Carbon Black denies its IT security guard system oozes customer secrets Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle. On Wednesday, security consultancy DirectDefense published a blog post alleging endpoint security vendor Carbon Black's Cb Response protection software would, once installed …
Why not just upload a sha hash of the file? Wouldn't that be sufficient to flag a known baddy? At least if it's not morphing itself.
AWS secrets can be pretty disastrous to lose, for example.
Some of these AV snakeoil salesmen vendors bring to mind the old adage that it's best not to see a doctor because if the disease hasn't killed you yet they're sure to.
I'm not familiar with the software, but there is probably many steps in the process. Taking a hash of the suspicious file and comparing it to known hashes is probably the first step. Only if it's not able to be identified is the actual file sent outside the network for further identification. Comparing hashes isn't a perfect solution, the file (possible virus) could be armored/polymorphic to avoid identification.
Carbon Black is in the right here. Somebody (DirectDefense) is trying to get their name in the news...
If Carbon Black's customer delt with "Top Secret" information/software (for example) they probably wouldn't enable this feature. The file would probably be flagged, and analyzed by companies internal security professionals.
You can choose between not uploading anything, just uploading a hash, or uploading the entire binary. Note that I say binary and not 'every file on your system', a keyfile won't be uploaded unless it's an executable.
About the only problem here is if you specifically decide to turn on the binary uploading (and the config window explicitly tells you about the possible drawbacks), and you have a custom application which contains hard coded credentials (why would you do that), then someone could pick through the binary on Virustotal and extract the credentials.
Uploading the hash apparently is the default. Someone turned it on.
The warning about what can happen if you turn on full binary upload is pretty explicit from what the Carbon Black blog showed. And if you throw stones in public with Irresponsible Disclosure...
DirectDefense probably should work on their own email security configuration:
"v=spf1 include:spf.protection.outlook.com include:aspmx.pardot.com -all"
equates to 379,653 IP addresses authorized to send email using their domain. Mass-email marketer and all Office 365 users. Not to worry, though. They've got it handled with DMARC:
_dmarc.directdefense.com: Non-existent domain
Good job on implementing DNSSEC to protect your customers and visitors from DNS spoofing as well:
Domain Name: DIRECTDEFENSE.COM
Name Server: NS55.DOMAINCONTROL.COM
Name Server: NS56.DOMAINCONTROL.COM
DNSSEC: unsigned
15 out of 100 is good, right? https://observatory.mozilla.org/analyze.html?host=www.directdefense.com
No, I do not work for either company nor have I ever done so. I simply don't like people who needlessly endanger others just to prove how smart they are. The real victims are the companies whose data was just put at risk because DirectDefense decided to go public first. I hope they just lost themselves some customers with that move.
At least some company named DirectDefense isn't being used as a reference for Cylance, a competitor of Carbon Black, or anything similar: https://www.cylance.com/cylanceprotect-achieves-hipaa-security-rule-compliance-certification
"The certification is made by DirectDefense, a leading provider of HIPAA/HITECH security assessment services to industries, such as healthcare and insurance, that process, store or transmit electronic protected health information (EPHI)."
Wait, what?
https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html?language=es
"It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation."
My opinion is the same as yours. "Snakeoil" hit it right on the head. They're all slimy in their own way.
Hey, check out the beautiful trophy-thingy here: https://blog.savagesec.com/words-have-meanings-dc925219bb8e
Cylance apparently picked DirectDefense as their 2016 Partner of the Year. Maybe this latest blog of theirs will win them the Cylance 2017 Advertising Partner of the Year.
That is an extremely well-balanced article on the entire data leakage problem as a whole.
I think your paranoia is unwarranted. Or at the least misdirected. It seems the company that irresponsibly went public with this first actually has some connection with one of Carbon Black's competitors. In either case, anyone who cares about security will, unless there are exceptional circumstances, notify the vendor first and allow time to respond.
"anyone who cares about security will, unless there are exceptional circumstances, notify the vendor first and allow time to respond."
Anyone who cares about security wouldn't upload their records to a third party 'cloud' service!
"Anyone who cares about security wouldn't upload their records to a third party 'cloud' service!"
Sure, forget about conducting actual risk assessments and the myriad of protective measures available, even in infrastructure you don't own. Everyone knows Cloud = bad, full stop.
/s
This is what bolsters DD's case for me, if it's true:
"Yes, we've seen this feature setting in the product and in the manual that stated this is off by default," the firm said in a followup blog post.
"However, the recommendations or messaging from Carbon Black's professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans."
Sounds like DD went to Cb, on behalf of a customer, to ask them how to setup Cb. Cb said to turn on the uploading without mentioning the risks. "This will make it faster" is something anyone would want, especially if no downsides are mentioned. If anything, Cb needs to train their customer reps to be more considerate of privacy and security concerns.
Of course, it's possible Cb did say that and DD didn't mention it. Who knows.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2025
