Earlier this week, a report citing “terabytes of leaked content” was released by cybersecurity firm DirectDefense. In this report, the firm lambasted Carbon Black (a well-respected endpoint security provider) for purportedly making vast amounts of user data publicly visible on an automated basis. Using language like “Welcome to the world’s largest pay-for-play data exfiltration botnet,” DirectDefense claims that all Carbon Black customers are at risk of massive data breaches.
The story quickly reached the media — as is typically the case when the words “terabytes of data” are thrown around — and spread through infosec circles rapidly. There was only one issue, however:
Every single file contained in the “leak” was uploaded due to an optional, off-by-default setting enabled by the “victim” users.
The product in question, Cb Response, is a cloud-based solution to identify potentially malicious binary files on a protected system. Included in this software is a feature where unrecognized files can be checked against the VirusTotal database to see if other services have reported them as malicious. This can be done in two ways: either by testing a unique hash of the file, or by directly uploading the file to VirusTotal and testing it there.
DirectDefense’s “breach” lies in the fact that VirusTotal makes tested files visible to users, which is a key component in how the service works — it’s an aggregate provider for a number of security services, allowing distributed virus identification across platforms.
It shouldn’t need to be noted, but yes, it’s not secure to send proprietary files to a third party location where they can be accessed by the public. However, Carbon Black makes no mistake in informing their users of the privacy concerns of this feature. The following is a small excerpt of the warning shown to Cb Response’s users who wish to enable this feature:
In case you missed it, the line “VirusTotal also makes the files available to VirusTotal partners” should be a pretty big indicator that it’s not a setting to enable if you’re hosting sensitive data. This “data leak” was the fault of the sysadmins configuring the software and not reading the manual, not an inexcusable vulnerability by the developers.
We now move to the subject of Responsible Disclosure. You can read the Wikipedia article about it but it’s pretty simple to sum up: If you find a security vulnerability in a system or application, inform the people who are responsible for it. This allows the responsible party to develop and release a fix for the vulnerability before you publish your findings to the public. You still get to take credit for the discovery, but with the added benefit of allowing potential future victims to receive security patches before the exploit is released in the wild.
DirectDefense apparently disagrees with this concept. In Carbon Black’s official response, CTO Michael Viscuso stated:
“However, it is important to note that Carbon Black was not informed about this issue by DirectDefense prior to publication of the blog to validate their findings. For example, the blog asserts that this is an architectural flaw in all Cb products. To the contrary, this is exclusively a Cb Response feature – not included in Cb Protection or Cb Defense. It is also not a foundational architectural flaw. It is a feature, off by default, with many options to ensure privacy, and a detailed warning before enabling. “
If DirectDefense had followed basic responsible disclosure standards, it’s pretty likely they’d have received this information as a reply. It’s not exciting to hear that your research’s findings aren’t accurate, but it’s certainly a better alternative than putting your foot in your mouth on a global scale.
A Conflict of Interest?
It’s possible, however, that DirectDefense simply didn’t care about the accuracy of the report. Bad publicity tends to stick, even when later disproved, and Carbon Black happens to be a direct competitor of DirectDefense’s partner company, Cylance:
Making massive, twenty-percent-accurate accusations publicly about the enemy of your friend is a pretty weak business move, in my opinion. The cybersecurity industry, above all, is based in reputation and trust. This is true both for businesses and for individuals in the industry. DirectDefense, in a single blog post, has lost the respect of an industry. We’ll see if companies outside of the security-specific sphere find it relevant in time.