NSA bloke used backdoored MS Office key-gen, exposed secret exploits – Kaspersky

The NSA staffer who took home top-secret US government spyware installed a backdoored key generator for a pirated copy of Microsoft Office on his PC – exposing the confidential cyber-weapons on the computer to hackers. That's according to Kaspersky Lab, which today published a report detailing, in its view, how miscreants …

Anonymous Coward

Re: Kaspersky's transparency strategy

"NSA spying on your files: BAD. FSB spying on your files: GOOD.

Is that the idea here?"

No. Or at least partially no.

NSA wants to collect everything from everybody, including me. They've said that in public so I'm assuming it's true.

FSB has a totally different approach: Only interesting individuals and/or companies are spied on and even then not _everything_ is "collected" as NSA says.

Being a basically non-interesting entity I'd choose FSB over NSA any day and it has nothing to do with politics.

This assuming Kaspersky is a FSB front end and unless there's some proof of that, I'll doubt it. Too transparent for that. Or masters of disguise, your choice.

Founder being schooled by FSB isn't a surprise, probably best available school for cyber warfare and viruses Russia has.

By that logic it's funny thing that no-one has bothered to analyze connections between NSA and let's say McAfee. I'll bet same schools can be found at some point.

Too obvious?

7
1
Anonymous Coward

Re: Kaspersky's transparency strategy

FSB has a totally different approach: Only interesting individuals and/or companies are spied on and even then not _everything_ is "collected" as NSA says.

Being a basically non-interesting entity I'd choose FSB over NSA any day and it has nothing to do with politics.

You know this for a fact? If anything current lack of infrastructure would be the FSB's only reason for not collecting everything. That and them not having a ?-eyes group to feed them with information of which one notable member (UK) sits at the juncture of most of the planet's comms traffic. They also run a great business in tapping undersea cables.

Look at the map here (https://www.submarinecablemap.com) and see why the 5-eyes members might be who they are.

Also, you only think you're a non-interesting entity. Maybe you are, maybe you aren't.

Out of the two I think I'd prefer neither.

0
0

Wait a minute

An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run? Oh, that shouldn't have set off any alarms in his/her head! I wouldn't give that idiot access to the road leading to the parking lot. With brain donors like this working in our security agencies, we might as well hand Putin the keys to the country and start learning Russian.

66
1

Re: Wait a minute

This. Right here.

9
1

Re: Wait a minute

The only defence against totalitarianism is the basic incompetence of the security services (on all sides)

30
0

Re: Wait a minute

And the NSA is the most competent spookhaus around, heaven help us if that is true. I wonder if they can add 1 + 1 and get anywhere near the right order of magnitude.

11
0
ST

Re: Wait a minute

> An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run?

This is Kaspersky's version of events, and I do not find it believable.

In the US, running bootleg copies of software is illegal. Yes, a lot of people do it, relying on "I won't get caught". But for a federal employee, or contractor, the situation is much more serious than for the average Joe.

The story with the MS Office crack sounds a lot like a smokescreen.

What is not clear at all is (a) the sequence of events and (b) the connection between the install of the NSA snooping software and the MS Office key crack.

According to Kaspersky, its anti-virus was disabled for the purpose of allowing the installation of the MS Office key crack. It follows that before this install, Kaspersky anti-virus was running on this computer.

If Kaspersky has the ability to detect the NSA snooping tools, then the detection of these tools would have occurred as soon as the tools were copied to/installed on that laptop/desktop. Independently of the MS Office key crack. This makes the whole tangent about the MS Office key crack pointless.

Which begs the question: how does Kaspersky know what to look for, and upload their find to Russia? I bet they don't upload random pictures of pets or landscapes. This is where the sequence of events - as explained by Kaspersky - breaks down. Along with the implication that a NSA employee who has access to these tools is careless or dumb enough to install them on a Windows personal computer at home that is under constant monitoring by Kaspersky.

3
44
Anonymous Coward

Re: Wait a minute

"An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run?"

Sounds like senior management to me.

41
0
Anonymous Coward

Re: Wait a minute

No, I find this very believable. I have worked with "security professionals" who have done exactly this. The history of collection is full of clever people who thought that they were too smart to be caught by dumb systems.

38
1



Re: Wait a minute

Yes, some people are not the brightest sparklers in the firework box. I well remember the case of an employee of the month(?) who became an ex-employee when found to be running phone frauds and illicit activities within 6 weeks of being employed on 'security and anti terrorism' in an 'overseas location'. Whoever organised his recruitment and vetting copped a fizzer for that embarrassing fiasco. Happily no major harm was caused in that case.

9
0
Anonymous Coward

Re: 1 + 1

Let's have a = 1 and b = 1

So a = b

Multiply both sides by a and have a^{2} = ab

Now subtract b^{2} from both sides to get a^2 - b^2 = ab - b^2

Factorise both sides to get (a + b)(a - b) = (a - b)

Divide both sides by (a - b) and we get a + b = 1 .

Because a and b have both a value of 1, then... 1 + 1 = 1

1
7
Anonymous Coward

Re: 1 + 1

Divide both sides by (a - b) and we get a + b = 1

Yeah. Sure. It's a shame that division by zero is exclusively reserved by God for creating black holes :)

13
0

Re: 1 + 1

"Factorise both sides to get (a + b)(a - b) = (a - b)"

Hmm, no. You get (a+b)(a-b)=(b+1)(a-b) which means that after dividing by (a-b) you end up with a+b=b+1. Or 2 = 2.

6
1

Re: Wait a minute

"An NSA employee with access to highly classified information is STUPID enough to run a crack? And disabled his AV to enable it to run?"

It's a conspiracy versus cock-up moment. Was he really that stupid or was this a sting operation with some chickenfeed to justify blacklisting Kaspersky?

7
0

Re: Wait a minute

This makes the whole tangent about the MS Office key crack pointless.

The point is that the malware installed by the Office keygen could have been the vector for someone other than Kaspersky getting access to the computer to obtain the NSA malware on it.

how does Kaspersky know what to look for, and upload their find to Russia?

Because hacking tools are usually suites that are built up over time, based on earlier revisions, enhanced, added to, and so on. Therefore, as with any suite, they often have common libraries, common blocks of code (so even if not a library, a copy-paste of working exploits from an older version into the newer version) and so on.

Linguistic analysis can quite accurately tell who wrote a post, or series of posts, of novels, essays and so on. Everyone has their own style, grammar, punctuation usage, same repeated spelling errors and whatnot.

The exact same thing applies to programming. Someone could have a favourite error routine that they've developed over years and reuse in new code rather than writing it from scratch - or using someone else's. The number of spaces/tabs used in indentation, language used in comments, variable/function/class naming styles, all can be used to determine who wrote a piece of code.

Since Kaspersky had earlier samples of NSA malware/exploits, they already have a library of those common routines, styles, and so on to search for. So if they find a file that has a chunk of known code (e.g. still using the same exploit_0345 library in the new stuff, or an entire code chunk is the same as a sample they already have - but the rest is different) then any virus scanner worth its name will flag that as a suspect file. And if the user has enabled (or rather, hasn't disabled) the "send suspicious code back to mothership for further analysis" option that most modern AV have - Kaspersky, ESET, Symantec, Windows Defender, and most of the other big-name ones - then that file, and 'surrounding' files, e.g. an entire zip archive if it finds suspicious files in the archive - will be sent back.

6
1

Re: Wait a minute

>>It's a conspiracy versus cock-up moment. Was he really that stupid or was this a sting operation with some chickenfeed to justify blacklisting Kaspersky?

Given that this took place some time ago and that exploits have real value, I'm going to go with it being an error that they are opportunistically capitalising on. When life gives you lemons, sort-of-thing.

NSA/USA don't really need real events to attack foreign powers over. With a compliant media and the inability of people to question your version (because it's all cloak-and-dagger take our word for it subject matter). I doubt they'd sacrifice real value for planning ahead a mud-slinging exercise two years in advance. When they can get as much effect just with the CIA saying "Russia hacked our election. We have evidence" on demand.

6
0

Re: Wait a minute

That corrupted home machine full of pretend NSA malware looks like a honeypot to me. Tempt Kaspersky, have them upload, use as infection vector.

Hence the deletion (from normal analysis environment). After the above was confirmed.

Spy vs. Spy.

4
1
Anonymous Coward

Re: Wait a minute

Sigh....When you run an AV scan, it will scan basically all the files in the areas you tell it to scan, executables, plain files, and compressed archives, the lot. Because Malware isn't always simple and may hide and have helper files etc. Kaspersky also uses heuristics and scans for likely malicious but not yet identified files; and that uses their experience with malware over the years. As they are familiar with earlier "Equation Group" malware, they probably look for files with similar characteristics. With the users permission they upload known and suspected malicious files for further analysis.

This is all absolutely standard for almost all AV products and hardly a cause for any suspicions specifically directed at Kaspersky. Of course it's all the "RUSSIA, RUSSIA, RUSSIA" hysteria in the USA that makes this such a meme.

Of course, knowing what we know and if we believe that AV products are snooping on us, one would certainly want to avoid any US based AV as they are certainly cooperating with NSA and others to actively snoop on you. Maybe use Finnish or Swiss based products - if they are snooping their secret services seem a little less likely to care what you may or may not do.

11
0

Re: Wait a minute

Sigh....When you run an AV scan, it will scan basically all the files in the areas you tell it to scan, executables, plain files, and compressed archives, the lot.

However, many AV's mostly do a simple/quick scan focusing on program files as designated by their extension, in this mode archive files (ie. zip files) tend to be skipped. Only when I do a full scan will the AV look inside an archive file.

Hence I can install an archive file containing interesting material, open it, extract and open source and text files from within it and not have the AV flag anything - however if I copy a file with an executable extension out of the archive into a filesystem folder then this will get scanned in real-time and get flagged.

I get this all the time with the Nirsoft tools, hence now I have a folder where I permit these tools to be installed and prompt to enable their execution.

So the reason the NSA toolkit was on the computer and the AV hadn't detected it was because, the user, up to the time they had cause to do a full system scan, had not given Kaspersky any reason to fully scan the archive.

4
0
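The three comments above describe the same mechanism from different angles: a scanner that keeps fragments of earlier samples and flags a new file that reuses a chunk of them, plus the difference between a quick scan that only looks at files with executable extensions and a full scan that also opens archives. The following is an added toy example of that logic, not Kaspersky's or any vendor's code. It uses sliding-window hashes over raw bytes (real engines use longer, content-defined chunks and far more signal), all file contents and the zip archive are constructed inline, and the "upload to the vendor" step is deliberately left out since it is a policy decision, not detection logic.

```python
"""
Toy detector for reused code fragments, in the spirit of the AV heuristic described above:
a new file that carries a chunk of a routine seen in an earlier sample gets flagged even
though the rest of it is different. Added example, not Kaspersky's or any vendor's code.
Every byte string below is constructed for illustration.
"""
import hashlib
import io
import zipfile

WINDOW = 16  # bytes per fragment; real engines use longer, content-defined chunks


def fragments(data, window=WINDOW):
    """Hashes of every `window`-byte slice of `data` at stride 1.

    Stride 1 makes matching alignment-independent: a known routine pasted at any
    offset in a new file yields the same slice hashes. Cost is O(len(data)),
    fine for a demo but not for a real scanner.
    """
    if len(data) < window:
        return set()
    return {
        hashlib.blake2b(data[i:i + window], digest_size=8).digest()
        for i in range(len(data) - window + 1)
    }


def shared_fraction(known, candidate):
    """Fraction of the known routine's fragments that appear in the candidate."""
    if not known:
        return 0.0
    return len(known & candidate) / len(known)


def classify(data, signatures, threshold=0.6):
    """Return [(routine_name, score)] for known routines that `data` reuses."""
    cand = fragments(data)
    hits = [(name, round(shared_fraction(sig, cand), 2)) for name, sig in signatures.items()]
    return [(name, score) for name, score in hits if score >= threshold]


EXECUTABLE_EXT = (".exe", ".dll", ".sys")


def scan(files, signatures, full=False):
    """Quick scan: only files with executable extensions; archives are skipped.

    Full scan: every file, and every member of every .zip (recursively), so a
    tool dropped inside an archive is only seen in this mode.
    Returns {path: hits} for flagged files only.
    """
    results = {}
    for name, data in files.items():
        lower = name.lower()
        if lower.endswith(".zip"):
            if full:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    members = {f"{name}/{m}": zf.read(m) for m in zf.namelist()}
                results.update(scan(members, signatures, full=True))
        elif full or lower.endswith(EXECUTABLE_EXT):
            hits = classify(data, signatures)
            if hits:
                results[name] = hits
    return results


# --- constructed samples ---------------------------------------------------
# A routine carried forward across toolkit generations (80 distinct bytes).
ROUTINE = bytes(range(0x40, 0x90))
SIGNATURES = {"error_routine_v1": fragments(ROUTINE)}

# New-generation sample: different loader and payload, same routine in the middle.
NEW_SAMPLE = b"loader v2 " + bytes(range(0x90, 0xA0)) + ROUTINE + b"\x00" * 24 + b"new exploit body"
# Only the first 30 bytes of the routine survive here: too little to cross the threshold.
PARTIAL = b"stub" + ROUTINE[:30] + b"zz"
BENIGN = b"Quarterly report, nothing to see here. " * 4


def build_archive(members):
    """Build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


FILES = {
    "tools.zip": build_archive({"loader.exe": NEW_SAMPLE, "README.txt": BENIGN, "stub.bin": PARTIAL}),
    "notes.txt": BENIGN,
    "dropper.exe": NEW_SAMPLE,
}


def demo():
    """Run both scan modes over the constructed file set."""
    return scan(FILES, SIGNATURES, full=False), scan(FILES, SIGNATURES, full=True)


if __name__ == "__main__":
    quick, full = demo()
    print("quick scan:", quick)   # flags dropper.exe only
    print("full scan: ", full)    # also flags tools.zip/loader.exe; stub.bin stays below threshold
```

The quick scan never opens `tools.zip`, so the copy of the routine inside `loader.exe` goes unnoticed until a full scan descends into the archive, which is the gap the previous comment describes. The 0.6 threshold is an arbitrary choice for the demo; it lets the file that only carries the first 30 bytes of the routine (about 23% of its fragments) through, which shows why a real engine combines fragment overlap with other heuristics rather than relying on one score.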

Re: Wait a minute

With brain donors like this

I don't think there's much risk of that TBH.

0
0

Re: Wait a minute

If Kaspersky has the ability to detect the NSA snooping tools, then the detection of these tools would have occurred as soon as the tools were copied to/installed on that laptop/desktop. Independently of the MS Office key crack. This makes the whole tangent about the MS Office key crack pointless.

You do realise that one can install two OR MORE bits of software/data on a computer at one time, right? Or is that beyond your comprehension?

TFA says that Kaspersky was disabled on the machine for some weeks. I could install whole terabytes of data in that time! Imagine! Incredible!

Which begs the question: how does Kaspersky know what to look for, and upload their find to Russia?

If you don't know how AV software works, you might want to skip commenting on articles about it. Maybe reading the article again would give you a few clues, but I suspect you're a bit beyond that.

6
1
Anonymous Coward

Re: Wait a minute

"In the US, running bootleg copies of software is illegal."

So?

If you think anyone else cares, you have a major disconnection from reality.

Even NSA subcontractors won't give a hoot. That's the most believable part of the whole story and on par with any observable reality.

"Along with the implication that a NSA employee who has access to these tools is careless or dumb enough to install them on a Windows personal computer at home "

That's exactly what people do. I see commenter has never worked in IT support: No-one can even imagine how stupid things educated employees do. All the time.

6
0

I'm wondering if the NSA spyware wasn't preinstalled on the computer by the NSA to keep track of employees and what they're up to. After Snowden's revelations and the damage it did to them, I wouldn't be surprised.

We really need a tinfoil hat icon.

15
2

Interesting idea Mark 85

7
0

I'm wondering if the NSA spyware wasn't preinstalled on the computer by the NSA to keep track of employees and what they're up to

You mean just like a licenced copy of Office?

12
0
Anonymous Coward

I'm wondering if the NSA spyware wasn't preinstalled on the computer by the NSA to keep track of employees and what they're up to

You mean just like a licenced copy of Office?

LOL. Quiet day?

:)

5
0

Quiet day?

Conference calls all day :/

2
0

Tinfoil hat time?

Maybe I'm just suspicious, but the NSA is pissed off with Kaspersky for detecting its exploits.

It can control US and EU based vendors and "persuade" them not to detect NSA exploits, but being Russian, Kaspersky is out of NSA's control. Perhaps this ban is a way of making an example out of those who don't toe the line, or perhaps I'm just paranoid?

29
0

Re: Tinfoil hat time?

"perhaps I'm just paranoid?"

Nope, just very, very realistic!

21
0

Re: perhaps I'm just paranoid?

Yes, you are.

Doesn't mean that you're wrong, though.

12
0
Anonymous Coward

Re: perhaps I'm just paranoid?

When I was young I was always told I was being paranoid.

In hindsight I realised (too late for my sanity) that I was quite right in most of my assessments and that the people accusing me of being paranoid were the very ones pissing up my back.

15
0

Re: perhaps I'm just paranoid?

"Doesn't mean that you're wrong, though."

Nor that they're not out to get him.

1
0
Anonymous Coward

Re: Tinfoil hat time?

"It can control US and EU based vendors"

UK-based yes, others questionable or no. No legal leverage and outside of NATO very little political/military leverage.

Finnish F-Secure got some negative publicity in US and positive elsewhere when it found some NSA tools.

Probably not much used in US so no similar political attacks against it like Kaspersky.

4
0
Anonymous Coward

FSB needs blenders

If It comes down to being hacked by NSA or FSB, I'll choose the NSA. NSA never bought $2000 worth of blenders on my credit card.

1
9

So snowden and the rest should just claim they got hacked. Is the contractor going to jail ?

10
0

OK, the cracked version of Office smells like BS. Who here has not helped themselves to their company's volume licensing for, ahem, certain MS products? If s/he is smart enough to be a hacker, s/he is smart enough to do that. So either that person was targeted or for some reason a non-techie got hold of some hacking tools. Not sure which is worse.

1
17

You think a clever hacker would rather hack his own company (the NSA) rather than a soft target (Microsoft)

13
0

Mate, I've worked with MS admins who didn't realise the VL centre even existed! So I can quite believe someone who is not an MS admin doing something bloody stupid like running a keygen for Office.

13
0
I3N

Sure enough, been in meetings where MS was blamed for charging for software was the excuse ... only employment requirement was that you could piss in a cup and pass a lie detector test

6
0
Anonymous Coward

"Who here has not helped themselves to their company's volume licensing for, ahem, certain MS products?"

On company laptop easy peasy. If it's BYOD, a bit harder and why would anyone working for NSA care a single bit about pirated software?

You believe someone would come after them? Would anyone believe so? When you are already a professional criminal (spying on people illegally) why would you care as long as your back is secured (by NSA)?

I really don't know but believable so far.

Also: This person was turning antivirus off for weeks: That alone tells us the level of intelligence and/or carelessness involved.

6
0
Anonymous Coward

Kaspersky AV

Sounding more and more like the way to go.

PS: I keep all my State Secrets on a 1.44MB floppy under my old National Geographic collection in the basement...

11
1

Re: Kaspersky AV

Sure and not your porn stash

0
2

Re: Kaspersky AV

"Sure and not your porn stash"

Don’t be ridiculous! Who has a porn stash that can be fitted on a floppy?

23
0

ASCII Porn Stash

Nonsense, my ASCII porn stash fits nicely onto a floppy.

ASCII character 248 *is* sexy.

9
0

Re: Kaspersky AV

>PS: I keep all my State Secrets on a 1.44MB floppy under my old National Geographic collection in the basement...

I assume the State Secrets date from the time when 1.44MB floppies were in common usage and hence it is questionable whether the disk after all this time is actually readable...

1
0
Anonymous Coward

Re: Kaspersky AV

Don’t be ridiculous! Who has a porn stash that can be fitted on a floppy?

If you have a floppy and a porn stash, your stash just ain't that good.

1
0

The photo looks like Dan Akroyd...

(letters)

0
0

Re: The photo looks like Dan Akroyd...

Steve Bannon, without his liver sticking out.

6
0

PLA, NSA, KGB, Mossad....

Someone's botbot will soon be smarting!

4
2

Biting the hand that feeds IT © 1998–2018