Posts Tagged ‘voting systems’

Russia’s Kaspersky to Allow Outside Review of Its Cybersecurity Software

October 23, 2017

Company hopes sharing source code will build trust after allegations its software helped Russia spy on Americans

Kaspersky Lab, the Moscow-based cybersecurity firm whose software U.S. officials suspect helped the Russian government spy on Americans, promised to make its source code available for an independent review.

The company said Monday the review is part of a “global transparency initiative” that it hopes will improve the trustworthiness of its products. It said it would hand over the source code for its software in the first quarter of next year but didn’t specify who would undertake the review or how widely the code would be…

 https://www.wsj.com/articles/russian-cybersecurity-firm-kaspersky-to-make-source-code-available-for-review-1508756502
.
Related:
.
.
.

Image result for Eugene Kaspersky, photos

Eugene Kaspersky

*****************************************************

Kaspersky fights spying claims with code review plan

October 23, 2017 — 0745

Apple Pay now in 20 markets, nabs 90% of all mobile contactless transactions where active

Russian cybersecurity software maker Kaspersky Labs has announced what it’s dubbing a “comprehensive transparency initiative” as the company seeks to beat back suspicion that its antivirus software has been hacked or penetrated by the Russian government and used as a route for scooping up US intelligence.

In a post on its website today the Moscow-based company has published a four point plan to try to win back customer trust, saying it will be submitting its source code for independent review, starting in Q1 2018. It hasn’t yet specified who will be conducting the review but says it will be “undertaken with an internationally recognized authority”.

It has also announced an independent review of its internal processes — aimed at verifying the “integrity of our solutions and processes”. And says it will also be establishing three “transparency centers” outside its home turf in the next three years — to enable “clients, government bodies and concerned organizations to review source code, update code and threat detection rules”.

It says the first center will be up and running in 2018, and all three will be live by 2020. The locations are listed generally as: Asia, Europe and the U.S.

No automatic alt text available.

Finally it’s also increasing its bug bounty rewards — saying it will pay up to $100K per discovered vulnerability in its main Kaspersky Lab products.

That’s a substantial ramping up of its current program which — as of April this year — could pay out up to $5,000 per discovered remote code execution bugs. (And, prior to that, up to $2,000 only.)

Kaspersky’s moves follow a ban announced by the US Department of Homeland Security on its software last month, citing concerns about ties between “certain Kaspersky officials and Russian intelligence and other government agencies, and requirements under Russian law that allow Russian intelligence agencies to request or compel assistance from Kaspersky and to intercept communications transiting Russian networks”.

The US Senate swiftly followed suit, voting to oust Kaspersky software from federal use. While three months earlier the General Services Administration also removed Kaspersky Lab from a list of approved federal vendors.

The extensive system-wide permissions of antivirus software could certainly make it an attractive target for government agents seeking to spy on adversaries and scoop up data, given the trust it demands of its users.

The WSJ has previously reported that Russian hackers working for the government were able to obtain classified documents from an NSA employee who had stored them on a personal computer that ran Kaspersky software.

Earlier this month CEO Eugene Kaspersky blogged at length — rebutting what he dubbed “false allegations in U.S. media”, and writing: “Our mission is to protect our users and their data. Surveillance, snooping, spying, eavesdropping… all that is done by espionage agencies (which we occasionally catch out and tell the world about), not us.”

We’re proud to keep on protecting people against all cyberthreats – no matter of false allegations in U.S. media https://kas.pr/x78t 

Photo published for What’s going on?

What’s going on?

I doubt you’ll have missed how over the last couple months our company has suffered an unrelenting negative-news campaign in the U.S. press.

eugene.kaspersky.com

But when your business relies so firmly on user trust — and is headquartered close to the Kremlin, to boot — words may evidently not be enough. Hence Kaspersky now announcing a raft of “transparency” actions.

Whether those actions will be enough to restore the confidence of US government agencies in Russian-built software is another matter though.

Kaspersky hasn’t yet named who its external reviewers will be, either. But reached for comment, a company spokeswoman told us: “We will announce selected partners shortly. Kaspersky Lab remains focused on finding independent experts with strong credentials in software security and assurance testing for cybersecurity products. Some recommended competencies include, but are not limited to, technical audits, code base reviews, vulnerability assessments, architectural risk analysis, secure development lifecycle process reviews, etc. Taking a multi-stakeholder approach, we welcome input and recommendations from interested parties at transparency@kaspersky.com

She also sent the following general company statement:

Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside U.S. authorities to address any concerns they may have about its products as well as its systems.

As there has not been any evidence presented, Kaspersky Lab cannot investigate these unsubstantiated claims, and if there is any indication that the company’s systems may have been exploited, we respectfully request relevant parties responsibly provide the company with verifiable information. It’s disappointing that these unverified claims continue to perpetuate the narrative of a company which, in its 20 year history, has never helped any government in the world with its cyberespionage efforts.

In addition, with regards to unverified assertions that this situation relates to Duqu2, a sophisticated cyber-attack of which Kaspersky Lab was not the only target, we are confident that we have identified and removed all of the infections that happened during that incident. Furthermore, Kaspersky Lab publicly reported the attack, and the company offered its assistance to affected or interested organisations to help mitigate this threat.

Contrary to erroneous reports, Kaspersky Lab technologies are designed and used for the sole purpose of detecting all kinds of threats, including nation-state sponsored malware, regardless of the origin or purpose. The company tracks more than 100 advanced persistent threat actors and operations, and for 20 years, Kaspersky Lab has been focused on protecting people and organisations from these cyberthreats — its headquarters’ location doesn’t change that mission.

“We want to show how we’re completely open and transparent. We’ve nothing to hide,” added Kaspersky in another statement.

Interestingly enough, the move is pushing in the opposite direction of US-based cybersecurity firm Symantec — which earlier this month announced it would no longer be allowing governments to review the source code of its software because of fears the agreements would compromise the security of its products.

Source:https://techcrunch.com/2017/10/23/kaspersky-fights-spying-claims-with-code-review-plan/

Advertisements

US agencies banned from using Russia’s Kaspersky software

September 14, 2017

Federal agencies in the US have 90 days to wipe Kaspersky software from their computers. Officials are concerned about the Russian company’s ties to the Kremlin and possible threats to national security.

Headquarters of Internet security giant Kaspersky in Moscow (Getty Images/AFP/K. Kudryavtsev)

The administration of US President Donald Trump has ordered government agencies to remove products made by Russian company Kaspersky Labs from their computers.

The Department of Homeland Security (DHS) said Wednesday it was concerned that the cybersecurity firm was susceptible to pressure from Moscow and thus a potential threat to national security.

Read more: Facebook, Russia and the US elections – what you need to know

DHS said in a statement that it was “concerned about the ties between certain Kaspersky officials and Russian intelligence and other government agencies,” as well as Russian laws that might compel Kaspersky to hand over information to the government.

But the makers of the popular anti-virus software have said “no credible evidence has been presented publicly by anyone or any organization as the accusations are based on false allegations and inaccurate assumptions.”

US tech retailer Best Buy confirmed earlier Wednesday that it would no longer sell Kaspersky products, but has declined to give further details on the decision.

Ties between Kaspersky, Kremlin ‘alarming’

Civilian government agencies have 90 days to completely remove Kaspersky software from their computers. The products have already been banned in the Pentagon.

US congressional leaders have applauded the move. Democratic Senator Jeanne Shaheen said the “strong ties between Kaspersky Lab and the Kremlin are alarming and well-documented,” and asked the DHS if the company’s products were used for any critical infrastructure, such as for voting systems, banks and energy supply.

Although Kaspersky Labs was founded by a KGB-trained entrepreneur, Eugene Kaspersky, and has done work for Russian intelligence, the company has repeatedly denied carrying out espionage on behalf of President Vladimir Putin and his government.

es/cmk (AP, Reuters)

http://www.dw.com/en/us-agencies-banned-from-using-russias-kaspersky-software/a-40500232