Kevin Wilkins CISSP – Chief Technology Officer

Gizmodo reports that a security researcher called DirectDefense discovered sensitive information uploaded to VirusTotal by Carbon Black endpoint agents.

So, Carbon Black does cloud-based scanning.  Lots of security tools do this.  But what happens to that data to keep it private in the cloud?  In this case the security tool is uploading to a third party instead of managing their own infrastructure – which would give them more control of privacy.  The data goes to VirusTotal, a large shared platform for collaborative malware analysis.   From there it appears VirusTotal “Private API” users can look at everything that was submitted?

The goal of this process is admirable, but perhaps VirusTotal is a bit TOO open considering the type of data that is being submitted.  I have used VirusTotal personally, but only submitting individual samples of individually suspicious files encountered in the wild and not deemed proprietary.  Carbon Black and presumably others endpoint security tools appear to be uploading samples automatically and in large volumes.

“While the leaked data is not generally available online, DirectDefense believes it is accessible to governments, corporations and security teams willing to pay premium for access” – in this case the DirectDefense researcher was indeed granted access and was surprised at what was found.

The researcher is “unsure if the problem was unique to Carbon Black, ‘only that Carbon Black’s prevalence in the marketspace and the design of their solution’s architecture seems to be providing a significant amount in data exfiltration.’”

Carbon Black responds that this is an optional feature which is “off” by default and that customers are informed of the privacy risks in using it.  Per the Carbon Black CTO, “It is also not a foundational architectural flaw.”


Public vs Private API

While many of the endpoints and features provided by the VirusTotal API are freely accessible to all registered users, some of them are restricted to our premium customers only. Those endpoints and features constitute the VirusTotal Private API.

The Private API has the following advantages over the Public API:

* Enables you to download submitted samples for further research, along with the network traffic captures they generate upon execution and their detailed execution reports.

Nice.  Can I play too?