I remember an incident about five years ago that raised more than a few eyebrows. A team had completed the analysis of a high-profile botnet criminal gang -- enumerating all the key members, identifying their personal addresses, bank accounts, etc. -- and had crafted a special report that we wanted to share with law enforcement. The problem was that, even as a compressed archive, the file was too large for the law enforcement team to receive as an email attachment. I'm sure most of us have been in similar circumstances, and IT teams all around the world ended up doing the same thing occasionally -- we encrypted the file, uploaded it to our nonpublic website, crafted a special (i.e., custom) URL for the file, and emailed the URL to our key law enforcement contact. The officer then followed the link, downloaded the file, informed us that he'd safely downloaded the file, and we promptly deleted it from the website. All in all, it's a fairly secure method of transferring large files -- if a little cumbersome.
The interesting thing, though, was that after looking at the Web logs, it was noticed that the file was downloaded twice -- once from an IP address associated with the law enforcement office, and the second time by an IP address in the Philippines. Not something that was expected, and definitely a little worrying at the time.
The cause of the second download from the mystery Philippines IP address lay with the desktop antivirus suite the law enforcement officer was running on his computer. He had had the "cloud-based" enhanced security features enabled, and essentially his antivirus product had intercepted the URL he had followed to download the file; since the URL was unknown and unclassified by the suite's reputation system, it was submitted to the cloud for further analysis. So, while he was downloading the file, his antivirus provider was simultaneously downloading the file to its servers in the Philippines in order to classify the URL, and to also scan the large file with a more advanced mix of antiviral tools. Just as well the file was encrypted!
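The duplicate-download symptom described above can be caught from the hosting server's own access log. The following is an added example, not code from the original post: the log lines are constructed (documentation IP ranges, made-up path), and the one-time URL prefix `/x/` and the recipient's IP are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access log (Apache combined format) mirroring the incident:
# the one-time URL is fetched by the intended recipient, then again minutes later
# by a different client. All IPs are documentation addresses, not real hosts.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2013:10:04:11 +0000] "GET /x/7f3a9c-report.7z HTTP/1.1" 200 52428800 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Mar/2013:10:05:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.77 - - [12/Mar/2013:10:06:40 +0000] "GET /x/7f3a9c-report.7z HTTP/1.1" 200 52428800 "-" "AV-CloudScanner/2.1"
203.0.113.10 - - [12/Mar/2013:10:30:15 +0000] "GET /x/b2c4d6-notes.7z HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.5 - - [12/Mar/2013:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Yield one dict per well-formed combined-format line; skip malformed lines."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def audit_onetime_downloads(log_text, onetime_prefix, allowed_ips):
    """Summarise successful GETs of one-time URLs under onetime_prefix.

    Returns {path: {"downloads": n, "unexpected": [ips]}} for every path that was
    fetched more than once or by a client outside allowed_ips; either condition
    means the link has travelled beyond its intended recipient."""
    stats = defaultdict(lambda: {"downloads": 0, "unexpected": []})
    for rec in parse_log(log_text):
        if rec["method"] != "GET" or rec["status"] != "200":
            continue
        if not rec["path"].startswith(onetime_prefix):
            continue
        entry = stats[rec["path"]]
        entry["downloads"] += 1
        if rec["ip"] not in allowed_ips:
            entry["unexpected"].append(rec["ip"])
    return {p: e for p, e in stats.items() if e["downloads"] > 1 or e["unexpected"]}

if __name__ == "__main__":
    # Assumed: the recipient's office egress IP is the only client allowed to fetch.
    for path, e in audit_onetime_downloads(SAMPLE_LOG, "/x/", {"203.0.113.10"}).items():
        print(f"ALERT {path}: {e['downloads']} downloads, unexpected clients {e['unexpected']}")
```

Pairing the alert with the User-Agent of the unexpected client (kept in each parsed record) is usually enough to tell a cloud scanner from a human visitor.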
Rest assured, the law enforcement officer (and no doubt everyone he worked with) took quick steps to turn off this feature of their antivirus suite to prevent future slip-ups. Given the confidential nature of the files they may have been receiving on a daily basis, and the URLs they may have been visiting or investigating at any point in time, "disclosure" of that information could have had a significant effect on many of the cases they were working on.
Fast-forward to today, and I think that most people will struggle to locate the settings within their antivirus suite that turn off the cloud-based submission system, and will probably find that their suite relies more on the cloud for protection than ever before. By turning off the cloud-based assistance, they'd likely have less local antivirus capabilities than products of five or more years ago.
I suspect that many corporate users can appreciate the occasional problem of confidential and personal files being passed to the cloud, where some remote system or cluster of analysts will eventually peruse them and pass judgment on their maliciousness.
Some additional questions you need to factor into the equation are how long those files will remain accessible, who can view the files, and whether the files (or their metadata) are made available to third parties.
If you take the time to read through most antivirus suite EULAs and software licenses, you'll probably be hard-pressed to find the clauses pertaining to the data you submit to a vendor's cloud. This will probably be concerning to the CIOs of most businesses out there. After investing in perimeter defenses and smart filters to prevent data leakage, here's a route that you've probably contractually agreed to, but had no idea that you had.
While the egress of confidential files and their contents may be worrying, I'd be just as concerned about the URL reputation systems -- and the Web links that each PC, laptop, or other antivirus-protected device is browsing each day, which are, in turn, being sent back as telemetry data to the antivirus vendor. This is likely a rich dataset for outsiders trying to understand your business.
Think about the way your organization uses and accesses the Internet (in the office, on the road, and from home). New business deals, supply chain vendors, competitor analysis, internal resource URLs, etc. -- all insight that can be garnered from the metadata easily enough. This is a dataset considerably richer than the likes of Google or Yahoo can piece together -- because the host-based antivirus has visibility at a per-user, per-host level.
In the wake of many of the NSA metadata collection revelations, it would be prudent to assume that the intelligence agencies of many countries would dearly like to have the data being harvested by your chosen antivirus suite -- a dataset that you probably consented to providing when you installed the software package. Now factor into the equation that your chosen antivirus vendor is likely headquartered in the Philippines, Romania, Czech Republic, Russia, United Kingdom, Finland, or elsewhere around the planet, and you may be feeling a cold chill down the back of your neck.
I'm not saying that any of the antivirus vendors conspire with government agencies to share their collected intelligence, but if there's one thing the recent revelations should make you appreciate, it should be that most governments have ample legal rights and privileges to obtain this information from the companies within their jurisdiction when they feel the need to. With that in mind, I'd advise CIOs and CSOs to carefully review their practice for cloud submissions and be prudent in their overall choice of antivirus vendor.
Gunter Ollmann, CTO, IOActive Inc.