Attacks/Breaches
8/27/2013
05:55 PM
Gunter Ollmann
Gunter Ollmann
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Confidential Submission To The Antivirus Cloud

Would a government intelligence agency want your antivirus telemetry?

Host-based antivirus solutions have continued to shift much of their pre-emptive detection technology into the cloud -- reducing the burden on the beleaguered desktop operating system and promoting a global perspective of the threat. But in the wake of governmental Internet monitoring programs, more questions than answers are arising about who sees what, and precisely what do they do with this raw but likely confidential information.

I remember an incident about five years ago that raised more than a few eyebrows. A team had completed the analysis of a high-profile botnet criminal gang -- enumerating all the key members, identifying their personal addresses, bank accounts, etc. -- and had crafted a special report that we wanted to share with law enforcement. The problem was that, even as a compressed archive, the file was too large for the law enforcement team to receive as an email attachment. I'm sure most of us have been in similar circumstances, and IT teams all around the world ended up doing the same thing occasionally -- we encrypted the file, uploaded it to our nonpublic website, crafted a special (i.e., custom) URL for the file, and emailed the URL to our key law enforcement contact. The officer then followed the link, downloaded the file, informed us that he'd safely downloaded the file, and we promptly deleted it from the website. All in all, it's a fairly secure method of transferring large files -- if a little cumbersome.

The interesting thing, though, was that after looking at the Web logs, it was noticed that the file was downloaded twice -- once from an IP address associated with the law enforcement office, and the second time by an IP address in the Philippines. Not something that was expected, and definitely a little worrying at the time.

The cause of the second download from the mystery Philippines IP address lay with the desktop antivirus suite the law enforcement officer was running on his computer. He had had the "cloud-based" enhanced security features enabled, and essentially his antivirus product had intercepted the URL he had followed to download the file; since the URL was unknown and unclassified by the suite's reputation system, it was submitted to the cloud for further analysis. So, while he was downloading the file, his antivirus provider was simultaneously downloading the file to its servers in the Philippines in order to classify the URL, and to also scan the large file with a more advanced mix of antiviral tools. Just as well the file was encrypted!

Rest assured, the law enforcement officer (and no doubt everyone he worked with) took quick steps to turn off this feature of their antivirus suite to prevent future slip-ups. Given the confidential nature of the files they may have been receiving on a daily basis and the URLs they may have been visiting or investigating at any point in time -- "disclosure" of that information could have had a significant effect on many of the cases they were working on.

Fast-forward to today, and I think that most people will struggle to locate the settings within their antivirus suite that turn off the cloud-based submission system, and will probably find that their suite relies more on the cloud for protection than ever before. By turning off the cloud-based assistance, they'd likely have less local antivirus capabilities than products of five or more years ago.

I suspect that many corporate users can appreciate the sometimes problem of confidential and personal files being passed to the cloud, where some remote system or cluster of analysts will eventually peruse and pass judgment on its maliciousness.

Some additional questions you need to factor into the equation are how long those files will remain accessible, who can view the files, and whether the files (or metadata) are made available to third-parties.

If you take the time to read through most antivirus suite EULAs and software licenses, you'll probably be hard-pressed to find the clauses pertaining to the data you submit to a vendor's cloud. This will probably be concerning to the CIOs of most businesses out there. After investing in perimeter defenses and smart filters to prevent data leakage, here's a route that you've probably contractually agreed to, but had no idea that you had.

While the egress of confidential files and their contents may be worrying, I'd be just as concerned about the URL reputation systems -- and the Web links that each PC, laptop, or other antivirus protected device is browsing each day, which are, in turn, being sent back as telemetry data to the antivirus vendor. This is likely a rich dataset for outsiders trying to understand your business.

Think about the way your organization uses and accesses the Internet (in the office, on the road, and from home). New business deals, supply chain vendors, competitor analysis, internal resource URLs, etc. -- all insight that can be garnered from the metadata easily enough. This is a dataset considerably richer than the likes of Google or Yahoo can piece together -- because the host-based antivirus has visibility at a per-user, per-host, level.

In the wake of many of the NSA metadata collection revelations, it would be prudent to assume that the intelligence agencies of many countries would dearly like to have the data being harvested by your chosen antivirus suite -- a dataset that you probably consented to providing when you installed the software package. Now factor into the equation that your chosen antivirus vendor is likely headquartered in the Philippines, Romania, Czech Republic, Russia, United Kingdom, Finland, or elsewhere around the planet, and you may be feeling a cold chill down the back of your neck.

I'm not saying that any of the antivirus vendors conspire with government agencies to share their collected intelligence, but if there's one thing the recent revelations should make you appreciate, it should be that most governments have ample legal rights and privileges to obtain this information from the companies within their jurisdiction when they feel the need to. With that in mind, I'd advise CIOs and CSOs to carefully review their practice for cloud submissions and be prudent in their overall choice of antivirus vendor.

Gunter Ollmann, CTO, IOActive Inc. Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2008-3277
Published: 2014-04-15
Untrusted search path vulnerability in a certain Red Hat build script for the ibmssh executable in ibutils packages before ibutils-1.5.7-2.el6 in Red Hat Enterprise Linux (RHEL) 6 and ibutils-1.2-11.2.el5 in Red Hat Enterprise Linux (RHEL) 5 allows local users to gain privileges via a Trojan Horse p...

CVE-2010-2236
Published: 2014-04-15
The monitoring probe display in spacewalk-java before 2.1.148-1 and Red Hat Network (RHN) Satellite 4.0.0 through 4.2.0 and 5.1.0 through 5.3.0, and Proxy 5.3.0, allows remote authenticated users with permissions to administer monitoring probes to execute arbitrary code via unspecified vectors, rela...

CVE-2011-3628
Published: 2014-04-15
Untrusted search path vulnerability in pam_motd (aka the MOTD module) in libpam-modules before 1.1.3-2ubuntu2.1 on Ubuntu 11.10, before 1.1.2-2ubuntu8.4 on Ubuntu 11.04, before 1.1.1-4ubuntu2.4 on Ubuntu 10.10, before 1.1.1-2ubuntu5.4 on Ubuntu 10.04 LTS, and before 0.99.7.1-5ubuntu6.5 on Ubuntu 8.0...

CVE-2012-0214
Published: 2014-04-15
The pkgAcqMetaClearSig::Failed method in apt-pkg/acquire-item.cc in Advanced Package Tool (APT) 0.8.11 through 0.8.15.10 and 0.8.16 before 0.8.16~exp13, when updating from repositories that use InRelease files, allows man-in-the-middle attackers to install arbitrary packages by preventing a user fro...

CVE-2013-4768
Published: 2014-04-15
The web services APIs in Eucalyptus 2.0 through 3.4.1 allow remote attackers to cause a denial of service via vectors related to the "network connection clean up code" and (1) Cloud Controller (CLC), (2) Walrus, (3) Storage Controller (SC), and (4) VMware Broker (VB).

Best of the Web