Application Security

8/9/2017
06:00 PM
Carbon Black Refutes Claims of Flaw in its EDR Product

Endpoint security firm responds to DirectDefense's report, noting that the information was shared voluntarily via a feature in the product that comes disabled by default.

A security service provider's sensational claim this week that an endpoint detection and response (EDR) product from Carbon Black was leaking terabytes of sensitive customer data has drawn attention to how closely organizations need to understand what their security controls actually do with their data.

DirectDefense Inc., which discovered the supposed leak, described it as the "largest pay-for-play data exfiltration botnet" and pinned the blame for it on a fundamental flaw in Carbon Black's EDR architecture.

But Carbon Black co-founder and CTO Michael Viscuso characterized DirectDefense's claims as a gross misrepresentation of what is actually going on. He says the data DirectDefense claimed was leaked was data that customers had chosen to share, through a feature that is off by default.

DirectDefense Inc. said its researchers had been able to harvest highly sensitive data belonging to several Fortune 1000 companies because Carbon Black's Cb Response tool was publicly sharing the data with cloud multi-scanner services such as Google's VirusTotal.

The data included keys that would have let attackers take control of an organization's cloud instances or that would have let someone upload rogue applications to an organization's mobile app store, DirectDefense said. Also available via Cb Response was customer data, internal usernames, passwords, and network data belonging to Carbon Black customers as well as details about their communications infrastructure.

Jim Broome, president of DirectDefense, says security researchers at his company stumbled upon the data while investigating a potential data breach at a customer site last year. When they used a cloud multi-scanner service to search for some malware samples, they found several completely unrelated files that upon closer inspection turned out to be from Carbon Black's customers.

Further investigation revealed that Cb Response had uploaded hundreds of thousands of files, representing terabytes of data belonging to Carbon Black's customers, to the multi-scanner service, he says.

The issue, according to both Carbon Black and DirectDefense, has to do with the way Cb Response vets the security of new and previously unseen files. Like many EDR tools, Cb Response routinely monitors and inspects a wide range of binaries related to activity on endpoint devices.

When the sharing feature is enabled and the tool encounters an unknown or suspicious binary, it automatically sends the file for further analysis to cloud-based scanning services such as VirusTotal to determine whether the file is good or bad and needs to be blocked. Such scanning is common to many EDR products.

The problem, Broome says, is that often, the files that get automatically sent for scanning to cloud multi-scanner services can contain very sensitive data of the sort DirectDefense harvested. For example, if Cb Response is deployed across an application development environment, it might upload executables to a cloud multi-scanner each time a new piece of code is compiled.

Such files can contain a lot of sensitive data that an organization might not even begin to realize is being uploaded to a multi-scanner service and then made available to any paid subscriber of these services.

For example, researchers from DirectDefense were able to recover identity and access management credentials for a large streaming media company's AWS instance that Cb Response had shared on a multi-scanner service. Similarly, they found hardcoded AWS and Azure keys belonging to a social media company, and AWS keys that provided access to customer data belonging to a financial services company, Broome says.
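The two preceding passages describe the failure mode: a build pipeline emits executables with cloud credentials compiled in, and an EDR tool configured to share unknown binaries then hands those executables to a multi-scanner where any subscriber can pull them. The block below is an added illustration written for this page, not code from Carbon Black, DirectDefense or Cb Response. It sweeps the raw bytes of a binary for the credential formats the article mentions (AWS access key IDs with a nearby secret key, and Azure storage connection strings) and acts as a hold-or-submit gate in front of any "send to multi-scanner" step. The regexes, the proximity window, the hex-digest heuristic and the sample binaries are all constructed for the example; the AWS values are the placeholder credentials from AWS's own documentation and the Azure key is the publicly documented storage-emulator key, so nothing here is a real secret.

```python
"""Pre-submission credential sweep for binaries destined for a cloud multi-scanner.

Added example, not Carbon Black's or DirectDefense's code. Patterns, window
size, heuristics and sample bytes are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# AWS access key IDs have a public, fixed format: AKIA (long-term) or ASIA
# (temporary) followed by 16 upper-case alphanumerics.
AWS_ACCESS_KEY_ID = re.compile(rb"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")

# AWS secret access keys are 40 characters of base64-style text. On its own
# that pattern is far too noisy, so a hit only counts when it sits within a
# window of an access key ID (the pair is what an attacker needs).
AWS_SECRET_CANDIDATE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")

# Azure storage connection strings carry the account key inline.
AZURE_CONN_STRING = re.compile(
    rb"DefaultEndpointsProtocol=https?;AccountName=[^;]+;AccountKey=[A-Za-z0-9+/=]{20,}"
)


@dataclass(frozen=True)
class Finding:
    kind: str
    offset: int
    preview: str  # redacted: a finding must never re-leak the secret into logs


def redact(secret: bytes) -> str:
    """Keep only enough of the value to locate it in the binary by hand."""
    s = secret.decode("ascii", "replace")
    return f"{s[:4]}...{s[-4:]}"


def _plausible_secret(candidate: bytes) -> bool:
    """Heuristic: a 40-char run that is pure hex is almost always a SHA-1 digest,
    not a key. Real AWS secret keys are mixed-case base64-style text."""
    has_lower = any(0x61 <= b <= 0x7A for b in candidate)
    has_upper = any(0x41 <= b <= 0x5A for b in candidate)
    return has_lower and has_upper


def scan_blob(blob: bytes, window: int = 256) -> list[Finding]:
    """Return redacted findings for embedded cloud credentials in raw bytes."""
    findings: list[Finding] = []
    seen_secret_offsets: set[int] = set()
    for m in AWS_ACCESS_KEY_ID.finditer(blob):
        findings.append(Finding("aws_access_key_id", m.start(), redact(m.group())))
        # Look for the matching secret only in the neighbourhood of the key ID.
        lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
        for s in AWS_SECRET_CANDIDATE.finditer(blob, lo, hi):
            if s.start() in seen_secret_offsets or not _plausible_secret(s.group()):
                continue
            seen_secret_offsets.add(s.start())
            findings.append(Finding("aws_secret_access_key", s.start(), redact(s.group())))
    for m in AZURE_CONN_STRING.finditer(blob):
        findings.append(Finding("azure_storage_connection_string", m.start(), redact(m.group())))
    return findings


def allow_submission(blob: bytes) -> bool:
    """Gate for a 'share unknown binary with a multi-scanner' step: True only if clean."""
    return not scan_blob(blob)


# Constructed sample: a fake ELF image whose data section carries the kind of
# configuration a build can bake in. Values are public documentation placeholders.
SAMPLE_BUILD_OUTPUT = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9 + b"\x00" * 64
    + b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\x00"
    + b"AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\x00"
    + b"BLOB_CONN=DefaultEndpointsProtocol=https;AccountName=devstoreaccount1;"
    b"AccountKey=Eby8vdM02xNOcqFlqUwJPLlmEtlCDXJ1OUzFT50uSRZ6IFsuFq2UVErCz4I6tq/K1SZFPTOtr/KBHBeksoGMGw==\x00"
    + b"release build 2017-08-09\x00"
)

# Constructed sample with no credentials: should pass the gate.
SAMPLE_CLEAN_BINARY = b"\x7fELF\x02\x01\x01" + b"\x00" * 73 + b"hello world\x00https://example.com/api/v1\x00"

# Constructed sample: key ID beside a SHA-1 hex digest, to show the digest is not
# mistaken for the secret key.
SAMPLE_KEY_ID_NEAR_DIGEST = b"AKIAIOSFODNN7EXAMPLE\x00da39a3ee5e6b4b0d3255bfef95601890afd80709\x00"


if __name__ == "__main__":
    for name, blob in [("build-output", SAMPLE_BUILD_OUTPUT), ("clean", SAMPLE_CLEAN_BINARY)]:
        hits = scan_blob(blob)
        print(f"{name}: {'submit' if not hits else 'HOLD'}")
        for f in hits:
            print(f"  {f.kind} @0x{f.offset:x} {f.preview}")
```

Running this on a build directory before enabling binary sharing is the kind of check the article says customers were missing: it does not make a multi-scanner safe to use, it tells you which artifacts must never reach one. Treat any hold as a credential-rotation event, not just a submission failure, because the same binary has usually already been copied elsewhere.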

"The key point is for Carbon Black customers to be aware of the use of their data," Broome says. Cloud multi-scanning services of the sort that Cb Response taps can be incredibly useful in identifying new and unknown threats, he admits.

But before organizations turn such tools on, they need to know what data is being collected and uploaded to cloud scanning services that are accessible to anyone with a subscription. "What seems to have gotten lost is the issue of educating the customer base" about where and when such scanning is useful, he says.

Carbon Black's Viscuso says DirectDefense's blog completely misses the fact that data sharing with scanning services is an optional feature. Cb Response can upload unknown binaries to the VirusTotals of the world, but that capability is turned off by default.

Carbon Black in fact gives explicit warnings about the risks organizations face when they enable Cb Response to share data with VirusTotal, and customers have to opt in twice, in two separate steps, he says. The warnings spell out what happens when customers enable sharing and note that any binaries uploaded to VirusTotal will be made available to others.

In fact, Carbon Black specifically recommends that organizations should not enable the sharing of binaries related to sensitive applications, Viscuso says.

Unlike many other EDR vendors, Carbon Black goes so far as to recommend that even hashes not be shared in such environments. "We are very explicit about the risks," Viscuso says. "In fact, we were actually nervous it was too much information," and would scare customers away from enabling the sharing at all, he says.

In the few instances where a customer wanted data that had been shared with VirusTotal removed, Carbon Black has been able to get the scanning service to do so, he says.

Cloud multi-scanners can be extremely useful, he says, but it is up to the organizations themselves to decide how and when to use them. "We believe that security organizations are very intelligent and we shouldn't stand in their way and make risk decisions for them."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...