Carbon Emissions: Oversharing Bug Puts Security Vendor Back in Spotlight

https://krebsonsecurity.com/2017/08/carbon-emissions-oversharing-bug-puts-security-vendor-back-in-spotlight/

Last week, security firm DirectDefense came under fire for over-hyping claims that Cb Response, a cybersecurity product sold by competitor Carbon Black, was leaking proprietary data from customers who use it. Carbon Black responded that the bug identified by its competitor was a feature, and that customers were amply cautioned in advance about the potential privacy risks of using the feature. Now Carbon Black is warning that an internal review has revealed a wholly separate bug in Cb Response that could in fact result in some customers unintentionally sharing sensitive files.

As noted in last week’s story, DirectDefense warned about a problem with Cb Response’s use of Google’s VirusTotal — a free tool that lets anyone submit a suspicious file and have it scanned against dozens of commercial anti-malware tools. There is also a paid version of VirusTotal that allows customers to examine any file uploaded to the service.

Specifically, DirectDefense claimed that Cb Response’s sharing of suspicious files with VirusTotal could expose sensitive data because VirusTotal allows paying customers to download any files submitted by other users. DirectDefense labeled the bug “the world’s largest pay-for-play data exfiltration botnet.”

Numerous industry analysts leapt to Carbon Black’s defense — with some even calling “bullshit” on the findings — pointing out that plenty of other vendors submit files through VirusTotal and that DirectDefense was merely trying to besmirch a competitor’s product.

But earlier this week, Carbon Black began quietly notifying customers that an internal review of the claims revealed a completely different bug that could result in some benign customer files being miscategorized as executable files and inadvertently uploaded to VirusTotal for scanning.

“On Thursday, we discovered a bug affecting a small percentage of our Cb Response customers,” said Mike Viscuso, co-founder and chief technology officer at Carbon Black. “Our review is still ongoing, but based on what we learned to date it requires a very specific customer configuration, and we have already taken steps to remediate the bug and protect our customers.”

Viscuso said this bug appears to affect a small number of Cb Response customers who have enabled VirusTotal submissions and use the program on a Mac OS in the presence of specific third-party applications. For example, he said, when a Mac user opens Spotify, the popular music service will read a configuration file in a way that causes Cb Response to classify regular content files (e.g., Microsoft Word, PDF, .TXT) as an unknown binary file. A binary file is computer-readable but not human readable; for example, executable programs (e.g., .exe files on Windows) are stored as binary files.

According to Viscuso, the bug was introduced in the Mac version of Cb Response roughly three months ago. He said part of the problem seems to stem from the file classification tool that ships with Cb Response — explaining that the tool sometimes misclassifies corrupted binary files. One of the most common sources of corrupted binary files is antivirus products, which often modify suspected malicious binaries after placing the files in quarantine to ensure the programs can’t be accidentally run.
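As an added example (not Carbon Black's or Cb Response's code), the following Python gate shows the fail-closed alternative to the misclassification described above: only files whose executable header is positively recognised are eligible for third-party submission, while documents, plain text and truncated or corrupted binaries stay local. All file samples are constructed, and the header checks are simplified assumptions drawn from the Mach-O, ELF and PE formats.

```python
"""Fail-closed gate deciding whether a file may leave for a third-party scanner.

Added example, not Carbon Black's code. It shows why "anything that is not plain
text is an unknown binary" is the wrong upload rule (documents get swept up): the
gate submits only files whose executable container is positively recognised;
documents, text and truncated or corrupted binaries (e.g. quarantine-modified
samples) stay local. All sample inputs below are constructed.
"""
import struct

MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xfe\xed\xfa\xcf",  # Mach-O 32/64-bit, big-endian
                b"\xce\xfa\xed\xfe", b"\xcf\xfa\xed\xfe"}  # Mach-O 32/64-bit, little-endian
FAT_MAGIC = b"\xca\xfe\xba\xbe"  # universal binary; Java .class files share this magic
CONTENT_MAGICS = {b"%PDF-": "pdf",
                  b"PK\x03\x04": "zip container (docx/xlsx/pptx)",
                  b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole2 (legacy .doc/.xls)"}
TEXT_BYTES = set(range(0x20, 0x7f)) | {0x09, 0x0a, 0x0d}


def naive_classify(data: bytes) -> str:
    """The fragile rule: whatever is not printable text is an 'unknown binary'."""
    return "text" if data and all(b in TEXT_BYTES for b in data) else "unknown binary"


def classify(data: bytes) -> str:
    """Positive identification by header; anything unrecognised is never 'executable'."""
    if data[:4] in MACHO_MAGICS:
        # mach_header is 28 bytes (32-bit) or 32 bytes (64-bit); shorter means truncated.
        need = 32 if data[:4] in (b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe") else 28
        return "executable" if len(data) >= need else "corrupt-binary"
    if data[:4] == FAT_MAGIC:
        # fat_header: magic, nfat_arch (big-endian), then 20-byte fat_arch entries;
        # a sane nfat_arch also rejects Java .class files, which share the magic.
        nfat = struct.unpack(">I", data[4:8])[0] if len(data) >= 8 else 0
        ok = 1 <= nfat <= 16 and len(data) >= 8 + 20 * nfat
        return "executable" if ok else "corrupt-binary"
    if data[:4] == b"\x7fELF":
        need = 64 if data[4:5] == b"\x02" else 52  # ELF64 vs ELF32 header size
        return "executable" if len(data) >= need else "corrupt-binary"
    if data[:2] == b"MZ":
        # PE: e_lfanew at 0x3c must point at a 'PE\0\0' signature inside the file.
        if len(data) >= 0x40:
            off = struct.unpack("<I", data[0x3c:0x40])[0]
            if off + 4 <= len(data) and data[off:off + 4] == b"PE\0\0":
                return "executable"
        return "corrupt-binary"
    for magic, kind in CONTENT_MAGICS.items():
        if data.startswith(magic):
            return "content:" + kind
    return "text" if naive_classify(data) == "text" else "unknown"


def may_submit(data: bytes) -> bool:
    """Only positively identified executables leave the customer's environment."""
    return classify(data) == "executable"


SAMPLES = {  # constructed inputs
    "macho64": b"\xcf\xfa\xed\xfe" + b"\x00" * 28,  # minimal 64-bit Mach-O header
    "pe_ok": b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40) + b"PE\0\0",
    "fat_truncated": FAT_MAGIC + struct.pack(">I", 2) + b"\x00" * 10,  # 2 archs claimed, cut short
    "pe_no_header": b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x1000) + b"\x00" * 8,  # e_lfanew past EOF
    "pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",  # non-text comment bytes, still a document
    "docx": b"PK\x03\x04\x14\x00\x06\x00[Content_Types].xml",
    "txt": b"quarterly numbers\nrevenue: 12\n",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14} naive={naive_classify(blob):15} gate={classify(blob):32} submit={may_submit(blob)}")
```

Running it side by side shows the naive rule labelling the PDF and the .docx as "unknown binary" while the header gate keeps them local and holds back the truncated binaries too.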

The Carbon Black discovery comes as more software-as-a-service providers are seeking ways to alert customers who may be inadvertently sharing sensitive data. Amazon recently launched Amazon Macie, a new security service that uses machine learning to discover and classify sensitive data such as personal information in AWS, alerting customers when such data is moved, accessed or otherwise publicly available.

Viscuso said the company was considering whether it, too, could offer any additional service that might help customers prevent the accidental sharing of content files to third-party services like VirusTotal. In the meantime, he said, Carbon Black is providing a full list of uploaded files to affected customers, asking them to report whether the files were binaries or content files.


"That's too bad": Trump carelessly shrugs off U.S. military on eve of Afghanistan speech (Eric Boehlert/Shareblue)

http://www.memeorandum.com/170821/p43#a170821p43


Eric Boehlert / Shareblue:

“That’s too bad”: Trump carelessly shrugs off U.S. military on eve of Afghanistan speech — Donald Trump is scheduled to address the nation Monday night to unveil his new plan to try to win the 16-year war in Afghanistan. The strategy may include an escalation of combat, with Trump sending more U.S. troops to put their lives at risk.


August 18, 2017: Former Police Officer Pleads Guilty to Trafficking Steroids, Money Laundering


November 2, 2015: Owner of Bodybuilding Drug Companies Admits to Selling Misbranded Drugs

https://www.fda.gov/ICECI/CriminalInvestigations/ucm473579.htm


Commission and Commission Staff Issue Updates to Interpretive Guidance on Revenue Recognition

https://www.sec.gov/news/press-release/2017-145

The Securities and Exchange Commission today issued two releases and the SEC staff released a Staff Accounting Bulletin to update interpretive guidance regarding revenue recognition.

Consistent with developments in private-sector accounting standard setting, the SEC issued a release to update its guidance for bill-and-hold arrangements by stating that registrants should no longer refer to the criteria in Accounting and Auditing Enforcement Release No. 108, In the Matter of Stewart Parness (AAER 108), to recognize revenue for such arrangements upon the registrants’ adoption of Accounting Standards Codification (ASC) Topic 606, Revenue from Contracts with Customers. The release states that until a registrant adopts ASC Topic 606, it should continue referring to the guidance included in AAER 108.

In addition, the SEC issued a release to update its 2005 Commission Guidance Regarding Accounting for Sales of Vaccines and Bioterror Countermeasures to the Federal Government for Placement into the Pediatric Vaccine Stockpile or the Strategic National Stockpile. The release states that consistent with ASC Topic 606, manufacturers should recognize revenue for vaccines that are placed into the Vaccines for Children Program and the Strategic National Stockpile. The release states that until a registrant adopts ASC Topic 606, it should continue referring to the guidance included in the 2005 Release.

Separately, the SEC’s Office of the Chief Accountant and Division of Corporation Finance released Staff Accounting Bulletin (SAB) No. 116 that brings existing SEC staff guidance into conformity with the Financial Accounting Standard Board’s adoption of and amendments to ASC Topic 606. The SAB modifies SAB Topic 13, Revenue Recognition, SAB Topic 8, Retail Companies, and Section A, Operating-Differential Subsidies of SAB Topic 11, Miscellaneous Disclosure. The guidance in SAB 116 applies upon a registrant’s adoption of ASC Topic 606. Until such time, the SAB states that registrants should continue referring to prior staff guidance on revenue recognition.

The statements in Staff Accounting Bulletins are not Commission rules or interpretations nor are they published as bearing the Commission’s official approval. They represent interpretations and practices followed by the SEC’s Office of the Chief Accountant and the Division of Corporation Finance in administering the federal securities laws.



Blowing the Whistle on Bad Attribution

The New York Times this week published a fascinating story about a young programmer in Ukraine who’d turned himself in to the local police. The Times says the man did so after one of his software tools was identified by the U.S. government as part of the arsenal used by Russian hackers suspected of hacking into the Democratic National Committee (DNC) last year. It’s a good read, as long as you can ignore that the premise of the piece is completely wrong.

The story, “In Ukraine, a Malware Expert Who Could Blow the Whistle on Russian Hacking,” details the plight of a hacker in Kiev better known as “Profexer,” who has reportedly agreed to be a witness for the FBI. From the story:

“Profexer’s posts, already accessible to only a small band of fellow hackers and cybercriminals looking for software tips, blinked out in January — just days after American intelligence agencies publicly identified a program he had written as one tool used in Russian hacking in the United States. American intelligence agencies have determined Russian hackers were behind the electronic break-in of the Democratic National Committee.”

The Times’ reasoning for focusing on the travails of Mr. Profexer comes from the “GRIZZLYSTEPPE” report, a collection of technical indicators or attack “signatures” published in December 2016 by the U.S. government that companies can use to determine whether their networks may be compromised by a number of different Russian cybercrime groups.

The only trouble is nothing in the GRIZZLYSTEPPE report said which of those technical indicators were found in the DNC hack. In fact, Profexer’s “P.A.S. Web shell” tool — a program designed to insert a digital backdoor that lets attackers control a hacked Web site remotely — was specifically not among the hacking tools found in the DNC break-in.

The P.A.S. Web shell, as previously offered for free on the now-defunct site profexer[dot]name.


That’s according to Crowdstrike, the company called in to examine the DNC’s servers following the intrusion. In a statement released to KrebsOnSecurity, Crowdstrike said it published the list of malware that it found was used in the DNC hack, and that the Web shell named in the New York Times story was not on that list.

Robert M. Lee is founder of the industrial cybersecurity firm Dragos, Inc. and an expert on the challenges associated with attribution in cybercrime. In a post on his personal blog, Lee challenged The Times on its conclusions.

“The GRIZZLYSTEPPE report has nothing to do with the DNC breach though and was a collection of technical indicators the government compiled from multiple agencies all working different Russian related threat groups,” Lee wrote.

“The threat group that compromised the DNC was Russian but not all Russian groups broke into the DNC,” he continued. “The GRIZZLYSTEPPE report was also highly criticized for its lack of accuracy and lack of a clear message and purpose. I covered it here on my blog but that was also picked up by numerous journalists and covered elsewhere [link added]. In other words, there’s no excuse for not knowing how widely criticized the GRIZZLYSTEPPE report was before citing it as good evidence in a NYT piece.”

Perhaps in response to Lee’s blog post, The Times issued a correction to the story, re-writing the above-quoted and indented paragraph to read:

“It is the first known instance of a living witness emerging from the arid mass of technical detail that has so far shaped the investigation into the election hacking and the heated debate it has stirred. The Ukrainian police declined to divulge the man’s name or other details, other than that he is living in Ukraine and has not been arrested.”

[Side note: Profexer may well have been doxed by this publication just weeks after the GRIZZLYSTEPPE report was released.]

This would not be the first time the GRIZZLYSTEPPE report provided fodder for some too-hasty hacking conclusions by a major newspaper. On December 31, 2016, The Washington Post published a breathless story reporting that an electric utility in Vermont had been compromised by Russian hackers who had penetrated the U.S. electric grid.

The Post cited unnamed “U.S. officials” saying the Vermont utility had found a threat signature from the GRIZZLYSTEPPE report inside its networks. Not long after the story ran, the utility in question said it detected the malware signature in a single laptop that was not connected to the grid, and the Post was forced to significantly walk back its story.

Matt Tait, a senior fellow at the Robert Strauss Center for International Security and Law at UT Austin, said indicators of compromise or IOCs like those listed in the GRIZZLYSTEPPE report have limited value in attributing who may be responsible for an online attack.

“It’s a classic problem that these IOCs indicate you may be compromised, but they’re not very good for attribution,” Tait said. “The Grizzly Steppe report is a massive file of signatures, and loads of people have run those, found various things on their network, and then assumed it’s all related to the DNC hack. But there’s absolutely no tie between the DNC hack that in any way involved this P.A.S. Web shell.”

If it’s not always clear how seriously to take conclusions from Uncle Sam about the sources of cybercrime, it certainly doesn’t help when intelligence agencies are still relying on discredited sources of information about the sources of cyberattacks. As Mr. Lee observed at the top of his blog post, the Twitter account for the U.S. Defense Intelligence Agency tweeted on Aug. 14, 2017: “Cyber attacks going on right now #DoDIIS17”.

The DIA tweet included a brief video of the global threat map produced by Norse Corp., a company whose lovely but otherwise misguided efforts at cyber attack attribution have been repeatedly denounced by Lee and other cybersecurity experts. For more on how Norse self-destructed from the inside, see my Jan. 2016 story, Sources: Security Firm Norse Corp. Imploding.


One final note: Wired.com has a lengthy but tremendous new story worth reading called A Guide to Russia’s High Tech Tool Box for Subverting US Democracy. It makes a convincing case that the real, long-term goal of Russian state-sponsored hacking activity is to sow public and popular distrust in the democratic process and to weaken democratic institutions inside countries that support the North Atlantic Treaty Organization (NATO).


Do the Police Need a Search Warrant to Access Cell Phone Location Data?

https://www.schneier.com/blog/archives/2017/08/do_the_police_n.html

The US Supreme Court is deciding a case that will establish whether the police need a warrant to access cell phone location data. This week I signed on to an amicus brief from a wide array of security technologists outlining the technical arguments as to why the answer should be yes. Susan Landau summarized our arguments.

A bunch of tech companies also submitted a brief.


Bill Gates Donates $4.6 Billion in Shares He Held at Microsoft

https://learningsimplify.com/2017/08/17/bill-gates-donates-4-6-billion-shares-held-microsoft/

Bill Gates, the billionaire and American philanthropist, has just made a donation estimated at 4.6 billion USD to a recipient who, for now, remains unknown. It is the largest donation the American businessman has made since the beginning of this century.

Bill Gates gave away 64 million shares of the Windows publisher, the IT company he founded with Paul Allen in the mid-1970s. The shares were valued at $4.6 billion on June 6. Bloomberg disclosed the information based on a document published Monday by the US Securities & Exchange Commission (SEC), the US stock market regulator.

Although there is no information available to identify the beneficiary of this donation for the time being, there is broad consensus that the gift is most likely destined for the Bill & Melinda Gates Foundation. As a reminder, this is the foundation he launched with his wife Melinda 17 years ago. Indeed, Mr. Gates has made the majority of his donations to the charity that he and his wife set up and use to support the causes they champion.

Twenty-one years ago, the 61-year-old American billionaire still held 24 percent of Microsoft’s shares. Today, he owns only 1.3 percent of the technology company he created.

This is not the businessman’s first move of the kind: Bill Gates had previously donated $16 billion to charities in the form of Microsoft shares he held. The year after, in 2000, he gave $5.1 billion to the Bill & Melinda Gates Foundation at the time of its creation.

According to a study by the Gates Foundation based on the value of shares and cash given since 1994 by Bill and Melinda Gates, they have already spent about $35 billion to support charities. With US investor and billionaire Warren Buffett, Gates founded the Giving Pledge in 2010, an organization that currently has more than 168 donors. The following figure shows the three largest US donors since the beginning of 2017.

Despite having parted with so much money (about 5% of his fortune), Bill Gates still has a colossal fortune, now estimated at 86.1 billion USD, and he is still ranked as the richest man on the planet.

In July, Jeff Bezos, the boss of Amazon, briefly dethroned the Microsoft co-founder in this ranking to become the richest man in the world. However, he held the position only for a few hours before Gates regained it.

Today, the largest individual holder of Microsoft shares is Steve Ballmer, the company’s former boss, who handed over to Satya Nadella in 2014. So far, neither Microsoft nor Bill Gates has commented on the announcement.
