August 10, 2017

On Wednesday, the security industry once again witnessed an all-too-familiar cycle: I call it “security by press release.” It goes a bit like this: A security firm releases a report claiming to have unearthed a major flaw in a competitor’s product; members of the trade press uncritically republish the claims without adding much clarity or waiting for responses from the affected vendor; blindsided vendor responds in a blog post showing how the issue is considerably less dire than originally claimed.

At issue are claims made by Denver-based security company DirectDefense, which published a report this week warning that Cb Response — a suite of security tools sold by competitor Carbon Black (formerly Bit9) — was leaking potentially sensitive and proprietary data from customers who use its product.

snm

DirectDefense warned about a problem with Cb Response’s use of “a cloud-based multiscanner” to scan suspicious files for malware. DirectDefense didn’t name the scanner in question, but it’s Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There’s also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.

Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. This is the full extent of the “vulnerability” that DirectDefense labeled “the world’s largest pay-for-play data exfiltration botnet.”

Carbon Black responded with its own blog post noting that the feature DirectDefense warned about was not turned on by default, and that Carbon Black informs customers of the privacy risks that may be associated with sharing files with VirusTotal.

ANALYSIS

Adrian Sanabria, a security expert and co-founder of Savage Security, published a blog post that called “bullshit” on DirectDefense’s findings, noting that the company inexplicably singles out a competitor when many other security firms similarly allow customers to submit files to VirusTotal.

“Dozens of other security vendors either have an option to automatically submit binaries (yes, whole binaries, not just the hash) to VirusTotal or do it without the customers knowledge altogether,” Sanabria wrote. “In singling out Carbon Black, DirectDefense opens itself up to criticism and closer scrutiny.”

Such as shilling for a partner firm (Cylance) that stands to gain from taking Carbon Black down a few notches in the public eye, Sanabria observed [link added].

“I personally don’t believe DirectDefense is a shill for Cylance, but in singling out one of many vendors that do the same thing, they’ve stepped into a classic PR gaffe that makes them look like one,” he wrote.

My take is that most people in corporate cybersecurity roles understand what VirusTotal is and the potential privacy risks involved in uploading files to the service — either on a one-off basis or automatically submitted through some security suite like CB Response (if not, those security folks probably need to investigate another career).

That’s not to say that organizations don’t inadvertently overshare. I’ve seen instances where entire email threads and apparently sensitive documents have been submitted to VirusTotal along with embedded malware.

Lesley Carhart, a security incident response team leader and a prolific security commentator on Twitter, said there are immense amounts of trust given VirusTotal. Carhart said if a malicious actor were able to identify individual files uploaded from a target organization to VirusTotal — even just as file hashes — they could gain lots of information about the organization, including what software suites they use, what operating systems, and which document types.

“They provide an amazing free resource for the infosec community, as well as some great paid services,” Carhart said of VirusTotal. “However, we have unintentionally given them one of the largest repositories of files in the world.”

If DirectDefense’s report helped some security people better grasp the risks of oversharing with multiscanners like VirusTotal, that’s a plus. But from where I sit, these types of overblown research reports tend to live or die by uncritical and/or unbalanced coverage in the news media — also known as “churnalism.”

My advice to tech reporters: Quit taking claims like these at face value and start asking some basic questions before publishing anything. For example, the early coverage of DirectDefense’s report in the media suggests that few reporters even asked about the identity of the multiscanner referenced throughout the report. Also, it’s clear that few (if any) reporters asked DirectDefense whether it had alerted Carbon Black before going public with their findings (it hadn’t).

Pro tip: If a researcher or company with a vulnerability “scoop” doesn’t mention interaction with the affected vendor before going public with their research, this should be a giant red flag indicating that this individual or entity is merely trying to use the media to generate short-term PR buzz, and that the “vulnerability” in question is little more than smoke and mirrors.


45 thoughts on “Beware of Security by Press Release

  1. Lucas

    Thank you so much for calling bs on this. The articles coming out about this are infuriating.

  2. Erik

    I could agree that most cybersecurity professionals know precisely what is shared and are capable of making balanced and informed judgements. It’s an area where I’ve spent many a day (and the occasional night) weighing pros and cons.

    The problem is that absolute overwhelming majority of cybersecurity decisions are not made by cybersecurity professionals, and are made with the approximate degree of attention and care given to what sort of pizza to order tonight. I don’t think there are any real scandals here – organizations prioritize their resources according to what they value, and if they don’t place high value on making good cybersecurity decisions then they get the (in)appropriate results.

  3. Alan Welsh

    Perhaps anyone in journalism that publishes ANY article that denigrates a person or company, should be shamed automatically, if they didn’t also mention that they genuinely tried to ask their target for a response, and list their denial, if there was one.

    1. JimV

      “should be shamed automatically”

      Properly targeted litigation in response to slanderous or false (or misleading) assertions would be far more effective, albeit not as fast.

  4. Caffeineguru

    Hopefully, your risk team already identified the issue of CB accidentally sending sensitive data to VT and nobody will be shocked by DirectDefense’s post. *pats self on back*

  5. Cindy Sue Causey

    Hi.. Just writing to say I’ve seen similar related to my favored Debian Linux operating system. It doesn’t happen often, but it does happen where someone will post a frantic security related comment. Someone in the know, most often with a debian dotOrg email addy, will come back with a sensible response that shows there is, yes, a vulnerability, but it’s not near as dire as the excited outburst leads readers to possibly believe.

    The impression I’m left with *every time* is that there is just some… “shtuff” going on about trying to drive traffic off towards another operating system, although that other system will have been an unmentioned and a complete unknown when those outbursts pop up. 🙂

    No, I take that back. I did once research two writers supporting each other’s notions a little too heartily in one particular instance. The appearance at that time was that they were both VERY active on a theoretically competing operating system elsewhere. Go figure. 😀

    Thank you for the work you do! I’ve got something I might send you. I just need to see if it really is what I think it is… and I do think it is what I think it is. 🙂

    1. Jason

      People (often times including media) are not sensible. They are EXCITABLE and don’t know how to (and presumably don’t care to) tone it down, ask questions to confirm their findings / hypotheses.

      That said, the excitable posts do tend to get the quickest responses, often at the expense of being wrong. Which in turn, gets eyeballs and those that care are more informed as a result (if they weren’t prior). #Shrug

      1. JPA

        The problem is the excitable primate brain. Mother Nature must have laughed when she gave intelligence to an ape.

  6. Shaun Waterman

    Well aid as ever, Brian. If reporters aren’t doing those basic checks, IMO *they* need to consider a new career — just as a much as a cyber pro who’d never considered the risks of VT uploads.

  7. Chris Nielsen

    This type of behavior is not limited to security companies. But it’s a disgusting sign of a loser competitor. The only reason to release the information and not contact the company with the flaw is to hurt them, even if the flaw is real. A professional company would at least attempt to inform the company with the security problem.

    Oh, I know we can’t do that because it would be “helping” a competitor. But if you are so self-centered that you can’t realize that you would also be helping customers of that company, then you have the wrong focus for your business: “Win, no mater who gets hurt”.

    And if you are so afraid of your competitor that you have to try and hurt them, then you have already lost. You should be asking why your competitor is someone you need to be afraid of? Why are you inferior to them? The answers to those questions are where you should focus your energy.

  8. terry the censor

    > A security firm releases a report claiming to have unearthed a major flaw in a competitor’s product

    When I was editor of my university paper, I got a call from someone claiming to know of the fraudulent practices of a company that booked spring break trips for students. The fellow wouldn’t give his name, wouldn’t give the names of people who had been ripped off, and wouldn’t even meet with us.

    I described the call to my news editor. She said the caller was likely from a rival company; that this source-free tattling was a common tactic to undermine competitors.

    “They do it all the time.”

  9. Tim Afba

    Thank you for this, but there is also a case to be made for those files submitted containing hard coded usernames and passwords. This is a debate that has many sides over and above the use of multiscanners, but also concerning developer security and best practices…

  10. M4n_in_Bl4ck

    I disagree with your comment “(if not, those security folks probably need to investigate another career)”. So many positions are open, we as a community are better off helping to educate those who make up those positions and are dramatically overburdened rather than demean then for knowledge not yet acquired.

    1. leet_hax0r

      You’re one of the ones who was unintentionally uploading full binaries, aren’t you? 🙂

  11. David Scott

    It is disappointing when a member of the security community chooses the low road. That’s exactly what this demonstrates. Sadly, it’s all too common.

    The security community as a whole looks to drive a culture of collaboration, transparency, and very clear expectations about coordinated vulnerability disclosure, voluntary disclosure, and most importantly RESPONSIBLE disclosure.

    When members of our community don’t follow these best practices, they run the risk of causing even greater damage – not only to the entity they have targeted but often the general public as well. This is compounded when the information released is inaccurate, incomplete, or not validated at all.

  12. Mike

    I agree with Chris Nielsen on how this shows weakness and a losing status on the part of the accusing company. Dovetailing on that…

    Situations like these make me distrust companies, such as DirectDefense in this case. When I see that the accused company (Carbon Black) is actually transparent with such options as having this dangerous-ish feature turned off by default and a strong warning when using the feature, I can trust that company more. Certainly, I can trust a company with features off by default more than i can trust the legalized spyware, on-by-default, never-tell-you features available from Apple, Google, Microsoft, etc. So, DeirectDefense, good on you for making us look into Carbon Black more and show us that they are a better company.

  13. Brian

    “Perhaps anyone in journalism that publishes ANY article that denigrates a person or company, should be shamed automatically, if they didn’t also mention that they genuinely tried to ask their target for a response, and list their denial, if there was one.”

    That’s a good point and there were examples of it gone wrong here. The most egregious being Gizmodo being the first to publish — at 4AM, hours before the affected company was even awake to read the email. It’s far better to sit on a story for just a few hours than to publish one-sided and incorrect articles.

  14. Craig

    Tomorrow’s DirectDefense blog post:

    All Firewalls Suffer Architectural Flaw Allowing Any Any Rule:
    Dump Firewalls and Buy Cylance

  15. Snapper

    One practical point missing here is that in the vast majority of cases, files uploaded to VirusTotal are incoming external files created elsewhere, not files created by the uploading organisation.

    From the Buy side, we really are back in the bad old days of FUD marketing by particularly the newer players in the security space. They are not doing themselves any favors.

    Hear, hear great article thanks Brian.

    1. wlly

      Yes, that’s what I couldn’t understand while reading the article… why would files uploaded to VirusTotal have any confidential content in the first place? Passwords? Names? The whole premise is confusing.

      1. Adrian Sanabria

        Your instincts are correct – there should NOT be sensitive data in these files being uploaded. However, a lot of companies don’t spend much time on security for apps that typically aren’t exposed to the outside world. Lots of shortcuts are taken.

        Say your company has an app, written in C++ that manages customer information. It needs to query data from a database, and perhaps insert and update data as well. There’s a good chance you’ll find a database connect string in that executable with the name, port, username and password for that database.

  16. Quinn

    Well said, but not going to change anything, of course.

    Your ‘Pro Tip’, for example, is aimed at those that make their living doing what you suggest that they shouldn’t do.

    To paraphrase Upton Sinclair, ‘It’s hard to get someone to understand something that his salary depends on his not understanding.’

    So, this article is basically an opinion piece, obviously.

    Probably about something that irks you, because you’re such a stand up guy. (And you just wish everyone else was, too? ;^)

    Well, when it comes to opinions, everyone has one, & they’re usually happy to share them.

    Ad nauseam. Which just clutters up your site, unfortunately.

    (Come to think of it, I have a dime I can spare – I’ll take a dozen, please. ;^)

    Really like your factual pieces, though, such as ‘How A Citadel Trojan Developer Got Busted’.

    A good example of a report that was interesting and exciting and doesn’t do what you’re complaining about.

    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    BTW you seem to have my comments on a black list of some sort.

    Quite understandable. You wouldn’t be the first to try to get me to shut up.

    They’re probably off topic, anyway, being a bit of a raconteur (We called it, ‘Talking story’ when I lived in Hawaii.)

    It’s rather flattering, though, to know that I’ve been added to that grand list of all those, who throughout history have been banned for trying to tell the truth, as they understand it.

    A hardy thanks for that!

    My remarks are usually for you, Brian, anyway.

    Post them, don’t post them, not matter.

    Very best regards,

    Quinn

    1. somguy

      No blacklist, your comment complete with accusations is publically visible.

      What probably happened is it got put into the moderation queue to get approved before posting, and then you jumped to conclusions.

      1. Brian Krebs

        yes, that’s exactly what happened. Your comment has several qualities that got it flagged. There’s really no faster way to push my buttons than to accuse me of wanton censorship, so keep it up: I might just censor you yet.

        1. Richard Turnbull

          Brian, I heartily endorse your endeavor to continue what looks like allowing some fairly rollicking debate and discussion, without turning an extremely valuable online resource into something more appropriate for other venues.
          The internet isn’t exactly lacking for those other venues, where more blunt and even profane statements of moral outrage are completely suitable.

  17. Mahhn

    Saw the story on the Reg yesterday and commented that it’s a normal option in corp AV tools.
    I’m as paranoid as any InfoSec tech, but I recognize BS quick too.

    Glad to see you being critical of incomplete misleading reports.
    Would you take over managing the CIA please,,,,,

  18. Rob

    Any thoughts as to whether this is fallout from the Carbon Black/Cylance/mimikatz dustup during BlackHat?

  19. The Phisher King

    So if there were to ahve been any value in the DirectDefense report it would point at Google, being the operator of VirusTotal, as the cause of the issue, rather than Carbon Black who are merely one customer of the service.
    Instead DirectDefense have lost whatever credibility they may have had, by trying to make one of their competitors look bad.
    Short-sighted, childish and poorly thought out.

  20. Kurt Stammberger

    Great piece. Far from being a rare occurrence, this kind of behavior by security vendors is widespread, indeed almost endemic to the space. Also see: “product management by press release” :-p

  21. IRS iTUNE cards (Number 1 Fan)

    Very interesting article. These companies have to be held accountable for their actions

  22. Blue Critter

    The triviality of this is depressing. With all the lies, alternate facts and fake news about major events (including cyber-security), is this what we want to spend our time on?

  23. Gary Warner

    Could we agree perhaps there are TWO problems? Yes, someone is trying to smear a competitor. But the second problem is, people who don’t understand their CarbonBlack settings have uploaded Terabytes of inappropriate data to VirusTotal and anyone with VirusTotal Intelligence can now DOWNLOAD those files.

    Not handled “professionally” but someone does need to ring an alarm about this. The same behavior could also be pointed in many AV products. If your default install license says “Share unknown binaries with the vendor” (which most of them do) then when your developer compiles new code (thus creating a binary the AV vendor hasn’t seen before) a copy is “shared.” Fortunately most vendors don’t then RE-share it, but still a risk that people should evaluate in their internal shops.

  24. Kyle C

    This type of thing is infiriating. It just makes our jobs harder because inevitably some C level person reads these and gets all excited. We know that there is usually more to the story. It is good information but I wish those that report these things would take a more measured approach and do some basic research before setting off the alarm bells.

  25. hollistic missile

    United states will be destroyed like a bee for great north korean leader kim jong un

    1. Richard Turnbull

      I can’t resist: if this is taken as a real prediction, was it generated from your Ouija board, tarot cards, the Prophecies of Nostradamus, scrying a la John Dee, your ineffably cloudy crystal ball, a joint seance (no pun intended), astrology, or just misfiring synaptic connections within your neocortex? The bees support our current system of nourishment, birth, and the cycle of life, after all.
      We deserve to be told.

    2. Richard Turnbull

      If that was intended as a prediction, was it generated from your Ouija Board, tarot cards, scrying a la John Dee, astrology, a joint seance of mystic seers, your ineffably cloudy crystal ball, or some misfiring synaptic connections within your neocortex? The bees, after all, don’t want to be killed, and they support the food system currently deployed on the planet!
      We deserve to be told.

  26. Scott Barman

    Even though I am a regular reader, I usually do not comment but this hit a nerve. You have hit on a subject that I have been decrying behind the scenes: the proliferation of BRAVO SIERRA by commercial organizations in the name of security education that is nothing more than marketing ploys.

    I cannot tell you how many times that a White Paper by a commercial concern has been put in front of my face as being gospel. When I point out the fallacy in these papers, I am told that I am not being a “team player.” Sorry, it’s not my job to be a “yes man!” It’s my job to protect my client from the risks and not kiss the behinds of the vendors.

    White Papers by anyone, including Gartner, Forrester, and anyone else who is paid to provide this information, should all be taken with several grains of salt and should NOT be the gospel on information security!

  27. Douglas James

    This is just a sign of marketing amateurs (by Cylance) since their product tank is empty, or their feelings are hurt that they’re losing deals left and right to carbon black.
    Or being a retalatory baby in response to cb’s blog post “welcome to EDR” (which puts cylance in its place).
    This market will be dead in 2 years. sayonara!

Comments are closed.