After US Allegations Against Kaspersky Lab, UK Responds

Kaspersky Lab’s headquarters in Moscow
The British government has taken a cue from the U.S. government’s concern about Kaspersky Lab’s anti-virus software. The U.K.’s National Cyber Security Center (NCSC), which advises organizations on cybersecurity matters and is part of intelligence agency GCHQ, now recommends that British government agencies that handle certain types of classified information not use anti-virus software developed by any Russia-based organization.

But in a step that goes beyond the NCSC’s advice, banking giant Barclays says it will no longer give its customers free copies of Kaspersky’s anti-virus software.
The NCSC, however, has stressed that most organizations should carefully consider their own potential risks before opting to ditch Kaspersky’s software. Its advice differs from that of the United States, where the government first advised against procuring Kaspersky and then completely banned it from government networks in early September (see Kaspersky Software Ordered Removed From US Government Computers).
The NCSC’s warning will have little immediate effect on Kaspersky Lab. Ian Levy, NCSC’s technical director, notes in a blog post that there’s almost “no installed base of Kaspersky AV in [U.K.] central government.”
But the new guidance could further dim Kaspersky Lab’s opportunities for future U.K. sales, both in the government and for large contracts, such as banks. And the NCSC’s recommendation represents yet more bad news for Kaspersky Lab, which has strongly refuted allegations that the Russian government may have coopted its software to serve as a search engine for other governments’ secrets.
Tarnished Darling
Kaspersky Lab’s anti-virus product is widely regarded as one of the most capable offerings on the market. Led by the gregarious Eugene Kaspersky, a software engineer turned entrepreneur, the company has a research team that has uncovered some of the world’s most sophisticated hacking groups, including Equation, which is widely believed to be the U.S. National Security Agency’s offensive hacking team.
But the software company’s reputation has been tarnished after anonymous U.S. officials suggested that using its software might put users at risk. In October, Israeli intelligence agents reportedly told the U.S. government that they had hacked into Kaspersky Lab’s infrastructure and found that Russian hackers were already there, monitoring the company’s communications with endpoints.
Because anti-virus software has deep access to an operating system and the ability to copy files, such applications remain attractive targets for hackers (see Yes Virginia, Even Security Software Has Flaws).
The Kaspersky Lab saga has continued to become more complex, after the company said that its consumer anti-virus software had flagged and collected four classified documents and NSA-developed malware from the home computer of an NSA analyst in 2014. The analyst, Nghia Hoang Pho, has pleaded guilty to mishandling classified material (see Spy Whose Files Were Plucked by Kaspersky Pleads Guilty).
Kaspersky has said that it detected malware on the home PC that it thought might be connected with the Equation Group. As with other anti-virus software, Kaspersky Lab’s software collected the suspicious files and sent them back to headquarters for analysis.
When researchers realized what had been collected and informed Eugene Kaspersky, he ordered the material deleted, the company said last month following an in-depth investigation into the incident. But the U.S. government alleges that the material ended up in the hands of the Russian government after the analyst’s computer was further targeted (see Report: NSA Secrets Stolen From Computer Using Kaspersky Software).
Recommendation: Not For Secrets
The British government has now reacted to these allegations.
“There’s been a lot of speculation about foreign involvement in the U.K. supply chain recently,” Ian Levy, technical director of the U.K. National Cyber Security Center, says in a blog post.
In a letter to the permanent secretaries of U.K. government bodies, Ciaran Martin, head of the NCSC, writes that Russian anti-virus products should not be used for certain official-tier organizations or anyone handling information classified as “secret” or higher. But most systems, he says, are not at risk.
“Russia has the intent to target U.K. central government and the U.K.’s critical national infrastructure,” Martin writes. “However, the overwhelming majority of U.K. individuals and organizations are not being actively targeted by the Russian state, and are far more likely to be targeted by cybercriminals.”
Because of the “highly intrusive” nature of anti-virus software and the fact that most products send data and information back to a vendor, “that’s why the country of origin matters,” Martin writes.
“It isn’t everything, and nor is it a simple matter of flags – there are Western companies who have non-Western contributors to their supply chain, including from hostile states,” he writes. “But in the national security space there are some obvious risks around foreign ownership.”
Don’t Panic
In a separate blog post, Levy – the NCSC’s technical director – says that the agency’s advice is “a bit complex and nuanced” but urges no one to panic. “For example, we really don’t want people doing things like ripping out Kaspersky software at large, as it makes little sense,” he writes.
Future efforts may also ease any lingering concerns. Martin says that the NCSC is in discussions with Kaspersky Lab that are focused on developing a framework that could be used to verify that U.K. data isn’t transferred to the Russian state.
“We will be transparent about the outcome of those discussions with Kaspersky Lab, and we will adjust our guidance if necessary in the light of any conclusions,” Martin writes.
In a statement, Kaspersky Lab says it looks “forward to continuing our dialogue with the NCSC to develop a framework that can independently verify and provide assurance of the integrity of Kaspersky Lab’s products and services.”
Barclays Bails
Some British users of Kaspersky Lab products, however, have already cut ties with the company. British bank Barclays, for example, has withdrawn an offer to its customers to receive a free copy of Kaspersky Lab’s anti-virus software, Reuters reports.
Many banks have deals with anti-virus companies to offer free security software, which reduces the risk of bank-related fraud that starts with malicious software infections.
In response to the Barclays move, Kaspersky Lab says it is “disappointed Barclays has decided to discontinue offering Kaspersky Lab anti-virus to new customers.” It adds that “it’s very important to note that the NCSC is not encouraging consumers or businesses against using Kaspersky Lab software.”