Kaspersky touts APAC Transparency Center as proving 100% trustworthiness

The company's third global Transparency Center to open next year in Malaysia.

Russian-based security vendor Kaspersky has announced the launch of a Transparency Center in Malaysia, marking the company's third global code review location.

CyberSecurity Malaysia's office in Cyberjaya will host the new center, alongside the country's cyber-related government agencies.

"It's great to be here in Kuala Lumpur -- in the heart of the Asia-Pacific region -- to announce the opening of our third Transparency Center," CEO Eugene Kaspersky said at the centre's launch.

"Here we intend to show customers and government stakeholders that our products are 100% trustworthy and ensure the highest level of cybersecurity protection. The launch also proves that the activities we planned under our pioneering Global Transparency Initiative remain on track."

According to Kaspersky, the Transparency Center in Malaysia, open to visitors from early 2020, will serve as a trusted facility for the company's partners and government stakeholders to come and check the source code of Kaspersky's solutions.

Kaspersky launched its first Transparency Center in Zurich, Switzerland in late 2018, and has since been touring the globe trying to claw back trust after the United States government publicly denounced support for the cybersecurity firm.

Another centre was also opened in Madrid, Spain in June this year.

Government regulators and enterprise clients of Kaspersky can request to review the company's solutions and services including threat analysis, secure review, and the application security testing process.

They can also review the source code of Kaspersky's consumer and enterprise solutions, Kaspersky Internet Security, Kaspersky Endpoint Security, and Kaspersky Security Center, which is a console for the company's business products.

Like both of the European centers, the new facility will also function as a briefing center that Kaspersky said will allow visitors to learn more about Kaspersky's engineering and data processing practices.

The centers also allow for the review of all versions of Kaspersky's builds and AV-database updates, as well as the information the company processes, such as data feeds from Kaspersky products that are sent to the cloud-based Kaspersky Security Network.

"As the threat landscape continues to evolve in Malaysia and in the region, we believe that it is crucial for private companies such as Kaspersky and government agencies to build trust and mutual cooperation," Dato' Ts. Dr. Amirudin Abdul Wahab, CEO of CyberSecurity Malaysia said.

"Kaspersky's willingness to open their doors and data processes further shows that they have nothing to hide. As a third-party entity, we also share their insights and concerns to make the cybersecurity industry better.

"We really hope that our partnership will be an example for more governments and private entities in exercising fairness and transparency for the benefit of our citizens and the cybersecurity industry."

The announcement touting transparency comes as c't magazine published information on a data leak caused by Kaspersky's antivirus software.

In testing the company's product, Ronald Eikenberg said he came to the conclusion that Kaspersky's virus protection was manipulating his internet traffic, injecting code without his permission.

"Before that day, I had observed such behaviour only from online banking Trojans," he wrote.

He said the Kaspersky software injected a Universally Unique Identifier (UUID) directly into the HTML source code of each website, allowing other scripts running in the context of the website domain to access the entire HTML source at any time. As he explained, this means they can read the Kaspersky ID.

"In other words, any website can read the user's Kaspersky ID and use it for tracking," the author continued.

"If the same Universally Unique Identifier comes back, or appears on another website of the same operator, they can see that the same computer is being used. If this assumption is correct, Kaspersky has created a dangerous tracking mechanism that makes tracking cookies look old."

This would therefore allow websites to track Kaspersky users, even if they switch to a different browser, including incognito mode.
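
The following is an added example, not code from the article, c't, or Kaspersky: a defender-side check that scans saved page source from several sites loaded on one machine and reports any UUID-shaped token that appears on more than one site, which is the property that makes an injected ID usable for tracking. The captures, hostnames, and the `injected.example` script URL are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Canonical 8-4-4-4-12 hex UUID layout.
UUID_RE = re.compile(
    r"\b[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\b",
    re.IGNORECASE,
)

# Constructed sample captures: page URL -> HTML as seen by the browser.
INJECTED = "9f1c2d3e-4a5b-4c6d-8e7f-0a1b2c3d4e5f"
CAPTURES = {
    "https://news.example/story": (
        f'<html><head><script src="https://injected.example/{INJECTED}/main.js">'
        '</script></head><body data-req="11111111-2222-4333-8444-555555555555">'
        "</body></html>"
    ),
    "https://news.example/other": (
        '<html><body data-req="11111111-2222-4333-8444-555555555555"></body></html>'
    ),
    "https://shop.example/cart": (
        f'<html><head><script src="https://injected.example/{INJECTED.upper()}/main.js">'
        '</script></head><body id="aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee"></body></html>'
    ),
}


def site_of(url):
    """Hostname used as the 'site' key (simplification: no eTLD+1 grouping)."""
    return (urlsplit(url).hostname or "").lower()


def cross_site_identifiers(captures, min_sites=2):
    """Return {uuid: [sites]} for UUIDs present in the HTML of >= min_sites sites."""
    seen = defaultdict(set)
    for url, html in captures.items():
        for token in UUID_RE.findall(html):
            seen[token.lower()].add(site_of(url))
    return {t: sorted(s) for t, s in seen.items() if len(s) >= min_sites}


if __name__ == "__main__":
    for token, sites in cross_site_identifiers(CAPTURES).items():
        print(f"{token} appears on {len(sites)} sites: {', '.join(sites)}")
```

A token that repeats only within one site, such as a site's own request ID, is not reported; a token that follows the machine across unrelated sites is.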

In response, Kaspersky told ZDNet it would like to thank Eikenberg for reporting the issue to them.

"Kaspersky has changed the process of checking web pages for malicious activity by removing the usage of unique identifiers for the GET requests," the company said, noting the change was made following Eikenberg reporting that using unique identifiers for the GET requests can potentially lead to the disclosure of a user's personal information.

"After our internal research, we have concluded that such scenarios of user's privacy compromise are theoretically possible but are unlikely to be carried out in practice, due to their complexity and low profitability for cybercriminals. Nevertheless, we are constantly working on improving our technologies and products, resulting in a change in this process."

Updated Monday 19 August 2019 at 9.00am AEST: Added Kaspersky's response to the anti-virus flaw and the location of the Malaysian Transparency Center.
