Conspiracy looms: NSS Labs takes CrowdStrike, ESET, Symantec & AMTSO to court

27 Sep 2018

Cybersecurity testing organisation NSS Labs is accusing three major security firms and an industry body of boycotting independent security tests of their products.

NSS Labs filed an antitrust suit against CrowdStrike, ESET, Symantec, and the Anti-Malware Testing Standards Organization (AMTSO) earlier this month. It claims that the defendants boycott NSS Labs’ apparently unbiased and independent product testing to prevent criticism and imperfections in security products.

NSS Labs also accuses CrowdStrike and its CTO Dimitri Alperovitch of arranging a meeting at the RSA conference earlier this year. 

The meeting was “with the express intent, purpose and effect of obtaining agreement among the competitors to refuse to do business with companies, including specifically NSS Labs, who attempt to perform public tests of their products using testing methodologies other than those agreed to by the EPP Vendor Conspirators and embodied in the AMTSO Testing Standard”.

NSS Labs CEO Vikram Phatak wrote in a recent blog that his company’s mission is to help the cybersecurity industry become more transparent and accountable – but some security vendors don’t live up to those standards, and they know it.

“If you are in the cybersecurity industry, it won’t surprise you to hear that vendors often know about their products’ deficiencies yet don’t reveal them to consumers. What should shock you is that they are actively conspiring to prevent independent testing that uncovers those product deficiencies to prevent consumers from finding out about them,” he writes.

This has a flow-on effect for customers, who have almost everything to lose, including financially and, in some cases, their physical safety.

He says that some vendors address flaws; others try to avoid testing. If one vendor avoids testing, it is singled out, but apparently there’s safety in numbers.

“If a group of vendors agree ahead of time to boycott an independent test lab – say a lab they cannot get to do their bidding – then each is insulated from criticism by being one among many.”

NSS Labs claims that the AMTSO and participating organisations, including CrowdStrike, ESET, and Symantec, have conspired to claim fair and useful testing that sets their agendas – not fair and unbiased testing.

Phatak adds that CrowdStrike has included clauses in its end user licensing agreements saying that product testing is subject to their permission – something he believes is unethical and deceptive.

“NSS Labs is informed and believes and thereon alleges that CrowdStrike is attempting to conceal its EPP Security Defects in part because of the negative publicity that resulted from the Russian hacking of the Democratic National Committee (DNC),” legal documents state.

CrowdStrike has responded to NSS Labs statements, saying NSS Labs is a 'pay-to-play' testing business that uses fraud to obtain products.

"NSS is a for-profit, pay-to-play testing organisation that obtains products through fraudulent means and is desperate to defend its business model from open and transparent testing. We believe their lawsuit is baseless."

"CrowdStrike supports independent and standards-based testing—including public testing—for our products and for the industry. We have undergone independent testing with AV-Comparatives, SE Labs, and MITRE. We applaud AMTSO’s efforts to promote clear, consistent, and transparent testing standards."

However, Phatak claims vendors are "openly exerting control and collectively boycotting testing organisations that don’t comply with their AMTSO standards – even going so far as to block the independent purchase and testing of their products".

“AMTSO and its Board of Directors largely comprise, and are controlled by, EPP product vendors,” legal documents state.

He says that NSS Labs knows consumers trust security vendors to protect them, but there is often no way to know if a company is really trustworthy. If it’s good enough to sell, it’s good enough to test, he adds.

NSS Labs is also seeking damages according to proof, an injunction against the defendants for wrongful acts, attorney fees and lawsuit fees.

“Many of you reading this have relied on NSS Labs tests and insights to guide your decisions. We strive to earn your trust every day and do not take your trust for granted. It is our hope that our actions today mark an important step forward in advancing transparency and accountability in the cybersecurity industry,” Phatak concludes.
