Stand by for another WannaCry.
As if Saint Julian of BroomCupboard could give a toss.
The CIA wrote code to impersonate Kaspersky Labs in order to more easily siphon off sensitive data from hack targets, according to leaked intel released by Wikileaks on Thursday. Forged digital certificates were reportedly used to "authenticate" malicious implants developed by the CIA. Wikileaks said: Digital certificates …
Now we know why the US government were in a panic to get their own ministries and major businesses to stop using Kaspersky anti-virus. They knew that this was going to become public, and they didn't know if enough was going to be released to allow third parties to do the same thing they had been doing.
They couldn't give their real reason, as that would be admitting to what they had been doing to an innocent third party. So instead, they had to make vague accusations as justification.
The Americans have stolen digital certs before, when they physically broke into offices in Taiwan to steal the signing keys belonging to Taiwanese companies to use with Stuxnet.
It's another example of what seems to be a common pattern. If you want to know what the CIA/NSA/etc have been doing, just look at what they are accusing someone else of doing. It's like when they had been spreading FUD about how the Chinese might be hiding spy implants in Huawei networking hardware. They were never able to point to an actual example. It turned out though that it was actually the CIA doing it to Cisco gear on a large scale.
It's certainly something to look out for in future. When the CIA/NSA/etc. start warning about another country doing something but offer no tangible proof, it's time to start looking for their own sticky fingers all over something related to it.
Expert says "Not targeted against Kaspersky" ... how so?
The US bans Kaspersky for being another agent of the Russian state - with no conclusive evidence that I can identify - evidence is probably a secret. Then it transpires that the CIA are using the tool that they accuse of being a tool for a foreign power, as a tool of a foreign power (if you're not a U.S. citizen) ... truly down the rabbit hole stuff.
I guess what you can't do is trust whatever any intelligence service says, because if you could, they wouldn't be doing their job.
Political-economy is my fave social science and, yes, I don't break it down into the categories/fields. It's all the same from different perspectives. Sorry, I digress. Governments have never had scruples. Ever. It's a shame that so much of the history and analysis of past events are analyzed by the winners. What's worrying is that our present President lacks them entirely. Previous Presidents did have stopping lines. For another example, Teddy Roosevelt.
"I'm old enough to remember when governments had scruples."
Pretty sure you're not that old, sitta europea - the first governments formed several thousands of years ago and which of them ever had scruples?...
Or perhaps you meant to write that you were old enough to remember when governments could convince the more naive of their citizens that they had scruples?...
Henri
I've been led to the following Truths:
- If a department in the government of the USA is accusing an external company or country of something - it's because the USA is doing it.
- If a political party in the USA is accusing the other political party of something - it's because the accuser is neck deep in that thing. Or, it's because they've set the other party up.
I hope I'm not alone in my complete disgust with the state of my government.
You are hardly alone. The problem is that such a small percentage pay attention to what's going on before it's too late to effect a change. Some could even argue that it's already too late - no doubt the agencies have plenty of dirt on those who write the laws and paychecks already. Or nowadays, can make it up so well no one could tell anyway. If we ever had it, there is now no doubt we've completely lost control of our government by now.
Personally, I'm tired of having to apologize for being American in my contacts with those who aren't.
Those of us who are awake and care are too few to do anything. The vast majority don't care yet.
Nothing surprising about agencies accusing others of what they are doing themselves, it's just human nature..
https://en.wikipedia.org/wiki/Psychological_projection
It's even covered in The Bible..
"And why beholdest thou the mote that is in thy brother's eye, but considerest not the beam that is in thine own eye?"
"You therefore have no excuse, you who pass judgment on another. For on whatever grounds you judge the other, you are condemning yourself, because you who pass judgment do the same things."
Yeah, this has nothing to do with how many decades of cold war and the neo-cold war that is starting up again.
Let's face it, the only thing that the Russians are guilty of is not falling in line in regards to the global agenda the US has laid out. When any government publicly demonizes a foreign nation it's because that foreign nation won't let itself be exploited.
Some people want you to believe that when HTTPS is used you're fully secure. Guess not.
This is exactly one of the reasons why I believe that the pressing for HTTPS by browsers only works counterproductive: it creates a false sense of safety while in fact there's no added security at all. In most cases someone already needed physical access to intercept your web traffic, and if they got that then even HTTPS doesn't have to stop them, as we can see here.
This has nothing to do with browser security. It's the cert used by the backdoor when it's phoning home. If someone tried serving up an HTTPS web site using it, the browser would rightly flag the cert as being invalid.
The only purpose is to look a bit better if someone sniffs the traffic. Unless you actually verify the cert - which network monitoring tools typically don't - it'll look like it's just a Kaspersky AV product phoning home.
While I agree that TLS in general and the entire CA security model in particular is fundamentally flawed, unfortunately it's the only universal thing we have for encrypting HTTP traffic for the foreseeable future. Even just using self-signed certs is many, many times better than sending the traffic unencrypted, since at the very least you now need an active attack as opposed to passive traffic sniffing to see it. Plus you get forward secrecy if the proper TLS magic is supported by both parties.
Impersonation <> properly signed (by the CA) certificate. How are they getting around this? How are they signing the cert such that the client is accepting it without a security warning? Surely that is the most interesting bit here?
Anyone can issue a cert for any site, getting that cert trusted by the client is the hard bit.
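The point made in the comments above (a monitor that reads only the certificate's names sees "Kaspersky", one that validates the chain does not) can be turned into a triage rule. The sketch below is an added example, not part of the thread or of any product: the session records, field names (`subject`, `issuer`, `chain_ok`, `sni`) and the `kaspersky.example` domain are constructed placeholders, and `chain_ok` stands for the result of validating the server chain against the monitor's own trust store.

```python
from typing import Dict, List

# Brands whose appearance in a certificate subject must be backed by a chain
# that validates and by a destination the vendor really uses.
# The domain set is a constructed placeholder, not the vendor's real list.
WATCHED: Dict[str, set] = {"kaspersky": {"kaspersky.example"}}

# Constructed TLS session records (hypothetical field names).
SESSIONS = [
    {"id": "s1", "sni": "updates.kaspersky.example",
     "subject": "CN=updates.kaspersky.example, O=Kaspersky Lab",
     "issuer": "CN=Trusted Root (constructed)", "chain_ok": True},
    # Names look right, but the chain does not validate and there is no SNI.
    {"id": "s2", "sni": "",
     "subject": "CN=av-update, O=Kaspersky Laboratory",
     "issuer": "CN=Well-Known CA (constructed)", "chain_ok": False},
    # Internal self-signed service: invalid chain, but no brand claim.
    {"id": "s3", "sni": "intranet.corp.example",
     "subject": "CN=intranet.corp.example",
     "issuer": "CN=intranet.corp.example", "chain_ok": False},
]


def _is_vendor_host(sni: str, domains: set) -> bool:
    """True if the SNI is one of the vendor's domains or a subdomain of one."""
    return any(sni == d or sni.endswith("." + d) for d in domains)


def assess(session: dict) -> List[str]:
    """Return the reasons a session's brand claim is not backed up."""
    reasons = []
    subject = session["subject"].lower()
    for brand, domains in WATCHED.items():
        if brand not in subject:
            continue  # no brand claim, nothing to check against
        # The issuer string is as forgeable as the subject: only the
        # validation result counts, never the name printed in the cert.
        if not session["chain_ok"]:
            reasons.append(f"{brand}: subject names brand, chain not valid")
        if not _is_vendor_host(session.get("sni", ""), domains):
            reasons.append(f"{brand}: destination not a known vendor host")
    return reasons


def flagged(sessions: List[dict]) -> Dict[str, List[str]]:
    """Map session id to reasons, for sessions with at least one reason."""
    results = {s["id"]: assess(s) for s in sessions}
    return {sid: why for sid, why in results.items() if why}
```
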