Security Firm Accused of Exposing Terabytes of Customer Data
A report released today details how a feature offered by a major security provider is leaving private customer data exposed.
Update: Just when it looked as though this story might subside, according to Brian Krebs, during the week of 8/14, "Carbon Black began quietly notifying customers that an internal review of the claims revealed a completely different bug that could result in some benign customer files being miscategorized as executable files and inadvertently uploaded to Virustotal for scanning."
On Wednesday, August 9, information security services provider DirectDefense disclosed it had found sensitive information belonging to Carbon Black customers openly accessible via a third-party online file scanning service (later identified by Carbon Black as VirusTotal).
According to the report, the exposed data included Amazon Web Services (AWS) keys, Identity and Access Management (IAM) credentials, other internal usernames and passwords, customer financial data, and more.
With this announcement sending shockwaves through the industry and raising several questions, including ones about how cloud-based security products operate, we thought it’d be helpful to provide a short FAQ.
So how is Carbon Black customer information getting exposed?
DirectDefense asserts the problem lies in how Carbon Black's CB Response solution identifies malware. When CB Response encounters a file it hasn't seen before, one feature it offers is uploading that file to VirusTotal, which scans it with other AV solutions. VirusTotal retains the uploaded files and makes them accessible to other VirusTotal members. For ordinary executables that is not inherently a big issue, but it becomes one when the uploaded files are JAR archives or scripts, which routinely bundle configuration, credentials and other sensitive information alongside the code.
Carbon Black also took issue with DirectDefense publishing the findings without disclosing them to Carbon Black first.
Some have been quick to point out DirectDefense was recently named a Cylance "Partner of the Year". Whether that has anything to do with this or not, it certainly doesn't look good. Regardless, the fact remains that sensitive customer information was accessible via VirusTotal, which brings us to our next question.
Is this a problem for all cloud-based security vendors?
No. It comes down to whether and how a vendor uses third-party multiscanners, and what it sends them (if anything): a hash lookup exposes nothing, while uploading the full file hands its contents to everyone with access to the service. In this case, the types of files Carbon Black was allegedly uploading to VirusTotal in some cases included an array of private customer information.
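The two answers above describe the same mechanism: an agent sees an unknown file, uploads it to a multiscanner, and the multiscanner keeps it. The control a practitioner wants is a gate in front of that upload. The following is an added example, not Carbon Black's, VirusTotal's or Barkly's code: it first checks the file's SHA-256 against a set of already-known hashes (standing in for a hash-only lookup, which never transmits the file), then expands JARs and scripts and refuses to upload anything that carries secret-like content. All sample files, the `known_hashes` set and the pattern list are constructed for the example; the AWS key pair in the sample JAR is the placeholder pair from AWS's own documentation, not a real credential.

```python
"""Pre-upload gate for a third-party multiscanner integration (added example)."""
import hashlib
import io
import re
import zipfile

# Secret shapes that commonly end up in build artifacts and deployment scripts.
# These are illustrative patterns, not an exhaustive secret-detection ruleset.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "aws_secret_access_key": re.compile(
        rb"(?i)secret[_.-]?(?:access[_.-]?)?key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})"),
    "password_assignment": re.compile(
        rb"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?([^\s'\"]{6,})"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

MAX_MEMBER_BYTES = 5 * 1024 * 1024  # skip huge archive members; scan budget per file


def iter_members(name, data):
    """Yield (member_name, bytes) for every scannable chunk of an artifact.

    JAR/ZIP archives are expanded one member at a time (a JAR is just a ZIP);
    anything else is treated as a single blob."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                    continue
                yield f"{name}!{info.filename}", zf.read(info)
    else:
        yield name, data


def find_secrets(name, data):
    """Return [(member_name, pattern_label)] for every secret-like hit."""
    findings = []
    for member, blob in iter_members(name, data):
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(blob):
                findings.append((member, label))
    return findings


def upload_decision(name, data, known_hashes, upload_unknown=True):
    """Decide what may leave the tenant. Returns (action, sha256, findings):

      'lookup-only' : hash already known to the scanner, nothing to upload
      'blocked'     : file carries secret-like content; never upload it
      'upload'      : unknown and clean, safe to submit the sample
      'hash-only'   : unknown but policy forbids sample upload entirely
    """
    sha256 = hashlib.sha256(data).hexdigest()
    if sha256 in known_hashes:          # a hash query discloses nothing
        return "lookup-only", sha256, []
    findings = find_secrets(name, data)
    if findings:
        return "blocked", sha256, findings
    if not upload_unknown:
        return "hash-only", sha256, []
    return "upload", sha256, []


def build_jar(entries):
    """Build an in-memory JAR (ZIP) from {member_name: bytes} for the samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for member, content in entries.items():
            zf.writestr(member, content)
    return buf.getvalue()


# Constructed samples, not real customer data. The AWS key pair is the
# placeholder pair from AWS documentation (AKIAIOSFODNN7EXAMPLE / wJal...).
SAMPLES = {
    "app-config.jar": build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "config/aws.properties": (b"aws.accessKeyId=AKIAIOSFODNN7EXAMPLE\n"
                                  b"aws.secretKey=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
    }),
    "helper.jar": build_jar({
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Helper.class": b"\xca\xfe\xba\xbe" + b"\x00" * 16,
    }),
    "deploy.sh": b"#!/bin/sh\nDB_PASSWORD='s3cretpass'\npsql -U app -h db.internal\n",
}


def triage_samples():
    """Run the gate over the samples, pretending helper.jar is already known."""
    known = {hashlib.sha256(SAMPLES["helper.jar"]).hexdigest()}
    return {name: upload_decision(name, data, known)[0]
            for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in triage_samples().items():
        print(f"{name:16} -> {action}")
```

With the samples above the gate blocks `app-config.jar` (AWS key ID and secret inside `config/aws.properties`) and `deploy.sh` (hard-coded database password), and never uploads `helper.jar` because its hash is already known. The design point is the ordering: the hash check costs nothing and leaks nothing, so it always runs first; the content scan runs only for files that would otherwise be uploaded; and a tenant that wants to opt out entirely sets `upload_unknown=False` and still gets hash-based verdicts.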
Is this a problem for Barkly customers?
Nope. Barkly does not send any customer information to third-party scanners, and does not rely on third-party scanners to identify malware. Our malware predictions are done locally, on the endpoint. That allows us to protect our customers from the latest malware while also keeping their information secure.