et [2021-02-09 03:36:58] (current) – jenda
Line 1: | Line 1: | ||
+ | ====== E.T. Phone Home ====== | ||
+ | |||
+ | It is a common trend today that applications are leaking data to the network. This is an open-source and linux-oriented list of such applications. The behavior was discovered using NSA Litoměřice' | ||
+ | |||
+ | The bugreports should be submitted and linked. | ||
+ | |||
+ | It's interesting that I usually can't find anyone on the web who cares. | ||
+ | |||
+ | <note warning> | ||
+ | |||
+ | Direct further questions regarding privacy and security to your operating system vendor. | ||
+ | </ | ||
+ | |||
+ | ===== Mozilla ===== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ===== Chromium ===== | ||
+ | |||
+ | < | ||
+ | |||
+ | All WebKit browsers: ignore user-agent settings, send real information to Google domains | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== Debian (systemd/ | ||
+ | |||
+ | Uses 8.8.8.8 DNS server if no other is available: https:// | ||
+ | |||
+ | ===== Stardict ===== | ||
+ | |||
+ | As of 12/2015 (update: 07/2018: the bug is still there), the default configuration of Stardict in Debian Sid uses dict.cn as the default dictionary. Additionally, | ||
+ | |||
+ | < | ||
+ | |||
+ | It has been confirmed that if you use KeePassX, which by default uses "copy password to clipboard", | ||
+ | |||
+ | Bug: | ||
+ | * https:// | ||
+ | |||
+ | Related, but not the same: | ||
+ | * https:// | ||
+ | * https:// | ||
+ | |||
+ | ===== GNOME ===== | ||
+ | |||
+ | * gitg leaks e-mail addresses from commit messages to gravatar | ||
+ | * gnome-contacts leaks physical address of your contact to proxy.gnome.org, | ||
+ | * clock-applet leaks your current TZ location via HTTP ([[https:// | ||
+ | |||
+ | https:// | ||
+ | |||
+ | ===== GnuPG/ | ||
+ | |||
+ | (at least) in Debian, an automatically spawned service (dirmngr) seems to periodically checks key updates on keyserver //over plain HTTP//, exposing list of your friends to the network. | ||
+ | |||
+ | < | ||
+ | Aug 17 07:55:13 localhost dirmngr[11304]: | ||
+ | </ | ||
+ | |||
+ | Use | ||
+ | < | ||
+ | systemctl --user mask dirmngr.service</ | ||
+ | to disable this. | ||
+ | ===== Linux ===== | ||
+ | |||
+ | By default Linux replies to ARP queries on **all** interfaces. This seems to be in accordance with RFC 826 from 1982, part "Am I the target protocol address?" | ||
+ | |||
+ | * It breaks things. Connect your computer to two networks and let another one use colliding IP range. You will act as an ARP-poisoning host involuntarily! | ||
+ | * It allows an external attacker to decloak which other addresses you are using. They can fingerprint you and they can test for well-known VPNs of competing intelligence agencies. | ||
+ | |||
+ | Example decloak: arping -i br0 10.1.10.1 | ||
+ | |||
+ | Defense: echo 1 > / | ||
+ | |||
+ | ===== Fedora + NetworkManager ===== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | ===== OpenWRT ===== | ||
+ | |||
+ | < | ||
+ | |||
+ | Btw. there used to be a root shell on ttyS0. | ||
+ | |||
+ | ===== OpenBSD ===== | ||
+ | |||
+ | Sends out configuration during installation (//stores timezone and mirror settings for sysadmins with lazy fingers//). FIXME more details | ||
+ | |||
+ | ===== LibreOffice ===== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | It [[https:// | ||
+ | |||
+ | ===== Ubuntu (desktop) ===== | ||
+ | |||
+ | https:// | ||
+ | |||
+ | ===== Ubuntu (Phone) ===== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | It calls to Canonical, Google and YouTube. It downloads advertisements to " | ||
+ | |||
+ | ===== CyanogenMod ===== | ||
+ | |||
+ | A stock CM 12.1 was installed. During installation, | ||
+ | |||
+ | Additionally, | ||
+ | < | ||
+ | User-Agent: Dalvik/ | ||
+ | Host: connectivitycheck.android.com | ||
+ | Connection: Keep-Alive | ||
+ | Accept-Encoding: | ||
+ | |||
+ | This request has been disabled by " | ||
+ | |||
+ | Please note that the sniffing was carried only on wifi. We don't have equipment to sniff mobile data at the moment. | ||
+ | |||
+ | ===== colord ===== | ||
+ | |||
+ | Sends broadcasts when changing monitors. Seems to be scanning for network printers. | ||
+ | |||
+ | ===== Sublime text ===== | ||
+ | |||
+ | Checks for updates | ||
+ | |||
+ | ===== Chirp ===== | ||
+ | |||
+ | Checks for updates | ||
+ | |||
+ | ===== Arduino ===== | ||
+ | |||
+ | Checks for updates | ||
+ | |||
+ | ===== GQRX ===== | ||
+ | |||
+ | Sends broadcasts upon startup, so others can sniff while you sniff. | ||
+ | |||
+ | ===== Psi+ ===== | ||
+ | |||
+ | Listens to the world for file transfer, even when it's turned off. And even when status is offline. | ||
+ | |||
+ | ===== Android ===== | ||
+ | |||
+ | Eternal spy connects to Google Market (tcp/5228) even though updates have been disabled and Market was never started. (Android 4.1, Samsung Galaxy Ch@t Backdoor Edition) | ||
+ | |||
+ | Traffic collected during 30 minutes of idle phone laying on the desk includes: | ||
+ | * mobile-gtalk.l.google.com: | ||
+ | * hxxp: | ||
+ | * hxxp: | ||
+ | * android.l.google.com | ||
+ | * api.samsungosp.com: | ||
+ | |||
+ | …despite all services are disabled in system settings and the phone has never been connected to any Google service. | ||
+ | |||
+ | Brief sniffing on one popular network reveals similar patterns and requests are exposed by many other mobile phones too. Sometimes such requests apart from tracking [[https:// | ||
+ | |||
+ | I have hotfixed the problem using the following netfilter rules to allow only my favorite sites. Of course malware with sufficient privileges can add an exception to the firewall itself. | ||
+ | |||
+ | <code bash> | ||
+ | |||
+ | for ip in 46.167.245.0/ | ||
+ | iptables -I CHECKALLOWED -d $ip -j ACCEPT | ||
+ | done | ||
+ | |||
+ | iptables -I OUTPUT -j CHECKALLOWED | ||
+ | iptables -I OUTPUT -m conntrack --ctstate RELATED, | ||
+ | |||
+ | iptables -A CHECKALLOWED -j REJECT | ||
+ | </ | ||
+ | |||
+ | [[https:// | ||
+ | ===== Windows ===== | ||
+ | |||
+ | However, spying features in Windows are much more advanced, for example: | ||
+ | * https:// | ||
+ | * http:// | ||
+ | * http:// | ||
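Review bot: in the `<code bash>` block under the Android section the CHECKALLOWED chain is populated and jumped to (`iptables -I CHECKALLOWED -d $ip -j ACCEPT`, `iptables -I OUTPUT -j CHECKALLOWED`) but never created, so on a fresh filter table every one of those commands fails with "No chain/target/match by that name"; add `iptables -N CHECKALLOWED` before the `for` loop, and `iptables -F CHECKALLOWED` as well if the snippet is meant to be re-run, because `-I` otherwise stacks duplicate rules on every invocation. The order of the two `-I OUTPUT` lines is right as written: the conntrack accept is inserted last and therefore lands above the jump, so established flows are not sent through the whitelist. Minor wording in the GnuPG section: "seems to periodically checks key updates" should read "seems to periodically check for key updates".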