On Wednesday, the security industry once again witnessed an all-too-familiar cycle: I call it “security by press release.” It goes a bit like this: A security firm releases a report claiming to have unearthed a major flaw in a competitor’s product; members of the trade press uncritically republish the claims without adding much clarity or waiting for responses from the affected vendor; blindsided vendor responds in a blog post showing how the issue is considerably less dire than originally claimed.
At issue are claims made by Denver-based security company DirectDefense, which published a report this week warning that Cb Response — a suite of security tools sold by competitor Carbon Black (formerly Bit9) — was leaking potentially sensitive and proprietary data from customers who use its product.
DirectDefense warned about a problem with Cb Response’s use of “a cloud-based multiscanner” to scan suspicious files for malware. DirectDefense didn’t name the scanner in question, but it’s Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There’s also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.
Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. This is the full extent of the “vulnerability” that DirectDefense labeled “the world’s largest pay-for-play data exfiltration botnet.”
Carbon Black responded with its own blog post noting that the feature DirectDefense warned about was not turned on by default, and that Carbon Black informs customers of the privacy risks that may be associated with sharing files with VirusTotal.
Adrian Sanabria, a security expert and founder of Savage Security, published a blog post that called “bullshit” on DirectDefense’s findings, noting that the company inexplicably singles out a competitor when many other security firms similarly allow customers to submit files to VirusTotal.
“Dozens of other security vendors either have an option to automatically submit binaries (yes, whole binaries, not just the hash) to VirusTotal or do it without the customers knowledge altogether,” Sanabria wrote. “In singling out Carbon Black, DirectDefense opens itself up to criticism and closer scrutiny.”
Such as shilling for a partner firm (Cylance) that stands to gain from taking Cabon Black down a few notches in the public eye, Sanabria observed [link added].
“I personally don’t believe DirectDefense is a shill for Cylance, but in singling out one of many vendors that do the same thing, they’ve stepped into a classic PR gaffe that makes them look like one,” he wrote.
My take is that most people in corporate cybersecurity roles understand what VirusTotal is and the potential privacy risks involved in uploading files to the service — either on a one-off basis or automatically submitted through some security suite like CB Response (if not, those security folks probably need to investigate another career).
That’s not to say that organizations don’t inadvertently overshare. I’ve seen instances where entire email threads and apparently sensitive documents have been submitted to VirusTotal along with embedded malware.
Leslie Carhart, a security incident response team leader and a prolific security commentator on Twitter, said there are immense amounts of trust given VirusTotal. Carhart said if a malicious actor were able to identify individual files uploaded from a target organization to VirusTotal — even just as file hashes — they could gain lots of information about the organization, including what software suites they use, what operating systems, and which document types.
“They provide an amazing free resource for the infosec community, as well as some great paid services,” Carhart said of VirusTotal. “However, we have unintentionally given them one of the largest repositories of files in the world.”
If DirectDefense’s report helped some security people better grasp the risks of oversharing with multiscanners like VirusTotal, that’s a plus. But from where I sit, these types of overblown research reports tend to live or die by uncritical and/or unbalanced coverage in the news media — also known as “churnalism.”
My advice to tech reporters: Quit taking claims like these at face value and start asking some basic questions before publishing anything. For example, the early coverage of DirectDefense’s report in the media suggests that few reporters even asked about the identity of the multiscanner referenced throughout the report. Also, it’s clear that few (if any) reporters asked DirectDefense whether it had alerted Carbon Black before going public with their findings (it hadn’t).
Pro tip: If a researcher or company with a vulnerability “scoop” doesn’t mention interaction with the affected vendor before going public with their research, this should be a giant red flag indicating that this individual or entity is merely trying to use the media to generate short-term PR buzz, and that the “vulnerability” in question is little more than smoke and mirrors.