Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/27/2013
05:55 PM
Commentary
Commentary
Commentary
50%
50%

Confidential Submission To The Antivirus Cloud

Would a government intelligence agency want your antivirus telemetry?

Host-based antivirus solutions have continued to shift much of their pre-emptive detection technology into the cloud -- reducing the burden on the beleaguered desktop operating system and promoting a global perspective of the threat. But in the wake of governmental Internet monitoring programs, more questions than answers are arising about who sees what, and precisely what do they do with this raw but likely confidential information.

I remember an incident about five years ago that raised more than a few eyebrows. A team had completed the analysis of a high-profile botnet criminal gang -- enumerating all the key members, identifying their personal addresses, bank accounts, etc. -- and had crafted a special report that we wanted to share with law enforcement. The problem was that, even as a compressed archive, the file was too large for the law enforcement team to receive as an email attachment. I'm sure most of us have been in similar circumstances, and IT teams all around the world ended up doing the same thing occasionally -- we encrypted the file, uploaded it to our nonpublic website, crafted a special (i.e., custom) URL for the file, and emailed the URL to our key law enforcement contact. The officer then followed the link, downloaded the file, informed us that he'd safely downloaded the file, and we promptly deleted it from the website. All in all, it's a fairly secure method of transferring large files -- if a little cumbersome.

The interesting thing, though, was that after looking at the Web logs, it was noticed that the file was downloaded twice -- once from an IP address associated with the law enforcement office, and the second time by an IP address in the Philippines. Not something that was expected, and definitely a little worrying at the time.

The cause of the second download from the mystery Philippines IP address lay with the desktop antivirus suite the law enforcement officer was running on his computer. He had had the "cloud-based" enhanced security features enabled, and essentially his antivirus product had intercepted the URL he had followed to download the file; since the URL was unknown and unclassified by the suite's reputation system, it was submitted to the cloud for further analysis. So, while he was downloading the file, his antivirus provider was simultaneously downloading the file to its servers in the Philippines in order to classify the URL, and to also scan the large file with a more advanced mix of antiviral tools. Just as well the file was encrypted!

Rest assured, the law enforcement officer (and no doubt everyone he worked with) took quick steps to turn off this feature of their antivirus suite to prevent future slip-ups. Given the confidential nature of the files they may have been receiving on a daily basis and the URLs they may have been visiting or investigating at any point in time -- "disclosure" of that information could have had a significant effect on many of the cases they were working on.

Fast-forward to today, and I think that most people will struggle to locate the settings within their antivirus suite that turn off the cloud-based submission system, and will probably find that their suite relies more on the cloud for protection than ever before. By turning off the cloud-based assistance, they'd likely have less local antivirus capabilities than products of five or more years ago.

I suspect that many corporate users can appreciate the sometimes problem of confidential and personal files being passed to the cloud, where some remote system or cluster of analysts will eventually peruse and pass judgment on its maliciousness.

Some additional questions you need to factor into the equation are how long those files will remain accessible, who can view the files, and whether the files (or metadata) are made available to third-parties.

If you take the time to read through most antivirus suite EULAs and software licenses, you'll probably be hard-pressed to find the clauses pertaining to the data you submit to a vendor's cloud. This will probably be concerning to the CIOs of most businesses out there. After investing in perimeter defenses and smart filters to prevent data leakage, here's a route that you've probably contractually agreed to, but had no idea that you had.

While the egress of confidential files and their contents may be worrying, I'd be just as concerned about the URL reputation systems -- and the Web links that each PC, laptop, or other antivirus protected device is browsing each day, which are, in turn, being sent back as telemetry data to the antivirus vendor. This is likely a rich dataset for outsiders trying to understand your business.

Think about the way your organization uses and accesses the Internet (in the office, on the road, and from home). New business deals, supply chain vendors, competitor analysis, internal resource URLs, etc. -- all insight that can be garnered from the metadata easily enough. This is a dataset considerably richer than the likes of Google or Yahoo can piece together -- because the host-based antivirus has visibility at a per-user, per-host, level.

In the wake of many of the NSA metadata collection revelations, it would be prudent to assume that the intelligence agencies of many countries would dearly like to have the data being harvested by your chosen antivirus suite -- a dataset that you probably consented to providing when you installed the software package. Now factor into the equation that your chosen antivirus vendor is likely headquartered in the Philippines, Romania, Czech Republic, Russia, United Kingdom, Finland, or elsewhere around the planet, and you may be feeling a cold chill down the back of your neck.

I'm not saying that any of the antivirus vendors conspire with government agencies to share their collected intelligence, but if there's one thing the recent revelations should make you appreciate, it should be that most governments have ample legal rights and privileges to obtain this information from the companies within their jurisdiction when they feel the need to. With that in mind, I'd advise CIOs and CSOs to carefully review their practice for cloud submissions and be prudent in their overall choice of antivirus vendor.

Gunter Ollmann, CTO, IOActive Inc.

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Hacking It as a CISO: Advice for Security Leadership
Kelly Sheridan, Staff Editor, Dark Reading,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 New Cybersecurity Vulnerabilities That Could Put Your Enterprise at Risk
In this Dark Reading Tech Digest, we look at the ways security researchers and ethical hackers find critical vulnerabilities and offer insights into how you can fix them before attackers can exploit them.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-17475
PUBLISHED: 2020-08-14
Lack of authentication in the network relays used in MEGVII Koala 2.9.1-c3s allows attackers to grant physical access to anyone by sending packet data to UDP port 5000.
CVE-2020-0255
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2020-10751. Reason: This candidate is a duplicate of CVE-2020-10751. Notes: All CVE users should reference CVE-2020-10751 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-14353
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-18270. Reason: This candidate is a duplicate of CVE-2017-18270. Notes: All CVE users should reference CVE-2017-18270 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidenta...
CVE-2020-17464
PUBLISHED: 2020-08-14
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2020-17473
PUBLISHED: 2020-08-14
Lack of mutual authentication in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to obtain a long-lasting token by impersonating the server.