Support • (786) 621-8600 Contact us
Demo

Recent Posts

Beware of Security by Press Release

On Wednesday, the security industry once again witnessed an all-too-familiar cycle: I call it “security by press release.” It goes a bit like this: A security firm releases a report claiming to have unearthed a major flaw in a competitor’s product; members of the trade press uncritically republish the claims without adding much clarity or waiting for responses from the affected vendor; blindsided vendor responds in a blog post showing how the issue is considerably less dire than originally claimed.

At issue are claims made by Denver-based security company DirectDefense, which published a report this week warning that Cb Response — a suite of security tools sold by competitor Carbon Black (formerly Bit9) — was leaking potentially sensitive and proprietary data from customers who use its product.

snm

DirectDefense warned about a problem with Cb Response’s use of “a cloud-based multiscanner” to scan suspicious files for malware. DirectDefense didn’t name the scanner in question, but it’s Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There’s also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.

Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. This is the full extent of the “vulnerability” that DirectDefense labeled “the world’s largest pay-for-play data exfiltration botnet.”

Carbon Black responded with its own blog post noting that the feature DirectDefense warned about was not turned on by default, and that Carbon Black informs customers of the privacy risks that may be associated with sharing files with VirusTotal.

ANALYSIS

Adrian Sanabria, a security expert and co-founder of Savage Security, published a blog post that called “bullshit” on DirectDefense’s findings, noting that the company inexplicably singles out a competitor when many other security firms similarly allow customers to submit files to VirusTotal.

“Dozens of other security vendors either have an option to automatically submit binaries (yes, whole binaries, not just the hash) to VirusTotal or do it without the customers knowledge altogether,” Sanabria wrote. “In singling out Carbon Black, DirectDefense opens itself up to criticism and closer scrutiny.”

Such as shilling for a partner firm (Cylance) that stands to gain from taking Carbon Black down a few notches in the public eye, Sanabria observed [link added].

“I personally don’t believe DirectDefense is a shill for Cylance, but in singling out one of many vendors that do the same thing, they’ve stepped into a classic PR gaffe that makes them look like one,” he wrote.

My take is that most people in corporate cybersecurity roles understand what VirusTotal is and the potential privacy risks involved in uploading files to the service — either on a one-off basis or automatically submitted through some security suite like CB Response (if not, those security folks probably need to investigate another career).

That’s not to say that organizations don’t inadvertently overshare. I’ve seen instances where entire email threads and apparently sensitive documents have been submitted to VirusTotal along with embedded malware.

Lesley Carhart, a security incident response team leader and a prolific security commentator on Twitter, said there are immense amounts of trust given VirusTotal. Carhart said if a malicious actor were able to identify individual files uploaded from a target organization to VirusTotal — even just as file hashes — they could gain lots of information about the organization, including what software suites they use, what operating systems, and which document types.

“They provide an amazing free resource for the infosec community, as well as some great paid services,” Carhart said of VirusTotal. “However, we have unintentionally given them one of the largest repositories of files in the world.”

If DirectDefense’s report helped some security people better grasp the risks of oversharing with multiscanners like VirusTotal, that’s a plus. But from where I sit, these types of overblown research reports tend to live or die by uncritical and/or unbalanced coverage in the news media — also known as “churnalism.”

My advice to tech reporters: Quit taking claims like these at face value and start asking some basic questions before publishing anything. For example, the early coverage of DirectDefense’s report in the media suggests that few reporters even asked about the identity of the multiscanner referenced throughout the report. Also, it’s clear that few (if any) reporters asked DirectDefense whether it had alerted Carbon Black before going public with their findings (it hadn’t).

Pro tip: If a researcher or company with a vulnerability “scoop” doesn’t mention interaction with the affected vendor before going public with their research, this should be a giant red flag indicating that this individual or entity is merely trying to use the media to generate short-term PR buzz, and that the “vulnerability” in question is little more than smoke and mirrors.

Source: KREBS ON SECURITY

Alleged vDOS Operators Arrested, Charged

Two young Israeli men alleged by this author to have co-founded vDOS — until recently the largest and most profitable cyber attack-for-hire service online — were arrested and formally indicted this week in Israel on conspiracy and hacking charges.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated more than two million distributed denial-of-service (DDoS) attacks over the four year period it was in business.

That story named two then 18-year-old Israelis — Yarden “applej4ck” Bidani and Itay “p1st” Huri — as the likely owners and operators of vDOS. Within hours of that story’s publication the two were detained by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

vDOS as it existed on Sept. 8, 2016.

vDOS as it existed on Sept. 8, 2016.

On Tuesday, Israeli prosecutors announced they had formally arrested and charged two 19-year-olds with conspiring to commit a felony, prohibited activities, tampering with or disrupting a computer, and storing or disseminating false information. A statement from a spokesman for the Israeli state attorney’s office said prosecutors couldn’t name the accused because their alleged crimes were committed while they were minors.

But a number of details match perfectly with previous reporting on Bidani and Huri. As noted in the original Sept. 2016 expose’ on vDOS’s alleged founders, Israeli prosecutors say the two men made more than $600,000 in two of the four years the service was in operation. vDOS was shuttered for good not longer after Bidani and Huri’s initial detention in Sept. 2016.

“The defendants were constantly improving the attack code and finding different network security weaknesses that would enable them to offer increased attack services that could overcome existing defenses and create real damage to servers and services worldwide,” Israeli prosecutors alleged of the accused and their enterprise.

“Subscribers were able to select an ‘attack’ package from the various packages offered, with the packages classified by the duration of each attack in seconds, the number of simultaneous attacks and the magnitude of the attack in Gigabits per second, and their prices ranged from $ 19.99 to $ 499.99,” the allegation continues.

19-year-old Yarden Bidani.

19-year-old Yarden Bidani.

Lawyers for Bidani and Huri could not be immediately reached for comment. But both have said their clients were merely operating a defensive “stresser” service sold to companies that wished to test whether their sites could withstand large cyberattacks.

The owners of these stresser services have sought to hide behind wordy “terms of service” agreements to which all customers must agree, arguing that these agreements absolve them of any sort of liability for how their customers use the service.

Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

In December 2016, federal investigators in the U.S. and Europe arrested nearly three-dozen people suspected of patronizing stresser services (also known as “booter” services). That crackdown was billed as part of an effort by authorities to weaken demand for these services, and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail.

In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have operated a stresser service affiliated with the hacking group known as the Lizard Squad.

KrebsOnSecurity paid a heavy price for breaking the story on vDOS’s hacking and the subsequent arrest of its alleged proprietors. Less than two weeks after those stories were published in September 2016, this site came under one of the largest DDoS attacks the Internet has ever witnessed.

That series of attacks ultimately knocked this site offline for nearly four days. According to follow-up reporting published in January 2017, the attacks were paid for by a cybercriminal who was upset and/or inconvenienced by my exposé on vDOS.

At the height of vDOS’s profitability in mid-2015, the DDoS-for-hire service was earning its then-17-year-old proprietors more than $42,000 a month in PayPal and Bitcoin payments from thousands of subscribers. That’s according to an analysis of the leaked vDOS database performed by researchers at New York University.

The vDos home page.

The vDOS home page.

Source: KREBS ON SECURITY