[c-nsp] Anybody noticed yet? CSC 6.3 phones home :(

Garry gkg at gmx.de
Tue Aug 11 05:44:38 EDT 2009


Hi ::/0,

I just received a call from one of our customers, who was having some
problems with duplicate records being created in a remote system ... the
system is used through a web interface, and data is stored via a GET
operation ... (no, I did not implement that system, as I would have
opted to use both SSL as well as decent authentication & POST instead)

Anyway, it turns out the duplicate requests were created by an IP,
150.70.84.25, which according to some research turns out to be used by
Trend Micro, Japan (APNIC records are pretty unusable, though, as usual)

According to the customer, the behavior started around July 30th, which
is a couple days after I upgraded the customer ASA / CSC, with 6.3.1172
installed on the CSC ...

So it turns out that the new release uses a subset of URLs requested,
transfers those to TM, which in turn probably uses them to find
potential malware ... as such, this might be OK, but I could not locate
ANYWHERE in the CSC where there is an option to disable this function,
or at least any information about that feature having been introduced ...
(previous releases to my knowledge didn't do that ...)

Anybody else notice this yet?

I just opened a ticket with TAC and complained about it ... for me, it's
a pretty bad case of security and confidentiality breach ... but maybe
that's just me ...

-garry
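
A detection sketch for the behavior described in this message, added here as an example and not part of the original post: it scans a web server access log for GET requests whose exact URL is fetched again by a different source IP shortly after the original client. The Apache-style log format, the constructed sample lines, the 60-second window and the function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample access log (not taken from the original post).
SAMPLE_LOG = """\
192.0.2.10 - - [30/Jul/2009:10:00:01 +0000] "GET /app/save?id=17&qty=3 HTTP/1.1" 200 512
150.70.84.25 - - [30/Jul/2009:10:00:09 +0000] "GET /app/save?id=17&qty=3 HTTP/1.1" 200 512
192.0.2.10 - - [30/Jul/2009:10:02:00 +0000] "GET /app/list HTTP/1.1" 200 2048
192.0.2.11 - - [30/Jul/2009:10:05:00 +0000] "GET /app/save?id=18&qty=1 HTTP/1.1" 200 512
192.0.2.11 - - [30/Jul/2009:11:30:00 +0000] "GET /app/list HTTP/1.1" 200 2048
"""

# client IP, timestamp, requested URL (GET only), status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) [^"]*" (\d{3})')


def find_replays(log_text, window=timedelta(seconds=60)):
    """Return (url, first_ip, replay_ip, delay_seconds) for every GET whose
    exact URL was requested by a different IP within `window` before it."""
    last_seen = {}  # url -> (ip, timestamp) of the request treated as original
    replays = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip non-GET or malformed lines
        ip, ts_raw, url, _status = m.groups()
        ts = datetime.strptime(ts_raw, "%d/%b/%Y:%H:%M:%S %z")
        prev = last_seen.get(url)
        if prev and prev[0] != ip and timedelta(0) <= ts - prev[1] <= window:
            delay = int((ts - prev[1]).total_seconds())
            replays.append((url, prev[0], ip, delay))
        else:
            # New URL, same client repeating itself, or too old to be a replay.
            last_seen[url] = (ip, ts)
    return replays


def replay_sources(replays):
    """Count replayed requests per replaying IP, to spot a scanning service."""
    return Counter(replay_ip for _url, _first, replay_ip, _delay in replays)


if __name__ == "__main__":
    for url, first_ip, replay_ip, delay in find_replays(SAMPLE_LOG):
        print(f"{replay_ip} replayed {url} {delay}s after {first_ip}")
```
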

