Friday, October 27, 2017

Having Nothing to Hide - Kaspersky Opens Transparency Centers


theintercept |  Responding to U.S. government suggestions that its antivirus software has been used for surveillance of customers, Moscow-based Kaspersky Lab is launching what it’s calling a transparency initiative to allow independent third parties to review its source code and business practices and to assure the information security community that it can be trusted.

The company plans to begin the code review before the end of the year and establish a process for conducting ongoing reviews, of both the updates it makes to software and the threat-detection rules it uses to detect malware and upload suspicious files from customer machines. The latter refers to signatures — search terms used to detect potential malware —  which are the focus of recent allegations.

The company will open three “transparency centers” in the U.S., Europe, and Asia, where trusted partners will be able to access the  third-party reviews of its code and rules. It will also engage an independent assessment of its development processes and work with an independent party to develop security controls for how it processes data uploaded from customer machines.

“[W]e want to show how we’re completely open and transparent. We’ve nothing to hide,” Eugene Kaspersky, the company’s chair and CEO, said in a written statement.

The moves follow a company offer in July to allow the U.S. government to review its source code.
Although critics say the transparency project is a good idea, some added it is insufficient to instill trust in Kaspersky going forward.

“The thing [they’re] talking about is something that the entire antivirus industry should adopt and should have adopted in the beginning,” said Dave Aitel, a former NSA analyst and founder of security firm Immunity. But in the case of Kaspersky, “the reality is … you can’t trust them, so why would you trust the process they set up?”

Kaspersky has come under intense scrutiny after its antivirus software was linked to the breach of an NSA employee’s home computer in 2015 by Russian government hackers who stole classified documents or tools from the worker’s machine. News reports, quoting U.S. government sources, have suggested Kaspersky colluded with the hackers to steal the documents from the NSA worker’s machine, or at least turned a blind eye to the activity.