Huntress's 'hilarious' attacker surveillance splits infosec community

Security outfit Huntress has been forced onto the defensive after its latest research – described by senior staff as "hilarious" – split opinion across the cybersecurity community. Defenders, for the most part, agreed with the vendor's assessment of the situation, which revolved around an attacker, for whatever reason, …

  1. Anonymous Coward
    Anonymous Coward

    That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

    IF you are playing with 'naughty' things you can not hide behind 'Invasion of Privacy' and all the other nonsense.

    The person was not accidentally running some 'Naughtyware' and was making some attempts to defend themselves from attacks coming back the other way !!!

    Well Done Huntress ... is all I can say !!!

    The huge amount of harm that is being done by the 'Expert' and the Wanna be hackers is off the scale !!!

    No innocents were harmed by this !!!

    Much more needs to be done to fight back !!!

    P.S.

    How can you be surprised by the amount of info that these EDR tools and similar can collect ???

    It is what they are meant to do !!!

    :)

    1. midwestMan

      Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

      You need to think bigger picture my friend. What prevents these same SOC analysts from looking at random customer browser history, app history, cached images, text history, etc just for giggles? It's quite possible that Huntress has a very rigorous procedure and technical controls to prevent this kind of abuse. It's also quite possible that they don't.

      1. Brian 3

        Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

        So.... they downloaded a trial version... and that gave Huntress the right to monitor their PC? I'm not sure I understand how that is ethical - they are checking their trial customers' PCs for what exactly that, when found, gives them permission to assume they are bad actors?

        1. doublelayer Silver badge

          Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

          The important part is what it's a trial version of. It's a trial version of their product which puts their company in control of your security. "Managed Endpoint Detection and Response" means that you are giving them the power and permission to take all sorts of monitoring and modification control of the computers you install that on. If you do not trust a company, you do not install or purchase that service because of the control that it provides. Anyone using such a product is making the choice to give the company providing it an unusual amount of trust.

          If this had been some other kind of software, I would be on your side. The software was specifically intended to allow their automated and human analysts to monitor what that system was doing and take action if it was doing something that threatened your or others' security. Generally, those who install it are most worried about their own security, but they're still interested in malware spread from that machine in case it's a beachhead they can disinfect before stuff spreads. The system concerned was spreading malware. The software detected what it was supposed to detect.

      2. This post has been deleted by its author

      3. Anonymous Coward
        Anonymous Coward

        Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

        Either way, I would not use these types of software without 'assuming', as you have, that the possibility was there for the information to be 'seen' by others.

        I do not 'Trust' anybody or entity on the basis of 'promises' made or implied by contract or 'hand shake' etc.

        I assume that if the risk is there it CAN happen !!!

        You have to make the assessment, BEFORE you implement the installation of such systems, what is the risk, possible consequences and value gained.

        You balance all these factors and decide if it is worth it !!!

        By necessity, using 'other peoples software/computers' involves 'other people' ... there is your risk !!!

        What Huntress did was, in my view, reasonable for the information gained !!!

        It adds to my 'perceived risks' of using them or similar entities BUT does not mean I would want them and similar entities to be stopped from existing.

        Question 1: How many services that are run on 'Other peoples computers' have similar risks, where your data can be seen/spied on ???

        Question 2: How many of these services do you 'rail against' in a similar way ???

        We all, in reality, accept the risks for the benefits gained by using the services and choose to ignore the issue because it is an 'Inconvenient Truth' !!!

        :)

        1. druck Silver badge

          Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

          If you are running a Microsoft Operating system or commercial antivirus software you should already know they have access to everything on the machine if they so wish.

    2. zeos

      Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

      Who invades the privacy of the privacy invaders?

      1. Anonymous Coward
        Anonymous Coward

        Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

        The privacy invaders themselves, but I doubt they self report for selling spyware.

    3. Andy Tunnah

      Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

      Look I'm as glad as anyone seeing this happen, crims getting what they deserve etc. but we can't pretend like it's OK, especially with lines like "no innocents were harmed". And I absolutely LOATHE "slippery slope" crap. But it absolutely is one.

      1. doublelayer Silver badge

        Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

        And why do you think it's not okay? We may agree on some of it, but you haven't actually stated why it's not. What should the limitations be on software with the explicit purpose of putting investigators on your machine if your machine appears to have malware on it? What limitations should apply when it appears to be a normal user's machine, and which if any should be removable when it becomes clear that a criminal is running the machine?

    4. Anonymous Coward
      Anonymous Coward

      Re: That sound you are hearing is a Whoooooosh to beat ALL Whoooooooshes !!!

      I'm not really surprised...but it's making my skin crawl.

  2. Dave Null

    seeing as you didn't include the link...

    here it is https://www.huntress.com/blog/rare-look-inside-attacker-operation

  3. Anonymous Coward
    Anonymous Coward

    Can an AI company claim the moral high ground?

    "Horizon3.ai's CEO, Snehal Antani, posted on X: "That visibility gave defenders unique insights, but it also raises a real question: Should a private company be allowed to monitor an adversary like that, or were they obliged to notify authorities once it crossed from IR into intelligence collection?""

    1. Fonant Silver badge

      Re: Can an AI company claim the moral high ground?

      No.

      1. Anonymous Coward
        Anonymous Coward

        Re: Can an AI company claim the moral high ground?

        No to which part of the question?

        1. Doctor Syntax Silver badge

          Re: Can an AI company claim the moral high ground?

          Yes to both parts. The first part should enable them to provide evidence at the trial that should be the outcome of the second.

    2. arachnoid2

      Re: Can an AI company claim the moral high ground?

      It's very much like the Police watching a suspect but allowing them to access and steal from numerous establishments, taking no action other than to note their modus operandi.

      1. alisonken1
        Big Brother

        Re: Can an AI company claim the moral high ground?

        Not the police.

        More like a private detective since it's not a government entity but a private company.

      2. Anonymous Coward
        Anonymous Coward

        Re: Can an AI company claim the moral high ground?

        Then waiting for them to commit a more serious crime while letting the petty crime (which is still crime) through the net.

    3. Anonymous Coward
      Anonymous Coward

      Re: Can an AI company claim the moral high ground?

      No, because a purported adversary could be a cybersecurity student.

      1. jhackZ
        WTF?

        Re: Can an AI company claim the moral high ground?

        Or this casual “hacker” was hired by Huntress to begin with an offer like, “Think you are a hacker, try our product and prove it with a free trial”. This smells like stinky tofu on a 37C day!

  4. Valeyard Silver badge

    i'm missing something surely

    Ok this was good insight and jolly japes, but I'm missing how they specifically and only targeted this bad actor in the first place

    Unless literally everyone that installs their tool will be under this kind of surveillance, in which case I don't think this is quite the glowing advertisement they think it is?

    1. John Robson Silver badge

      Re: i'm missing something surely

      I rather suspect that it looks like a glowing advert for the PHB who will order it installed across an enterprise fleet, so that they can see who is reading The Register, and who is wasting their time on Office 265.

    2. deive

      Re: i'm missing something surely

      From near the end of the article: "its researcher happened upon the case while investigating "numerous alerts" that malware was being executed from the attacker's computer, and they later confirmed the unique machine name was the same one observed in "several incidents" before"

    3. doublelayer Silver badge

      Re: i'm missing something surely

      The purpose of the software is to monitor the machines you install it on for malware-related events. When those events occur, people from the company that makes it are called in to figure out what the event was and whether action needs to be taken. Usually, the action that they're going to take is intended to protect you, which is why you might install that. In this case, the people responding to malware spreading found that the owner of the machine wanted malware to spread. So yes, if you install this on your machine, you can also be monitored and, if there are indications of malware spreading from your machine, you will be. That is the entire point of the service. Those who install it normally know and actively choose that.

  5. jake Silver badge

    Is it really a privacy issue if ...

    ... the idiot intentionally installed software that shares what they are doing with world+dog?

    1. Antron Argaiv Silver badge
      Childcatcher

      Re: Is it really a privacy issue if ...

      ...if they installed the software, then they must have clicked through, and thereby agreed to, the license text, which, I'm almost positive (unless Huntress have complete wankers for IP lawyers) gave permission to Huntress to monitor everything.

      1. Anonymous Coward
        Anonymous Coward

        Re: Is it really a privacy issue if ...

        There will be an awful lot of "may do this" and "may do that" with very little clarity. Nobody transparently declares the extent of their "telemetry" gathering efforts.

        1. Not Yb Silver badge

          Re: Is it really a privacy issue if ...

          https://www.huntress.com/privacy-policy

          It enumerates many of their data gathering efforts, in quite some detail. There's a lot of clarity there, and the end result is, "signing up for an endpoint detection and response service allows the service to detect intrusions by checking in many places that an intruder might inadvertently leave a trace."

          This is one of the few I've seen that goes into a fair bit more detail than most 'sends telemetry back' software products.

    2. vistisen

      Re: Is it really a privacy issue if ...

      Are you talking about Google, or facebook?

  6. Anonymous Coward
    Anonymous Coward

    Reading through the browser history from long before the product was actually installed... very much OUTSIDE OF THE RED LINE that we established at Carbon Black for EDR telemetry. We looked at _behavior_, not what you were reading. End of story. This is not normal or a commonly accepted standard.

    1. Anonymous Coward
      Anonymous Coward

      You presume that their subject was the first attacker... that's how you get re-hacked.

    2. Anonymous Coward
      Anonymous Coward

      Aren't you supposed to protect whomever uses your product? Since when is monitoring your customer a form of protection?

      Security is supposed to stand guard at the door, not in the room getting up in your business.

      You should check the logs on your own company machines, because it sounds like you have a building full of people flinging spyware.

    3. Derezed
      Meh

      To understand the present, one must understand the past.

      Why wouldn’t security software check existing logs for breaches or issues? Isn’t that what it’s there for?

      1. Anonymous Coward
        Anonymous Coward

        Because you can't be sure the person currently using the machine is responsible for the prior logs.

        If they have years of prior logs, and they're only just installing this product, who is to say they didn't just buy the machine used?

        1. Anonymous Coward
          Anonymous Coward

          “One used PC for sale, with complete malware development toolset pre-installed”

          1. Anonymous Coward
            Anonymous Coward

            Everyone with a malware development toolkit is an expert...nobody is just curious and wading out of their depth for a bit of fun...got it.

            1. Anonymous Coward
              Anonymous Coward

              No. Anyone with a malware development toolkit is suspicious to those whose job is to stop malware. The actual ability of the possible bad actor doesn't come into the equation of "should we let them invade this system without monitoring?"

              1. jake Silver badge

                You do realize that MS-DOS was shipped with debug and an editor from version 1.0 on, making all versions of DOS a malware development toolkit, right?

                To say nothing of any decent Linux or BSD distribution ...

                1. Anonymous Coward
                  Anonymous Coward

                  Of course I do, but things "shipped with" an OS are different from those malware toolkits "put on by purposeful action". MS-DOS didn't ship with "malwaregen.exe", and if someone did install it, any 'malware prevention and detection service' that didn't at least report it as suspicious action, wouldn't be worth the money.

  7. Anonymous Coward
    Anonymous Coward

    Monitored by the Good Guys.

    That's an oxymoron if I've ever heard one.

  8. Anonymous Coward
    Anonymous Coward

    If a third party...

    ...support guy installed Huntress EDR (or any EDR that operates in a similar way) have they not just broken their local data protection and privacy laws?

    1. doublelayer Silver badge

      Re: If a third party...

      Possibly. It depends who owns the computers on which it was installed and what data they have access to. It's mostly business-focused software, so the intent is normally that the IT department will install it and users should be informed that their work computers are monitored and should keep their personal stuff away from them unless they are willing for those to be monitored as well. If someone without the authority starts installing this without permission, even if they don't seek to use the data themselves, they'll still probably have several complaints about the significant amount of power they just gave a provider that hadn't been decided as trustworthy.

      1. Anonymous Coward
        Anonymous Coward

        Re: If a third party...

        Just remember, if your work PC gives you admin privileges, you have authority to install stuff…

        However, as you note, it doesn’t excuse a lack of thought and duty of care.

        1. Anonymous Coward
          Anonymous Coward

          Re: If a third party...

          You have "ability" to install stuff, but not necessarily "authority" to do so. Most workplaces that allow employees to directly install software have a "don't install software not related to the work you do" policy.

          It's more fun working for places that let you put on your own software, but mistaking ability for authority has gotten many people disciplined or fired.

  9. Claptrap314 Silver badge
    Unhappy

    Businessman attempts to throw shade on competitor's handling of a hilarious situation

    Seriously, why does the Register feel it appropriate to quote these FakeI people at all?

    EDR software is EDR software. Its job is to have deep visibility into what happens on a machine (i.e. run as root). Its job is NOT to "protect the user" when the user is clearly engaged in criminal activity. In fact, their role is most like a PI, and there are certainly statutes governing their behavior. Statutes about preventing & reporting, not aiding & abetting.

    As for work systems, you don't own the system you were issued, nor the network you connect to. EVERYTHING you do on it is subject to review by the owner. If for no other reason, because the owner can go to jail for what you do on it. (Check out what happens to owners of crack houses, for instance.)

    1. Ian Mason

      Re: Businessman attempts to throw shade on competitor's handling of a hilarious situation

      Nope, if your employer installs spyware on their machine that you use for your work for them in Germany, then they are breaking the law. Not every country is as lax about what employers can do to employees as whatever country you live in and are drawing assumptions from about how the whole world works.
