but there is such a thing as maximal protection, which makes attacks economically unfeasible to carry out: barriers so formidable that the aggressors decide to give up putting vast resources into getting through them, and instead go off and find some lesser protected victims. Of course there’ll be exceptions, especially when politically motivated attacks against certain victims are on the agenda; such attacks will be doggedly seen through to the end – a victorious end for the attacker; but that’s no reason to quit putting up a fight.

All righty. Historical context lesson over, now to that earlier mentioned sirloin…

…Just what the doctor ordered against advanced targeted attacks – our new Kaspersky Anti Targeted Attack platform (KATA).

So what exactly is this KATA, how does it work, and how much does it cost?

First, a bit on the anatomy of a targeted attack…

A targeted attack is always exclusive: tailor-made for a specific organization or individual.

The baddies behind a targeted attack start out by scrupulously gathering information on the targets right down to the most minor of details – for the success of an attack depends on the completeness of such a ‘dossier’ almost as much as the budget of the operation. All the targeted individuals are spied on and analyzed: their lifestyles, families, hobbies, and so on. How the corporate network is constructed is also studied carefully. And on the basis of all the information collected an attack strategy is selected.

Next, (i) the network is penetrated and remote (& undetected) access with maximum privileges is obtained. After that, (ii) the critical infrastructure nodes are compromised. And finally, (iii) ‘bombs away!’: the pilfering or destruction of data, the disruption of business processes, or whatever else might be the objective of the attack, plus the equally important covering one’s tracks so no one knows who’s responsible.

The motivation, the duration of the various prep-and-execution stages, the attack vectors, the penetration technologies, and the malware itself – all of it is very individual. But not matter how exclusive an attack gets, it will always have an Achilles’ heel. For an attack will always cause at least a few tiny noticeable happenings (network activity, certain behavior of files and other objects, etc.), anomalies being thrown up, and abnormal network activity. So seeing the bird’s-eye view big picture – in fact the whole picture formed from different sources around the network – makes it possible to detect a break-in.

To collect all the data about such anomalies and the creation of the big picture, KATA uses sensors – special ‘e-agents’ – which continuously analyze IP/web/email traffic plus events on workstations and servers.

For example, we intercept IP traffic (HTTP(s), FTP, DNS) using TAP/SPAN; the web sensor integrates with the proxy servers via ICAP; and the mail sensor is attached to the email servers via POP3(S). The agents are real lightweight (for Windows – around 15 megabytes), are compatible with other security software, and make hardly any impact at all on either network or endpoint resources.

All collected data (objects and metadata) are then transferred to the Analysis Center for processing using various methods (sandbox, AV scanning and adjustable YARA rules, checking file and URL reputations, vulnerability scanning, etc.) and archiving. It’s also possible to plug the system into our KSN cloud, or to keep things internal – with an internal copy of KpSN for better compliance.

Once the big picture is assembled, it’s time for the next stage! KATA reveals suspicious activity and can inform the admins and SIEM (Splunk, Qradar, ArcSight) about any unpleasantness detected. Even better – the longer the system works and the more data accumulates about the network, the more effective it is, since atypical behavior becomes easier to spot.

More details on how KATA works… here.

Ah yes; nearly forgot… how much does all this cost?

Well, there’s no simple answer to that one. The price of the service depends on dozens of factors, including the size and topology of the corporate network, how the solution is configured, and how many accompanying services are used. One thing is clear though: the cost pales into insignificance if compared with the potential damage it prevents.

Best test scores – the fifth year running!

Quicker, more reliable, more techy, and of course the most modest…

… Yep, you guessed it, that’ll be us folks – YET AGAIN!

We’ve just been awarded Product of the Year once more by independent Austrian test lab AV-Comparatives. Scoring top @ AV-C is becoming a yearly January tradition: 2011201220132014, and now 2015! Hurray!

year award 2015 product of the year_CS6

Image00002

Now for a bit about how they determine the winner…

Read on: Five main criteria…

Cyber-news: Vulnerable nuclear power stations, and cyber-saber… control?

Herewith, a quick review of and comment on some ‘news’ – rather, updates – on what I’ve been banging on about for years! Hate to say ‘told you so’, but… TOLD YOU SO!

First.

(Random pic of) the Cattenom Nuclear Power Plant in France where, I hope, all is tip-top in terms of cybersecurity(Random pic of) the Cattenom Nuclear Power Plant in France where, I hope, all is tip-top in terms of cybersecurity

I’ve been pushing for better awareness of problems of cybersecurity of industry and infrastructure for, er, let’s see, more than 15 years. There has of late been an increase in discussion of this issue around the world by state bodies, research institutes, the media and the general public; however, to my great chagrin, though there’s been a lot of talk, there’s still not been much in the way of real progress in actually getting anything done physically, legally, diplomatically, and all the other …lys. Here’s one stark example demonstrating this:

Earlier this week, Chatham House, the influential British think tank, published a report entitled ‘Cyber Security at Civil Nuclear Facilities: Understanding the Risks’. Yep, the title alone brings on goosebumps; but some of the details inside… YIKES.

I won’t go into those details here; you can read the report yourself – if you’ve plenty of time to spare. I will say here that the main thrust of the report is that the risk of a cyberattack on nuclear power plants is growing all around the world. UH-OH.

The report is based exclusively on interviews with experts. Yes, meaning no primary referenceable evidence was used. Hmmm. A bit like someone trying to explain the contents of an erotic movie – doesn’t really compare to watching the real thing. Still, I guess this is to be expected: this sector is, after all, universally throughout the whole world, secret.

All the same, now let me describe the erotic movie from how it was described to me (through reading the report)! At least, let me go through its main conclusions – all of which, if you really think about them, are apocalyptically alarming:

  1. Physical isolation of computer networks of nuclear power stations doesn’t exist: it’s a myth (note, this is based on those stations that were surveyed, whichever they may be; nothing concrete). The Brits note that VPN connections are often used at nuclear power stations – often by contractors; they’re often undocumented (not officially declared), and are sometimes simply forgotten about while actually staying fully alive and ready for use [read: abuse].
  2. A long list of industrial systems connected to the Internet can be found on the Internet via search engines like Shodan.
  3. Where physical isolation may exist, it can still be easily gotten around with the use of USB sticks (as in Stuxnet).
  4. Throughout the whole world the atomic energy industry is far from keen on sharing information on cyber-incidents, making it tricky to accurately understand the extent of the the security situation. Also, the industry doesn’t collaborate much with other industries, meaning it doesn’t learn from their experience and know-how.
  5. To cut costs, regular commercial (vulnerable) software is increasingly used in the industry.
  6. Many industrial control systems are ‘insecure by design’. Plus patching them without interrupting the processes they control is very difficult.
  7. And much more besides in the full 53-page report.

These scary facts and details are hardly news for IT security specialists. Still, let’s hope that high-profile publications such as this one will start to bring about change. The main thing at present is for all the respective software to be patched asap, and for industrial IT security in general to be bolstered to a safe level before a catastrophe occurs – not after.

Among other things, the report recommends promoting ‘secure by design’ industrial control systems. Hear hear! We’re totally in support of that one! Our secure OS is one such initiative. To make industrial control systems, including SCADA, impenetrable, requires an overhaul of the principles of cybersecurity on the whole. Unfortunately, the road towards that is long – and we’re only at the very beginning of it. Still, at least we’re all clear on which direction to head toward. Baby steps…

Second.

For several years I’ve also been pushing for the creation of a global agreement against cyberwar. Though we signs of a better understanding of the logic of such an agreement on the part of all the respective parties – academics, diplomats, governments, international organizations, etc. – we’re seeing little real progress towards any such concrete agreement, just like with the securing of industrial systems. Still, at least the reining in of cyber-spying and cyberwar is on the agenda at last.

Photo: Michael Reynolds/EPA. SourcePhoto: Michael Reynolds/EPA. Source

For example, Barack Obama and Xi Jinping at the end of September agreed that their countries – the two largest economies in the world – won’t engage in commercial cyberspying on each other anymore. Moreover, the topic of cybersecurity dominated their joint press conference (together with a load measures aimed at slowing climate change). Curiously, the thorny issues of political and military cyber-espionage weren’t brought up at all!

So. Does this represent a breakthrough? Of course not.

Still, again, at least this small step is in the right direction. There have also been rumors that Beijing and Washington are holding negotiations regarding an agreement on prohibiting attacks in cyberspace. At the September meeting of the leaders the topic wasn’t brought up, but let’s hope it will be soon. It would be an important, albeit symbolic, step.

Of course, ideally, such agreements would be signed in the future by all countries in the world, bringing the prospect of a demilitarized Internet and cyberspace that little bit closer. Yes, that would be the best scenario; however, for the moment, not the most realistic. Let’s just keep pushing for it.

The abracadabra of anonymous sources.

Who killed JFK?

Who’s controlling the Bermuda Triangle?

What’s the Freemasons’ objective?

Easy! For it turns out that answers to these questions couldn’t be more straightforward. All you have to do is add: ‘according to information from anonymous sources‘, and voila! — there’s your answer — to any question, about anything, or anyone. And the answers are all the more credible – not because of their… credibility – but because of the level of prestige commonly ascribed to the particular media outlet that broke the story.

Just recently, Reuters got a ‘world exclusive’ of jaw-dropping proportions in the antivirus world. The article, filled with sensational – false – allegations, claims Kaspersky Lab (KL), creates very specific, targeted malware, and distributes it anonymously to other anti-malware competitors, with the sole purpose of causing serious trouble for them and harming their market share. Oh yes. But they forgot to add that we conjure all this up during steamy banya sessions, after parking the bears we ride outside.

The Reuters story is based on information provided by anonymous former KL employees. And the accusations are complete nonsense, pure and simple.

Disgruntled ex-employees often say nasty things about their former employers, but in this case, the lies are just ludicrous. Maybe these sources managed to impress the journalist, but in my view publishing such an ‘exclusive’ – WITHOUT A SHRED OF EVIDENCE – is not what I understand to be good journalism. I’m just curious to see what these ‘ex-employees’ tell the media next time about us, and who might believe their BS.

The reality is that the Reuters story is a conflation of a number of facts with a generous amount of pure fiction.

In 2012-2013, the anti-malware industry suffered badly because of serious problems with false positives. And unfortunately, we were among the companies badly affected. It turned out to be a coordinated attack on the industry: someone was spreading legitimate software laced with malicious code targeting specifically the antivirus engines of many companies, including KL. It remains a mystery who staged the attack, but now I’m being told it was me! I sure didn’t see that one coming, and am totally surprised by this baseless accusation!

Here’s how it happened: in November 2012 our products produced false positives on several files that were in fact legitimate. These were the Steam client, Mail.ru game center, and QQ client. An internal investigation showed that these incidents occurred as the result of a coordinated attack by an unknown third party.

For several months prior to the incidents, through intra-industry information-exchange channels such as the VirusTotal website, our anti-malware research lab repeatedly received numerous slightly modified legitimate files of Steam, Mail.ru and QQ. The creator(s) of these files added pieces of malicious code to them.

Later we came to the conclusion that the attackers might have had prior knowledge of how different companies’ detection algorithms work and injected the malicious code precisely in a place where auto systems would search for it.

These newly received modified files were evaluated as malicious and stored in our databases. In total, we received several dozen legitimate files containing malicious code.

False positives started to appear once the legitimate owners of the files released updated versions of their software. The system compared the files to the malware database – which contained very similar files – and deemed the legitimate files malicious. After that, we upgraded our detection algorithms to avoid such detections.

Meanwhile the attacks continued through 2013 and we continued to receive modified legitimate files. We also became aware that our company was not the only one targeted by this attack: other industry players received these files as well and mistakenly detected them.

In 2013 there was a closed-door meeting among leading cybersecurity and other software industry players that also suffered from the attack – as well as vendors that were not affected by the problem but were aware of it. During that meeting the participants exchanged information about the incidents, tried to figure out the reasons behind them, and worked on an action plan. Unfortunately no breakthrough occurred, though some interesting theories regarding attribution were expressed. In particular, the participants of the meeting considered that some other AV vendor could be behind the attack, or that the attack was an attempt by an unknown but powerful malicious actor to adjust its malware in order to avoid detection by key AV products.

Accusations such as these are nothing new. As far back as the late nineties I’d take with me to press conferences a placard with the word ‘No!’ on it. It saved me so much time. I’d just point to it when every third question was: “Do you write viruses yourselves, for your product to then ‘cure’ the infections?” Oh yeah. Sure. And still today I get asked the same all the time. Do they really think an 18+ year-old business built 100% on trust would be doing such things?

It seems some folks just prefer to presume guilt until innocence is proven. I guess there’ll always be folks like that. C’est la vie. But I really do hope that people will see through these anonymous, silly and groundless accusations… What I can say for sure is that we’ll continue working very closely with the industry to make the digital world safer, and that our commitment and resolve to expose cyberthreats regardless of their source or origin won’t waiver.

.@kaspersky rubbishes claims they poisoned competitors with false positivesTweet

Your car controlled remotely by hackers: it’s arrived.

Every now and again (once every several years or so), a high-profile unpleasantness occurs in the cyberworld – some unexpected new maliciousness that fairly bowls the world over. For most ‘civilians’ it’s just the latest in a constant stream of seemingly inevitable troublesome cyber-surprises. As for my colleagues and me, we normally nod, wink, grimace, and raise the eyebrows à la Roger Moore among ourselves while exclaiming something like: ‘We’ve been expecting you Mr. Bond. What took you so long?’

For we’re forever studying and analyzing the main tendencies of the Dark Web so we can get an idea of who’s behind its murkiness and of the motivations involved; that way we can predict how things are going to develop.

Every time one of these new ‘unexpected’ events occurs, I normally find myself in the tricky position of having to give a speech (rather – speeches) along the lines of ‘Welcome to the new era‘. Trickiest of all is admitting I’m just repeating myself from a speech made years ago. The easy bit: I just have to update that old speech a bit by adding something like: ‘I did warn you about this; and you thought I was just scaremongering to sell product!’

Ok, you get it (no one likes being told ‘told you so’, so I’ll move on:).

So. What unpleasant cyber-unexpectedness is it this time? Actually, one affecting something close to my heart: the world of automobiles!

A few days ago WIRED published an article with an opening sentence that reads: ‘I was driving at 70 mph on the edge of downtown St. Louis when the exploit began to take hold.‘ Eek!

The piece goes on to describe a successful experiment in which hackers security researchers remotely ‘kill’ a car that’s too clever by half: they dissected (over months) the computerized Uconnect system of a Jeep Cherokee, eventually found a vulnerability, and then managed to seize control of the critical functions of the vehicle via the Internet – while the WIRED reporter was driving the vehicle on a highway! I kid you not folks. And we’re not talking a one-off ‘lab case’ here affecting one car. Nope, the hole the researchers found and exploited affects almost half a million cars. Oops – and eek! again.

Jeep Cherokee smart car remotely hacked by Charlie Miller and Chris Valasek. The image originally appeared in Wired

However, the problem of security of ‘smart’ cars is nothing new. I first ‘joked’ about this topic back in 2002. Ok, it was on April 1. But now it’s for real! You know what they say… Be careful what you wish for joke about (there’s many a true word spoken in jest:).

Not only is the problem not new, it’s also quite logical that it’s becoming serious: manufacturers compete for customers, and as there’s hardly a customer left who doesn’t carry at all times a smartphone, it’s only natural that the car (the more expensive – the quicker) has steadily been transformed into its appendage (an appendage of the smartphone – not the user, just in case anyone didn’t understand me correctly).

More and more control functions of smart cars are now firmly in the domain of the smartphone. And Uconnect isn’t unique here; practically every large car manufacturer has its own similar technology, some more advanced than others: there’s Volvo On CallBMW Connected DriveAudi MMIMercedes-Benz COMANDGM OnstarHyundai Blue Link and many others.

More and more convenience for the modern car-driving consumer – all well and good. The problem is though that in this manufacturers’ ‘arms race’ to try and outdo each other, critical IT security matters often go ignored.

Why? 

First, the manufacturers see being ahead of the Jones’s as paramount: the coolest tech functionality via a smartphone sells cars. ‘Security aspects? Let’s get to that later, eh? We need to roll this out yesterday.’

Second, remote control cars – it’s a market with good prospects.

Third, throughout the auto industry there’s a tendency – still today! – to view all the computerized tech on cars as something separate, mysterious, faddy (yep!) and not really car-like, so no one high up in the industry has a genuine desire to ‘get their hands dirty’ with it; therefore, the brains applied to it are chronically insufficient to make the tech secure.

It all adds up to a situation where fancy motorcars are becoming increasingly hackable and thus stealable. Great. Just what the world needs right now.

What the…?

Ok. That’s the basic outline. Now for the technical background and detail to maybe get to know what the #*@! is going on here!…

Way back in 1985 Bosch developed CAN. No, not their compatriot avant-garde rockers (who’d been around since 1968), but a ‘controller area network’ – a ‘vehicle bus’ (onboard communications network), which interconnects and regulates the exchange of data among different devices – actually, those devices’ microcontrollers – directly, without a central computer.

For example, when the ‘AC’ button on the dashboard is pressed, the dashboard’s microcontroller sends a signal to the microcontroller of the air conditioner saying ‘turn on, the driver wants cooling down’. Or when the brake pedal is pressed, the microcontroller of the pedal mechanism sends an instruction to the brake pads to press up against the brake discs.

CAN stands for 'controller area network', a 'vehicle bus' which interconnects and regulates the exchange of data among different devices шт a smart car

Put another way, the electronics system of a modern automobile is a peer-to-peer computer network – designed some 30 years ago. It gets better: despite the fact that over three decades CAN has been repeatedly updated and improved, it still doesn’t have any security functions! Maybe that’s to be expected – what extra security can be demanded of, say, a serial port? CAN too is a low level protocol and its specifications explicitly state that its security needs to be provided by the devices/applications that use it.

Maybe they don’t read the manuals. Or maybe they’re too busy trying to stay ahead of competitors and come up with the best smart car features.

Whatever the reasons, the fundamental fact causing all the trouble remains: Some auto manufacturers keep squeezing onto CAN more and more controllers without considering basic rules of security. Onto one and the same bus – which has neither access control nor any other security features – they strap the entire computerized management system that controls absolutely everything. And it’s connected to the Internet. Eek!

Hooking up devices to the Internet isn't a good idea. Engineers should think twice before doing this

Just like on any big computer network (e.g., the Internet), cars too need a strict ‘division of trust’ for controllers. Operations on a car where there’s communication with the outside world – be it installation of an app on the media system from an online store, or sending car performance diagnostics to the manufacturer – need to be firmly and securely split from the engine control, the security and other critical systems.

If you show an IT security specialist a car, lots of functions of which can be controlled by, say, an Android app, he or she would be able to demonstrate in no time at all a dozen or so different ways to get round the ‘protection’ and seize control of the functions the app can control. Such an experiment would also demonstrate how the car isn’t all that different really from a bank account: bank accounts can be hacked with specially designed technologies, in their case with banking Trojans. But there is a further potential method that could be used to hack a car just like a bank account too: with the use of a vulnerability, like in the case of the Jeep Cherokee.

Any reasons to be cheerful?…

…There are some.

Now, the auto industry (and just about everyone else) seems to be well aware of the degree of seriousness of the problem of cybersecurity of its smart car sector (thanks to security researchers like those in the WIRED article, though some manufacturers are loath to show their gratitude openly).

A sign of this is how recently the US Alliance of Automobile Manufacturers announced the creation of an Information Sharing and Analysis Center, “that will serve as a central hub for intelligence and analysis, providing timely sharing of cyber threat information and potential vulnerabilities in motor vehicle electronics or associated in-vehicle networks.” Good-o. I just don’t see how they plan to get along without security industry folks involved.

And it’s not just the motor industry that’s now on its toes: hours (!) after the publication of the WIRED article (the timing was a coincidence, it was reported) new federal legislation in the US was introduced establishing standardization of motor industry technologies in the field of cybersecurity. Meantime, we’re hardly twiddling thumbs or sat on hands: we’re actively working with several auto brands, consulting them on how to get their smart-car cybersecurity tightened up proper.

So, as you can see, there is light at the end of the tunnel. However…

…However, the described cybersecurity issue isn’t limited just to the motor industry.

CAN and other standards like it are used in manufacturing, the energy sector, transportation, utilities, ‘smart houses’, even in the elevator in your office building – in short – EVERYWHERE! And everywhere it’s the same problem: the growth of functionality of all this new tech is hurtling ahead without taking security into account!

What seems more important is always improving the tech faster, making it better than the competition, giving it smartphone connectivity and hooking it up to the Internet. And then they wonder how it’s possible to control an airplane via its entertainment system!

What needs doing?

First things first, we need to move back to pre-Internet technologies, like propeller-driven aircraft with analog-mechanical control systems…

…Not :). No one’s planning on turning the clocks back, and anyway, it just wouldn’t work: the technologies of the past are slow, cumbersome, inefficient, inconvenient and… a lot less secure! Nope, there’s no going backwards. Only forwards!

In our era of polymers, biotechnologies and all-things-digital, movement forward is producing crazy results. Just look around you – and inside your pockets. Everything is moving, flying, being communicated, delivered and received, exchanged… all at vastly faster speeds to those of the past. Cars (and other vehicles) are only a part of that.

All that does make life more comfortable and convenient, and digitization is solving many old problems of reliability and security. But alas, at the same time it’s creating new problems. And if we keep galloping forward at breakneck speed, without looking back, improvising as we hurtle along to get the very best functionality, well, in the end there are going to be unpredictable – even fatal – consequences. A bit like how it was with the Zeppelin.

There is an alternative – a much better one: What we need are industry standards; new, modern architecture, and a responsible attitude to the development of features – by taking into account security – as a priority.

In all, the WIRED article has shown us a very interesting investigation. It will be even more interesting seeing how things progress in the industry from here. Btw, at the Black Hat conference in Vegas in August there’ll be a presentation by the authors of the Jeep hack – that’ll be something worth following…

Smart cars can be remotely hacked. Fact. Period. Shall we go back to the Stone Age? @e_kaspersky explains:Tweet

PS: Call me retrogressive (in fact I’m just paranoid:), but no matter how smart the computerization of a car, I’d straight away just switch it all off – if there was such a possibility. Of course, there isn’t. There should be: a button, say, next to the hazard lights’ button: ‘No Cyber’!…

…PPS: ‘Dream on, Kasper’, you might say. And perhaps you’d be right: soon, the way things are heading, a car without a connection to the ‘cloud’ won’t start!

PPPS: But the cloud (and all cars connected to it) will soon enough be hacked via some ever-so crucial function, like facial recognition of the driver to set the mirror and seat automatically.

PPPPS: Then cars will be given away for free, but tied to a particular filling station network digital network – with pop-ups appearing right on the windscreen. During the ad-break control will be taken over and put into automatic Google mode.

PPPPPS: What else can any of you bright sparks add to this stream-of-consciousness brainstorming-rambling? :)

AV boost: exorcising the system-straining ghost.

Around the turn of the century we released the LEAST successful version of our antivirus products – EVER! I don’t mind admitting it: it was a mega-fail – overall. Curiously, the version also happened to be mega-powerful too when it came to protection against malware, and had settings galore and all sorts of other bells and whistles. The one thing that let it down though was that it was large and slow and cumbersome, particularly when compared with our previous versions.

I could play the subjunctiveness game here and start asking obvious questions like ‘who was to blame?’, ‘what should have been done differently?’, etc., but I’m not going to do that (I’ll just mention in passing that we made some very serious HR decisions back then). I could play ‘what if’: who knows how different we as a company would be now if it wasn’t for that foul-up? Best though I think is to simply state how we realized we’d made a mistake, went back to the drawing board, and made sure our next version was way ahead of the competiton on EVERYTHING. Indeed, it was the engine that pushed us into domination in global antivirus retail sales, where our share continues to grow.

That’s right, our post-fail new products were ahead of everybody else’s by miles, including on performance, aka efficiency, aka how much system resources get used up during a scan. But still that… stench of sluggishness pursued us for years. Well, frankly, the smelliness is still giving us some trouble today. Memories are long, and they often don’t listen to new facts :). Also, back then our competitors put a lot of effort into trolling us – and still try to do so. Perhaps that’s because there’s nothing else – real nor current – to troll us for :).

Now though, here… time for some well-overdue spring cleaning. It’s time to clear up all the nonsense that’s accumulated over the years re our products’s efficiency once and for all…

Righty. Here are the results of recent antivirus product performance tests. Nothing but facts from a few respected testing labs – and it’s great food for thought. Have a look at the other vendors’ results, compare, and draw your own conclusions:

1. AVTest.org

I’ve said many times that if you want to get the truly objective picture, you need to look at the broadest possible range of tests from the longest possible historical perspective. There are notorious cases of certain vendors submitting ‘cranked up’ versions optimized for specific tests to test labs instead of the regular ‘working’ versions you get in the shops

The guys from the Magdeburg lab have done one heck of a job in analyzing the results achieved by 23 antivirus products during the past year (01/2014 – 01/2015) to determine how much each product slowed the computer down.

avtestorg

No comment!

Read on: a valuable advice to assess test results…

A practical guide to making up a sensation.

There are many ways to make up something sensationalist in the media. One of the practical ways is to speculate and create conspiracy theories. Unfortunately, there’s a demand for such stories and they have a very good chance of making a splash.

So how can a global company with Russian roots play a part in a conspiracy theory? Well, this one is easy: there should be some devilish inner job of the Russian secret services (to produce the “I knew it!” effect). In many cases you can change the adjective “Russian” for any other to produce a similar effect. It’s a simple yet effective hands-on recipe for a sensationalist article. Exploiting paranoia is always a great tool for increasing readership.

There are questions we’ve answered a million times: what are our links with the KGB? Why do you expose cyber-campaigns by Western intelligence services? When do you plan to hire Edward Snowden? And other ones of the ‘have you stopped beating your wife?’ kind.

We’re a transparent company, so we’ve got detailed answers ready. Of course we want to dispel any speculation about our participation in any conspiracy. We’ve nothing to hide: we’re in the security business and to be successful in it you have to be open to scrutiny.

To my great regret, there are occasions when journalists publish something sensationalist without taking account obvious and/or easily obtainable facts contrary to their sensationalist claims, and produce stories that are at odds with professional ethics. And sometimes a bad tabloid journalism style finds its way into otherwise quality media publications. I’d like to comment on one such case.

The fashionable fever of looking for Kremlin-linked conspiracies this week reached some journalists at Bloomberg. Curiously, this happened not long after our investigation into the Equation Group.

It’s been a long time since I read an article so inaccurate from the get-go – literally from the title and the article’s subheading. So it came as little surprise that a large part of the rest of the article is simply false. Speculations, assumptions and unfair conclusions based on incorrect facts. In their pursuit for a sensation, the journalists turned things upside down and ignored some blatantly obvious facts.

My congratulations to the authors: they’ve scored high in bad journalism.

But that’s where the emotion stops today. Now let’s just look at the cold facts – rather, lack of them. Let me go through some of the most outrageous and twisted gaffes.

Bloomberg bullshit

I must have said this a million times, but we do not care who’s behind the cyber-campaigns we expose. There is cyber-evil and we fight it. If a customer comes and shows us a problem we investigate it. And once we take the genie out of the bottle, there’s no way we can put it back.

But since these journalists tried to attribute the cyberattacks we exposed to the countries mentioned, for some reason they forgot about our reports on Red OctoberCloudAtlas, Miniduke, CosmicDuke, Epic Turla, Penguin Turla, Black Energy 1 and 2, Agent.BTZ, and Teamspy. According to some observers, these attacks were attributed to Russian cyber-spies.

Bloomberg bullshit

The only other statement that can compete with this one in terms of frequency, silliness and falsity is: ‘AV companies write the virus themselves’.

Let me spell it out and use a few capitals: I’ve NEVER worked for the KGB.

My detailed biography has been widely distributed around the world and can be easily found online. It clearly states (I wonder if the journalists read it) that I studied mathematics at a school sponsored by they Ministry of Atomic Energy, the Ministry of Defense, the Soviet Space Agency and the KGB. After graduating, I worked for the Ministry of Defense as a software engineer for several years. But whatever… as they say, ‘never let the facts get in the way of a good story’. Right?

UPDATE:

bloomberg-lies-update

Looks like the Bloomberg journos behind the story read my post (but not in detail; otherwise they’d have taken the article down) and made a minor edit to their text. Now, I never worked for KGB but for … Russian military intelligence!

For the record: I never worked for Russian military intelligence. As I mentioned above, I worked as a software engineer at the Ministry of Defense.

Bloomberg bullshit

Is there an implication here that the ‘quickly removed by headquarters’ was to cover up some secret truth – before it got out? Maybe not. But if you do see a possible one, let me tell you what happened:

the design of the our antivirus software box with the KGB mention was developed by our Japanese partners. I learned about it only after it was printed, and asked to have it changed as it just wasn’t true, which was done.

And if there’s a further implication that the mention was removed because we were going global and recruiting ‘senior managers in the U.S. and Europe’ (with whom KGB mentions might not sit well), well then that’s not right either. We were already global. Our American, European and Asian employees (who now make up more than a third of total company’s headcount) had no say in it. Even if they did – so what? Bottom line – I never served in the KGB!

Bloomberg bullshit

Just nonsense!

First, people join and leave organizations all the time. Second, we value only professional qualities in our people. Third, there’s no evidence of ‘closer’ – not even close – ties to Russia’s military or intelligence services. Must say though, I’d be really interested to find out who’s joined our top management team since 2012 who has ‘closer ties to Russia’s military or intelligence services’. I’m dying of curiosity!

Bloomberg bullshit

I do appreciate this interest in my recreational-prophylactic habits. While the reader may visualize naked male bodies in a steam room and dicussions of conspirational plans to conquer the world, the truth of the matter is quite something else. It highlights another way in which the journalists ignored our emailed comments to them to sacrifice objectivity for quirky details and stereotypes.

First, sometimes I do go to the banya (sauna) with my colleagues. It’s not impossible that there might be Russian intelligence officials visiting the same building simultaneously with me, but I don’t know them.

Second, we do fight cybercrime. And without cooperating with law enforcement agencies around the globe (including in the U.S., the UK, Japan, other European countries; INTERPOL and Europol) our battle would have been significantly less effective than it has been recreational – if not completely futile.

Official meetings sometimes do turn pretty informal, including with officers belonging to the security services of the U.S., the UK, Japan, other European countries; INTERPOL and Europol (oops, I’m repeating myself). And I consider the stories about my possible encounters with security officials in a banya an attempt to deliberately mislead readers; the journalists don’t mention that we are impartial in our fight against cybercrime, no matter where it strikes. A warning, dear readers: don’t believe everything you read!

Bloomberg bullshit

‘Gotcha, we’ve caught you! You investigate only US operations and not Russian!’

Well, this one’s real simple. FireEye did some great research, so publishing our own after theirs made no sense. We carefully read the FireEye report, warned our users and… kept on researching the Sofacy operation. BTW, our experts are still working on it, as it’s closely connected to the MiniDuke operation. But please don’t ask why FireEye didn’t announce MiniDuke! You know the answer (hint: who was the first to uncover it?).

Bloomberg bullshit

That is false statement.

We’ve launched an internal investigation, carefully examined all our archives for the last three years, and haven’t found such an email. Those who know Garry personally know he’s not the kind of man to write such things.

Bloomberg bullshit

Does two-year compulsory military service of 18-year old private Chekunov equal working for the KGB? Really? Dear authors, why did you miss the detail where, in the USSR, military service was obligatory for all males, and it was random which particular service you served in? Some entered the infantry, others the submarine division of the navy. Mr. Chekunov served in the Soviet Union’s Border Service for two years, and at that time the service reported to the KGB.

Bloomberg bullshit

Oh those Russians banya nights. The nerve center of all secret operations’ planning!

Actually, here, thanks are due to the authors for the PR! Our Computer Incidents Investigation Unit (CIIU) helps our clients deal with sophisticated cyber-incidents. If law enforcement agencies contact us, we help – regardless of their country. We assist with our world-class expertise any law enforcement agency to save the world from any cyber-evil.

Bloomberg bullshit

The Computer Incidents Investigation Unit (CIIU) has remote access to the personal data of our users? That is a false statement.

Next: the keyword here is ‘can’. Theoretically, any security vendor can do that. Following this logic you can imagine what nasty things Facebook, Google or Microsoft can theoretically do. Theoretically, authors of an article can stick to facts.

The reality, however, is that I’ve no reason to risk my 700mln$ business. Everything we do and can do is stated in the End-User License Agreement (EULA). Moreover, we reveal our source code to large customers and governments. If you have any fears about backdoors – come and check. Seriously. Referring to a theory is an allegation unworthy of a respectable publication.

Bloomberg bullshit

This part explains a lot. Some folks who get fired have a chip on their shoulder. Human nature. It’s common. They have some media contacts – they fancy getting their ‘revenge’. Same old!

I am just worried about how respected media put their reputation on the line based on speculation. As a result we have a perfect example of a sensationalist headline:

Bloomberg bullshit

The result of the investigative journalism revealed these REAL facts:

  • I go to banya;
  • We hire and fire employees; employees leave of their own accord;
  • 60% of our employees are Russians;
  • Our Chief Legal Officer served in the Border Control when he was 18 and at that time the service was a part of the KGB.

 
Mysterious covert data which proves I’m a KGB spy?! This world-famous news agency undertook a huge investigation – believe me, it was impressive! During the fact checking they asked very detailed, probing questions, yet all they came up with were… unproved allegations. Do you know why?

Because there’s nothing there to find.

It’s very hard for a company with Russian roots to become successful in the  U.S., European and other markets. Nobody trusts us – by default. Our only strategy is to be 1000% transparent and honest. It took years to explain who we are. Many people attempted to find ‘dirt’ on us – and failed. Because we’ve nothing to hide.

Actually, I’d like to thank Bloomberg and all the journalists behind this story! Much like our antivirus often does, they performed a full system scan –and found nothing. It’s like a halal or kosher stamp – check! External audit successfully passed.

‘The hardest thing of all is to find a black cat in a dark room, especially if there’s no cat.”

.@e_kaspersky responds to Bloomberg’s allegations in connection with Russian LETweet

So, tell me, what do you think of this whole story:

Independent AV testing in 2014: interesting results!

At KL we’re always at it. Improving ourselves, that is. Our research, our development, our products, our partnerships, our… yes – all that. But for us all to keep improving – and in the right direction – we all need to work toward one overarching goal, or mission. Enter the mission statement…

Ours is saving the world from cyber-menaces of all types. But how well do we do this? After all, a lot, if not all AV vendors have similar mission statements. So what we and – more importantly – the user needs to know is precisely how well we perform in fulfilling our mission – compared to all the rest…

To do this, various metrics are used. And one of the most important is the expert testing of the quality of products and technologies by different independent testing labs. It’s simple really: the better the result on this or that – or all – criteria, the better our tech is at combatting cyber-disease – to objectively better save the world :).

Thing is, out of all the hundreds of tests by the many independent testing centers around the world, which should be used? I mean, how can all the data be sorted and refined to leave hard, meaningful – and easy to understand and compare – results? There’s also the problem of there being not only hundreds of testing labs but also hundreds of AV vendors so, again, how can it all be sieved – to remove the chaff from the wheat and to then compare just the best wheat? There’s one more problem (it’s actually not that complex, I promise – you’ll see:) – that of biased or selective test results, which don’t give the full picture – the stuff of advertising and marketing since year dot.

Well guess what. Some years back we devised the following simple formula for accessible, accurate, honest AV evaluation: the Top-3 Rating Matrix!.

So how’s it work?

First, we need to make sure we include the results of all well-known and respected, fully independent test labs in their comparative anti-malware protection investigations over the given period of time.

Second, we need to include all the different types of tests of the chosen key testers – and on all participating vendors.

Third, we need to take into account (i) the total number of tests in which each vendor took part; (ii) the % of ‘gold medals’; and (iii) the % of top-3 places.

What we get is simplicity, transparency, meaningful sifting, and no skewed ‘test marketing’ (alas, there is such a thing). Of course it would be possible to add into the matrix another, say, 25,000 parameters – just for that extra 0.025% of objectivity, but that would only be for the satisfaction of technological narcissists and other geek-nerds, and we’d definitely lose the average user… and maybe the not-so-average one too.

To summarize: we take a specific period, take into account all the tests of all the best test labs (on all the main vendors), and don’t miss a thing (like poor results in this or that test) – and that goes for KL of course too.

All righty. Theory over. Now let’s apply that methodology to the real world; specifically – the real world in 2014.

First, a few tech details and disclaimers for those of the geeky-nerdy persuasion:

  • Considered in 2014 were the comparative studies of eight independent testing labs (with: years of experience, the requisite technological set-up (I saw some for myself), outstanding industry coverage – both of the vendors and of the different protective technologies, and full membership of AMTSO) : AV-Comparatives, AV-Test, Anti-malware, Dennis Technology Labs, MRG EFFITAS, NSS Labs, PC Security Labs and Virus Bulletin. A detailed explanation of the methodology – in this video and in this document.
  • Only vendors taking part in 35% or more of the labs’ tests were taken into account. Otherwise it would be possible to get a ‘winner’ that did well in just a few tests, but which wouldn’t have done well consistently over many tests – if it had taken part in them (so here’s where we filter out the faux-test marketing).

Soooo… analyzing the results of the tests in 2014, we get……..

….Drums roll….

….mouths are cupped….

….breath is bated….

……..we get this!:

Independent testing 2014:  the results

Read on: Are all washing powder brands the same?…