
Harvesting Cb Response Data Leaks - have_faith
https://www.directdefense.com/harvesting-cb-response-data-leaks-fun-profit/
======
julianj
Several months ago, I tagged a few documents and filled them with fake
passwords. I named them juicy names like 'mypasswords.xlsx' and uploaded them
to sites like virustotal and malwr. I still get notifications that they are
being viewed. The last notification was just a few days ago.

------
strunz
Cb has responded - [https://www.carbonblack.com/2017/08/09/directdefense-incorre...](https://www.carbonblack.com/2017/08/09/directdefense-incorrectly-asserts-architectural-flaw-in-cb-response/)

~~~
stedaniels
Whilst they obviously try and refute the minor details Direct Defense gets
wrong, their product should be warning their end users just a little more
strongly for such a devastating "feature".

This is a data protection officer's nightmare. If any UK company has this turned
on, the ICO could rake them over the coals and charge them millions in fines
(if they had the teeth).

~~~
jwcrux
I disagree. I think Carbon Black's disclaimer is more than sufficient:

The screenshot in Carbon Black's response clearly says that VirusTotal "makes
the binaries available for download to their partners".

And here's the relevant text in the disclaimer:

> You are hereby advised (i) VirusTotal makes the metadata publicly available
> along with scan results from dozens of anti-virus products and (ii)
> VirusTotal also makes the files available to VirusTotal partners. You must
> determine whether to elect to enable this feature at your sole discretion.

And the warning also has this text in bold:

> If you have custom business applications with confidential business
> information on your network, sharing binaries with VirusTotal may not be
> appropriate for you.

With this being optional and off by default, I think it's on the customer to
read the clear warning presented and make the call that's right for them.

~~~
bluesign
Sharing with Virustotal is not the same as sharing it with 'anyone', I suppose;
the possibility of downloading files is not acceptable.

~~~
jwcrux
I believe their characterization is accurate. Not just anyone can download
files from VT. You have to have access to their private API which is a premium
billed (and anecdotally very expensive) service.[0]

That, to me, qualifies the term "VirusTotal and their partners" as accurate,
since this is only a select group of companies who are paying VT a large sum
for access to the data.

[0] [https://www.virustotal.com/en/documentation/private-api/#fil...](https://www.virustotal.com/en/documentation/private-api/#file-feed)

~~~
user5994461
Cool, so you can pay a bit of money to get the AWS keys, ssh keys and
thousands of top secret credentials from the fortune 500.

Whatever number they charge, it is negligible for the trove of data you'll
get!

------
yodon
tldr; large companies are uploading all their files and executables to Carbon
Black to get them white listed as virus-free. The OP reports these uploaded
files are easily discoverable and inspectable by 3rd parties and contain large
numbers of AWS and Azure private keys, API tokens, and other confidential
data.

~~~
tyingq
_" these uploaded files are easily discoverable and inspectable"_

Any clues as to how they are this way? S3 buckets with credentials the same
for all customers or similar?

~~~
julianj
From the article:

> One of the useful features of this multiscanner is that they allow searching
> for similar malware to get some context, and in doing so, we stumbled across
> a couple of files that were very different.

> We noticed that the other files were all uploaded by a similar uploader.

It appears they then automated downloading samples and scanned for content.

From what I can tell, the files were discoverable by anyone that was able to
access/search this multiscanner service.

For instance, malwr.com allows the downloading of samples by authenticated
users. VirusTotal also allows researchers access to download submissions via
their private API[0].

[0] [https://www.virustotal.com/en/documentation/private-api/#fil...](https://www.virustotal.com/en/documentation/private-api/#file-feed)

~~~
chinathrow
Wow didn't know that.

I uploaded a few suspected files to virustotal for a quick check but will have
to refrain from doing that in the future.

~~~
tetrep
If you're comfortable uploading something to a server, you should be
comfortable with that server (and any of its owners/operators) reading it.

While I also didn't know those sites let other people download the samples,
that doesn't change how much I trust them, since my model has changed from
"whatever randos own this website see this file" to "whatever randos own this
website, plus whatever randos they appoint, can see this file". In either
case, I must trust "whatever randos own this site", and so them delegating
that trust shouldn't change much.

There's a bit of a grey area around uploading something to a VPS host that you
control, but unless you signed an agreement explicitly saying that your stuff
won't be looked at, expect it to be.

And for the sake of cliche, it's safest to just assume anything you upload to
the internet is public. Don't assume otherwise unless you really really need
to, and make sure there's at least some legal and/or cryptographic protection
for you if you're going that route :)

~~~
user5994461
Let's not confuse reading a file and reading a file then redistributing it to
whoever is willing to pay for it.

------
rattle1337
This article is really misleading. You have to explicitly turn on the feature
to upload files, and the product warns you explicitly of the implications when
you try to enable it.

~~~
jdc0589
I was getting progressively more and more annoyed that they weren't addressing
this as I read the article.

The setting in question is the "Analyze Unknown Binaries" options, right?
Which I believe are disabled by default in the default group settings. They
should probably have a big ass warning on there, but last time I set up CB
Response it was glaringly obvious that you shouldn't enable it.

~~~
stedaniels
You've got to admit, it's an odd feature to have. No company would ever want
this feature on. It goes against pretty much every data protection law going.
Yet they have it, and it's a click or two away with some mild small print?
Sheesh. It's like selling a walking boot with a shotgun attached pointing at
the toes with a label on the trigger saying "do not pull".

~~~
rattle1337
It's not mild small print. It's a huge popup with explicit details. I've seen
it. You've got to be an idiot to not understand what you're doing.

Some folks use it in lab environments where the information present is very
controlled.

This article is a straight up hit piece.

~~~
Avernar
Software that is designed to prevent malware from uploading sensitive
information to the internet has an option to upload sensitive information to
the internet. What idiot thought that was a good feature to add regardless of
the warnings? It makes the software do the complete opposite of what it's
supposed to do.

If someone needed that then it should have been a special version of the
software, not something that's a single option to enable. Way too easy for it
to get turned on by accident. Even smart people sometimes make mistakes, not
to mention interns, management that likes to pretend they're techies, botched
upgrades, etc.

------
brawny
You can't go browsing around VirusTotal and download other people's
submissions. So... a VT partner allows you to? Because that's what's described
here. Any idea which VT partner allows downloading of original files?

