On 25 May 2020, Michael Butash chatted thus:

hello,

>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they
>> do not occur when browsing the site with Linux."
>
> Probably more flattered about ssh - they know they're not getting anything
> out of a linux system anyways.

Could they? I thought there was a problem with JavaScript hitting localhost
a couple years ago and this was blocked.

One of the links in the original article points to a break-down of the code
in question. I'm only about 1/3 of the way through the article, so I don't
yet know how it ends. Spoilers are OK :).

https://blog.nem.ec/2020/05/24/ebay-port-scanning/

As to script blocking below, yeah, other than security-curious people at
conferences, I don't get much buy in. Kidling however is learning to work
with it :).

ciao,

der.hans

> Interesting on the second comment - didn't catch that. Wonder why/how
> windoze allows this, but linux does not? And what about the mac users?
> Now I'm even more curious.
>
> I feel a bit better knowing I'm protected since I don't use windoze for
> anything but visio, but the other billion suckers still using windoze as a
> main rig are screwed as usual.
>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>
> I too use uBlock Origin, mostly for adware lists, but I use NoScript that
> flat disallows sites unless whitelisted. It breaks all sorts of stuff
> until whitelisted, but usually the ones that require me to whitelist more
> than a few domains, I quickly close and forget about. It's pretty scary
> going to big sites like various news outlets just how many domains their
> javascripts are banging your browser with. I've seen upwards of 20-30
> foreign domains all attempting to track/probe you at times - those I close
> quick, blacklist them all, and thank the fact I have script blocking
> enabled.
>
> Trying to get others to use noscript or any sort of whitelist model is
> tough, 99% of the time they don't want the inconvenience and end up turning
> it off. I usually stop taking tech support calls or listening to whining
> after that when they're infected yet again.
>
> -mb
>
>
> On Mon, May 25, 2020 at 6:17 PM der.hans wrote:
>
>> On 24 May 2020, Michael Butash via PLUG-discuss chatted thus:
>>
>> hello,
>>
>>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>>>
>>> This was a bit disturbing to read today. Ebay injects a few javascript
>>> connections back to your requesting system, measures a basic socket
>>> connection, telling them if the port is open or not, amounting to
>>> effectively a local host port scan for specified ports, behind a
>>> firewall, from a web page you visited. They are doing this looking for
>>> remote admin applications in fact, rdp, vnc, teamviewer, many others.
>>> Hmm.
>>
>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they
>> do not occur when browsing the site with Linux."
>>
>> :)
>>
>>> So any public website can query any port from visiting a web page, and
>>> possibly interact with any sort of local or other api on my system?
>>>
>>> I wouldn't think Javascript would be allowed to chain off a host like
>>> that,
>>
>> JavaScript can run bitcoin miners on your system. It can also attack and
>> steal the credentials for your bitcoin account and thereby take all your
>> coins. Plus there are the exploits of password browser plugins such as
>> LastPass.
>>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I
>> even remove the 1st party allowances for most of my browser instances.
>>
>> That does render some sites totally unreadable. I ignore most of those.
>>
>> For some sites, I allow certain JavaScript. For instance, for
>> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to
>> allow google and recaptcha in order to checkout. Sometimes I just don't
>> bother with the bundle as it's not worth the annoyance.
>>
>> For ebay, I have a separate browser instance as the site has lots of
>> JavaScript. I generally just don't use ebay very much. I need to get
>> better at running browsers out of containers and restricting their
>> access. In fact, I might finally be in a position to try out qubes.
>>
>> ciao,
>>
>> der.hans
>>
>>> or at least have protections from certain abuse. I suppose it's valid if
>>> linking to another site, but JS/Browsers allowing local random port use
>>> like this, seems ebay is probably not the only ones to abuse this in
>>> certain ways. I know you can do some interesting things with websockets,
>>> seems chaining via same methods to remote interact would be trivial.
>>>
>>> This is pretty devious actually, I'm both a bit scared for ebay, not to
>>> mention all the other sites I "trust", let alone the ones I don't.
>>> Everyone else that just allows pervasively javascript is just hozed.
>>> Which is standard for everyone since javascript existed.
>>>
>>> I use noscript pervasively, and whitelist only valid sites. Ebay is a
>>> valid site, didn't think I had to protect myself, but how would you
>>> protect against this? Curious also the take from web devs on this, other
>>> than thanks for the tip. :)
>>>
>>> -mb
>>>
>>
>> --
>> # https://www.LuftHans.com https://www.PhxLinux.org
>> # Boredom is self-inflicted...der.hans
>

--
# https://www.LuftHans.com https://www.PhxLinux.org
# ... make it clear I support "Free Software" and not "Open Source",
# and don't imply I agree that there is such a thing as a
# "Linux operating system". - rms
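
Added example, not part of the thread: one way to check whether a page you visited made the kind of local-port connections described above is to export a HAR file from the browser's network panel and flag requests from a public origin to loopback or private addresses. The names `isLocalTarget`, `findLocalProbes` and `sampleHar` are hypothetical, the sample data is constructed, and the code assumes the HAR lists the connection attempts and stores each page's URL in its `title` field.

```javascript
// Added example: find requests from a public page to loopback/private hosts
// in a HAR export. Assumes each HAR page's `title` holds the page URL.

// True for localhost names, loopback, RFC 1918 and link-local IPv4, and ::1.
// new URL() already normalises decimal/hex IPv4 forms to dotted-quad.
function isLocalTarget(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase();
  if (h === 'localhost' || h.endsWith('.localhost') || h === '::1') return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(h);
  if (!m) return false;
  const a = Number(m[1]), b = Number(m[2]);
  return a === 127 || a === 10 || (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) || (a === 169 && b === 254);
}

const DEFAULT_PORTS = { 'http:': 80, 'ws:': 80, 'https:': 443, 'wss:': 443 };

// Returns one record per (page origin, local host) with the sorted ports seen.
function findLocalProbes(har) {
  const pages = new Map((har.log.pages || []).map((p) => [p.id, p.title]));
  const hits = new Map();
  for (const entry of har.log.entries) {
    let page, target;
    try {
      page = new URL(pages.get(entry.pageref));
      target = new URL(entry.request.url);
    } catch { continue; } // skip entries without a parseable page or URL
    // Only a public page reaching a local target is of interest.
    if (isLocalTarget(page.hostname) || !isLocalTarget(target.hostname)) continue;
    const port = Number(target.port) || DEFAULT_PORTS[target.protocol];
    const key = `${page.origin} -> ${target.hostname}`;
    if (!hits.has(key)) hits.set(key, { page: page.origin, target: target.hostname, ports: new Set() });
    hits.get(key).ports.add(port);
  }
  return [...hits.values()].map((h) => ({ ...h, ports: [...h.ports].sort((x, y) => x - y) }));
}

// Constructed sample (not captured traffic): a page touching three local ports.
const sampleHar = { log: {
  pages: [{ id: 'page_1', title: 'https://shop.example/' }],
  entries: [
    { pageref: 'page_1', request: { url: 'https://shop.example/app.js' } },
    { pageref: 'page_1', request: { url: 'wss://127.0.0.1:5900/' } },
    { pageref: 'page_1', request: { url: 'wss://127.0.0.1:3389/' } },
    { pageref: 'page_1', request: { url: 'wss://localhost:5938/' } },
    { pageref: 'page_1', request: { url: 'https://cdn.example/t.js' } },
  ] } };

console.log(JSON.stringify(findLocalProbes(sampleHar)));
```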