Ideally hopefully the last in this -
https://www.bleepingcomputer.com/news/security/ublock-origin-ad-blocker-now-blocks-port-scans-on-most-sites/
Hopefully it devalues LexusNexus/ThreatMatrix as a junk product to be
abandoned. Better find new exploits legal firm.
-mb
On Sun, May 31, 2020 at 6:12 PM Michael Butash <
michael@butash.net> wrote:
> A bit more on this, it does seem to be ThreatMatrix, LexusNexus' security
> service as a script inclusion by "customers" of theirs. They list some
> other sites that seem to use this.
>
>
> https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/
>
> I still wonder what shenanigans illegitimate sites are using this for,
> since seemingly only Firefox seems possessing of the security features and
> capable of blocking it with uBlock Origin or like.
>
> -mb
>
>
>
> On Mon, May 25, 2020 at 11:21 PM Michael Butash <michael@butash.net>
> wrote:
>
>> Far more interesting on that article breaking it down for sure.
>>
>> From what I gathered, it's a service Ebay uses, one owned by LexusNexus,
>> dba ThreatMatrix. Sounds like they figured out how to use hacker
>> techniques, and monetized it with some crafty sales folk to get into ebay,
>> banks, others. This is a big market, not surprised this is common as it's
>> been monetized by a somewhat sleazy company apparently. Funny that,
>> LexusNexus being mostly a search engine data repo for lawyers, the sleaze
>> continues.
>>
>> It didn't sound conclusive why it wasn't attacking linux. It didn't seem
>> to trigger the port scans, per them, even when they spoofed their user
>> agent as a windoze box. He concluded they were able to tell somehow it was
>> linux, but not sure how. They only go hunting for sheep(le). I might try
>> to reproduce.
>>
>> I tend to side with the fact they have a routine ala if windoze,
>> probe/infect/whatever. If mac, probe/infect, whatever. If linux, who
>> cares, it's probably ok. I found years ago M$ had something like this as
>> an ingestion formula for Office365 that caused only linux web clients to
>> suck/crash/just do bad things. It was technically chalked up as a "bug"
>> and fixed (causing office365 to finally actually work under linux), but we
>> all know better than that. Not surprised people do this for various user
>> agents and other meta recognition methods to *influence* behavior.
>>
>> It's that 1% linux desktop user thing, but hey, I'll hang out here and
>> watch the carnage they invoke upon Windows/Mac as market leaders.
>>
>> -mb
>>
>>
>> On Mon, May 25, 2020 at 9:28 PM der.hans <PLUGd@lufthans.com> wrote:
>>
>>> Am 25. May, 2020 schwätzte Michael Butash so:
>>>
>>> moin moin,
>>>
>>> >> Should we be insulted that they don't check for SSH?
>>> >>
>>> >> Ah, "According to Nullsweep, who first reported on the port scans,
>>> they do
>>> >> not occur when browsing the site with Linux."
>>> >
>>> > Probably more flattered about ssh - they know they're not getting
>>> anything
>>> > out of a linux system anyways.
>>>
>>> Could they? I thought there was a problem with JavaScript hitting
>>> localhost a couple years ago and this was blocked.
>>>
>>> One of the links in the original article points to a break-down of the
>>> code in question. I'm only about 1/3 of the way through the article, so I
>>> don't yet know how it ends. Spoilers are OK :).
>>>
>>> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>>>
>>> As to script blocking below, yeah, other than security-curious people at
>>> conferences, I don't get much buy in. Kidling however is learning to work
>>> with it :).
>>>
>>> ciao,
>>>
>>> der.hans
>>>
>>> > Interesting on the second comment - didn't catch that. Wonder why/how
>>> > windoze allows this, but linux does not? And what about the mac users?
>>> > Now I'm even more curious.
>>> >
>>> > I feel a bit better knowing I'm protected since I don't use windoze for
>>> > anything but visio, but the other billion suckers still using windoze
>>> as a
>>> > main rig are screwed as usual.
>>> >
>>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run
>>> any.
>>> >
>>> > I too use uBlock Origin, mostly for adware lists, but I use NoScript
>>> that
>>> > flat disallows sites unless whitelisted. It breaks all sorts of stuff
>>> > until whitelisted, but usually the ones that require me to whitelist
>>> more
>>> > than a few domains, I quickly close and forget about. It's pretty
>>> scary
>>> > going to big sites like various news outlets just how many domains
>>> their
>>> > javascripts are banging your browser with. I've seen upwards of 20-30
>>> > foreign domains all attempting to track/probe you at times - those I
>>> close
>>> > quick, blacklist them all, and thank the fact I have script blocking
>>> > enabled.
>>> >
>>> > Trying to get others to use noscript or any sort of whitelist model is
>>> > tough, 99% of the time they don't want the inconvenience and end up
>>> turning
>>> > it off. I usually stop taking tech support calls or listening to
>>> whining
>>> > after that when they're infected yet again.
>>> >
>>> > -mb
>>> >
>>> >
>>> > On Mon, May 25, 2020 at 6:17 PM der.hans <PLUGd@lufthans.com> wrote:
>>> >
>>> >> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
>>> >>
>>> >> moin moin,
>>> >>
>>> >>>
>>> >>
>>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>>> >>>
>>> >>> This was a bit disturbing to read today. Ebay injects a few
>>> javascript
>>> >>> connections back to your requesting system, measures a basic socket
>>> >>> connection, telling them if the port is open or not, amounting to
>>> >>> effectively a local host port scan for specified ports, behind a
>>> >> firewall,
>>> >>> from a web page you visited. They are doing this looking for remote
>>> >> admin
>>> >>> applications in fact, rdp, vnc, teamviewer, many others. Hmm.
>>> >>
>>> >> Should we be insulted that they don't check for SSH?
>>> >>
>>> >> Ah, "According to Nullsweep, who first reported on the port scans,
>>> they do
>>> >> not occur when browsing the site with Linux."
>>> >>
>>> >> :)
>>> >>
>>> >>> So any public website can query any port from visiting a web page,
>>> and
>>> >>> possibly interact with any sort of local or other api on my system?
>>> >>>
>>> >>> I wouldn't think Javascript would be allowed to chain off a host like
>>> >> that,
>>> >>
>>> >> JavaScript can run bitcoin miners on your system. It can also attack
>>> and
>>> >> steal the credentials for your bitcoin account and thereby take all
>>> your
>>> >> coins. Plus there are the exploits of password browser plugins such as
>>> >> LastPass.
>>> >>
>>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run
>>> any. I
>>> >> even remove the 1st party allowances for most of my browser instances.
>>> >>
>>> >> That does render some site totally unreadable. I ignore most of those.
>>> >>
>>> >> For some sites, I allow certain JavaScript. For instance, for
>>> >> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I
>>> have to
>>> >> allow google and recaptcha in order to checkout. Sometimes I just
>>> don't
>>> >> bother with the bundle as it's not worth the annoyance.
>>> >>
>>> >> For ebay, I have a separate browser instance as the site has lots of
>>> >> JavaScript. I generally just don't use ebay very much. I need to get
>>> >> better at running browsers out of containers and restricting their
>>> >> access. In fact, I might finally be in a position to try out qubes.
>>> >>
>>> >> ciao,
>>> >>
>>> >> der.hans
>>> >>
>>> >>> or at least have protections from certain abuse. I suppose it's
>>> valid if
>>> >>> linking to another site, but JS/Browsers allowing local random port
>>> use
>>> >>> like this, seems ebay is probably not the only ones to abuse this in
>>> >>> certain ways. I know you can do some interesting things with
>>> websockets,
>>> >>> seems chaining via same methods to remote interact would be trivial.
>>> >>>
>>> >>> This is pretty devious actually, I'm both a bit scared for ebay, not
>>> to
>>> >>> mention all the other sites I "trust", let alone the ones I don't.
>>> >>> Everyone else that just allows pervasively javascript is just hozed.
>>> >> Which
>>> >>> is standard for everyone since javascript existed.
>>> >>>
>>> >>> I use noscript pervasively, and whitelist only valid sites. Ebay is
>>> a
>>> >>> valid site, didn't think I had to protect myself, but how would you
>>> >> protect
>>> >>> against this? Curious also the take from web dev's on this, other
>>> than
>>> >>> thanks for the tip. :)
>>> >>>
>>> >>> -mb
>>> >>>
>>> >>
>>> >> --
>>> >> # https://www.LuftHans.com https://www.PhxLinux.org
>>> >> # Boredom is self-inflicted...der.hans
>>> >
>>>
>>> --
>>> # https://www.LuftHans.com https://www.PhxLinux.org
>>> # ... make it clear I support "Free Software" and not "Open Source",
>>> # and don't imply I agree that there is such a thing as a
>>> # "Linux operating system". - rms
>>
>>
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
https://lists.phxlinux.org/mailman/listinfo/plug-discuss