Re: Ebay port scans your pc on every visit.

2020-06-07 Thread Michael Butash via PLUG-discuss
Ideally hopefully the last in this -
https://www.bleepingcomputer.com/news/security/ublock-origin-ad-blocker-now-blocks-port-scans-on-most-sites/

Hopefully it devalues LexisNexis/ThreatMetrix as a junk product to be
abandoned.  Better find new exploits legal firm.

-mb


On Sun, May 31, 2020 at 6:12 PM Michael Butash  wrote:

> A bit more on this, it does seem to be ThreatMetrix, LexisNexis' security
> service as a script inclusion by "customers" of theirs.  They list some
> other sites that seem to use this.
>
>
> https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/
>
> I still wonder what shenanigans illegitimate sites are using this for,
> since seemingly only Firefox seems possessing of the security features and
> capable of blocking it with uBlock Origin or like.
>
> -mb
>
>
>
> On Mon, May 25, 2020 at 11:21 PM Michael Butash wrote:
>
>> Far more interesting on that article breaking it down for sure.
>>
>> From what I gathered, it's a service Ebay uses, one owned by LexisNexis,
>> dba ThreatMetrix.  Sounds like they figured out how to use hacker
>> techniques, and monetized it with some crafty sales folk to get into ebay,
>> banks, others.  This is a big market, not surprised this is common as it's
>> been monetized by a somewhat sleazy company apparently.  Funny that,
>> LexisNexis being mostly a search engine data repo for lawyers, the sleaze
>> continues.
>>
>> It didn't sound conclusive why it wasn't attacking linux.  It didn't seem
>> to trigger the port scans, per them, even when they spoofed their user
>> agent as a windoze box.  He concluded they were able to tell somehow it was
>> linux, but not sure how.  They only go hunting for sheep(le).  I might try
>> to reproduce.
>>
>> I tend to side with the fact they have a routine ala if windoze,
>> probe/infect/whatever.  If mac, probe/infect, whatever.  If linux, who
>> cares, it's probably ok.  I found years ago M$ had something like this as
>> an ingestion formula for Office365 that caused only linux web clients to
>> suck/crash/just do bad things.  It was technically chalked up as a "bug"
>> and fixed (causing office365 to finally actually work under linux), but we
>> all know better than that.  Not surprised people do this for various user
>> agents and other meta recognition methods to *influence* behavior.
>>
>> It's that 1% linux desktop user thing, but hey, I'll hang out here and
>> watch the carnage they invoke upon Windows/Mac as market leaders.
>>
>> -mb
>>
>>
>> On Mon, May 25, 2020 at 9:28 PM der.hans  wrote:
>>
>>> Am 25. May, 2020 schwätzte Michael Butash so:
>>>
>>> moin moin,
>>>
>>> >> Should we be insulted that they don't check for SSH?
>>> >>
>>> >> Ah, "According to Nullsweep, who first reported on the port scans, they do
>>> >> not occur when browsing the site with Linux."
>>> >
>>> > Probably more flattered about ssh - they know they're not getting anything
>>> > out of a linux system anyways.
>>>
>>> Could they? I thought there was a problem with JavaScript hitting
>>> localhost a couple years ago and this was blocked.
>>>
>>> One of the links in the original article points to a break-down of the
>>> code in question. I'm only about 1/3 of the way through the article, so I
>>> don't yet know how it ends. Spoilers are OK :).
>>>
>>> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>>>
>>> As to script blocking below, yeah, other than security-curious people at
>>> conferences, I don't get much buy in. Kidling however is learning to work
>>> with it :).
>>>
>>> ciao,
>>>
>>> der.hans
>>>
>>> > Interesting on the second comment - didn't catch that.  Wonder why/how
>>> > windoze allows this, but linux does not?  And what about the mac users?
>>> > Now I'm even more curious.
>>> >
>>> > I feel a bit better knowing I'm protected since I don't use windoze for
>>> > anything but visio, but the other billion suckers still using windoze as a
>>> > main rig are screwed as usual.
>>> >
>>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>>> >
>>> > I too use uBlock Origin, mostly for adware lists, but I use NoScript that
>>> > flat disallows sites unless whitelisted.  It breaks all sorts of stuff
>>> > until whitelisted, but usually the ones that require me to whitelist more
>>> > than a few domains, I quickly close and forget about.  It's pretty scary
>>> > going to big sites like various news outlets just how many domains their
>>> > javascripts are banging your browser with.  I've seen upwards of 20-30
>>> > foreign domains all attempting to track/probe you at times - those I close
>>> > quick, blacklist them all, and thank the fact I have script blocking
>>> > enabled.
>>> >
>>> > Trying to get others to use noscript or any sort of whitelist model is
>>> > tough, 99% of the time they don't want the inconvenience and end up turning
>>> > it off.  I usually stop taking tech support calls or listening to

Re: Ebay port scans your pc on every visit.

2020-05-31 Thread Michael Butash via PLUG-discuss
A bit more on this, it does seem to be ThreatMetrix, LexisNexis' security
service as a script inclusion by "customers" of theirs.  They list some
other sites that seem to use this.

https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/

I still wonder what shenanigans illegitimate sites are using this for,
since seemingly only Firefox seems possessing of the security features and
capable of blocking it with uBlock Origin or like.

-mb



On Mon, May 25, 2020 at 11:21 PM Michael Butash  wrote:

> Far more interesting on that article breaking it down for sure.
>
> From what I gathered, it's a service Ebay uses, one owned by LexisNexis,
> dba ThreatMetrix.  Sounds like they figured out how to use hacker
> techniques, and monetized it with some crafty sales folk to get into ebay,
> banks, others.  This is a big market, not surprised this is common as it's
> been monetized by a somewhat sleazy company apparently.  Funny that,
> LexisNexis being mostly a search engine data repo for lawyers, the sleaze
> continues.
>
> It didn't sound conclusive why it wasn't attacking linux.  It didn't seem
> to trigger the port scans, per them, even when they spoofed their user
> agent as a windoze box.  He concluded they were able to tell somehow it was
> linux, but not sure how.  They only go hunting for sheep(le).  I might try
> to reproduce.
>
> I tend to side with the fact they have a routine ala if windoze,
> probe/infect/whatever.  If mac, probe/infect, whatever.  If linux, who
> cares, it's probably ok.  I found years ago M$ had something like this as
> an ingestion formula for Office365 that caused only linux web clients to
> suck/crash/just do bad things.  It was technically chalked up as a "bug"
> and fixed (causing office365 to finally actually work under linux), but we
> all know better than that.  Not surprised people do this for various user
> agents and other meta recognition methods to *influence* behavior.
>
> It's that 1% linux desktop user thing, but hey, I'll hang out here and
> watch the carnage they invoke upon Windows/Mac as market leaders.
>
> -mb
>
>
> On Mon, May 25, 2020 at 9:28 PM der.hans  wrote:
>
>> Am 25. May, 2020 schwätzte Michael Butash so:
>>
>> moin moin,
>>
>> >> Should we be insulted that they don't check for SSH?
>> >>
>> >> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> >> not occur when browsing the site with Linux."
>> >
>> > Probably more flattered about ssh - they know they're not getting anything
>> > out of a linux system anyways.
>>
>> Could they? I thought there was a problem with JavaScript hitting
>> localhost a couple years ago and this was blocked.
>>
>> One of the links in the original article points to a break-down of the
>> code in question. I'm only about 1/3 of the way through the article, so I
>> don't yet know how it ends. Spoilers are OK :).
>>
>> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>>
>> As to script blocking below, yeah, other than security-curious people at
>> conferences, I don't get much buy in. Kidling however is learning to work
>> with it :).
>>
>> ciao,
>>
>> der.hans
>>
>> > Interesting on the second comment - didn't catch that.  Wonder why/how
>> > windoze allows this, but linux does not?  And what about the mac users?
>> > Now I'm even more curious.
>> >
>> > I feel a bit better knowing I'm protected since I don't use windoze for
>> > anything but visio, but the other billion suckers still using windoze as a
>> > main rig are screwed as usual.
>> >
>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>> >
>> > I too use uBlock Origin, mostly for adware lists, but I use NoScript that
>> > flat disallows sites unless whitelisted.  It breaks all sorts of stuff
>> > until whitelisted, but usually the ones that require me to whitelist more
>> > than a few domains, I quickly close and forget about.  It's pretty scary
>> > going to big sites like various news outlets just how many domains their
>> > javascripts are banging your browser with.  I've seen upwards of 20-30
>> > foreign domains all attempting to track/probe you at times - those I close
>> > quick, blacklist them all, and thank the fact I have script blocking
>> > enabled.
>> >
>> > Trying to get others to use noscript or any sort of whitelist model is
>> > tough, 99% of the time they don't want the inconvenience and end up turning
>> > it off.  I usually stop taking tech support calls or listening to whining
>> > after that when they're infected yet again.
>> >
>> > -mb
>> >
>> >
>> > On Mon, May 25, 2020 at 6:17 PM der.hans  wrote:
>> >
>> >> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
>> >>
>> >> moin moin,
>> >>
>> >>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>> >>>
>> >>> This was a bit disturbing to read today.  Ebay injects a few javascript

Re: Ebay port scans your pc on every visit.

2020-05-26 Thread Michael Butash via PLUG-discuss
Far more interesting on that article breaking it down for sure.

From what I gathered, it's a service Ebay uses, one owned by LexisNexis,
dba ThreatMetrix.  Sounds like they figured out how to use hacker
techniques, and monetized it with some crafty sales folk to get into ebay,
banks, others.  This is a big market, not surprised this is common as it's
been monetized by a somewhat sleazy company apparently.  Funny that,
LexisNexis being mostly a search engine data repo for lawyers, the sleaze
continues.

It didn't sound conclusive why it wasn't attacking linux.  It didn't seem
to trigger the port scans, per them, even when they spoofed their user
agent as a windoze box.  He concluded they were able to tell somehow it was
linux, but not sure how.  They only go hunting for sheep(le).  I might try
to reproduce.

I tend to side with the fact they have a routine ala if windoze,
probe/infect/whatever.  If mac, probe/infect, whatever.  If linux, who
cares, it's probably ok.  I found years ago M$ had something like this as
an ingestion formula for Office365 that caused only linux web clients to
suck/crash/just do bad things.  It was technically chalked up as a "bug"
and fixed (causing office365 to finally actually work under linux), but we
all know better than that.  Not surprised people do this for various user
agents and other meta recognition methods to *influence* behavior.

It's that 1% linux desktop user thing, but hey, I'll hang out here and
watch the carnage they invoke upon Windows/Mac as market leaders.

-mb


On Mon, May 25, 2020 at 9:28 PM der.hans  wrote:

> Am 25. May, 2020 schwätzte Michael Butash so:
>
> moin moin,
>
> >> Should we be insulted that they don't check for SSH?
> >>
> >> Ah, "According to Nullsweep, who first reported on the port scans, they do
> >> not occur when browsing the site with Linux."
> >
> > Probably more flattered about ssh - they know they're not getting anything
> > out of a linux system anyways.
>
> Could they? I thought there was a problem with JavaScript hitting
> localhost a couple years ago and this was blocked.
>
> One of the links in the original article points to a break-down of the
> code in question. I'm only about 1/3 of the way through the article, so I
> don't yet know how it ends. Spoilers are OK :).
>
> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>
> As to script blocking below, yeah, other than security-curious people at
> conferences, I don't get much buy in. Kidling however is learning to work
> with it :).
>
> ciao,
>
> der.hans
>
> > Interesting on the second comment - didn't catch that.  Wonder why/how
> > windoze allows this, but linux does not?  And what about the mac users?
> > Now I'm even more curious.
> >
> > I feel a bit better knowing I'm protected since I don't use windoze for
> > anything but visio, but the other billion suckers still using windoze as a
> > main rig are screwed as usual.
> >
> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
> >
> > I too use uBlock Origin, mostly for adware lists, but I use NoScript that
> > flat disallows sites unless whitelisted.  It breaks all sorts of stuff
> > until whitelisted, but usually the ones that require me to whitelist more
> > than a few domains, I quickly close and forget about.  It's pretty scary
> > going to big sites like various news outlets just how many domains their
> > javascripts are banging your browser with.  I've seen upwards of 20-30
> > foreign domains all attempting to track/probe you at times - those I close
> > quick, blacklist them all, and thank the fact I have script blocking
> > enabled.
> >
> > Trying to get others to use noscript or any sort of whitelist model is
> > tough, 99% of the time they don't want the inconvenience and end up turning
> > it off.  I usually stop taking tech support calls or listening to whining
> > after that when they're infected yet again.
> >
> > -mb
> >
> >
> > On Mon, May 25, 2020 at 6:17 PM der.hans  wrote:
> >
> >> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
> >>
> >> moin moin,
> >>
> >>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
> >>>
> >>> This was a bit disturbing to read today.  Ebay injects a few javascript
> >>> connections back to your requesting system, measures a basic socket
> >>> connection, telling them if the port is open or not, amounting to
> >>> effectively a local host port scan for specified ports, behind a firewall,
> >>> from a web page you visited.  They are doing this looking for remote admin
> >>> applications in fact, rdp, vnc, teamviewer, many others.  Hmm.
> >>
> >> Should we be insulted that they don't check for SSH?
> >>
> >> Ah, "According to Nullsweep, who first reported on the port scans, they do
> >> not occur when browsing the site with Linux."
> >>
> >> :)
> >>
> >>> So any public website can query any port from visiting a web page, and
> >>> possibly 

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread der.hans via PLUG-discuss

Am 25. May, 2020 schwätzte Michael Butash so:

moin moin,


>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> not occur when browsing the site with Linux."
>
> Probably more flattered about ssh - they know they're not getting anything
> out of a linux system anyways.


Could they? I thought there was a problem with JavaScript hitting
localhost a couple years ago and this was blocked.

One of the links in the original article points to a break-down of the
code in question. I'm only about 1/3 of the way through the article, so I
don't yet know how it ends. Spoilers are OK :).

https://blog.nem.ec/2020/05/24/ebay-port-scanning/

As to script blocking below, yeah, other than security-curious people at
conferences, I don't get much buy in. Kidling however is learning to work
with it :).

ciao,

der.hans


> Interesting on the second comment - didn't catch that.  Wonder why/how
> windoze allows this, but linux does not?  And what about the mac users?
> Now I'm even more curious.
>
> I feel a bit better knowing I'm protected since I don't use windoze for
> anything but visio, but the other billion suckers still using windoze as a
> main rig are screwed as usual.
>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>
> I too use uBlock Origin, mostly for adware lists, but I use NoScript that
> flat disallows sites unless whitelisted.  It breaks all sorts of stuff
> until whitelisted, but usually the ones that require me to whitelist more
> than a few domains, I quickly close and forget about.  It's pretty scary
> going to big sites like various news outlets just how many domains their
> javascripts are banging your browser with.  I've seen upwards of 20-30
> foreign domains all attempting to track/probe you at times - those I close
> quick, blacklist them all, and thank the fact I have script blocking
> enabled.
>
> Trying to get others to use noscript or any sort of whitelist model is
> tough, 99% of the time they don't want the inconvenience and end up turning
> it off.  I usually stop taking tech support calls or listening to whining
> after that when they're infected yet again.
>
> -mb
>
> On Mon, May 25, 2020 at 6:17 PM der.hans  wrote:
>
>> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
>>
>> moin moin,
>>
>>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>>>
>>> This was a bit disturbing to read today.  Ebay injects a few javascript
>>> connections back to your requesting system, measures a basic socket
>>> connection, telling them if the port is open or not, amounting to
>>> effectively a local host port scan for specified ports, behind a firewall,
>>> from a web page you visited.  They are doing this looking for remote admin
>>> applications in fact, rdp, vnc, teamviewer, many others.  Hmm.
>>
>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> not occur when browsing the site with Linux."
>>
>> :)
>>
>>> So any public website can query any port from visiting a web page, and
>>> possibly interact with any sort of local or other api on my system?
>>>
>>> I wouldn't think Javascript would be allowed to chain off a host like that,
>>
>> JavaScript can run bitcoin miners on your system. It can also attack and
>> steal the credentials for your bitcoin account and thereby take all your
>> coins. Plus there are the exploits of password browser plugins such as
>> LastPass.
>>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I
>> even remove the 1st party allowances for most of my browser instances.
>>
>> That does render some site totally unreadable. I ignore most of those.
>>
>> For some sites, I allow certain JavaScript. For instance, for
>> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to
>> allow google and recaptcha in order to checkout. Sometimes I just don't
>> bother with the bundle as it's not worth the annoyance.
>>
>> For ebay, I have a separate browser instance as the site has lots of
>> JavaScript. I generally just don't use ebay very much. I need to get
>> better at running browsers out of containers and restricting their
>> access. In fact, I might finally be in a position to try out qubes.
>>
>> ciao,
>>
>> der.hans
>>
>>> or at least have protections from certain abuse.  I suppose it's valid if
>>> linking to another site, but JS/Browsers allowing local random port use
>>> like this, seems ebay is probably not the only ones to abuse this in
>>> certain ways.  I know you can do some interesting things with websockets,
>>> seems chaining  via same methods to remote interact would be trivial.
>>>
>>> This is pretty devious actually, I'm both a bit scared for ebay, not to
>>> mention all the other sites I "trust", let alone the ones I don't.
>>> Everyone else that just allows pervasively javascript is just hozed.  Which
>>> is standard for everyone since javascript existed.
>>>
>>> I use noscript pervasively, and whitelist only valid sites.  Ebay is a
>>> valid site, didn't think I had to protect myself, 

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Michael Butash via PLUG-discuss
> Should we be insulted that they don't check for SSH?
>
> Ah, "According to Nullsweep, who first reported on the port scans, they do
> not occur when browsing the site with Linux."

Probably more flattered about ssh - they know they're not getting anything
out of a linux system anyways.

Interesting on the second comment - didn't catch that.  Wonder why/how
windoze allows this, but linux does not?  And what about the mac users?
Now I'm even more curious.

I feel a bit better knowing I'm protected since I don't use windoze for
anything but visio, but the other billion suckers still using windoze as a
main rig are screwed as usual.

> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.

I too use uBlock Origin, mostly for adware lists, but I use NoScript that
flat disallows sites unless whitelisted.  It breaks all sorts of stuff
until whitelisted, but usually the ones that require me to whitelist more
than a few domains, I quickly close and forget about.  It's pretty scary
going to big sites like various news outlets just how many domains their
javascripts are banging your browser with.  I've seen upwards of 20-30
foreign domains all attempting to track/probe you at times - those I close
quick, blacklist them all, and thank the fact I have script blocking
enabled.

Trying to get others to use noscript or any sort of whitelist model is
tough, 99% of the time they don't want the inconvenience and end up turning
it off.  I usually stop taking tech support calls or listening to whining
after that when they're infected yet again.

-mb


On Mon, May 25, 2020 at 6:17 PM der.hans  wrote:

> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
>
> moin moin,
>
> > https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
> >
> > This was a bit disturbing to read today.  Ebay injects a few javascript
> > connections back to your requesting system, measures a basic socket
> > connection, telling them if the port is open or not, amounting to
> > effectively a local host port scan for specified ports, behind a firewall,
> > from a web page you visited.  They are doing this looking for remote admin
> > applications in fact, rdp, vnc, teamviewer, many others.  Hmm.
>
> Should we be insulted that they don't check for SSH?
>
> Ah, "According to Nullsweep, who first reported on the port scans, they do
> not occur when browsing the site with Linux."
>
> :)
>
> > So any public website can query any port from visiting a web page, and
> > possibly interact with any sort of local or other api on my system?
> >
> > I wouldn't think Javascript would be allowed to chain off a host like that,
>
> JavaScript can run bitcoin miners on your system. It can also attack and
> steal the credentials for your bitcoin account and thereby take all your
> coins. Plus there are the exploits of password browser plugins such as
> LastPass.
>
> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I
> even remove the 1st party allowances for most of my browser instances.
>
> That does render some site totally unreadable. I ignore most of those.
>
> For some sites, I allow certain JavaScript. For instance, for
> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to
> allow google and recaptcha in order to checkout. Sometimes I just don't
> bother with the bundle as it's not worth the annoyance.
>
> For ebay, I have a separate browser instance as the site has lots of
> JavaScript. I generally just don't use ebay very much. I need to get
> better at running browsers out of containers and restricting their
> access. In fact, I might finally be in a position to try out qubes.
>
> ciao,
>
> der.hans
>
> > or at least have protections from certain abuse.  I suppose it's valid if
> > linking to another site, but JS/Browsers allowing local random port use
> > like this, seems ebay is probably not the only ones to abuse this in
> > certain ways.  I know you can do some interesting things with websockets,
> > seems chaining  via same methods to remote interact would be trivial.
> >
> > This is pretty devious actually, I'm both a bit scared for ebay, not to
> > mention all the other sites I "trust", let alone the ones I don't.
> > Everyone else that just allows pervasively javascript is just hozed.  Which
> > is standard for everyone since javascript existed.
> >
> > I use noscript pervasively, and whitelist only valid sites.  Ebay is a
> > valid site, didn't think I had to protect myself, but how would you protect
> > against this?  Curious also the take from web dev's on this, other than
> > thanks for the tip.  :)
> >
> > -mb
> >
>
> --
> #  https://www.LuftHans.com   https://www.PhxLinux.org
> #  Boredom is self-inflicted...der.hans
---
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Michael Butash via PLUG-discuss
This completely bypasses your internet firewall, and your system firewall.
Thus the concern.

Imagine someone installs a remote access toolkit (RAT, ala hackers), has
access to your system to connect/scan your local system, and really
anything else via fed users to request connections from.  This is your
computer's trusted browser, no different from RAT/Malware originating
connections FROM 127.0.0.1 (local system) TO 127.0.0.1 (local system),
which 99.9% of times is allowed.  Do you block outbound connections from
your own pc?  Do you not trust your local system to make connections to
your local system?  Not if you want normal activities to at all work.

Also possible (I think) if for example you worked at bank of america and
instead they were trying to connect to your internal-only CRM on
crm.internal.bankofamerica.com or other juicy bits either.  Sounds like a
heck of an easy way to probe enterprises with even innocuous links sent to
employees to click on, they start probing the host browsing and your
internal network via your just visiting.

If this is banks and ebay doing this to users, imagine what shadier bits of
the internet are doing, like facebook, twitter, marketing companies, and
other axis of evil.  Imagine what the downright nasty bits of the internet
are doing such as torrent/porn sites and other lawless bits.

I see it as something of an exploit of browser trust, but as said, not sure
anything you can do about it.

-mb


On Mon, May 25, 2020 at 5:45 PM Harold Hartley via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:

> Not sure which port they scan to allow them on the inside of the firewall.
> On 5/25/20 5:48 PM, Snyder, Alexander J wrote:
>
> The only outbound ports open without concern are 123(UDP), 53(UDP),
> 80(TCP), and 443(TCP). All other ports are blocked, outbound to the web, on
> my system.
>
> If I read this, this would go around my guards, as they are "piggybacking"
> on 443 in and out, right?
>
> Thanks,
> Alexander
>
> Sent from my Galaxy S10+
>
> On Mon, May 25, 2020, 17:12 Harold Hartley via PLUG-discuss <
> plug-discuss@lists.phxlinux.org> wrote:
>
>> I'm not sure if anything can be done to stop port scanning of ports.
>>
>> I'm really not having a big concern since I have 2 firewalls anyway. I
>> have a firewall on one device and a firewall on my computer. So the only
>> ports they will see is the one on my first device and not the computer.
>> At least that's my theory.
>>
>> On 5/25/20 1:17 AM, Steve Litt via PLUG-discuss wrote:
>> > On Sun, 24 May 2020 20:52:43 -0700
>> > Harold Hartley via PLUG-discuss 
>> wrote:
>> >
>> >> But I close up ports that doesn't need to be
>> >> open in order to make my system safe. You'd be surprised at how many
>> >> ports are open that can leave a system open for attacks.
>> > When you say "close up ports", do you mean make sure there's no
>> > executable listening at that port, firewalling that port so nothing can
>> > come in or out, or something else?
>> >
>> > SteveT
>> >
>> > Steve Litt
>> > May 2020 featured book: Troubleshooting Techniques
>> >   of the Successful Technologist
>> > http://www.troubleshooters.com/techniques
>>
>> --
>> Harold Hartley
>> 17632 N. 5th Pl
>> Phoenix, Arizona 85022
>>
>
> --
> Harold Hartley
> 17632 N. 5th Pl
> Phoenix, Arizona 85022
>
---
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
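
Added example, not part of the thread: the kind of check a content blocker or a proxy-log review can apply to spot the behaviour discussed above, a page served from the public web opening connections to loopback or private addresses. The function names, the request-log shape and every URL and port in the sample are assumptions constructed for illustration.

```javascript
// Parse a canonical dotted-quad IPv4 string into four octets, or return null.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Classify a URL hostname as "loopback", "private" or "public".
// Names other than localhost are treated as public: an internal-only DNS name
// cannot be classified without resolving it, which this sketch does not do.
function addressSpace(hostname) {
  let h = hostname.toLowerCase();
  if (h.startsWith("[") && h.endsWith("]")) h = h.slice(1, -1); // IPv6 literal
  if (h === "localhost" || h.endsWith(".localhost") || h === "::1") return "loopback";
  const v4 = parseIPv4(h);
  if (v4) {
    const [a, b] = v4;
    if (a === 127) return "loopback";
    if (a === 10 || (a === 172 && b >= 16 && b <= 31) || (a === 192 && b === 168)) return "private";
    if (a === 169 && b === 254) return "private"; // link-local
    return "public";
  }
  // IPv6 unique-local (fc00::/7) and link-local (fe80::/10)
  if (/^f[cd][0-9a-f]{2}:/.test(h) || /^fe[89ab][0-9a-f]:/.test(h)) return "private";
  return "public";
}

const DEFAULT_PORTS = { "http:": 80, "ws:": 80, "https:": 443, "wss:": 443 };
const RANK = { public: 0, private: 1, loopback: 2 };

// Report every page origin that reaches into a less public address space than
// the one it was served from, with the distinct ports it touched there.
function findLocalProbes(requests, scanThreshold = 3) {
  const byKey = new Map();
  for (const { pageUrl, url } of requests) {
    let page, target;
    try {
      // The URL parser canonicalises obfuscated IPv4 forms (0x7f.1 -> 127.0.0.1).
      page = new URL(pageUrl);
      target = new URL(url);
    } catch {
      continue; // skip unparsable log entries
    }
    const to = addressSpace(target.hostname);
    if (RANK[to] <= RANK[addressSpace(page.hostname)]) continue; // e.g. dev server to itself
    const key = `${page.origin} -> ${to}`;
    if (!byKey.has(key)) byKey.set(key, { pageOrigin: page.origin, space: to, ports: new Set() });
    const port = target.port ? Number(target.port) : DEFAULT_PORTS[target.protocol] ?? null;
    byKey.get(key).ports.add(port);
  }
  return [...byKey.values()].map((f) => {
    const ports = [...f.ports].sort((x, y) => x - y);
    return { pageOrigin: f.pageOrigin, space: f.space, ports, looksLikeScan: ports.length >= scanThreshold };
  });
}

// Constructed request log: which page issued which request.
// Ports are the conventional ones for RDP (3389), VNC (5900) and TeamViewer (5938).
const SAMPLE_REQUESTS = [
  { pageUrl: "https://shop.example/signin", url: "https://static.shop.example/app.js" },
  { pageUrl: "https://shop.example/signin", url: "wss://127.0.0.1:3389/" },
  { pageUrl: "https://shop.example/signin", url: "wss://127.0.0.1:5900/" },
  { pageUrl: "https://shop.example/signin", url: "wss://localhost:5938/" },
  { pageUrl: "https://shop.example/signin", url: "ws://0x7f.1:5900/" }, // same host, obfuscated
  { pageUrl: "https://news.example/", url: "http://192.168.1.1/" },
  { pageUrl: "http://localhost:3000/", url: "ws://localhost:3000/hmr" }, // local dev server
];

for (const f of findLocalProbes(SAMPLE_REQUESTS)) {
  console.log(`${f.pageOrigin} -> ${f.space} ports ${f.ports.join(",")} scan=${f.looksLikeScan}`);
}
```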

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Harold Hartley via PLUG-discuss

Firefox did away with fingerprinting as well as a few other browsers.

On 5/25/20 6:23 PM, der.hans via PLUG-discuss wrote:

> Am 25. May, 2020 schwätzte Snyder, Alexander J via PLUG-discuss so:
>
> moin moin Alexander,
>
>> The only outbound ports open without concern are 123(UDP), 53(UDP),
>> 80(TCP), and 443(TCP). All other ports are blocked, outbound to the web, on
>> my system.
>>
>> If I read this, this would go around my guards, as they are "piggybacking"
>> on 443 in and out, right?
>
> Yeah, they'd certainly be sending whatever information they find as a
> request to the server on port 443. It looks like normal web traffic
> because it is normal web traffic.
>
> There's also html5 gathering info.
>
> https://en.wikipedia.org/wiki/Canvas_fingerprinting
>
> Here's a fun one. At least this one's Open Source ...
>
> https://en.wikipedia.org/wiki/Evercookie
>
> ciao,
>
> der.hans
>
>> Thanks,
>> Alexander
>>
>> Sent from my Galaxy S10+
>>
>> On Mon, May 25, 2020, 17:12 Harold Hartley via PLUG-discuss <
>> plug-discuss@lists.phxlinux.org> wrote:
>>
>>> I'm not sure if anything can be done to stop port scanning of ports.
>>>
>>> I'm really not having a big concern since I have 2 firewalls anyway. I
>>> have a firewall on one device and a firewall on my computer. So the only
>>> ports they will see is the one on my first device and not the computer.
>>> At least that's my theory.
>>>
>>> On 5/25/20 1:17 AM, Steve Litt via PLUG-discuss wrote:
>>>> On Sun, 24 May 2020 20:52:43 -0700
>>>> Harold Hartley via PLUG-discuss wrote:
>>>>
>>>>> But I close up ports that doesn't need to be
>>>>> open in order to make my system safe. You'd be surprised at how many
>>>>> ports are open that can leave a system open for attacks.
>>>> When you say "close up ports", do you mean make sure there's no
>>>> executable listening at that port, firewalling that port so nothing can
>>>> come in or out, or something else?
>>>>
>>>> SteveT
>>>>
>>>> Steve Litt
>>>> May 2020 featured book: Troubleshooting Techniques
>>>>   of the Successful Technologist
>>>> http://www.troubleshooters.com/techniques
>>>
>>> --
>>> Harold Hartley
>>> 17632 N. 5th Pl
>>> Phoenix, Arizona 85022



--
Harold Hartley
17632 N. 5th Pl
Phoenix, Arizona 85022

---
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread der.hans via PLUG-discuss

Am 25. May, 2020 schwätzte Snyder, Alexander J via PLUG-discuss so:

moin moin Alexander,


The only outbound ports open without concern are 123(UDP), 53(UDP),
80(TCP), and 443(TCP). All other ports are blocked, outbound to the web, on
my system.

If I read this, this would go around my guards, as they are "piggybacking"
on 443 in and out, right?


Yeah, they'd certainly be sending whatever information they find as a
request to the server on port 443. It looks like normal web traffic
because it is normal web traffic.

There's also html5 gathering info.

https://en.wikipedia.org/wiki/Canvas_fingerprinting

Here's a fun one. At least this one's Open Source ...

https://en.wikipedia.org/wiki/Evercookie

ciao,

der.hans


Thanks,
Alexander

Sent from my Galaxy S10+

On Mon, May 25, 2020, 17:12 Harold Hartley via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:


I'm not sure if anything can be done to stop port scanning of ports.

I'm really not having a big concern since I have 2 firewalls anyway. I
have a firewall on one device and a firewall on my computer. So the only
ports they will see is the one on my first device and not the computer.
At least that's my theory.

On 5/25/20 1:17 AM, Steve Litt via PLUG-discuss wrote:

On Sun, 24 May 2020 20:52:43 -0700
Harold Hartley via PLUG-discuss  wrote:


But I close up ports that doesn't need to be
open in order to make my system safe. You'd be surprised at how many
ports are open that can leave a system open for attacks.

When you say "close up ports", do you mean make sure there's no
executable listening at that port, firewalling that port so nothing can
come in or out, or something else?

SteveT

Steve Litt
May 2020 featured book: Troubleshooting Techniques
  of the Successful Technologist
http://www.troubleshooters.com/techniques


--
Harold Hartley
17632 N. 5th Pl
Phoenix, Arizona 85022





--
#  https://www.LuftHans.com   https://www.PhxLinux.org
#  "Hindsight is always 20/20, unless seen through beer goggles." -- der.hans

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Harold Hartley via PLUG-discuss

Not sure which port they scan to allow them on the inside of the firewall.

On 5/25/20 5:48 PM, Snyder, Alexander J wrote:
The only outbound ports open without concern are 123(UDP), 53(UDP),
80(TCP), and 443(TCP). All other ports are blocked, outbound to the
web, on my system.

If I read this, this would go around my guards, as they are
"piggybacking" on 443 in and out, right?


Thanks,
Alexander

Sent from my Galaxy S10+

On Mon, May 25, 2020, 17:12 Harold Hartley via PLUG-discuss
<plug-discuss@lists.phxlinux.org> wrote:


I'm not sure if anything can be done to stop port scanning of ports.

I'm really not having a big concern since I have 2 firewalls anyway. I
have a firewall on one device and a firewall on my computer. So the only
ports they will see is the one on my first device and not the computer.
At least that's my theory.

On 5/25/20 1:17 AM, Steve Litt via PLUG-discuss wrote:
> On Sun, 24 May 2020 20:52:43 -0700
> Harold Hartley via PLUG-discuss <plug-discuss@lists.phxlinux.org> wrote:
>
>> But I close up ports that doesn't need to be
>> open in order to make my system safe. You'd be surprised at how many
>> ports are open that can leave a system open for attacks.
> When you say "close up ports", do you mean make sure there's no
> executable listening at that port, firewalling that port so nothing can
> come in or out, or something else?
>
> SteveT
>
> Steve Litt
> May 2020 featured book: Troubleshooting Techniques
>       of the Successful Technologist
> http://www.troubleshooters.com/techniques

-- 
Harold Hartley

17632 N. 5th Pl
Phoenix, Arizona 85022


Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Snyder, Alexander J via PLUG-discuss
The only outbound ports open without concern are 123(UDP), 53(UDP),
80(TCP), and 443(TCP). All other ports are blocked, outbound to the web, on
my system.

If I read this, this would go around my guards, as they are "piggybacking"
on 443 in and out, right?

Thanks,
Alexander

Sent from my Galaxy S10+

On Mon, May 25, 2020, 17:12 Harold Hartley via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:

> I'm not sure if anything can be done to stop port scanning of ports.
>
> I'm really not having a big concern since I have 2 firewalls anyway. I
> have a firewall on one device and a firewall on my computer. So the only
> ports they will see is the one on my first device and not the computer.
> At least that's my theory.
>
> On 5/25/20 1:17 AM, Steve Litt via PLUG-discuss wrote:
> > On Sun, 24 May 2020 20:52:43 -0700
> > Harold Hartley via PLUG-discuss  wrote:
> >
> >> But I close up ports that doesn't need to be
> >> open in order to make my system safe. You'd be surprised at how many
> >> ports are open that can leave a system open for attacks.
> > When you say "close up ports", do you mean make sure there's no
> > executable listening at that port, firewalling that port so nothing can
> > come in or out, or something else?
> >
> > SteveT
> >
> > Steve Litt
> > May 2020 featured book: Troubleshooting Techniques
> >   of the Successful Technologist
> > http://www.troubleshooters.com/techniques
>
> --
> Harold Hartley
> 17632 N. 5th Pl
> Phoenix, Arizona 85022
>

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Harold Hartley via PLUG-discuss

I'm not sure if anything can be done to stop port scanning of ports.

I'm really not having a big concern since I have 2 firewalls anyway. I 
have a firewall on one device and a firewall on my computer. So the only 
ports they will see is the one on my first device and not the computer. 
At least that's my theory.


On 5/25/20 1:17 AM, Steve Litt via PLUG-discuss wrote:

On Sun, 24 May 2020 20:52:43 -0700
Harold Hartley via PLUG-discuss  wrote:


But I close up ports that doesn't need to be
open in order to make my system safe. You'd be surprised at how many
ports are open that can leave a system open for attacks.

When you say "close up ports", do you mean make sure there's no
executable listening at that port, firewalling that port so nothing can
come in or out, or something else?
  
SteveT


Steve Litt
May 2020 featured book: Troubleshooting Techniques
  of the Successful Technologist
http://www.troubleshooters.com/techniques


--
Harold Hartley
17632 N. 5th Pl
Phoenix, Arizona 85022


Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Michael Butash via PLUG-discuss
The interesting thing is any network service tends to open ports, and other
local-only applications still tend to as well. This was de facto for
windoze services for years, since they didn't have anything like unix
sockets to avoid network port usage.  They usually restrict port usage only
to 127.0.0.1, but if ebay or any other malicious website is using their
scripts against you locally, they HAVE access to even these local only
ports.

Even iptables won't help you here since your pc IS the trusted source AND
destination for the network traffic.  No one blocks 127.0.0.1 going to
127.0.0.1, and apparently they are counting on that with this technique.

Even worse, I think about corporate environments where this can be used to
scan for other more "internal" web resources in use in the enterprise.

Apparently nothing new though, found this 2 years ago for Halifax bank
doing the same thing.

https://www.cbronline.com/news/halifax-port-scans

-mb


On Mon, May 25, 2020 at 1:24 AM Steve Litt via PLUG-discuss <
plug-discuss@lists.phxlinux.org> wrote:

> On Sun, 24 May 2020 20:52:43 -0700
> Harold Hartley via PLUG-discuss  wrote:
>
> > But I close up ports that doesn't need to be
> > open in order to make my system safe. You'd be surprised at how many
> > ports are open that can leave a system open for attacks.
>
> When you say "close up ports", do you mean make sure there's no
> executable listening at that port, firewalling that port so nothing can
> come in or out, or something else?
>
> SteveT
>
> Steve Litt
> May 2020 featured book: Troubleshooting Techniques
>  of the Successful Technologist
> http://www.troubleshooters.com/techniques
---
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss
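
An added example, not part of any post in this thread: a small audit of the point made in the message above, that listeners bound only to 127.0.0.1 are invisible to a network scan yet still answer a script running in the local browser. The function names, the constructed `ss -H -ltn` sample, and the choice of the default RDP (3389) and VNC (5900) ports are assumptions of this example.

```python
import ipaddress
import shutil
import subprocess

# Well-known default ports for two of the remote-admin tools the thread names.
REMOTE_ADMIN_PORTS = {3389: "rdp", 5900: "vnc"}

# Constructed sample of `ss -H -ltn` output (not taken from a real host).
SAMPLE_SS = """\
LISTEN 0 128  127.0.0.1:631     0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 5    127.0.0.1:5900    0.0.0.0:*
LISTEN 0 128  [::1]:631         [::]:*
LISTEN 0 128  *:3389            *:*
LISTEN 0 128  192.168.1.20:22   0.0.0.0:*
"""

def bind_scope(addr):
    """Classify a listener's bind address as 'loopback', 'all' or 'specific'."""
    addr = addr.split("%", 1)[0].strip("[]")  # drop %iface suffix and IPv6 brackets
    if addr == "*":
        return "all"
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "all"
    return "loopback" if ip.is_loopback else "specific"

def audit(ss_output):
    """Return one record per listening TCP socket in `ss -H -ltn` output."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        scope = bind_scope(addr)
        findings.append({
            "port": int(port),
            "scope": scope,
            "service": REMOTE_ADMIN_PORTS.get(int(port)),
            # Anything bound to loopback or to all interfaces answers on 127.0.0.1,
            # which is the address a script in the local browser connects to.
            "via_loopback": scope in ("loopback", "all"),
        })
    return findings

def loopback_only_ports(findings):
    """Ports a LAN or Internet scan cannot see but a local page script can probe."""
    return sorted({f["port"] for f in findings if f["scope"] == "loopback"})

def remote_admin_via_loopback(findings):
    """Remote-admin listeners that answer on 127.0.0.1."""
    return sorted({(f["port"], f["service"]) for f in findings
                   if f["service"] and f["via_loopback"]})

if __name__ == "__main__":
    if shutil.which("ss"):
        text = subprocess.run(["ss", "-H", "-ltn"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_SS
    found = audit(text)
    print("loopback-only ports:", loopback_only_ports(found))
    print("remote-admin listeners reachable via 127.0.0.1:", remote_admin_via_loopback(found))
```

In the sample, the VNC server on 127.0.0.1:5900 would pass an external port scan and an inbound firewall review, yet it is in both result lists.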

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Harold Hartley via PLUG-discuss
Yes.

On Mon, May 25, 2020, at 01:17, Steve Litt via PLUG-discuss wrote:
> On Sun, 24 May 2020 20:52:43 -0700
> Harold Hartley via PLUG-discuss  wrote:
> 
> > But I close up ports that doesn't need to be
> > open in order to make my system safe. You'd be surprised at how many
> > ports are open that can leave a system open for attacks.
> 
> When you say "close up ports", do you mean make sure there's no
> executable listening at that port, firewalling that port so nothing can
> come in or out, or something else?
>  
> SteveT
> 
> Steve Litt 
> May 2020 featured book: Troubleshooting Techniques
>  of the Successful Technologist
> http://www.troubleshooters.com/techniques

-- 
  Harold Hartley
  17632 N. 5th place
  Phoenix, AZ 85022
  wheelie...@ownmail.net

Re: Ebay port scans your pc on every visit.

2020-05-25 Thread Steve Litt via PLUG-discuss
On Sun, 24 May 2020 20:52:43 -0700
Harold Hartley via PLUG-discuss  wrote:

> But I close up ports that doesn't need to be
> open in order to make my system safe. You'd be surprised at how many
> ports are open that can leave a system open for attacks.

When you say "close up ports", do you mean make sure there's no
executable listening at that port, firewalling that port so nothing can
come in or out, or something else?
 
SteveT

Steve Litt 
May 2020 featured book: Troubleshooting Techniques
 of the Successful Technologist
http://www.troubleshooters.com/techniques

Re: Ebay port scans your pc on every visit.

2020-05-24 Thread Harold Hartley via PLUG-discuss
That really gives a lot to think about at how many other sites are doing 
the same thing. But I close up ports that doesn't need to be open in 
order to make my system safe. You'd be surprised at how many ports are 
open that can leave a system open for attacks.


On 5/24/20 8:15 PM, Michael Butash via PLUG-discuss wrote:

https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

This was a bit disturbing to read today.  Ebay injects a few 
javascript connections back to your requesting system, measures a 
basic socket connection, telling them if the port is open or not, 
amounting to effectively a local host port scan for specified ports, 
behind a firewall, from a web page you visited.  They are doing this 
looking for remote admin applications in fact, rdp, vnc, teamviewer, 
many others.  Hmm.


So any public website can query any port from visiting a web page, and 
possibly interact with any sort of local or other api on my system?


I wouldn't think Javascript would be allowed to chain off a host like 
that, or at least have protections from certain abuse.  I suppose it's 
valid if linking to another site, but JS/Browsers allowing local 
random port use like this, seems ebay is probably not the only ones to 
abuse this in certain ways.  I know you can do some interesting things 
with websockets, seems chaining  via same methods to remote interact 
would be trivial.


This is pretty devious actually, I'm both a bit scared for ebay, not 
to mention all the other sites I "trust", let alone the ones I don't.  
Everyone else that just allows pervasively javascript is just hozed.  
Which is standard for everyone since javascript existed.


I use noscript pervasively, and whitelist only valid sites.  Ebay is a 
valid site, didn't think I had to protect myself, but how would you 
protect against this?  Curious also the take from web dev's on this, 
other than thanks for the tip.  :)


-mb




--
Harold Hartley
17632 N. 5th Pl
Phoenix, Arizona 85022


Ebay port scans your pc on every visit.

2020-05-24 Thread Michael Butash via PLUG-discuss
https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

This was a bit disturbing to read today.  Ebay injects a few javascript
connections back to your requesting system, measures a basic socket
connection, telling them if the port is open or not, amounting to
effectively a local host port scan for specified ports, behind a firewall,
from a web page you visited.  They are doing this looking for remote admin
applications in fact, rdp, vnc, teamviewer, many others.  Hmm.

So any public website can query any port from visiting a web page, and
possibly interact with any sort of local or other api on my system?

I wouldn't think Javascript would be allowed to chain off a host like that,
or at least have protections from certain abuse.  I suppose it's valid if
linking to another site, but JS/Browsers allowing local random port use
like this, seems ebay is probably not the only ones to abuse this in
certain ways.  I know you can do some interesting things with websockets,
seems chaining  via same methods to remote interact would be trivial.

This is pretty devious actually, I'm both a bit scared for ebay, not to
mention all the other sites I "trust", let alone the ones I don't.
Everyone else that just allows pervasively javascript is just hozed.  Which
is standard for everyone since javascript existed.

I use noscript pervasively, and whitelist only valid sites.  Ebay is a
valid site, didn't think I had to protect myself, but how would you protect
against this?  Curious also the take from web dev's on this, other than
thanks for the tip.  :)

-mb