Technology

Tech firms let Russia probe software widely used by US government

Major global technology providers SAP, Symantec and McAfee have allowed Russian authorities to hunt for vulnerabilities in software deeply embedded across the U.S. government, a Reuters investigation has found.

The practice potentially jeopardizes the security of computer networks in at least a dozen federal agencies, U.S. lawmakers and security experts said. It involves more companies and a broader swath of the government than previously reported.

In order to sell in the Russian market, the tech companies let a Russian defense agency scour the inner workings, or source code, of some of their products. Russian authorities say the reviews are necessary to detect flaws that could be exploited by hackers.

But those same products protect some of the most sensitive areas of the U.S. government, including the Pentagon, NASA, the State Department, the FBI and the intelligence community, against hacking by sophisticated cyber adversaries like Russia.

Reuters revealed in October that Hewlett Packard Enterprise software known as ArcSight, used to help secure the Pentagon’s computers, had been reviewed by a Russian military contractor with close ties to Russia’s security services.

Now, a Reuters review of hundreds of U.S. federal procurement documents and Russian regulatory records shows that the potential risks to the U.S. government from Russian source code reviews are more widespread.

Beyond the Pentagon, ArcSight is used in at least seven other agencies, including the Office of the Director of National Intelligence and the State Department’s intelligence unit, the review showed. Additionally, products made by SAP, Symantec and McAfee and reviewed by Russian authorities are used in at least eight agencies. Some agencies use more than one of the four products.

McAfee, SAP, Symantec and Micro Focus, the British firm that now owns ArcSight, all said that any source code reviews were conducted under the software maker’s supervision in secure facilities where the code could not be removed or altered. The process does not compromise product security, they said. Amid growing concerns over the process, Symantec and McAfee no longer allow such reviews and Micro Focus moved to sharply restrict them late last year.

The Pentagon said in a previously unreported letter to Democratic Senator Jeanne Shaheen that source code reviews by Russia and China “may aid such countries in discovering vulnerabilities in those products.”

Reuters has not found any instances where a source code review played a role in a cyberattack, and some security experts say hackers are more likely to find other ways to infiltrate network systems.

But the Pentagon is not alone in expressing concern. Private sector cyber experts, former U.S. security officials and some U.S. tech companies told Reuters that allowing Russia to review the source code may expose unknown vulnerabilities that could be used to undermine U.S. network defenses.

“Even letting people look at source code for a minute is incredibly dangerous,” said Steve Quane, executive vice president for network defense at Trend Micro, which sells TippingPoint security software to the U.S. military.

Worried about those risks to the U.S. government, Trend Micro has refused to allow the Russians to conduct a source code review of TippingPoint, Quane said.

Quane said top security researchers can quickly spot exploitable vulnerabilities just by examining source code.

“We know there are people who can do that, because we have people like that who work for us,” he said.

Many of the Russian reviews have occurred since 2014, when U.S.-Russia relations plunged to new lows following Moscow’s annexation of Crimea. Western nations have accused Russia of sharply escalating its use of cyber attacks during that time, an allegation Moscow denies.

Some U.S. lawmakers worry source code reviews could be yet another entry point for Moscow to wage cyberattacks.

“I fear that access to our security infrastructure — whether it be overt or covert — by adversaries may have already opened the door to harmful security vulnerabilities,” Shaheen told Reuters.

In its Dec. 7 letter to Shaheen, the Pentagon said it was “exploring the feasibility” of requiring vendors to disclose when they have allowed foreign governments to access source code. Shaheen had questioned the Pentagon about the practice following the Reuters report on ArcSight, which also prompted Micro Focus to say it would restrict government source code reviews in the future. HPE said none of its current products have undergone Russian source code review.

Lamar Smith, the Republican chairman of the House Science, Space and Technology Committee, said legislation to better secure the federal cybersecurity supply chain was clearly needed.

Most U.S. government agencies declined to comment when asked whether they were aware technology installed within their networks had been inspected by Russian military contractors. Others said security was of paramount concern but that they could not comment on the use of specific software.

A Pentagon spokeswoman said it continually monitors the commercial technology it uses for security weaknesses.

Tech companies wanting to access Russia’s large market are often required to seek certification for their products from Russian agencies, including the FSB security service and Russia’s Federal Service for Technical and Export Control (FSTEC), a defense agency tasked with countering cyber espionage.

FSTEC declined to comment and the FSB did not respond to requests for comment. The Kremlin referred all questions to the FSB and FSTEC.

FSTEC often requires companies to permit a Russian government contractor to test the software’s source code.

SAP HANA, a database system, underwent a source code review in order to obtain certification in 2016, according to Russian regulatory records. The software stores and analyzes information for the State Department, Internal Revenue Service, NASA and the Army.

An SAP spokeswoman said any source code reviews were conducted in a secure, company-supervised facility where recording devices or even pencils “are strictly forbidden.”

“All governments and governmental organizations are treated the same with no exceptions,” the spokeswoman said.

While some companies have since stopped allowing Russia to review source code in their products, the same products often remain embedded in the U.S. government, which can take decades to upgrade technology.

Security concerns caused Symantec to halt all government source code reviews in 2016, the company’s chief executive told Reuters in October. But Symantec Endpoint Protection antivirus software, which was reviewed by Russia in 2012, remains in use by the Pentagon, the FBI, and the Social Security Administration, among other agencies, according to federal contracting records reviewed by Reuters.

In a statement, a Symantec spokeswoman said the newest version of Endpoint Protection, released in late 2016, never underwent a source code review and that the earlier version has received numerous updates since being tested by Russia. The California-based company said it had no reason to believe earlier reviews had compromised product security. Symantec continued to sell the older version through 2017 and will provide updates through 2019.

McAfee also announced last year that it would no longer allow government-mandated source code reviews.

The cyber firm’s Security Information and Event Management (SIEM) software was reviewed in 2015 by a Moscow-based government contractor, Echelon, on behalf of FSTEC, according to Russian regulatory documents. McAfee confirmed this.

The Treasury Department and Defense Security Service, a Pentagon agency tasked with guarding the military’s classified information, continue to rely on the product to protect their networks, contracting records show.

McAfee declined to comment, citing customer confidentiality agreements, but it has previously said the Russian reviews are conducted at company-owned premises in the United States.

On its website, Echelon describes itself as an official laboratory of the FSB, FSTEC, and Russia’s defense ministry. Alexey Markov, the president of Echelon, which also inspected the source code for ArcSight, said U.S. companies often initially expressed concerns about the certification process.

“Did they have any? Absolutely!!” Markov wrote in an email.

“The less the person making the decision understands about programming, the more paranoia they have. However, in the process of clarifying the details of performing the certification procedure, the dangers and risks are smoothed out.”

Markov said his team always informs tech companies before handing over any discovered vulnerabilities to Russian authorities, allowing the firms to fix the detected flaw. The source code reviews of products “significantly improves their safety,” he said.

Chris Inglis, the former deputy director of the National Security Agency, the United States’ premier electronic spy agency, disagrees.

“When you’re sitting at the table with card sharks, you can’t trust anyone,” he said. “I wouldn’t show anybody the code.”

Source: Tech CNBC