Carbon Black denies its IT security guard system oozes customer secrets

Security firms are, understandably, quite sensitive about claims that their products are insecure, so accusations of this sort tend to cause a kerfuffle.

On Wednesday, security consultancy DirectDefense published a blog post alleging endpoint security vendor Carbon Black's Cb Response protection software would, once installed for a customer, spew sensitive data to third parties. This included customers' AWS, Azure and Google Compute private keys, internal usernames and passwords, proprietary internal applications, and two-factor authentication secrets, allegedly.

DirectDefense boss Jim Broome said the problem stems from the way Cb Response patrols corporate file systems, and transmits data out to third-party malware scanners to check whether files are legit or infected with nasties. If a Cb Response installation doesn't recognize a document or executable, it can punt it out to multiple scanners to see if they have come across the binaries before, and work out if they're safe or need quarantining.

"This means that files uploaded by Cb Response customers first go to Carbon Black (or their local Carbon Black server instance), but then are immediately forwarded to a cloud-based multiscanner, where they are dutifully spread to anyone that wants them and is willing to pay," he claimed.

"Welcome to the world's largest pay-for-play data exfiltration botnet."

By cloud-based multiscanner, he means VirusTotal, by the way. VT subscribers have access to a feed of data uploaded to the service.

Broome said his team discovered data flowing from Cb Response to VirusTotal while working for a client last year, and has since found multiple organizations using the Cb Response system. He said he went public with their findings to warn people – without informing the vendor – and put out a press release to highlight the supposed danger.

However, Carbon Black has fired back with a blog post of its own, claiming DirectDefense got its facts completely wrong. It's not a bug causing the data emissions – it's a feature that's turned off by default.

Bug? Feature?

"This is an optional feature, turned off by default, to allow customers to share information with external sources for additional ability to detect threats," said Michael Viscuso, cofounder of Carbon Black.

"In Cb Response, there is an optional, customer-controlled configuration (disabled by default) that allows the uploading of binaries (executables) to VirusTotal for additional threat analysis. This option can be enabled by a customer, on a per-sensor group basis. When enabled, executable files will be uploaded to VirusTotal, a public repository and scanning service owned by Google."

He pointed out that even with the information sharing feature turned on, users can customize exactly what data is sent out of the network. There's also a popup warning page telling admins that they are sending data outside the company network.

He also said DirectDefense could have contacted them about this before creating a big fuss about it, and Carbon Black would have explained the issue.

A spokeswoman for DirectDefense told The Register that they didn't tip off Carbon Black about the issue because it didn't consider the data transmission a vulnerability, instead describing it "a function of how the tool is architected."

"Yes, we've seen this feature setting in the product and in the manual that stated this is off by default," the biz admitted in a followup blog post.

"However, the recommendations or messaging from Carbon Black's professional services team during the course of installing the product is to turn this feature on to help accelerate the analysis of the file scans."

So DirectDefense decided to "educate users" about the issue, albeit in somewhat alarmist terms. Education or PR stunt that backfired – you decide. ®

PS: Infosec veteran Adrian Sanabria had this to say about DirectDefense's claims: "Is this bullshit? Short version? Yes."