Top Next-Gen Security Firm Leaking Terabytes of Customer Data

frogboy (thread author)
Sensitive corporate data from customers protected by Carbon Black endpoint detection and response (EDR) solutions has been found on multiscanner services, according to an investigation by DirectDefense, a provider of managed security strategies.

The shocking data leak has been tied to an API key which DirectDefense claims belongs to Carbon Black Cb Response, a next-gen anti-malware EDR product.

Problem is in how EDR products operate, in general
EDR solutions work by managing lists of whitelisted files and applications. When EDR products find a new file not included in their database, they upload it to their cloud service, which then uploads it to a multiscanner service (think VirusTotal).

The EDR cloud would use the aggregated scan result from this multiscanner service to decide whether to whitelist or blacklist the file. The problem is that even if the EDR and multiscanner rename the files using hashes, copies of those files are still saved on the multiscanner service.

Most of these multiscanners work on a pay-for-access model, allowing anyone to access threat intelligence data on past scanned files, and even download copies for further analysis. This is exactly how DirectDefense found the Carbon Black leak.

Full article: Top Next-Gen Security Firm Leaking Terabytes of Customer Data

Fritz
Just like Norton et al., who upload whatever files they deem worthy of inspection. Why people are surprised that sensitive data taken off-site will actually appear off-site is beyond my comprehensive abilities.

ForgottenSeer 58943

My understanding is:

The difference between this EDR and other cloud services is the files and data updated. Carbon Black appears to have been uploading not only normal newer executables, but actual customer data files. They also appear to have been uploading customized blobs filled with other data, hence the 'totally unique' files only seen by this API key. That's what got them called out and isolated, the very unique files which they were sending that contained sensitive data.

Cloud scanning should be used with caution IMO. For example when I discovered Zemana was revealing its distributed VT uploader machines and even exposing their own IP addresses, desktops, OS and other sensitive data I realized in the case of Zemana, they are potentially opening themselves up to a major compromise. (See Zemana thread) I immediately stopped using Zemana.

This is gross negligence from Carbon Black IMO. Class Action Lawsuit anyone?

Emmanuellws
Lucky to be part of Panda Adaptive Defense 360 customers. Panda Security is in compliance with the GDPR. Clearly Carbon Black has not matured yet in this so-called "NextGen AV", as they rose to fame and won awards way faster than Panda Security's Adaptive Defense 360; Panda started their Collective Intelligence in 2007 and it is now a matured product.

ForgottenSeer 58943

Norton does this as well. Unfortunately, I can't quite find the link to the document right now.

Ouch, what a horrible idea.

Zemana doesn't upload things like document files, PDF's, etc. That's why it will miss DOCM malware and such. But they have to do this or they could compromise security. If Norton is uploading everything then they are pretty much stealing your private data. Like I need another reason to dislike Norton. Ugh.

Fritz
Yep, crazy, isn't it? Most of the major players do it to a varying extent but Norton excels in that regard. One of the reasons I like Emsisoft.

Emmanuellws
I find it weird why you would want to upload whole Office documents into the cloud to analyze the file. Can't they just block any bad-behavior scripts prior to the enabled macro within the document? If the script runs and malware is downloaded, just block it and upload the malware sample to the cloud, not the document.
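As an added illustration of the upload path described in the first post and of the document-versus-executable question raised here (example code, not Carbon Black's or any vendor's), the gate below submits only a hash for documents and archives and ships file bytes only for executables. The magic-byte table, the policy and the sample bytes are assumptions constructed for this example.

```python
"""Upload gate for an endpoint agent: send executables off-site, never documents.

Added example, not any vendor's code. The signature table, policy and
sample inputs are assumptions constructed for illustration.
"""
import hashlib

# Constructed magic-byte table -> coarse file category.
SIGNATURES = {
    b"MZ": "executable",                # Windows PE
    b"\x7fELF": "executable",           # ELF
    b"%PDF": "document",                # PDF
    b"\xd0\xcf\x11\xe0": "document",    # OLE2 container (legacy .doc/.xls)
    b"PK\x03\x04": "archive_or_ooxml",  # zip container (.docx/.xlsx/.zip)
}


def classify(data: bytes) -> str:
    """Map the first bytes of a file to a category; unknown if no signature matches."""
    for magic, category in SIGNATURES.items():
        if data.startswith(magic):
            return category
    return "unknown"


def decide(data: bytes, known_hashes: set) -> dict:
    """Return what the agent may send to the cloud for this file.

    skip      : hash already verdicted locally, nothing leaves the host
    upload    : executable content, which is what a multiscanner needs
    hash_only : documents, archives, unknown types: query by SHA-256, never ship bytes
    """
    digest = hashlib.sha256(data).hexdigest()
    category = classify(data)
    if digest in known_hashes:
        action = "skip"
    elif category == "executable":
        action = "upload"
    else:
        action = "hash_only"
    return {"sha256": digest, "category": category, "action": action}
```

A real agent would also cap the size of what it uploads and record each decision locally, so that an audit can later show exactly which files ever left the host.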

Fritz
Oh I'm right there with you @Emmanuellws, they sure could. But why would they restrain themselves? Technically, there's nothing to say against it. On-premise analysis may well lead to more insight. And if we were just a bunch of Borg that'd be ethically fine as well. But I'm me and not somebody else. What I do is my business, not Norton's.

Then again people rarely give a hoot these days and data = $$$. Why risk a headache thinking about your AV's behavior after feeding Facebook and Google all day long anyways. Just one more bug in the ever brimming nest. That's why they do it. Because they can.

ForgottenSeer 58943

Good post Fritz.

IT is in dire straits right now... For one thing, the normal deployment scheme of a UTM/NGFW, then endpoint protection and walking away isn't sufficient. Infections are getting through. That's what most firms have deployed because the approaches to deal with this are painful to crybabies in firms. So the result is, I would say a good 60-80% of every company in the world have already been compromised but don't know it in some cases. We see it constantly. Compromises everywhere. Nonstop.

Even IF you are very privacy aware and take great precautions, almost nobody you deal with is doing the same thing. So your data gets out there anyway. A pharmacy running a Netgear. Your dentist's office using a Linksys router with YahooMail. Your X-rays being sent over Hotmail or as plain-text unencrypted documents. There is an apocalypse brewing, I can feel it. Eventually something so big will happen that suddenly people will realize that all of it is compromised. ALL OF IT. One of the bigger prescription firms that handles the big-name pharmacies got compromised, and nobody knows about it. We know because someone altered my wife's records and attempted to get her fired. The records were altered to say she was diagnosed psychotic and was on anti-psychotic medication. Of course she isn't, and it took her authorizing a records release from her physician to prove it. (She works in a critical field.) The prescription data firm denied a breach but clearly, they were breached. Imagine if this happened and really cost someone their job, or even their life? I walked into a defense contractor that was running a free Chinese antivirus product, and running M0n0wall on their gateway. Can you imagine the secrets spilling out?

Nobody is minding your data. Period. The weakest link is everyone BUT you in most cases, and you can't control them. Homeowners/consumers don't care enough to bother. They line up at computer stores buying the latest IoT gadget without a second thought about security. Manufacturers aren't being held responsible. Companies that maintain your data aren't being held responsible. Everyone is passing the buck.

An apocalypse is coming.

Solarquest (Moderator)

(quoting ForgottenSeer 58943's post above)
terribly and sadly true....