A blog about generally interesting infosec stuff by Darren Fuller/Paul Marsh, SecQuest Information Security https://www.secquest.co.uk

Wednesday, 9 April 2014

Trend Micro File Harvesting

Going back a year or two, we blogged about Microsoft's SmartScreen filter sending potentially sensitive file information to Microsoft's servers, which then download the files after they've been downloaded by Internet Explorer. If you're putting super-secret-file.zip on a server for someone, you probably don't want anyone else coming along and hoovering that up!

We've recently become aware that some versions of Trend antivirus products do exactly the same.

So, as before with Microsoft, this is the breakdown for Trend:

Original request for file
x.x.x.x - - [07/Apr/2014:13:46:58 +0100] "GET /super-secret-file.zip HTTP/1.1" 200 122880 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"

Trend's requests for file
150-70-173-44.trendmicro.com - - [07/Apr/2014:13:48:14 +0100] "GET /super-secret-file.zip HTTP/1.1" 200 122880 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"

150-70-172-111.trendmicro.com - - [07/Apr/2014:13:49:35 +0100] "GET /super-secret-file.zip HTTP/1.0" 200 122880 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"

So yet another example of companies grabbing data without asking. Can you assume third-party permission to download potentially sensitive files based on T's & C's?
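
To spot this pattern in your own web server logs, the following is an added example (not code from the original post) that flags a successful GET of a path by a different client shortly after the first download. It assumes Apache combined log format and a 10-minute window; the function names are hypothetical, and 192.0.2.10 is a documentation address standing in for the redacted x.x.x.x client.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in Apache combined log format, modelled on the entries in
# the post. 192.0.2.10 is a placeholder for the redacted original client.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Apr/2014:13:46:58 +0100] "GET /super-secret-file.zip HTTP/1.1" 200 122880 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.154 Safari/537.36"
150-70-173-44.trendmicro.com - - [07/Apr/2014:13:48:14 +0100] "GET /super-secret-file.zip HTTP/1.1" 200 122880 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
150-70-172-111.trendmicro.com - - [07/Apr/2014:13:49:35 +0100] "GET /super-secret-file.zip HTTP/1.0" 200 122880 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [07/Apr/2014:13:50:02 +0100] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1)"
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield rec

def find_refetches(log_text, window=timedelta(minutes=10)):
    """Return (path, first_host, later_host, delay) for each successful GET
    made by a different client within `window` of the first download."""
    first_seen = {}
    hits = []
    for rec in sorted(parse(log_text), key=lambda r: r["ts"]):
        if rec["method"] != "GET" or rec["status"] != "200":
            continue
        first = first_seen.setdefault(rec["path"], rec)
        if first is rec:  # this record is the first download of the path
            continue
        delay = rec["ts"] - first["ts"]
        if rec["host"] != first["host"] and delay <= window:
            hits.append((rec["path"], first["host"], rec["host"], delay))
    return hits

if __name__ == "__main__":
    for path, first, later, delay in find_refetches(SAMPLE_LOG):
        print(f"{path}: first fetched by {first}, re-fetched by {later} after {delay}")
```

On a busy site, restrict the check to paths that are meant to be fetched by a single recipient, since popular files are legitimately requested by many clients.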
