August 06, 2019

ExtraHop Issues Warning About "Phoning Home" in New Security Advisory

Written by
Rate this item
(0 votes)

ExtraHop, the leader in cloud-first detection and response for the hybrid enterprise, today issued a security advisory exposing several cases of third-party vendors "phoning home" proprietary data without the knowledge of or authorization from their customers. The advisory serves as a warning to all enterprises to hold their vendors more accountable for how they use customer data.

The newly-issued advisory defines phoning home as a host connecting to a server for the purpose of sending data to the server, the "white hat" term for exfiltrating data. According to the report, phoning data home is a common practice that can be used for legitimate and useful reasons with the customer's consent. But when customers are unaware of this vendor exfiltration, it risks exposure of sensitive data, such as Personally Identifiable Information (PII), in violation of increasingly strict privacy regulations.

"We decided to issue this advisory after seeing a concerning uptick in this kind of undisclosed phoning home by vendors," said Jeff Costlow, ExtraHop CISO. "What was most alarming to us was that two of the four cases in the advisory were perpetrated by prominent cybersecurity vendors. These are vendors that enterprises rely on to safeguard their data. We're urging enterprises to establish better visibility of their networks and their vendors to make sure this kind of security malpractice doesn't go unchecked."

The advisory highlights four cases spanning the financial services, healthcare, and food service industries where ExtraHop documented vendors phoning home their customers' data without the customer's knowledge or authorization, including:

  • Foul-play in financial services. During a recent training session, ExtraHop noticed that domain controllers were shipping data to a public cloud instance. The customer had no idea that domain controllers were sending SSL traffic outbound to 50 different public cloud endpoints controlled by the vendor. The report documents how a prominent cybersecurity vendor had been doing this for at least two months.
  • Medical device malpractice. A U.S. hospital was piloting a medical device management product that was only to be used on designated hospital Wi-Fi to ensure patient data privacy and HIPAA compliance. ExtraHop noticed that traffic from the workstation that was managing the initial device rollout was opening encrypted SSL:443 connections to vendor-owned cloud storage, in strict violation of HIPAA regulations.
  • When shadow IT phones home to China. While ExtraHop was onsite with a large multinational food services customer, they discovered that approximately every 30 minutes, a network-connected device was sending UDP traffic out to a questionable IP address. The device in question was a Chinese manufactured security camera that was phoning home to an IP address known to be associated with malware downloads.
  • When "on-box analysis" isn't entirely "on box." During a proof-of-concept (POC) with a financial services institution, ExtraHop noticed a large volume of outbound traffic headed from the customer's U.S. datacenter to the United Kingdom. More than 400GB per day over two-and-a-half days (totaling more than 1TB of data) was exfiltrated by a security vendor that was also in a POC with the financial services institution. The customer was surprised because the vendor claimed to perform all analysis and machine learning "on-box"-meaning on the appliance deployed in the customer's environment.

ExtraHop's security advisory recommends that companies take the following actions to mitigate these kinds of phoning-home risks:

  • Monitor for vendor activity: Watch for unexpected vendor activity on your network, whether they are an active vendor, a former vendor or even a vendor post-evaluation.
  • Monitor egress traffic: Be aware of egress traffic, especially from sensitive assets such as domain controllers. When egress traffic is detected, always match it to approved applications and services.
  • Track deployment: While under evaluation, track deployments of software agents.
  • Understand regulatory considerations: Be informed about the regulatory and compliance considerations of data crossing political and geographic boundaries.
  • Understand contract agreements: Track whether data is used in compliance with vendor contract agreements.

ExtraHop also urges companies to ask questions of their vendors to ensure they understand how their data is being used, where their data is going and the vendor protocols for phoning home. ExtraHop believes these actions will hold vendors more accountable and ultimately limit the exposure of sensitive enterprise data.

Click here to download the complete Phoning Home Security Advisory.

David Marshall

David Marshall has been involved in the technology industry for over 19 years, and he's been working with virtualization software since 1999. He was able to become an industry expert in virtualization by becoming a pioneer in that field - one of the few people in the industry allowed to work with Alpha stage server virtualization software from industry leaders: VMware (ESX Server), Connectix and Microsoft (Virtual Server).

Through the years, he has invented, marketed and helped launch a number of successful virtualization software companies and products. David holds a BS degree in Finance, an Information Technology Certification, and a number of vendor certifications from Microsoft, CompTia and others. He's also co-authored two published books: "VMware ESX Essentials in the Virtual Data Center" and "Advanced Server Virtualization: VMware and Microsoft Platforms in the Virtual Data Center" and acted as technical editor for two popular Virtualization "For Dummies" books. With his remaining spare time, David founded and operates one of the oldest independent virtualization news blogs, VMblog.com. And co-founded CloudCow.com, a publication dedicated to Cloud Computing. Starting in 2009 and continuing all the way to 2016, David has been honored with the vExpert distinction by VMware for his virtualization evangelism.

Platinum Sponsors

Learn more about Bitdefender

Learn more about Datrium

Learn more about Extrahop

Learn more about FireMon

logo hitachi 600

Learn more about LG Business Solutions

Learn more about Liquidware

Learn more about Solarwinds

Learn more about Veeam

Learn more about Zadara

Gold Sponsors

Learn more about iland

Learn more about Pivot3

Learn more about Morpheus

logo nakivo 600

Learn More about Platform9

Learn more about thinprint

Learn more about vembu

Learn more about virtustream

Learn more about Zerto

Latest Tweets

Latest Videos

vmworld through the years | Infographic

  • VMWorld Through the Years Tour 2004-2019 | Infographic

    VMworld is the premiere virtualization and cloud computing event held every year by VMware going back to 2004 when it kicked things off in San Diego.  This year, the show returns to San Francisco after a three year run in Las Vegas.

    Come along as VMblog takes you on a tour of VMworld through the years, rock and roll style.  View the City and Attendance play bill.  View the VMworld Set List.  Find out how many Keynotes were hosted by which CEO.  What about the bands who have played over the years?  Check out the key updates made during each VMworld event and the tag lines used over the years.  And find out which vendors you should be adding to your must see list at VMworld 2019.

    If you enjoy our Infographic as much as we do, please consider sharing it via Social Media or by embedding it on your blog (using the embed code below and linking back to us).

    Enjoy!  See you there.