Monthly Archives: September 2017

And the plot thickens: Hackers Entered Equifax Systems in March

Equifax previously disclosed data was potentially accessed in May

Hackers roamed undetected in Equifax Inc.’s computer network for more than four months before its security team uncovered the massive data breach, the security firm FireEye Inc. said this week in a confidential note Equifax sent to some of its customers.

FireEye’s Mandiant group, which has been hired by Equifax to investigate the breach, said the first evidence of hackers’ “interaction” with the company occurred on March 10, according to the Mandiant report, which was reviewed by The Wall Street Journal.

Equifax had previously disclosed that data belonging to approximately 143 million Americans was potentially accessed in May. It isn’t known when Equifax learned from Mandiant that the hacking activity began in March, not May. Equifax wasn’t available for comment.

Equifax has said it didn’t discover the breach until July 29. Days later it called in Mandiant. Equifax didn’t disclose the breach until Sept. 7.

The attack, which is being probed by the Federal Bureau of Investigation, is one of the most significant data breaches given the scope of the information disclosed: people’s names, addresses, dates of birth and Social Security numbers. In its wake, consumers, customers, regulators and legislators have been asking how the attack occurred and whether Equifax took sufficient measures to protect such sensitive information.

Equifax sent the Mandiant report to some customers, many of which are financial firms, with a cover letter dated Tuesday, Sept. 19, that was signed by the company’s new chief information officer, Mark Rohrwasser, and new chief security officer, Russ Ayres. Equifax last Friday announced the departure of the two executives who previously held those positions.

In a progress report that accompanied that announcement last Friday, Equifax said hackers accessed consumers’ data from May 13 through July 30. It didn’t mention in that report that the attack had begun at an earlier date.

Mandiant’s report this week noted the hackers accessed one of Equifax’s servers by taking advantage of a flaw in software called Apache Struts, used by many companies to build interactive websites.

Two days before the access occurred, on March 8, security researchers at Cisco Systems Inc. warned of the flaw in Struts and a patch was issued by the Apache Software Foundation. Equifax in its report last week said its security staff “took efforts” to fix the system, saying it understood the intense focus outside the company on patching efforts and that its review was ongoing.

After interacting with Equifax’s server in early March, the hackers then entered the computer command “Whoami,” Mandiant wrote. This command would have given the attackers the username of the computer account to which they had just gained access, an early step in a hacking attempt.

Investigators have not determined for certain whether the March incident was issued by the data thieves or a different set of hackers, but it was likely the beginning of a monthslong reconnaissance mission, according to a person familiar with the investigation. It is common for attackers to lurk for months after their initial break-in as they probe corporate systems—the digital equivalent of trying as many doorknobs as possible to see which doors can be opened.

The March activity was likely a result of the hackers “spamming the internet for vulnerable systems,” said Johannes Ullrich, dean of research with the SANS Technology Insitute, a cybersecurity training school.

It isn’t surprising that the hackers took weeks before accessing the sensitive data, Mr. Ullrich said. “Typically, you first build out a beachhead so that it’s difficult to get kicked out,” he added.

On average, it takes companies close to 100 days to discover that they have been hacked, FireEye said in a report released earlier this year. In Equifax’s case, it took 141 days.

Eventually, between May 13 and late July, the attackers accessed files that contained Equifax credentials, such as username and password, and “performed database queries that provided access to documents and sensitive information stored in databases in an Equifax legacy environment,” the Mandiant report said.

Overall, the attackers accessed “numerous database tables in several databases,” the Mandiant report said.

The report added that the attackers “compromised two systems” that support Equifax’s online dispute web application. This is the place where consumers go to dispute information on their credit reports.

The hackers also set up about 30 Web shells—hidden pages that would allow them to remotely run commands on Equifax’s systems even if the Struts vulnerability was patched, the report said. The attackers “remotely accessed” the Equifax systems from approximately 35 “distinct public IP addresses,” it added.

The identity of the hackers is still unknown. Mandiant said in its letter that it hadn’t been able to attribute the breach to any “threat group actor” it currently tracks. Nor did the “tools, tactics and procedures” used overlap with those seen in previous investigations by the firm.

 

Critical Bluetooth Flaws Put Over 5 Billion Devices At Risk Of Hacking


Bluetooth is one of the most popular short-range wireless communications technologies in use today and is built into many types of devices, from phones, smartwatches and TVs to medical equipment and car infotainment systems. Many of those devices are now at risk of being hacked due to critical flaws found in the Bluetooth implementations of the operating systems they use.

Over the past several months, a team of researchers from IoT security firm Armis have been working with Google, Microsoft, Apple and Linux developers, to silently coordinate the release of patches for eight serious vulnerabilities that could allow attackers to completely take over Bluetooth-enabled devices or to hijack their Internet traffic.

The flaws found by Armis are particularly dangerous because they can be exploited over the air without any type of authentication or device pairing. Simply having Bluetooth enabled on a device is enough to make it vulnerable if patches for these issues are not installed.

The attacks can be fully automated and they don’t require any user interaction, as attackers can force vulnerable devices to open Bluetooth connections. In one scenario, the flaws can be used to build a worm-like attack where one compromised device automatically infects others when they come in its Bluetooth range. This can lead to the creation of massive botnets.

The Armis researchers have dubbed this new attack vector BlueBorne and they estimate that it affects over 5.3 billion devices. Furthermore, based on their discussions with vendors, they believe that 40% of the impacted devices will never be patched, either because they’re old and won’t receive firmware updates at all or because updating them is too complicated and users won’t bother.

The vulnerabilities are not located in the Bluetooth protocol itself, but in the individual Bluetooth implementations — or stacks — that are present in Android, Windows, Linux and iOS. Because of this, it doesn’t matter what version of the Bluetooth protocol a device supports — they’re all affected, with the exception of those that support only Bluetooth Low Energy, also known as Bluetooth Smart.

The Armis team first stumbled across one of the flaws during their regular work on the company’s security product, which helps organizations identify rogue or compromised IoT devices on their networks. The team then checked the similar code in other Bluetooth stacks and found additional vulnerabilities.

Four of the eight vulnerabilities were found in Android’s Bluetooth implementation, two in Linux, one in iOS and one in Windows. Their impact varies based on operating system.

“I think this is really just the tip of the iceberg as far as vulnerabilities in Bluetooth implementations go,” the Armis researchers said. “We feel that there are potentially other stacks affected by similar issues, but future research needs to be done to determine this.”

The vulnerability that affects the Bluetooth stack in Windows Vista and later does not lead to remote code execution but allows hackers to launch man-in-the-middle traffic interception attacks. Attackers can remotely force vulnerable Windows computers to set up a malicious Bluetooth-based network interface and route all of their communications through it. In this way, attackers can get all of a victim’s Internet traffic over Bluetooth.

Microsoft released security updates to address this vulnerability on supported Windows versions in July and customers who installed those updates are protected against this attack.

“We updated to protect customers as soon as possible, but as a responsible industry partner, we withheld disclosure until other vendors could develop and release updates,” a Microsoft spokesperson said in an emailed statement.

An almost identical man-in-the-middle issue was found in the Android Bluetooth stack. However, Android’s implementation also has an information leak flaw and two remote code execution vulnerabilities.

Attackers can exploit the information leak problem in order to extract sensitive information from the device memory, information that can then help them exploit the remote code execution vulnerabilities and take complete control of the targeted devices. According to the Armis team, this attack would be completely invisible to the user.

“We have released security updates for these issues, and will continue working with other affected platforms across the industry to develop protections that help keep users safe,” Google said in an emailed statement.

Google releases security fixes for its Pixel and Nexus devices every month and also contributes those patches to the Android Open Source Project. Device manufacturers that are in the Android partner program receive security patches a month or more before they’re made public, to give them enough time to integrate them in their own Android-based firmware.

Even so, there are millions of Android devices out there that have long reached end of support and will not get these patches. Those devices will remain vulnerable to these Bluetooth attacks indefinitely.

Please be sure to update all of your devices with the newest firmware or patches.

Millions of Time Warner Cable Customer Records Exposed in Third-Party Data Leak

Roughly four million records containing the personal details of Time Warner Cable (TWC) customers were discovered stored on an Amazon server without a password late last month.

The files, more than 600GB in size, were discovered on August 24 by the Kromtech Security Center while its researchers were investigating an unrelated data breach at World Wrestling Entertainment. Two Amazon S3 buckets were eventually found and linked to BroadSoft, a global communications company that partners with service providers, including AT&T and TWC.

Not all of the TWC records contained information about unique customers. Some contained duplicative information, meaning the breach ultimately exposed less than four million customers. Due to the size of the cache, however, the researchers could not immediately say precisely how many were affected. The leaked data included usernames, emails addresses, MAC addresses, device serial numbers, and financial transaction information—though it does not appear that any Social Security numbers or credit card information was exposed.

Time Warner Cable was purchased by Charter Communications last year and is now called Spectrum, though the leaked records date back from this year to at least 2010.

Other databases revealed billing addresses, phone numbers, and other contact info for at least hundreds of thousands of TWC subscribers. The servers also contained a slew of internal company records, including SQL database dumps, internal emails, and code containing the credentials to an unknown number of external systems.

A leak of administrative credentials typically heightens the risk of further systems and sensitive materials being compromised. But Kromtech did not attempt to access or review any of the password protected data, and so the contents of any other servers potentially vulnerable remains unknown.

CCTV footage, presumably of BroadSoft’s workers in Bengaluru, India—where the breach is believed to have originated—was also discovered on the Amazon bucket.

“We see more and more examples of how bad actors use leaked or hacked data for a range of crimes or other unethical purposes,” said Bob Diachenko, Kromtech’s chief communications officer. “In this case engineers accidentally leaked not only customer and partner data but also internal credentials that criminals could have easily used to monitor or access company’s network and infrastructure.”

Publication of the breach, which Kromtech detailed on its website Friday, was delayed so that BroadSoft could privately alert its customers.

A spokesperson for BroadSoft said the company had verified that customer data was exposed to the public internet, but that it does not believe the information to be “highly sensitive.” The company also does not believe it was accessed by anyone with malicious intent. “We immediately secured these Amazon S3 bucket exposures and are continuing to aggressively investigate these exposures and will take additional remedial actions as needed.”

Charter Communications sent the following statement:

“We were notified by a vendor that certain non-financial information of legacy Time Warner Cable customers who used the MyTWC app became potentially visible by external sources. Upon discovery, the information was removed immediately by the vendor, and we are currently investigating this incident with them. There is no indication that any Charter systems were impacted. We encourage customers who used the MyTWC app to change their user names and passwords. Protecting customer privacy is of the utmost importance to us. We apologize for the frustration and anxiety this causes, and will communicate directly to customers if their information was involved in this incident.”

Seems to be an everyday occurrence, cybersecurity is something everyone should be aware of.

 

 

Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers

Social Security numbers, birth dates, addresses and driver’s license numbers exposed.

Credit-reporting company Equifax Inc. said Thursday that hackers gained access to some of its systems, potentially compromising the personal information of roughly 143 million U.S. consumers in one of the biggest and most threatening data breaches of recent years.

The size of the hack is second only to the pair of attacks on Yahoo disclosed last year that affected the information of as many as 1.5 billion customers. It also involves nearly twice the number affected by one of the highest-profile breaches at a financial firm, the cyberattack at J.P. Morgan Chase & Co. about three years ago.

The Equifax breach could prove especially damaging given the gateway role credit-reporting companies play in helping to determine which consumers gain access to financing and how much of it is made available. The attack differs, too, in that the attackers in one swoop gained access to several pieces of consumers’ information that could make it easier for the attackers to try to commit fraud.

Equifax said hackers gained access to systems containing customers’ names, Social Security numbers, birth dates and addresses. The company also offers credit-monitoring and identity-theft protection products to guard consumers’ personal information.

“This is the nightmare scenario—all four pieces of information in one place,” said John Ulzheimer, a credit specialist and former manager at Equifax.

On Friday, shares of Equifax fell 14% to $123.03 in morning trading in New York.

The incident comes at a time of heightened sensitivity to cyberattacks in the political, commercial and personal realms, especially in the wake of presumed Russian interference in the U.S. presidential election last year.

The number of large hacks has increased in recent years—with incidents involving tens of millions of accounts each involving tech companies, banks, retailers and others.

More companies are putting more information online from more users, creating bigger targets for hackers who continually develop and refine their techniques and tools.

Equifax is one of the big three credit-reporting firms in the U.S. and maintains credit reports on more than 200 million U.S. adults. The other two are TransUnion and Experian. Credit reports compiled by such companies include personally identifiable information as well as records of the credit cards and loans consumers have, their spending limits on cards, and whether they are on time with their debt payments.


“This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do,” Equifax Chief Executive Richard Smith said in prepared remarks. “I apologize to consumers and our business customers for the concern and frustration this causes.”

The four pieces of information exposed in the attack are generally needed for consumers to apply for many forms of consumer credit, including credit cards and personal loans. That means that swindlers who have access to this data could have an easier time getting approved for credit in other people’s names and potentially makes it more difficult for lenders to spot a problem. In addition, Equifax said the hackers gained access to some driver’s license numbers.

An added concern is that the breach raises the chances of more fraudulent loan approvals occurring when various forms of fraud are already hitting lenders and contributing to higher losses.

Smaller financial institutions, including community banks, credit unions and online personal-loan lenders, are more vulnerable to the effects of this breach, said Al Pascual, head of fraud and security at Javelin Strategy & Research.

That is because they are more reliant on the four, key pieces of borrower information when determining whether they are dealing with a legitimate applicant, he said. The biggest banks, he added, have in recent years moved to relying on additional information. With online applications, for example, that includes pinpointing what geographic area the applicant is located in to figure out whether they are an actual person or a fraudster.

Equifax said in its statement that while the incident potentially affected approximately 143 million U.S. consumers, “the company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.

Equifax said an internal investigation revealed hackers exploited a vulnerability in a U.S. website application to gain unauthorized access to files from mid-May through July. The company said it discovered the breach on July 29.

Equifax said it reported the intrusion to law enforcement and contracted a cybersecurity firm to conduct a forensic review. In the days following the company’s discovery of the breach, three top Equifax executives, including Chief Financial Officer John Gamble, sold shares worth a combined $1.8 million, according to Securities and Exchange Commission filings. A company spokesman said the three executives who sold a small percentage of their Equifax shares on Tuesday, Aug. 1, and Wednesday, Aug. 2, had no knowledge that an intrusion had occurred at the time they sold their shares.

Equifax also said credit-card numbers for approximately 209,000 U.S. consumers were accessed, as well as dispute documents with sensitive information for another 182,000 people.

With the Equifax attack, banks now will have to reissue cards for the approximately 209,000 credit cards stolen in the breach, but for consumers the theft uniquely identifying information such as Social Security numbers and birth dates could have a permanent effect. Additionally, a limited number of people in Canada and the U.K. were affected, the company said.

Stock of other financial companies weren’t initially affected with shares of credit-card issuers and big banks mostly unchanged or up slightly in after-hours trading.

Equifax said it has set up a website—www.equifaxsecurity2017.com—to help consumers determine if their information has been compromised and to allow them to sign up for a complimentary slate of credit-monitoring and identity-theft protection. The company also has established a dedicated call center for consumers.

This is becoming an everyday occurrence.  When are we going to get the message to tighten up security across this nation !!

How Good Cybersecurity Habits Could Save You Millions

Landlords collect extremely valuable information from residents. What many don’t know, however, is that they are liable if their residents’ information is stolen.
by Meeghan Fuhr | Aug 30, 2017

Landlords collect extremely valuable information from residents, including addresses, credit card numbers, social security numbers and bank account numbers, making the multifamily industry an attractive target for hackers. Prevention and detection are key aspects of cybersecurity. What many small multifamily owners and managers don’t know, however, is that they are liable if their residents’ information is stolen.

Small multifamily owners and managers may think they have limited options when it comes to keeping their data secure, but there are many simple preventative measures they can take, and ultimately, it is their responsibility to take them.

“An identity is worth about $10-$20 on the dark net, but the actual liability stemming from its loss could be $158 or more,” said Michael Reese, chief information officer at USA Properties Fund. Multiply that by however many residents are in a database, and you could be looking at millions of dollars.

So, Who is Responsible for Making Cybersecurity a Priority?

A common misconception among management is that cybersecurity is an IT issue when, in reality, every level of an organization needs to be involved and bringing in an outside cybersecurity firm is recommended.

“It’s very difficult to have your own IT department manage your cybersecurity framework. You must have a ‘separation of duties,’ [similar to how] you can’t audit yourself. Cybersecurity is an executive decision, not an IT decision. You need to have governance, policies and procedures, and continuous training and education,” Reese said.

Many people believe they are protected because they have a good firewall, but that is just the first line of defense. “It’s best to have a layered approach,” said Reese, with firewalls, IDS/IPS (intrusion detection systems and intrusion prevention systems), server and workstation anti-virus, and SIEM (security information and event management) software/hardware. Reese also stressed that when you receive a notice that software needs to be updated, don’t ignore it!

Simple, Inexpensive Ways to Lessen the Risk of an Attack

Requiring employees to have strong passwords that are changed regularly is a simple measure multifamily firms of all sizes can implement. “Poor password practices make it that much easier for hackers to get into a company’s network or email,” Reese said. “Passwords that use a combination of numbers, symbols, upper and lower case letters are much more difficult to break.”

Another good practice is to require that Virtual Private Networks (VPNs) always be used for remote access. “If any of your employees work remotely, or link to a public Wi-Fi network (think Starbucks), they should have a VPN network installed on their laptop, tablet or smartphone. A VPN provides a secure path through the web and protects your activities from anyone trying to get in.” Reese noted that there are many relatively affordable options out there.

Additionally, it is important to control access to your firm’s data. Not everyone in your company needs access to all of the systems and data that you have,” Reese said. “Do sales people need access to personnel files, or do operations people need access to accounts receivable information?” It’s best to limit access to data only to those employees who regularly need it.

Lastly, train employees regularly. More than 75 percent of hacks come through some action by an employee, usually as the result of phishing,” Reese said. Phishing emails typically appear to come from a “legitimate” source such as a company, customer or employee, with the goal of either obtaining private information or getting the recipient to click attachments that allow malware into the network. “You should train your employees to question these emails and even call the supposed sender to confirm.”

Train your people to become good ‘cyber-citizens,’” Reese said. “And support a culture of data security!”

You can read the original article at link below from Commercial Property Executive:

 

Trove of Private Military Contractor Job Applicants Exposed Online

Another day another trove of data goes public – This time, personal and sensitive data of American citizens who applied for jobs at North Carolina-based Private Military Contractor (mercenary and security firm) TigerSwan and hundreds of those claiming “Top Secret” US government security clearances.

According to Chris Vickery, director of cyber risk research at security firm UpGuard; Resumé files of 9,402 people were found available publically on an unprotected Amazon Web Services ran by a third-party vendor TalentPen who used the files for recruitment purposes until February 2017.

A look at the exposed files revealed applicant names, home addresses, phone numbers, email addresses, driver’s license numbers and highly sensitive job history of US military veterans, mercenaries and even Iraqi and Afghan nationals who worked alongside US forces and government institutions back in their countries.

Rich Campagna, CEO at Bitglass, told HackRead.com that: “In the last few months, we’ve seen a string of high profile data incidents of this nature, including Deep Root Analytics, Verizon Wireless, and Dow Jones. These exposures are difficult to stop because they originate from human error, not malice. Just one wrong tick box in the cloud set-up process can put vast amounts of sensitive customer data at risk. This is why Amazon recently introduced ‘Macie’: to discover, classify and protect sensitive data in AWS S3.

Organisations using IaaS must leverage at least some of the security technologies available to them, either from public cloud providers, IDaaS providers, or CASBs, which provide visibility and control over cloud services like AWS. It could also be argued that these AWS server misconfigurations could have been avoided with basic security best practices such as limiting access from outside the corporate network, encrypting highly sensitive data, and training employees on security risks.”

TigerSwan was founded in 2008 by retired US Army lieutenant colonel and Delta Force operator James Reese. Since then the international security and global stability firm have provided its services during the infamous Iraq war, 2014 Sochi Olympics and Standing Rock Protests (Dakota Access Pipeline protests, DAPL).

However, in May 2017, The Intercept cited leaked documents indicating that the firm used counterterrorism tactics at standing rock to “defeat pipeline insurgencies.” In 2011, the firm also won a one year contract in Saudi Arabia where it provided construction and security services for the South Gate Entry Control Point, Eskan Village, Riyadh.

In their statement, the firm has acknowledged the issue and said that:

“At no time was there ever a data breach of any TigerSwan server. All resume files in TigerSwan’s possession are secure. We take seriously the failure of TalentPen to ensure the security of this information and regret any inconvenience or exposure our former recruiting vendor may have caused these applicants. TigerSwan is currently exploring all recourse and options available to us and those who submitted a resumé.”

It is unclear for how long the data remained unprotected or whether it was accessed by anyone else other than UpGuard researchers.

“A cursory examination of some of the exposed resumes indicates not merely the varied and elite caliber of many of the applicants as experienced intelligence and military figures, but sensitive, identifying personal details, said UpGuard.

At the time of publishing this article, there was no official response from TalentPen, LLC since the company has been dissolved. However, TigerSwan forwarded an email to Gizmodo showing conversation with a former TalentPen employee.

“I’m afraid that it does show activity that seems to be consistent with the number of files and overall size of the total number of files. I want to know exactly how there could even be a possibility of this happening given the security in place to protect data and files. The account was setup to only give access to you and I. I even had to provide you with security credentials to access the information. While I no longer work for TalentPen since it had been dissolved earlier this year, I certainly want to help you get to the bottom of this,” the email said.

Here is an archive look at the now offline TalentPen’s website.

This is not the first time when unprotected trove of data has been discovered online. In January 2017, medical data of Veterans affected by sleep disorders was exposed online. The database contained personal details of over 1,200 veterans who have been suffering from of sleep disorders.

In March this year, a misconfigured drive led to data leak of thousands of US Air Force officials including passports, names, social security numbers and other highly sensitive and personal data.

In June this year again, UpGuard discovered secret Pentagon files left unprotected on an Amazon server. The data included over 60,000 files with some of the very sensitive info publicly accessible and not even protected with a password.

If you are working as a database administrator, it’s time to run a security check and keep the data secure.  If you are using a third party “cloud” provider, double check the security features and your contract with the provider.

 

The Russian Company That Is a Danger to Our Security

Eugene Kaspersky, the founder of Kaspersky Lab, is a graduate of the KGB’s elite cryptology institute and was a software engineer for Soviet military intelligence.

MADBURY, N.H. — The Kremlin hacked our presidential election, is waging a cyberwar against our NATO allies and is probing opportunities to use similar tactics against democracies worldwide. Why then are federal agencies, local and state governments and millions of Americans unwittingly inviting this threat into their cyber networks and secure spaces?

That threat is posed by antivirus and security software products created by Kaspersky Lab, a Moscow-based company with extensive ties to Russian intelligence. To close this alarming national security vulnerability, I am advancing bipartisan legislation to prohibit the federal government from using Kaspersky Lab software.

Kaspersky Lab insists that it has “no inappropriate ties with any government.” The company’s products, which are readily available at big-box American retailers, have more than 400 million users around the globe. And it provides security services to major government agencies, including the Department of State, the National Institutes of Health and, reportedly, the Department of Defense.

But at a public hearing of the Senate Intelligence Committee in May, six top intelligence officials, including the heads of the F.B.I., C.I.A. and National Security Agency, were asked if they would be comfortable with Kaspersky Lab software on their agencies’ computers. Each answered with an unequivocal no. I cannot disclose the classified assessments that prompted the intelligence chiefs’ response. But it is unacceptable to ignore questions about Kaspersky Lab because the answers are shielded in classified materials. Fortunately, there is ample publicly available information to help Americans understand the reasons Congress has serious doubts about the company.

The firm’s billionaire founder, Eugene Kaspersky, graduated from the elite cryptology institute of the K.G.B., the Soviet Union’s main intelligence service, and was a software engineer for Soviet military intelligence. He vehemently dismisses concerns that his company assists Russia’s intelligence agencies with cyberespionage and claims that he is the target of Cold War-style conspiracy theories. But Kaspersky Lab has committed missteps that reveal the true nature of its work with Russia’s Federal Security Service, or F.S.B., a successor to the K.G.B.

Bloomberg recently reported on emails from October 2009 in which Mr. Kaspersky directs his staff to work on a secret project “per a big request on the Lubyanka side,” a reference to the F.S.B.’s Moscow offices. The McClatchy news service uncovered records of the official certification of Kaspersky Lab by Russian military intelligence, which experts in this field call “persuasive public evidence” of the company’s links to the Russian government.

The challenge to United States national security grew last year when the company launched a proprietary operating system designed for electrical grids, pipelines, telecommunications networks and other critical infrastructure. The Defense Intelligence Agency recently warned American companies that this software could enable Russian government hackers to shut down critical systems.

Beyond the evidence of direct links between Mr. Kaspersky and the Russian government, we cannot ignore the indirect links inherent in doing business in the Russia of President Vladimir Putin, where oligarchs and tycoons have no choice but to cooperate with the Kremlin. Steve Hall, former C.I.A. station chief in Moscow, told a reporter: “These guys’ families, their well-being, everything they have is in Russia.” He added that he had no doubt that Kaspersky Lab “could be, if it’s not already, under the control of Putin.”

The technical attributes of antivirus software amplify the dangers from Kaspersky Lab. Mr. Kaspersky might be correct when he says that his antivirus software does not contain a “backdoor”: code that deliberately allows access to vulnerable information.

But a backdoor is not necessary. When a user installs Kaspersky Lab software, the company gets an all-access pass to every corner of a user’s computer network, including all applications, files and emails. And because Kaspersky’s servers are in Russia, sensitive United States data is constantly cycled through a hostile country. Under Russian laws and according to Kaspersky Lab’s certification by the F.S.B., the company is required to assist the spy agency in its operations, and the F.S.B. can assign agency officers to work at the company. Russian law requires telecommunications service providers such as Kaspersky Lab to install communications interception equipment that allows the F.S.B. to monitor all of a company’s data transmissions.

The Senate Armed Services Committee in June adopted my measure to prohibit the Department of Defense from using Kaspersky Lab software, to limit fallout from what they fear is already a huge breach of national security data. When broad defense legislation comes before the Senate in the weeks ahead, they hope to amend it to ban Kaspersky software from all of the federal government.

Americans were outraged by Russia’s interference in our presidential election, but a wider threat is Russia’s doctrine of hybrid warfare, which includes cybersabotage of critical American infrastructure from nuclear plants to electrical grids. Kaspersky Lab, with an active presence in millions of computer systems in the United States, is capable of playing a powerful role in such an assault. It’s time to put a stop to this threat to our national security.
You do your own research and then decide if you would want Kaspersky software on your PC in your home.