Kaspersky, Partners Concerned Over Report That NSA Infiltrated Security Software, Anti-Virus Vendors
First, it was the networking vendors, cloud providers and telecom companies. Now, the latest report from leaked NSA documents showed the government agency also targeted security vendors to get access to vendor and client networks and track users, according to a report from the Intercept.
Citing documents from National Security Agency whistleblower Edward Snowden, the report said the NSA and its U.K. equivalent, Government Communications Headquarters (GCHQ), obtained intelligence on major security software companies and their users by reverse engineering the companies' solutions and monitoring Web and email traffic.
The report also detailed "Project Camberdada," which it said included targeted monitoring of anti-virus company communications and traffic with the suggested goal of finding software flaws that the NSA could then "repurpose" for its own needs. This project in particular targeted 23 anti-virus companies around the globe, including AVG and Check Point. The report noted the omission of large anti-virus vendors including McAfee, Symantec and Sophos, which are based in the U.S. and U.K.
In particular, the NSA targeted Kaspersky Lab, the report said. Through reverse engineering the Moscow-based security vendor's solutions, the two agencies were able to obtain information on the solution itself and its capabilities as well as customer information on its users.
In an email to CRN, a Kaspersky spokesperson said the company finds the report and its implications "extremely worrying."
"As noted during the recent Duqu 2.0 nation-state sponsored attack, we find it extremely worrying that government organizations are targeting security companies instead of focusing their resources against legitimate adversaries and are actively working to subvert security software that is designed to keep us all safe," the spokesperson said.
"Once again, we would like to stress the need for security companies to work together as a community and fight for user privacy, the right to privacy on the Internet, thwart mass surveillance and make the world a safer place," the spokesperson continued.
Partners echoed the vendor's comments. Spencer Ferguson, president and CEO of Murray, Utah-based Wasatch I.T., a Kaspersky platinum partner, called the report "troubling," saying it adds to the growing privacy concerns around the collection of data by the government.
"I feel it’s unspeakable for any organization, regardless of intent, to use methods of this nature in order to gain intelligence unless they have received the proper legal approval," Ferguson said. "Even then there is a much deeper issue that needs to be addressed. Citizens who haven’t [committed], and aren’t suspected of committing a crime shouldn’t be faced with the unknowing invasion of their privacy in the name of security and fear. It goes against everything our country stands for."
The Kaspersky spokesperson said the company is "closely reviewing and investigating" the information in the report in order to take steps to mitigate it, adding that the company works to "diligently ... protect our users" and keep its products secure.
PUBLISHED JUNE 22, 2015