Application Security

8/9/2017
06:00 PM
Carbon Black Refutes Claims of Flaw in its EDR Product

Endpoint security firm responds to DirectDefense's report, noting that the information was shared voluntarily via a feature in the product that comes disabled by default.

A security service provider's sensational claims this week that an endpoint detection and response (EDR) product from Carbon Black was leaking terabytes of sensitive customer data have focused attention on a more basic point: organizations need to understand exactly what their security controls do with the data they collect.

DirectDefense Inc., which discovered the supposed leak, described it as the "largest pay-for-play data exfiltration botnet" and pinned the blame for it on a fundamental flaw in Carbon Black's EDR architecture.

But Carbon Black co-founder and CTO Michael Viscuso characterized DirectDefense's claims as a gross misrepresentation of what is actually going on. He says the data that DirectDefense claimed was leaked had in fact been shared voluntarily by customers, and that the feature which allows such sharing is off by default.

DirectDefense said its researchers had been able to harvest highly sensitive data belonging to several Fortune 1000 companies because Carbon Black's Cb Response tool had shared the data with cloud multi-scanner services such as Google's VirusTotal, where it became available to other subscribers.

The data included keys that would have let attackers take control of an organization's cloud instances or that would have let someone upload rogue applications to an organization's mobile app store, DirectDefense said. Also available via Cb Response was customer data, internal usernames, passwords, and network data belonging to Carbon Black customers as well as details about their communications infrastructure.

Jim Broome, president of DirectDefense, says security researchers at his company stumbled upon the data while investigating a potential data breach at a customer site last year. When they used a cloud multi-scanner service to search for some malware samples, they found several completely unrelated files that upon closer inspection turned out to be from Carbon Black's customers.

Further investigation revealed that Cb Response had uploaded hundreds of thousands of files, representing terabytes of data on Carbon Black's customers to the multi-scanner service, he says.

The issue, according to both Carbon Black and DirectDefense, has to do with the way Cb Response vets the security of new and previously unseen files. Like many EDR tools, Cb Response routinely monitors and inspects a wide range of binaries related to activity on endpoint devices.

Whenever the tool encounters an unknown or suspicious binary, it can automatically send the file to cloud-based scanning services such as VirusTotal for further analysis, to determine whether the file is malicious and should be blocked. Such scanning is common to many EDR products, and the files submitted to these services are typically retained and made available to other subscribers.

The problem, Broome says, is that the files automatically sent to cloud multi-scanner services often contain very sensitive data of the sort DirectDefense harvested. For example, if Cb Response is deployed across an application development environment, it may upload a freshly built executable to a cloud multi-scanner each time new code is compiled.

Such files can contain a lot of sensitive data that an organization might not even begin to realize is being uploaded to a multi-scanner service and then made available to any paid subscriber of these services.

For example, researchers from DirectDefense were able to recover identity and access management credentials for a large streaming media company's AWS instance that Cb Response had shared on a multi-scanner service. Similarly, they found hardcoded AWS and Azure keys belonging to a social media company, and shared AWS keys that provided access to customer data belonging to a financial services company, Broome says.
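The kind of pre-upload check a practitioner would want before enabling binary sharing, written here as an added example and not code from Carbon Black, DirectDefense, or any multi-scanner: it pulls printable strings out of a build artifact the way strings(1) does, flags embedded credential shapes, and lets only the hash leave the network when something is found. The AWS access key ID format (20 characters, AKIA or ASIA prefix) is documented by AWS; the 40-character secret-key pattern and the Azure AccountKey pattern are heuristics assumed here, and the sample binaries and the keys baked into them (AWS's published example credentials) are constructed for the demonstration.

```python
import hashlib
import re

# Credential shapes commonly compiled into build artifacts. The AWS access key ID
# format is documented by AWS; the 40-char secret and the Azure AccountKey
# patterns are heuristics assumed for this example and will produce some noise.
PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])"),
    "azure_account_key": re.compile(rb"AccountKey=[A-Za-z0-9+/=]{20,}"),
}


def printable_strings(data: bytes, min_len: int = 8):
    """Yield runs of printable ASCII of at least min_len bytes, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, data):
        yield m.group()


def find_secrets(data: bytes):
    """Return (pattern_name, matched_text) for every credential-shaped string."""
    hits = []
    for s in printable_strings(data):
        for name, pat in PATTERNS.items():
            for m in pat.finditer(s):
                hits.append((name, m.group().decode("ascii")))
    return hits


def triage(data: bytes):
    """Decide what may leave the network: the hash can always be looked up;
    the binary itself is uploaded only when no credential shape was found."""
    findings = find_secrets(data)
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "findings": findings,
        "upload_binary": not findings,
    }


# Constructed sample "binaries": filler bytes plus a config blob baked in at
# build time. The key values are AWS's published example credentials.
SAMPLE_CLEAN = bytes(range(256)) * 4 + b"Copyright 2017 Example Corp\x00"
SAMPLE_LEAKY = (
    bytes(range(256)) * 2
    + b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + bytes(range(256))
)

if __name__ == "__main__":
    for label, blob in ("clean", SAMPLE_CLEAN), ("leaky", SAMPLE_LEAKY):
        result = triage(blob)
        print(label, result["sha256"][:16],
              "upload_binary=%s" % result["upload_binary"])
        for name, value in result["findings"]:
            print("  withheld:", name, value)
```

Run over a directory of build outputs, this is the inventory Broome is asking for: it tells you which artifacts would carry credentials to a multi-scanner before any sharing feature is switched on. The secret-key heuristic will flag some base64 blobs that are not keys; for a pre-upload gate that errs on the side of withholding the binary, that is the right failure direction.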

"The key point is for Carbon Black customers to be aware of the use of their data," Broome says. Cloud multi-scanning services of the sort that Cb Response taps can be incredibly useful in identifying new and unknown threats, he admits.

But before organizations turn such tools on, they need to know what data is being collected and uploaded to cloud scanning services that are accessible to anyone with a subscription. "What seems to have gotten lost is the issue of educating the customer base" on where and when such scanning is useful, he says.

Carbon Black's Viscuso says DirectDefense's blog completely misses the fact that data sharing with scanning services is an optional feature. Cb Response can upload unknown binaries to the VirusTotals of the world, but that capability is turned off by default.

Carbon Black has explicit warnings about the risks organizations face when enabling Cb Response to share data with VirusTotal, and customers have to opt in twice, separately, he says. The warnings spell out what happens when customers enable the sharing and note that any binaries uploaded to VirusTotal will be made available to others.

In fact, Carbon Black specifically recommends that organizations should not enable the sharing of binaries related to sensitive applications, Viscuso says.

Unlike many other EDR vendors, Carbon Black goes to the extent of recommending that even hashes not be shared in such environments. "We are very explicit about the risks," Viscuso says. "In fact, we were actually nervous it was too much information," and would scare customers from enabling the sharing at all, he says.

In the few instances where a customer wanted data that was shared with VirusTotal to be removed, Carbon Black has been able to get the scanning service to do it, he claims.

Cloud multi-scanners can be extremely useful, he says, but it is up to the organizations themselves to decide how and when they want to use them. "We believe that security organizations are very intelligent and we shouldn't stand in their way and make risk decisions for them."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.