Attacks/Breaches
8/27/2013
05:55 PM
Gunter Ollmann
Gunter Ollmann
Commentary
Connect Directly
RSS
E-Mail
50%
50%
Repost This

Confidential Submission To The Antivirus Cloud

Would a government intelligence agency want your antivirus telemetry?

Host-based antivirus solutions have continued to shift much of their pre-emptive detection technology into the cloud -- reducing the burden on the beleaguered desktop operating system and promoting a global perspective of the threat. But in the wake of governmental Internet monitoring programs, more questions than answers are arising about who sees what, and precisely what do they do with this raw but likely confidential information.

I remember an incident about five years ago that raised more than a few eyebrows. A team had completed the analysis of a high-profile botnet criminal gang -- enumerating all the key members, identifying their personal addresses, bank accounts, etc. -- and had crafted a special report that we wanted to share with law enforcement. The problem was that, even as a compressed archive, the file was too large for the law enforcement team to receive as an email attachment. I'm sure most of us have been in similar circumstances, and IT teams all around the world ended up doing the same thing occasionally -- we encrypted the file, uploaded it to our nonpublic website, crafted a special (i.e., custom) URL for the file, and emailed the URL to our key law enforcement contact. The officer then followed the link, downloaded the file, informed us that he'd safely downloaded the file, and we promptly deleted it from the website. All in all, it's a fairly secure method of transferring large files -- if a little cumbersome.

The interesting thing, though, was that after looking at the Web logs, it was noticed that the file was downloaded twice -- once from an IP address associated with the law enforcement office, and the second time by an IP address in the Philippines. Not something that was expected, and definitely a little worrying at the time.

The cause of the second download from the mystery Philippines IP address lay with the desktop antivirus suite the law enforcement officer was running on his computer. He had had the "cloud-based" enhanced security features enabled, and essentially his antivirus product had intercepted the URL he had followed to download the file; since the URL was unknown and unclassified by the suite's reputation system, it was submitted to the cloud for further analysis. So, while he was downloading the file, his antivirus provider was simultaneously downloading the file to its servers in the Philippines in order to classify the URL, and to also scan the large file with a more advanced mix of antiviral tools. Just as well the file was encrypted!

Rest assured, the law enforcement officer (and no doubt everyone he worked with) took quick steps to turn off this feature of their antivirus suite to prevent future slip-ups. Given the confidential nature of the files they may have been receiving on a daily basis and the URLs they may have been visiting or investigating at any point in time -- "disclosure" of that information could have had a significant effect on many of the cases they were working on.

Fast-forward to today, and I think that most people will struggle to locate the settings within their antivirus suite that turn off the cloud-based submission system, and will probably find that their suite relies more on the cloud for protection than ever before. By turning off the cloud-based assistance, they'd likely have less local antivirus capabilities than products of five or more years ago.

I suspect that many corporate users can appreciate the sometimes problem of confidential and personal files being passed to the cloud, where some remote system or cluster of analysts will eventually peruse and pass judgment on its maliciousness.

Some additional questions you need to factor into the equation are how long those files will remain accessible, who can view the files, and whether the files (or metadata) are made available to third-parties.

If you take the time to read through most antivirus suite EULAs and software licenses, you'll probably be hard-pressed to find the clauses pertaining to the data you submit to a vendor's cloud. This will probably be concerning to the CIOs of most businesses out there. After investing in perimeter defenses and smart filters to prevent data leakage, here's a route that you've probably contractually agreed to, but had no idea that you had.

While the egress of confidential files and their contents may be worrying, I'd be just as concerned about the URL reputation systems -- and the Web links that each PC, laptop, or other antivirus protected device is browsing each day, which are, in turn, being sent back as telemetry data to the antivirus vendor. This is likely a rich dataset for outsiders trying to understand your business.

Think about the way your organization uses and accesses the Internet (in the office, on the road, and from home). New business deals, supply chain vendors, competitor analysis, internal resource URLs, etc. -- all insight that can be garnered from the metadata easily enough. This is a dataset considerably richer than the likes of Google or Yahoo can piece together -- because the host-based antivirus has visibility at a per-user, per-host, level.

In the wake of many of the NSA metadata collection revelations, it would be prudent to assume that the intelligence agencies of many countries would dearly like to have the data being harvested by your chosen antivirus suite -- a dataset that you probably consented to providing when you installed the software package. Now factor into the equation that your chosen antivirus vendor is likely headquartered in the Philippines, Romania, Czech Republic, Russia, United Kingdom, Finland, or elsewhere around the planet, and you may be feeling a cold chill down the back of your neck.

I'm not saying that any of the antivirus vendors conspire with government agencies to share their collected intelligence, but if there's one thing the recent revelations should make you appreciate, it should be that most governments have ample legal rights and privileges to obtain this information from the companies within their jurisdiction when they feel the need to. With that in mind, I'd advise CIOs and CSOs to carefully review their practice for cloud submissions and be prudent in their overall choice of antivirus vendor.

Gunter Ollmann, CTO, IOActive Inc. Gunter Ollmann serves as CTO for IOActive Inc. where he is responsible for the strategic vision of the security services portfolio, driving new research areas and bringing new services to market. With over two decades in the information security arena, Gunter has stared down ... View Full Bio

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-3946
Published: 2014-04-24
Cisco IOS before 15.3(2)S allows remote attackers to bypass interface ACL restrictions in opportunistic circumstances by sending IPv6 packets in an unspecified scenario in which expected packet drops do not occur for "a small percentage" of the packets, aka Bug ID CSCty73682.

CVE-2012-5723
Published: 2014-04-24
Cisco ASR 1000 devices with software before 3.8S, when BDI routing is enabled, allow remote attackers to cause a denial of service (device reload) via crafted (1) broadcast or (2) multicast ICMP packets with fragmentation, aka Bug ID CSCub55948.

CVE-2013-6738
Published: 2014-04-24
Cross-site scripting (XSS) vulnerability in IBM SmartCloud Analytics Log Analysis 1.1 and 1.2 before 1.2.0.0-CSI-SCALA-IF0003 allows remote attackers to inject arbitrary web script or HTML via an invalid query parameter in a response from an OAuth authorization endpoint.

CVE-2014-2391
Published: 2014-04-24
The password recovery service in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 makes an improper decision about the sensitivity of a string representing a previously used but currently invalid password, which allows remote attackers to obtain potent...

CVE-2014-2392
Published: 2014-04-24
The E-Mail autoconfiguration feature in Open-Xchange AppSuite before 7.2.2-rev20, 7.4.1 before 7.4.1-rev11, and 7.4.2 before 7.4.2-rev13 places a password in a GET request, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer log...

Best of the Web