Et tu, Brute?

The infamous quote from William Shakespeare’s play Julius Caesar depicts the ultimate betrayal, when the great Roman Dictator was assassinated by a group of senators including his friend and protégé, Marcus Junius Brutus. The tragedy of Julius Caesar is a reminder to be watchful of those we trust the most. The greatest of threats come not from outside the capital walls, but from within their very gates.

Sound cyber security advice has always included the use of anti-virus software. The most visible line of defense, anti-virus is our confidant in computer security and is granted unrestricted access to email, files, and trusted system processes. Unfortunately, recent events demand we take a second look at our old friend, anti-virus, and question the degree of control afforded the software in the name of security.

Actus Primus.

Starting in mid-August, software updates distributed from anti-virus company Avast included an embedded malicious payload. Cisco Talos, a cyber threat intelligence team, reported the attack nearly a full month after the update’s release. The malware was a Trojan backdoor hidden inside a digitally-signed package and downloaded over two million times. Supply-chain attacks, like this one and the NotPetya attack earlier this year, are difficult to detect and bypass many protective mechanisms under a cloak of false legitimacy.

This Trojan reported system profiles of infected host computers to the attacker’s Internet-residing command and control server. Targeted computers of interest then received follow-on advanced malware to perform yet-unknown industrial espionage activities. At least 40 computers were confirmed to have received the advanced malware and all belonged to technology companies including Intel, Sony, and Samsung.

Cisco Talos assessed the malware as “very well developed,” requiring extensive funding and programming expertise to produce. Security researchers noted the code bears similarities with malware used by a suspected nation-state hacking group. A clean software update was quickly pushed by Avast. However, the extent of the breach, including whether any sensitive information may have been taken, remains unknown.

Actus Secunda.

In a series of articles last month, the Wall Street Journal alleged that Kaspersky Lab anti-virus software, installed on a U.S. National Security Agency (NSA) contractor’s computer, aided nation-state sponsored hackers in 2015. Information obtained from the hack included “details about how the NSA penetrates foreign computer networks, the computer code it uses for such spying, and how it defends networks inside the U.S.” Keyword searching is not a routine anti-virus function, prompting accusations that the modifications to the anti-virus software were only possible with Kaspersky Lab’s knowledge and not through hackers exploiting a bug in the software.

Kaspersky denied any direct involvement, issuing the following official statement: “Kaspersky Lab was not involved in and does not possess any knowledge of the situation in question, and the company reiterates its willingness to work alongside US authorities to address any concerns they may have about its products as well as its systems.”

Kaspersky anti-virus is used on more than 400 million computers globally and is generally viewed favorably by the security community for the company’s active efforts to thwart cyber attacks. The allegations of wrong-doing by Kaspersky have yet to be backed by hard evidence made available to the public. The use of Kaspersky software or services has been prohibited on U.S. Government computers, but it remains to be seen how these claims will further affect Kaspersky software sales.

Epilogus.

Detecting anti-virus misuse is best accomplished by employing defense in depth: the use of several security products so that each covers the seams in protection left by the others. Unfortunately, this technique is often reserved for medium-to-large businesses, as it is cost-prohibitive for small businesses and consumers. Perhaps a better solution is for ethical anti-virus companies to develop self-regulating methods to justify continued consumer trust in their products.

Julius Caesar failed to heed the soothsayer’s grim warning, “Beware the Ides of March!” and his death forever changed the history of Rome. So too has the warning been cast not to over-trust installed security products.

Finis.
