Russian Hackers Reportedly Stole NSA Secrets with Antivirus Program’s Help

Russian hackers reportedly managed to steal sensitive U.S. National Security Agency cyberattack tools from the personal computer of a contractor in 2015 after finding the files through an antivirus program from Kaspersky Lab.

This is the third known case of an NSA contractor taking home a large quantity of classified material without authorization, after Edward Snowden and Harold T. Martin III, who is currently awaiting trial for storing some 50TB of data at his home.

This third case actually predates Martin's, who was arrested last year. According to the Washington Post, it involves a contractor who used to work for the NSA's Tailored Access Operations unit, the division that develops tools for penetrating foreign computers and networks.

The incident reportedly occurred in 2015, when the contractor was working on replacing malware and attack tools considered compromised by the Snowden leaks and took the classified files he was working with home. Unnamed sources familiar with the investigation told the Washington Post and the Wall Street Journal that the contractor was running Kaspersky antivirus on his home computer and that Russian hackers found the files through that program.

It's not clear whether this happened through a flaw in the product, with Kaspersky Lab's knowledge and assistance, or simply through the product's ordinary behavior: like most antivirus suites, Kaspersky's can upload files it flags as suspicious to the vendor's cloud for analysis, which is a data path out of the machine in its own right. The Russian company has repeatedly denied having inappropriate ties to any government or intelligence agency.

The case, if true, might be one of the reasons why the FBI, members of Congress and other parts of the U.S. government have been advising against the use of Kaspersky Lab products in recent months. In September, the U.S. Department of Homeland Security ordered all departments and agencies of the federal government's executive branch to identify Kaspersky products on their systems and to remove them within 90 days.

If the theft of NSA data was partly caused by a vulnerability in Kaspersky's antivirus that was unknown to the developer, it would confirm what many security researchers have been warning about for years: antivirus programs have a very large attack surface, since they parse untrusted files in a great many formats; they have a long record of exploitable bugs; and they generally run with high privileges (kernel drivers plus root or SYSTEM services), so a single flaw in the scanner can hand an attacker the whole machine.

Over the years, security researchers have found critical vulnerabilities in antivirus products from many vendors that could allow attackers to compromise the computers they were meant to protect. It's worth keeping in mind that security flaws in endpoint security software are an industry-wide problem; poor code maturity is not limited to any particular vendor.

Because of this, some security experts argue that in highly critical environments that already benefit from other protections, such as application whitelisting, running an antivirus program might actually increase risk rather than reduce it: the whitelist already blocks unknown executables, while the scanner adds privileged, bug-prone code that handles every file on the system.

The second lesson from this NSA leak is that organizations should be very careful about what data they allow employees to take home, if any. They should implement access controls that prevent staff from moving sensitive data out of the corporate network, and therefore out of the organization's control, because a personal machine with a consumer antivirus on it is exactly the environment the organization cannot vouch for.

Apple Fixes Encrypted Volume Password Exposure and Keychain Flaw in MacOS

Apple has released the first update for macOS High Sierra (10.13) and it includes fixes for two security issues that could expose the passwords of encrypted APFS volumes and credentials stored in users’ keychains.

The first flaw is quite embarrassing because it involves Disk Utility storing the password itself as the password hint when creating a new encrypted APFS volume. Anyone with local access to the computer can then read the password in plain text simply by asking for the hint. Installing the update stops Disk Utility from doing this for new volumes, but it does not remove a hint already written for an existing volume, so anyone who created an encrypted APFS volume with a hint on 10.13 should change that volume's password.

The second vulnerability, which affects the keychain, was revealed last week by Patrick Wardle, director of research at penetration testing firm Synack. It allows a malicious application, signed or unsigned, to obtain plaintext credentials from the user's keychain without the user being asked for permission. This defeats the keychain's intended protection: each item carries an access list, and an application not on that list is supposed to trigger a prompt before it can read the secret.

“This was addressed by requiring the user password when prompting for keychain access,” Apple said in its security advisory.

Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
