August 18, 2017

Last week, security firm DirectDefense came under fire for over-hyping claims that Cb Response, a cybersecurity product sold by competitor Carbon Black, was leaking proprietary data from customers who use it. Carbon Black responded that the bug identified by its competitor was a feature, and that customers were amply cautioned in advance about the potential privacy risks of using the feature. Now Carbon Black is warning that an internal review has revealed a wholly separate bug in Cb Response that could in fact result in some customers unintentionally sharing sensitive files.

cblogoAs noted in last week’s story, DirectDefense warned about a problem with Cb Response’s use of Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There is also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.

Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. DirectDefense labeled the bug “the world’s largest pay-for-play data exfiltration botnet.”

Numerous industry analysts leapt to Carbon Black’s defense — with some even calling “bullshit” on the findings — pointing out that plenty of other vendors submit files through Virustotal and that DirectDefense was merely trying to besmirch a competitor’s product.

But earlier this week, Carbon Black began quietly notifying customers that an internal review of the claims revealed a completely different bug that could result in some benign customer files being miscategorized as executable files and inadvertently uploaded to Virustotal for scanning.

“On Thursday, we discovered a bug affecting a small percentage of our Cb Response customers,” said Mike Viscuso, co-founder and chief technology officer at Carbon Black. “Our review is still ongoing, but based on what we learned to date it requires a very specific customer configuration, and we have already taken steps to remediate the bug and protect our customers.”

Viscuso said this bug appears to affect a small number of Cb Response customers who have enabled VirusTotal submissions and use the program on a Mac OS in the presence of specific third-party applications. For example, he said, when a Mac user opens Spotify, the popular music service will read a configuration file in a way that causes Cb Response to classify regular content files (e.g., Microsoft Word, PDF, .TXT) as an unknown binary file. A binary file is computer-readable but not human readable; for example, executable programs (e.g., .exe files on Windows) are stored as binary files.

According to Viscuso, the bug was introduced in the Mac version of Cb Response roughly three months ago. He said part of the problem seems to stem from the file classification tool that ships with the Cb Response — explaining that the tool sometimes misclassifies corrupted binary files. One of the most common sources of corrupted binary files are antivirus products, which often modify suspected malicious binaries after placing the files in quarantine to ensure the programs can’t be accidentally run.

The Carbon Black discovery comes as more software-as-a-service providers are seeking ways to alert customers who may be inadvertently sharing sensitive data. Amazon recently launched Amazon Macie, a new security service that uses machine learning to discover and classify sensitive data such as personal information in AWS, alerting customers when such data is moved, accessed or otherwise publicly available.

Viscuso said the company was considering whether it, too, could offer any additional service that might help customers prevent the accidental sharing of content files to third-party services like VirusTotal. In the meantime, he said, Carbon Black is providing a full list of uploaded files to affected customers, asking them to report whether the files were binaries or content files.

22 thoughts on “Carbon Emissions: Oversharing Bug Puts Security Vendor Back in Spotlight

  1. JCitizen

    On a somewhat similar note. I get tired of competitors of Web-Of-Trust trying to get users to remove the venerable legacy ext/plugin because a few of the WOT servers were found to be insecure and leaking user files. Well, first of all, when you sign up for services like that, where there is no legal requirement to give your accurate personal details, why would you put them in there?

    I think WOT is getting a bad break over this, and I’m sure they are probably trying to close the leaks as fast as they can. The only site adviser comparable is McAfee’s and it insists on putting irritating by products on your machine that should be listed as PUPs by most anti-malware solutions. I would have been willing to pay a small stipend to use the McAfee product! They need to get a grip!

    I’m here to root for WOT and competitors are just dumping on them for OBVIOUS reasons.

    1. Bill

      I’d stopped using the WOT plugin because I’d read that they were actively doing some form of evil like reselling end-user data. I do miss it…

  2. mousez

    Hmm, DNS hack or what?
    Please go away – Nothing here
    OR insecure page without https:// prime for fake web page malware…
    Kreb’s true page.

  3. stine

    Now that I have to enable javascript to access your site, I won’t be returning.

  4. web security cisco

    You made a good site and giving us such a good and useful suggestions they very help us. Thanks for sharing the information with us. I am impressed with your site and also I like your site a lot.

  5. John Connor

    Are you going to acknowledge the hack the other day? Your site was vandalized and replaced with a bare-minimal front page only that contained a Javascript deobfuscator — something used to slip malware past AV and other defenses by keeping it unrecognizable until the moment before the browser’s script engine runs it.

    Visitors should know they may have been infected by something if they visited on Saturday.

    1. BrianKrebs Post author

      There was a DDoS attack over the weekend, and in response there was an interstitial page that we put in place during the attack (it even referenced Google Shield). Nothing was hacked. But thanks for not being a jerk about it or jumping to conclusions.

      1. John Connor

        Well apparently “they” went about it in a cack-handed way then. There was no apparent way to proceed to the main site — which amounts to vandalism, no matter who did it. I don’t recall any mention of Google. And why was there a deobfuscator in the page source? Those have no legitimate purpose.

        1. BrianKrebs Post author

          It was a simple javascript challenge. All you had to do was unblock/enable a single script to run, which was designed to separate readers from bots. That’s all. And it lasted for a few hours on a weekend. So, put away your self-entitled, sanctimonious tinfoil hat and calm down. You obviously understand very little about DDoS defense mitigation techniques.

      2. Werner von Kluubat

        Well a pparently “they” went about it in a ca ck-handed way then. There was no evident way to pro ceed to the main site — which am ounts to v andalism, no matter who did it. I don’t re call any mentio n of Go ogle. And why was there a de obfus cator in the page s ource? Those have no legi timate purp ose.

        1. BrianKrebs Post author

          I really don’t know what your problem is, but the site wasn’t hacked so why don’t you go waste someone else’s time. Any additional comments from you about this will be deleted.

  6. Eve

    Are you going to ack nowledge the ha ck the other day? Your site was vand alized and replaced with a bare-minimal front page only that contained a Javasc ript deob fuscator — something used to slip ma lware past AV and other def enses by keeping it unrecog nizable until the moment before the bro wser’s sc ript engine runs it.

    Visi tors should know they may have been inf ected by something if they visited on Saturday.

  7. mark

    I have other, very serious issues with CarbonBlack. DHS required us to install it… on Linux. Including on computational servers. One simply does NOT want some idiot software scanning many, many gigabyte data files every time they’re accessed….

    Further, I, personally, have seen numerous times in the months since it was installed, where the daemon part of it – there’s a kernel part, as well – was running at 100% of the CPU, for between 5 min and over an hour.

    1. Gary

      I think you misunderstand how CB/Bit9 works. If it’s running at 100%, its likely just been installed and is performing discovery. While Bit9 can be configured to do some FIM functions on non-binaries, default behavior is to discover all binaries, hash them, monitor all binary execution and stop execution of bad/unapproved file hash binaries. By default, it ignores “data” files.

  8. 86Lynell

    I see you don’t monetize your site, don’t waste your traffic,
    you can earn extra bucks every month because you’ve got hi quality content.

    If you want to know how to make extra $$$, search for:
    best adsense alternative Wrastain’s tools

  9. Robert Scroggins

    Thanks for the heads up yesterday, Brian, and for the follow-up today.

    Just ignore those dumb comments you get from people who haven’t a clue. Your work is appreciated by many.


Comments are closed.