
Kaspersky Lab aided NSA hacking tools investigation

News roundup: According to a new report from Politico, Kaspersky Lab aided the NSA in catching alleged data thief Harold Martin. Plus, telecoms are selling customer data, and more.

Antimalware vendor Kaspersky Lab helped catch the alleged NSA data thief Harold T. Martin, according to a new report.

Martin, a former National Security Agency contractor, was arrested and charged with the theft of a significant amount of classified data in 2016, including a cache of previously undocumented NSA hacking tools. Politico reported this week that Russia-based security company Kaspersky Lab was the source that tipped off U.S. authorities to Martin's involvement.

Kaspersky Lab, which has been banned by the U.S. government due to suspected ties to the Russian government, reportedly received Twitter messages from an anonymous account -- "HAL999999999" -- connected with Martin. The five direct messages from the account were sent to two researchers at the security company, which Politico said it was able to see thanks to the anonymous sources who alerted it to Kaspersky Lab's involvement.

The first two messages reportedly asked for a meeting with Kaspersky Lab CEO Eugene Kaspersky within three weeks. Those messages arrived 30 minutes before the Shadow Brokers group -- an anonymous group suspected to be connected to Russian intelligence -- posted a cache of classified NSA hacking tools online and said it would sell more of the NSA's tools that it stole from the Equation Group for $1 million in bitcoin.

Due to the timing, Politico said, Kaspersky Lab reportedly suspected that Martin was connected to the Shadow Brokers and thus alerted the NSA of its findings and suggested the agency investigate him for the theft of the NSA hacking tools.

We contacted Kaspersky Lab for comment on the report, and a company spokesperson said, "Kaspersky Lab does not have a comment at this time."

Martin was arrested on Aug. 27, 2016, and indicted in February 2017. He is scheduled to go to trial in June and face charges for 20 counts of unauthorized and willful retention of national defense information -- each count could result in up to 10 years in prison.

The involvement of Kaspersky Lab may raise some eyebrows after a tumultuous period between the vendor and the U.S. government. In September 2017, the U.S. Department of Homeland Security (DHS) issued a Binding Operational Directive that mandated U.S. government agencies and departments remove any and all Kaspersky software from their systems.

DHS cited concerns about alleged ties between Kaspersky officials and Russian intelligence that would grant the Russian government access to, and insight into, systems running Kaspersky software. Despite a lack of any publicly known evidence of these ties, other governments followed suit, including the United Kingdom and the European Union.

In other news:

  • Google recently announced that users will be able to secure queries between their devices and the Google Public DNS service with DNS-over-TLS. According to the company, the new feature improves the privacy and integrity of users' DNS queries. DNS-over-TLS is available for Android 9 devices, and Google has published documentation for users interested in configuring the setting on Android or other systems. As the largest public DNS recursive resolver, Google Public DNS lets users convert internet domain names into the addresses that email applications and web browsers then use. Google launched the public DNS service eight years ago in an attempt to improve the security and accuracy of DNS for users worldwide. This new layer of security is crucial, because the domains that users look up via DNS may expose sensitive information; communication with DNS resolvers therefore needs to be protected, and its privacy safeguarded from network surveillance. In addition, Google implemented DNS-over-TLS following the RFC 7766 recommendations to minimize the overhead of TLS. Because using Google Public DNS requires a change to a device's settings, only users familiar with configuring operating-system settings should make the changes.
  • In order to learn about the sale of mobile device location data, Motherboard gave a phone number to a bounty hunter and asked them to find the current location of the phone. The bounty hunter was able to do so without deploying a hacking tool or having prior knowledge of the phone's whereabouts. The location was obtained using tracking tools that rely on real-time location data sold to bounty hunters directly by telecommunications companies, including T-Mobile, AT&T and Sprint. For example, a company named MicroBilt sells phone geolocation services with little to no oversight to several different private industries, according to Motherboard. The report highlights how, despite promises to the contrary, telcos frequently sell location data to partners, who then resell the data to unauthorized third parties, often without notifying customers or receiving their approval.
  • Internet service provider Netcraft reported this week that more than 80 TLS certificates used by U.S. government websites have expired without being renewed. As a result, websites for agencies such as NASA, the U.S. Department of Justice and the Court of Appeals have been rendered insecure and, in some cases, inaccessible. Because large numbers of employees across all agencies have been sent home during the government shutdown, Netcraft said the affected websites may have no one available to renew the TLS certificates. Websites that followed proper procedure and deployed correctly functioning HSTS policies will be down until further notice, while websites with expired TLS certificates but no HSTS will show an HTTPS error in browsers. This error can be bypassed in order to access the websites with HTTP. However, major browsers encourage users only to browse these sites and not to enter any login information, as their authentication credentials will not be encrypted.
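To make the DNS-over-TLS item concrete, here is an added example (not code from Google or from the article) showing what the feature changes on the wire: the same RFC 1035 query bytes, carried inside a verified TLS session to port 853 with the RFC 7766 two-byte length framing that Google says it follows. The query builder, framing, unframing and answer parser run offline against a constructed sample response; `resolve_over_tls()` is the live path and assumes the documented `8.8.8.8` / `dns.google` endpoint. The sample reply bytes and the address in them are constructed for illustration.

```python
import secrets
import socket
import ssl
import struct
from typing import List, Optional, Tuple

DOT_PORT = 853  # DNS-over-TLS (RFC 7858) listens here instead of plain UDP/TCP 53


def build_query(name: str, qtype: int = 1, txid: Optional[int] = None) -> bytes:
    """Build a minimal RFC 1035 query (recursion desired) for `name`; qtype 1 = A."""
    if txid is None:
        txid = secrets.randbelow(0x10000)  # unpredictable ID is part of spoofing resistance
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def frame(msg: bytes) -> bytes:
    """RFC 7766: over TCP (and therefore TLS) each DNS message is prefixed by its 2-byte length."""
    return struct.pack("!H", len(msg)) + msg


def unframe(stream: bytes) -> List[bytes]:
    """Split a byte stream into complete DNS messages. RFC 7766 allows several
    pipelined messages per connection, so more than one may be present; an
    incomplete trailing message is left for the next read."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        if off + 2 + n > len(stream):
            break
        msgs.append(stream[off + 2:off + 2 + n])
        off += 2 + n
    return msgs


def _read_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) domain name starting at `off`."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = _read_name(msg, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length


def parse_a_answers(msg: bytes) -> Tuple[int, List[str]]:
    """Return (transaction id, list of IPv4 addresses) from a DNS response."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # skip qtype + qclass
    addrs = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in rdata))
    return txid, addrs


# Constructed sample reply for `example.com A`, including a compression pointer
# back to the question name at offset 12. Not captured from a real resolver.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"   # header: id 0x1234, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com, A, IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"   # name ptr->12, A, IN, TTL 3600, rdlen 4
    b"\x5d\xb8\xd8\x22"                                   # 93.184.216.34 (constructed value)
)


def resolve_over_tls(name: str, server: str = "8.8.8.8", sni: str = "dns.google") -> List[str]:
    """Live path (needs network): TLS to port 853 with the resolver's certificate
    verified against the `dns.google` name, then the same framing as above.
    Certificate verification is the integrity gain over plain DNS; eavesdroppers
    on the path see only TLS records, which is the privacy gain."""
    ctx = ssl.create_default_context()
    query = build_query(name)
    with socket.create_connection((server, DOT_PORT), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(query))
            buf = b""
            while not unframe(buf):
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("resolver closed the connection")
                buf += chunk
    txid, addrs = parse_a_answers(unframe(buf)[0])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction id mismatch")
    return addrs
```

A device configured for DNS-over-TLS does exactly what `resolve_over_tls()` does for every lookup; the point to notice is that the DNS payload is unchanged, so the privacy gain comes entirely from the TLS wrapper and the integrity gain from certificate verification against the resolver's name.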
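The Netcraft item describes three distinct outcomes for a site whose certificate lapses: hard failure where HSTS is enforced, a bypassable browser warning where it is not, and no visible impact while the certificate is still valid. The following added example (written for this roundup, not from Netcraft) is the kind of expiry monitor that would have flagged those 80-plus certificates before the shutdown. `days_until_expiry()` and `classify()` work offline on a dict shaped like Python's `ssl.SSLSocket.getpeercert()` plus a response-header dict; `check_host()` is the live path that collects both over HTTPS. The hostname, certificate date and header values used for illustration are constructed.

```python
import http.client
import ssl
import time
from typing import Dict, Optional

DAY = 86400.0


def days_until_expiry(cert: Dict, now: Optional[float] = None) -> float:
    """`cert` is shaped like ssl.SSLSocket.getpeercert(); a negative result means already expired.
    getpeercert() renders notAfter as e.g. "Jan 15 00:00:00 2019 GMT", which cert_time_to_seconds parses."""
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    now = time.time() if now is None else now
    return (expires - now) / DAY


def hsts_enabled(headers: Dict[str, str]) -> bool:
    """True if the response carried Strict-Transport-Security (header names are case-insensitive)."""
    return any(k.lower() == "strict-transport-security" for k in headers)


def classify(cert: Dict, headers: Dict[str, str], now: Optional[float] = None,
             warn_days: int = 14) -> str:
    """Map a site's certificate and headers onto the outcomes the Netcraft report describes."""
    days = days_until_expiry(cert, now)
    if days < 0 and hsts_enabled(headers):
        return "expired-hsts-hard-fail"      # browsers refuse the connection; no click-through
    if days < 0:
        return "expired-warning-bypassable"  # interstitial the user can (unwisely) click through
    if days < warn_days:
        return "expiring-soon"               # renew while someone is still around to do it
    return "ok"


def check_host(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live check (not exercised by the offline test): fetch the leaf certificate and the
    headers of a HEAD request over a verifying TLS context, then classify. If verification
    itself fails (expired, wrong name, untrusted chain), report the reason instead."""
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.connect()
        cert = conn.sock.getpeercert()  # populated only because verification succeeded
        conn.request("HEAD", "/", headers={"Host": host})
        resp = conn.getresponse()
        return classify(cert, dict(resp.getheaders()))
    except ssl.SSLCertVerificationError as exc:
        return "verification-failed: %s" % exc.reason
    finally:
        conn.close()


# Constructed inventory entry of the kind a monitor would keep per site.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.agency.example"),),),  # placeholder name, not a real site
    "notAfter": "Jan 15 00:00:00 2019 GMT",
}
```

Run `check_host()` from cron against the site inventory and alert on anything other than `ok`; the `expiring-soon` state is the one that matters operationally, since by the time a browser shows either expired state the renewal window has already closed.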
