Carbon Black denies its IT security guard system oozes customer secrets

Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle. On Wednesday, security consultancy DirectDefense published a blog post alleging endpoint security vendor Carbon Black's Cb Response protection software would, once installed …

  1. JLV Silver badge

    Feature, my ass

    Why not just upload a sha hash of the file? Wouldn't that be sufficient to flag a known baddy? At least if it's not morphing itself.

    AWS secrets can be pretty disastrous to lose, for example.

    Some of these AV snakeoil salesmen vendors bring to mind the old adage that it's best not to see a doctor because if the disease hasn't killed you yet they're sure to.

    1. Anonymous Coward
      Anonymous Coward

      Re: Feature, my ass

      I'm not familiar with the software, but there are probably many steps in the process. Taking a hash of the suspicious file and comparing it to known hashes is probably the first step. Only if it's not able to be identified is the actual file sent outside the network for further identification. Comparing hashes isn't a perfect solution; the file (possible virus) could be armored/polymorphic to avoid identification.

      Carbon Black is in the right here. Somebody (DirectDefense) is trying to get their name in the news...

      If Carbon Black's customer dealt with "Top Secret" information/software (for example) they probably wouldn't enable this feature. The file would probably be flagged, and analyzed by the company's internal security professionals.

    2. phuzz Silver badge
      Facepalm

      Re: Feature, my ass

      You can choose between not uploading anything, just uploading a hash, or uploading the entire binary. Note that I say binary and not 'every file on your system', a keyfile won't be uploaded unless it's an executable.

      About the only problem here is if you specifically decide to turn on the binary uploading (and the config window explicitly tells you about the possible drawbacks), and you have a custom application which contains hard coded credentials (why would you do that), then someone could pick through the binary on Virustotal and extract the credentials.

  2. Anonymous Coward
    Anonymous Coward

    You can't patch stupid

    Uploading the hash apparently is the default. Someone turned it on.

    The warning about what can happen if you turn on full binary upload is pretty explicit from what the Carbon Black blog showed. And if you throw stones in public with Irresponsible Disclosure...

    DirectDefense probably should work on their own email security configuration:

    "v=spf1 include:spf.protection.outlook.com include:aspmx.pardot.com -all"

    equates to 379,653 IP addresses authorized to send email using their domain. Mass-email marketer and all Office 365 users. Not to worry, though. They've got it handled with DMARC:

    _dmarc.directdefense.com: Non-existent domain

    Good job on implementing DNSSEC to protect your customers and visitors from DNS spoofing as well:

    Domain Name: DIRECTDEFENSE.COM

    Name Server: NS55.DOMAINCONTROL.COM

    Name Server: NS56.DOMAINCONTROL.COM

    DNSSEC: unsigned

    15 out of 100 is good, right? https://observatory.mozilla.org/analyze.html?host=www.directdefense.com

    No, I do not work for either company nor have I ever done so. I simply don't like people who needlessly endanger others just to prove how smart they are. The real victims are the companies whose data was just put at risk because DirectDefense decided to go public first. I hope they just lost themselves some customers with that move.

    At least some company named DirectDefense isn't being used as a reference for Cylance, a competitor of Carbon Black, or anything similar: https://www.cylance.com/cylanceprotect-achieves-hipaa-security-rule-compliance-certification

    "The certification is made by DirectDefense, a leading provider of HIPAA/HITECH security assessment services to industries, such as healthcare and insurance, that process, store or transmit electronic protected health information (EPHI)."

    Wait, what?

    https://www.hhs.gov/hipaa/for-professionals/faq/2003/are-we-required-to-certify-our-organizations-compliance-with-the-standards/index.html?language=es

    "It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation."

    My opinion is the same as yours. "Snakeoil" hit it right on the head. They're all slimy in their own way.
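The SPF and DMARC checks the comment above walks through, reduced to working code as an added example that is not part of the original thread: it expands an SPF record's include: chain over a constructed, hypothetical DNS table (no real domains or addresses), counts how many addresses end up authorized to send as the domain, reports whether the record ends in a hard-fail -all, and checks whether a _dmarc record exists.

```python
import ipaddress
# Constructed TXT table standing in for live DNS; every name and address here is hypothetical.
TXT = {
    "consultancy.test": ["v=spf1 include:spf.mailhost.test include:spf.marketing.test -all"],
    "spf.mailhost.test": ["v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/120 -all"],
    "spf.marketing.test": ["v=spf1 ip4:198.51.100.0/22 ~all"],
    # no _dmarc.consultancy.test entry: DMARC absent, as the comment above describes
    "secure.test": ["v=spf1 ip4:192.0.2.0/28 -all"],
    "_dmarc.secure.test": ["v=DMARC1; p=reject; rua=mailto:dmarc@secure.test"],
}

def authorized_addresses(domain, seen=None):
    """Expand include: chains; return (count of authorized addresses, qualifier on 'all')."""
    seen = set() if seen is None else seen
    rec = next((r for r in TXT.get(domain, []) if r.startswith("v=spf1")), None)
    if rec is None or domain in seen or len(seen) >= 10:  # missing record, loop or lookup limit
        return 0, None
    seen.add(domain)
    total, policy = 0, None
    for term in rec.split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if term.startswith(("ip4:", "ip6:")):
            total += ipaddress.ip_network(term[4:], strict=False).num_addresses
        elif term.startswith("include:"):  # each include is another lookup that widens the set
            total += authorized_addresses(term[8:], seen)[0]
        elif term == "all":
            policy = qualifier
    return total, policy

def dmarc_policy(domain):
    # Return the DMARC p= tag, or None when no _dmarc record is published
    for rec in TXT.get("_dmarc." + domain, []):
        if rec.startswith("v=DMARC1"):
            tags = dict(t.strip().split("=", 1) for t in rec.split(";") if "=" in t)
            return tags.get("p")
    return None

def assess(domain, max_addresses=4096):
    # Flag the weaknesses the comment points at: very broad SPF, no hard fail, no DMARC
    count, policy = authorized_addresses(domain)
    findings = []
    if count > max_addresses:
        findings.append(f"SPF authorizes {count} addresses to send as {domain}")
    if policy != "-":
        findings.append(f"SPF ends with {policy or 'no'}all, not -all")
    if dmarc_policy(domain) is None:
        findings.append("no DMARC record")
    return findings
```

Calling assess("consultancy.test") reports the missing DMARC record, while the same domain with max_addresses=1000 also flags the address count the include chain adds up to.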

    1. Amos1

      Re: You can't patch stupid

      Hey, check out the beautiful trophy-thingy here: https://blog.savagesec.com/words-have-meanings-dc925219bb8e

      Cylance apparently picked DirectDefense as their 2016 Partner of the Year. Maybe this latest blog of theirs will win them the Cylance 2017 Advertising Partner of the Year.

      That is an extremely well-balanced article on the entire data leakage problem as a whole.

  3. Anonymous Coward
    Big Brother

    Protection software spews sensitive data to third parties

    "Carbon Black's Cb Response protection software would .. spew sensitive data to third parties."

    So, it's working as designed then ;)

    1. h4rm0ny

      Re: Protection software spews sensitive data to third parties

      I think your paranoia is unwarranted. Or at the least misdirected. It seems the company that irresponsibly went public with this first actually has some connection with one of Carbon Black's competitors. In either case, anyone who cares about security will, unless there are exceptional circumstances, notify the vendor first and allow time to respond.

      1. Anonymous Coward
        FAIL

        Re: Protection software spews sensitive data to third parties

        "anyone who cares about security will, unless there are exceptional circumstances, notify the vendor first and allow time to respond."

        Anyone who cares about security wouldn't upload their records to a third party 'cloud' service!

        1. Casper the friendly ghost

          Re: Protection software spews sensitive data to third parties

          And yet an entire industry has been built on this fallacy!

        2. funkenstein

          Re: Protection software spews sensitive data to third parties

          "Anyone who cares about security wouldn't upload their records to a third party 'cloud' service!"

          Sure, forget about conducting actual risk assessments and the myriad of protective measures available, even in infrastructure you don't own. Everyone knows Cloud = bad, full stop.

          /s

  4. hellwig

    Cb downplaying the risks

    This is what bolsters DD's case for me, if it's true:

    "Yes, we've seen this feature setting in the product and in the manual that stated this is off by default," the firm said in a follow-up blog post.

    "However, the recommendations or messaging from Carbon Black's professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans."

    Sounds like DD went to Cb, on behalf of a customer, to ask them how to set up Cb. Cb said to turn on the uploading without mentioning the risks. "This will make it faster" is something anyone would want, especially if no downsides are mentioned. If anything, Cb needs to train their customer reps to be more considerate of privacy and security concerns.

    Of course, it's possible Cb did say that and DD didn't mention it. Who knows.

  5. Anonymous Coward
    Anonymous Coward

    Meh

    I've admin'd multiple AVs for companies, this is a normal feature in corporate scale AV. I've always ensured it's off, as I won't take the chance of PII being uploaded. But it's not new to the industry by any means.

  6. robpomeroy

    Security company says other security is rubbish shocker

    In other news DirectDefense CEO said Carbon CEO's mother was fat and ugly - only to receive a retaliatory Chinese burn.
