What happens when they scan an IP address whose ports are shared dynamically by many of the ISP's customers? That is then not just their customer they are scanning - even though I suspect such an ISP NAT will only have outgoing connections?
Bank on it: It's either legal to port-scan someone without consent or it's not, fumes researcher
Halifax Bank scans the machines of surfers that land on its login page whether or not they are customers, it has emerged. Security researcher Paul Moore has made his objection to this practice – in which the British bank is not alone – clear, even though it is done for good reasons. The researcher claimed that performing port …
COMMENTS
Tuesday 7th August 2018 14:12 GMT Dazed and Confused
It's scanning 127.0.0.x
Well there's a big difference between opening port 59xx to listen on 127.x.y.z and listening to VNC connections more generally. This also means they are failing to test whether you're protected by a firewall. On Linux boxes I'd often have VNC ports open, but that's got nothing to do with malware.
Tuesday 7th August 2018 22:34 GMT Donn Bly
Re: Code
They are running code in my machine without my explicit consent for their own benefit..
That statement is correct for just about any website that you visit, including this one. If that alone were the problem then every website that uses any kind of browser scripting would run afoul.
You didn't explicitly give the site permission to validate that you entered a valid date before submitting the form? Then that would be a violation in your eyes.
I don't use the bank, but I can definitely see the utility of doing a mini-scan warning you of potential RAT or remote access software being active before you are given the chance to enter your userid or password. However, it should probably be put on the page as a first step, ie, a message displayed that says "click continue to run a prerequisite security check before entering your userid".
Wednesday 8th August 2018 06:38 GMT John Smith 19
They are running code in my machine without my explicit consent for their own benefit...
Exactly.
It's the lack of consent he's arguing makes this illegal.
OTOH if it's after you logged in to their site (as a customer) then it's "It's in our T&C's you agree to have your ports scanned," which is entirely different.
I think he has a case and it does look like a case of "one law for us, another for them."
Wednesday 8th August 2018 16:29 GMT John Brown (no body)
Re: They are running code in my machine without my explicit consent for their own benefit...
"Law supersedes any wording in private contracts if the private contract breaks the law."
Except where the law has a loophole for consent and the T&Cs require you give that consent for security purpose.
Wednesday 8th August 2018 06:57 GMT Dr. Mouse
Re: They are running code in my machine without my explicit consent for their own benefit...
I agree that this is a simple matter of consent.
Most pages now have JS running, but this is mostly in order to do what the visitor is there to do (view/interact with the page). There is implicit consent, as vague as that might be.
In this, they are performing a scan of your private resources without consent. It would be easy enough for them to add a "we must scan your computer for security reasons" page before doing so, get consent, and even allow storage of that answer to avoid it in future.
If it's fine for the banks to do this without consent, it should be fine for security researchers (which, IMHO, it should). If it's not allowed for security researchers to do so without consent, the banks should need consent too.
Wednesday 8th August 2018 13:41 GMT Dr. Mouse
Re: Code
I'm not defending the port scanning but every web page that has Javascript is running code in your machine without your explicit consent.
Most of that is to operate the site itself: To handle interactions, make things pretty, create a better user experience. Some is about adverts, but we have to accept that as part of the site, too. The parts which are part of the site have implicit consent in that you are wanting to view the page, and I think that's good enough for that. Some is about tracking etc., but that's more controlled than it once was and requires a greater level of consent.
This is a scan of private resources without consent. I think that's a very different thing.
Tuesday 7th August 2018 15:16 GMT Jeff 11
"It's a local scan (in web page code) not a remote port scan.
That's a big CMA difference if you ask me (local versus remote)."
I don't know why this comment is getting downvoted. No individual or remote system is connecting to your machine, and this (invasive, I agree) action is triggered by your browser downloading some asset on a system you are using voluntarily.
I agree there are ethical ramifications as this information is reported back and used 'somewhere'. But legally, I can't see how this could be any more a violation of the CMA than almost every media website the world over checking to see if you're running an adblocker in your browser, or downloading and running a script that performs port checks on your machine using netstat.
Tuesday 7th August 2018 16:42 GMT Eddy Ito
I don't see the point of running the scan really. So you've got some open ports, what of it? Are they going to kick you out if you've dedicated a port for something if it also happens to be commonly used by a RAT? It's none of their concern what ports I choose to have open even if it's a dumb idea. Have they put up a policy that says you must have ports x, y, & z closed in order to connect?
Wednesday 8th August 2018 16:04 GMT Anonymous Coward
it's to shift blame
@ Eddy Ito
"I don't see the point of running the scan really."
As they are sending the data back to be stored, it's to shift the blame for any dodgy stuff happening to your account.
Once they have recorded you had open ports, any misuse of your account is going to get blamed on you.
It shifts any blame for intrusion afterwards to you for having an open port.
Wednesday 8th August 2018 16:26 GMT John Brown (no body)
"Have they put up a policy that says you must have ports x, y, & z closed in order to connect?"
Maybe they are just collecting information to be used against you if any money goes missing from your account? "Well sir, on at least 4 previous occasions you have logged into our online banking service and we have proof you had open ports used by RATs, therefore we deny any responsibility for losing your money. You were hacked and we can 'prove' it"
Tuesday 7th August 2018 17:15 GMT Alan Brown
" this (invasive, I agree) action is triggered by your browser downloading some asset on a system you are using voluntarily."
Um no. It's no different to surreptitiously kicking off a coinminer in the background when I visit your website.
_Other_ sites such as IRC networks and suchlike are looking at what ports you have open from the outside (mainly to ensure you're not an open proxy); they're not stealing cycles to run a scanner on the victim box and then using that victim box to report details of the internal network, which would be shielded from the attacker even on a well-firewalled installation.
Shit like this is why I use scriptblockers.
Tuesday 7th August 2018 14:52 GMT Aitor 1
Re: Foaming at the mouth, but the foam kind of makes sense
The law is ridiculous and makes no sense.
Either they change the law or it is applied to everyone, not just the poor as it seems to be the case.
So, to be clear: banks should be allowed to scan before you login, for security, they should disclose it too, and researchers should disclose who they are scanning.
Tuesday 7th August 2018 18:31 GMT JohnFen
Re: Foaming at the mouth, but the foam kind of makes sense
I am of the opinion that port scanning should not be prohibited at all. However, if we're going to count it as a prohibited activity, then this:
"banks should be allowed to scan before you login, for security"
makes no sense and should be as illegal as it is for everybody else. Scanning after you log in would be OK, as long as you gave consent. But prior to login, there's no way for the bank to know if they have consent or not.
From a security point of view, it doesn't matter if the scan happens before or after login.
Tuesday 7th August 2018 23:14 GMT JohnFen
Re: Scanning after login is too late; the malware could have got some login details
Any malware will get the login details either way. The sorts of scanning the site is doing won't stop that. If the scan shows something suspicious, it's not going to stop you from logging in. It can't, because a port scan of this sort can't possibly be able to determine if you've been compromised with any useful degree of accuracy. If they prevented you from logging in as a result of the scan, they'd be spending a ton of money constantly dealing with customers who have been mistakenly locked out.
All this sort of scan can do is indicate whether or not further investigation is a good idea.
Tuesday 7th August 2018 11:41 GMT m0rt
Actually, I am up for everyone being able to scan whoever they like. I, personally, think that will result in a percentage point increase in secure online destinations.
The law is an ass when it comes to security in the online world. Basically going after low hanging fruit because 'We are doing something' and all that bollockerdash.
NMAP ftw.
Tuesday 7th August 2018 17:13 GMT Camilla Smythe
I'm not.
If I want my ports scanned I can ask, give permission, for someone with an appropriate and legitimate service to do so.
I do not need some dweeb dropping in on my open ports saying they are, or appearing in my logs as, some sort of security scanning service.
I've never had one of the twats e-mail me to warn me that I might have a security problem. I can only conclude that the service is for themselves or the data is sold on to third parties for profit.
That's wear and tear on my equipment and uses up my bandwidth along with adding to my electricity bill so they can fuck off into IPTables.
Tuesday 7th August 2018 18:39 GMT Camilla Smythe
Re: I'm not... However
If I thought about it and wanted to play nice, then if my Bank wanted to scan my ports when I landed on their Login page they could pop up a message saying something like:
For added security if you are a customer about to log in to your account we would like to perform an external port scan in order to check that your computer has not been compromised. If we find anything suspicious then we might not allow you to Log In and ask you to contact us.
Once you have Logged In we will perform an internal port scan to once again verify that your computer has not been compromised. If we find anything suspicious we may lock your account and ask you to contact us.
If you agree to this then please click Accept to log in. If you do not then please click Reject. You will be redirected to your Home Page.
Of course the above is not going to happen because if they get it wrong they have to accept liability for it.
Wednesday 8th August 2018 11:38 GMT m0rt
@camilla Re: I'm not... However
"If I want my ports scanned I can ask, give permission, for someone with an appropriate and legitimate service to do so.
I do not need some dweeb dropping in on my open ports saying they are, or appearing in my logs as, some sort of security scanning service."
And that is exactly the mindset that the policy and lawmakers are coming from.
If malicious hackers were nice people then they wouldn't be malicious hackers. So it is, quite literally, an anarchist's state out there in Intercyberweb Land. Those that know this will have a better chance than those that don't. And now with added GDPR you better hope that your house is in order, because hacked/leaked data along with insufficient GDPR consideration will result in bankruptcy.
So as far as I am concerned, if I put anything online I fully *expect* it to be scanned, probed, prodded and slapped for good measure. I don't say 'How dare you!'
But hey. That is just me.
Thursday 9th August 2018 10:28 GMT Alan Brown
Re: @camilla I'm not... However
"So as far as I am concerned, if I put anything online I fully *expect* it to be scanned, probed, prodded and slapped for good measure."
127.0.0.1 is explicitly NOT online and I don't expect something outside my network to work out a way of bypassing my firewalls, scan it (and possibly the rest of my internal network) then report back to the attacker's mothership.
Halifax really haven't thought this one through and their actions go well beyond the bounds of what's reasonable behaviour. CMA most definitely applies - not for the scanning, but for the way they're explicitly bypassing security and attacking the target network, plus running unauthorised attack code on 3rd party computers.
Monday 13th August 2018 09:34 GMT m0rt
Re: @camilla I'm not... However
"Halifax really haven't thought this one through and their actions go well beyond the bounds of what's reasonable behaviour. CMA most definitely applies - not for the scanning, but for *the way they're explicitly bypassing security* and attacking the target network"
Then it isn't much in the way of security it is bypassing, then.
I am not defending Halifax. There is a breach of etiquette here. But at the same time it should be water off a duck's back, not a 'How dare you!' reaction.
The internet is an unforgiving place to be.
Wednesday 8th August 2018 09:13 GMT Alan Brown
Re: I'm not.
"I've never had one of the twats e-mail me to to warn me that I might have a security problem."
If they did you'd probably scream your head off about spam. That was the experience of various voluntary efforts that tried this approach in the 1990s. Shooting the messenger is still a popular pastime.
Tuesday 7th August 2018 11:54 GMT Anonymous Coward
I wonder if you could get around this by making a GET / request to Halifax with the header:
X-Info: If you respond to this request then you agree to be port scanned.
That's more than Halifax are doing if you have to be port scanned to read about the fact you're agreeing to be port scanned.
Tuesday 7th August 2018 11:53 GMT Crisp
Where does it end?
If it's ok to scan for security purposes, that sounds pretty benign doesn't it?
Oh look! Port 23 is open. Surely there's no harm in looking at the banner? Just to make sure that particular implementation of FTP hasn't got any known security vulnerabilities.
Those login attempts? We were just scanning for common known passwords, just to check that your machine is really secure.
Those downloads? We're just collecting document meta data. No human has actually read your invoices, statements and holiday photos. Though we strongly discourage using $RIVALBANK$'s services. They aren't nearly as secure as we are.
Tuesday 7th August 2018 16:36 GMT Anonymous Coward
Re: "the scanning is done with Javascript running locally"
"Take it half a step further: the login page may not work without JS, but it is probably irrelevant for non-customers."
But that is the point with NS, you run what scripts YOU want. My bank allows various tracker scripts to run on the log in page - very bad practice, but since I auto block those trackers, Google* knows very little about me.
The single active script needed to log in is still allowed, so log in works.
I get VERY grumpy at etailers that try to introduce 3rd party scripts at the final stage of a payment process; the result is nearly always the payment failing, and my order being screwed up for hours (or days), before they clear the issue.
Sometimes it is for something eminently STUPID, like using a special font from an external source; bugger off, do it in Times or Arial, I'm not letting some unknown 3rd party into my secure session just to make the page look pretty!!!
*(Ooops)
Tuesday 7th August 2018 21:59 GMT Nick Kew
@Ian Emery
I get VERY grumpy at etailers that try to introduce 3rd party scripts at the final stage of a payment process
If that's the abomination called "verified by visa" you have in mind, these days my transaction seems to go through just fine if I just back out of it. I presume that's Just One More inexplicable aspect of its brokenness.
Wednesday 8th August 2018 06:36 GMT Anonymous Coward
Re: @Ian Emery
VbV was an early example, and to this day doesn't add any security to your purchase - despite what they say.
No, as I said, I have encountered a number of scripts, some for 3rd party payment systems, some for cosmetic effects, and more than one script that doesn't appear until the transaction has supposedly finished and you are supposed to be sent to the order summary page with an order reference number.
The VERY worst was encountered in the payment system for "The Book People"; it has since been fixed, but was so bad I wouldn't use them for a whole year until it was fixed - and I highlighted the issue on several consumer forums after they failed to reply to my complaints about how insecure it was.
Wednesday 8th August 2018 09:15 GMT Alan Brown
Re: "the scanning is done with Javascript running locally"
"I get VERY grumpy at etailers that try to introduce 3rd party scripts at the final stage of a payment process;"
I get very grumpy at contract suppliers who do it at any point along the way. GDPR and personal data harvesting tends to figure in such complaints.
Tuesday 7th August 2018 18:36 GMT JohnFen
Re: "the scanning is done with Javascript running locally"
Using NoScript isn't an all or nothing thing. You can allow some scripts to run and not others. That said, if a site doesn't work properly when I have NoScript going, I tend to just not use that website. Even if it belongs to my bank.
Tuesday 7th August 2018 13:37 GMT Anonymous Coward
Re: CMA is overzealous
The CPS has guidance for prosecutions under Section 3A of the CMA which covers the likelihood that software was being used to break the CMA. Amongst other things, prosecutors should consider:
• Was the software developed to obtain unauthorised access to a computer?
• Does the software have legitimate purposes, such as testing a device's security?
• What was the context in which the software was used to commit the offence compared with its original intended purpose?
I can't see how he has a case here. The CPS will point to their guidance.
https://www.cps.gov.uk/legal-guidance/computer-misuse-act-1990
Wednesday 8th August 2018 06:06 GMT Anonymous Coward
Re: CMA is overzealous
• Was the software developed to obtain unauthorised access to a computer?
Clearly yes: it was designed to be surreptitiously downloaded from the website to a machine, it then runs on said machine and exfiltrates the results to a remote server in a manner hidden from the user of said website
• Does the software have legitimate purposes, such as testing a device's security?
First problem there, is this 'legitimate' legally?
As the users of the website have not explicitly authorised this scan of their machine - in fact, it appears to have been hidden from them in the mire of javascript that loads when you visit the login page and then runs automatically in a surreptitious manner - I think not.
Second problem there is, does this code really test a device's security in a 'legitimate' way?
If they get the browser to scan the loopback interface on a machine and find anything listening on the port numbers they instruct it to check, what exactly does that prove? Only that there is something listening on localhost and responding. As no check is done from an external host to see if they can connect to the same port numbers on the machine's network interface, then it's a bit of a meaningless check as far as security is concerned. This then brings into question the legitimacy of the code, whatever the original intention was.
• What was the context in which the software was used to commit the offence compared with its original intended purpose?
You could argue that the intent of the software was to try and bypass the CMA by design: by getting the code to run on a browser on the target machine they obviously hoped to try and bypass Section 1.1.b of the act.
From the guidance URL you pointed to:
'Section 17 gives the interpretation of "unauthorised access" for the purpose of section 1. Access is unauthorised where an individual is not entitled to or has not been given consent for the type of access in question.
The offence of unauthorised access requires proof of two mens rea elements section 1(1):
there must be knowledge that the intended access was unauthorised;
there must have been an intention to secure access to any program or data held in a computer.
There has to be knowledge on the part of the offender that the offender that the access is unauthorised; mere recklessness is not sufficient. This covers not only hackers but also employees who deliberately exceed their authority and access parts of the a system officially denied to them.'
By any definition, this code provides them with "unauthorised access" as at no point has anyone mentioned that consent has been given, informed or otherwise, the fact that the code runs in a 'hidden' manner without any sort of user interaction points to the fact that it was written with 'knowledge on the part of the offender that the offender that the access is unauthorised'
The mere act of visiting a web page does not equal consent to have your machine scanned by code downloaded from said page and the results of said scan then exfiltrated to third parties. In fact, it could be argued that if there is any sort of dedicated firewall device between the machine running this code and the internet, blocking access to the port numbers they instruct the browser to scan, then by choosing to scan only the loopback interface for listening processes this is clearly a deliberate attempt to 'access parts of the a system officially denied to them'.
Tuesday 7th August 2018 12:04 GMT macjules
Heard that one before
"Halifax/Lloyds Banking Group are not trying to gain remote access to your device; they are merely testing to see if such a connection is possible and if the port responds. There is no immediate threat to your security or money,"
1) What if you are online with another (rival) bank at the same time?
2) I have a Sophos SG UTM software firewall - is that a problem for Halifax? If so, then good.
3) After the TSB debacle I know that when they say "There is no immediate threat to your security or money" they actually mean, "Oops it's all gone, sorry bout that"
Tuesday 7th August 2018 13:15 GMT Anonymous Coward
Re: Heard that one before
1) Nothing. The logs show they are just socket checks.
It is literally, "Are you there? No? Ok."
2) If you're dropping or otherwise blocking the checks, neato. Nobody cares.
If your device is a hardware device, in this case no, it wouldn't help you.
The fact of the matter is that Halifax isn't technically scanning you.
Halifax is providing you with a piece of Javascript code and having you scan yourself. This is indicated by all of the '127.0.0.1' addresses in Moore's screenshots.
There are numerous programs to prevent this, if you so desired.
3) What.
Tuesday 7th August 2018 17:26 GMT Alan Brown
Re: Heard that one before
"The fact of the matter is that Halifax isn't technically scanning you."
No, Halifax is exploiting a security vulnerability of web browsers to induce your computer to run network scanning code - ie, without bothering to get explicit permission first.
The fact that it's scanning 127.0.0.1 instead of 192.168.0.1-255 or 195.130.217.2[014]1 and 91.220.42.2[014]1(*) isn't relevant. The factor of permission and unauthorised operation _IS_. It would take a couple of tiny tweaks to move this from something apparently benign to something extremely nasty and the fact that its existence has been disclosed means the webserver holding that javascript is now a target for every script kiddie on the planet looking for a DDoS attack engine. As we all know, banking webservers are some of the most secure on the planet.....
(*) Extra points if anyone recognises those IPs and what the likely reaction would be if they were prodded.
Wednesday 8th August 2018 04:44 GMT eldakka
Re: Heard that one before
The fact of the matter is that Halifax isn't technically scanning you.
Halifax is providing you with a piece of Javascript code and having you scan yourself. This is indicated by all of the '127.0.0.1' addresses in Moore's screenshots.
Can I claim that defense in court if I grab somebody's arm and smack them in their face with their own fist while saying "Stop punching yourself in the face"?
Wednesday 8th August 2018 09:46 GMT trydk
Re: Heard that one before
@Anonymous Coward, Tuesday 7th August 2018 13:15 GMT
So, by physical world analogy, it is OK for Halifax to send you a packet containing a robot that surreptitiously scans your home to check that all windows and doors are properly closed, send the result off to themselves neither informing you that they've done it nor of the result? The big difference here is that the robot probably would not go unnoticed, right?
You cannot in earnest argue that it is OK as you "scan yourself"? If that is a valid argument, it means that anyone making you download a piece of malware goes scot-free as "you did the malicious part yourself". No ma'am/sir, it ain't working that way!
Tuesday 7th August 2018 12:19 GMT RobinCM
1. Just because something is listening on localhost doesn't also mean it's listening on the machine's network IP address.
2. Most ISPs supply routers that have NAT firewalls enabled by default, so a machine listening on a private address behind one of those is unlikely to be accessible from the public IP address of the router.
3. If you're not banner grabbing how do you know what's actually listening?
4. I'm pretty sure ISPs do or used to do port scans of customer's public IP addresses, Virgin/Telewest definitely used to do that to me years ago. Does that still happen?
5. I'm slightly concerned that client side JavaScript could be scanning any local IP addresses on my internal network, and wonder what's the legitimate use for this functionality in a web browser? Seems like a drive by IoT disaster waiting to happen.
Tuesday 7th August 2018 22:08 GMT Nick Kew
If the client side javascript can scan localhost, I guess that NAT firewall isn't too much use against browser-based attacks.
Verily, it has come to pass. The world has routed around misguided security.
Wednesday 8th August 2018 08:19 GMT Androgynous Cupboard
Bypassing the firewall.
For me that's the interesting point. Not only are they scanning the local machine without consent, but they're doing so after getting past my firewall. Someone mentioned "drive by downloads" above, if you view the portscan itself as illegal then this situation isn't that different.
I agree on the grand scheme of things it's not a big deal, but the law is the law, and taking this one to court would be useful to clarify the position of anyone who is charged over a portscan in the future. Lord knows I've run a few over the years.
For that reason alone I've thrown in £50.
Tuesday 7th August 2018 12:21 GMT Teiwaz
I am actually kind of impressed.
Too many companies don't think enough about security.
But I do agree, it should be legal or not, not legal for some corp, and not for everyone else (unless connected to some DOS shenanigans).
Without permission, and all site visitors - got a point about not being particularly effective after login though. I suppose notification could be in T&Cs, but who reads those, considering they are usually couched in legalese and either incomprehensible or make you want to reach for the bottle or cause your eyes to glaze over.
Tuesday 7th August 2018 13:16 GMT activereachmax
Re: GDPR
Not necessarily. Network security is usually considered a Legitimate Interest and so capturing IP addresses for security purposes is lawful - as long as the business could show an auditor a Legitimate Interest Assessment and is transparent with the data subject about the collection, who's collecting it, and how to exercise your rights as a data subject with them, as a data controller.
It's a bit like operating a CCTV camera in that information about you is captured by the system for a legitimate security purpose, but that does not require your consent to be legal.
Tuesday 7th August 2018 17:45 GMT Anonymous Coward
Re: GDPR
And here is the problem: they are not transparent about their actions, nor would they be able to prove that the port scan had any security benefit. They have no idea what is listening, so it could be anything that just happens to be using the same port. Car analogy time. A white van was used in a bank robbery. We therefore assume all white vans are full of bank robbers and will flag them up as such.
Wednesday 8th August 2018 18:06 GMT John Brown (no body)
"Or do they only scan <=1024? In which case, it's my business if I'm running 'finger' or something equally odd."
Not to mention the obvious thing. Lots of software uses networking and the loop-back address to communicate internally without ever going onto the wider outside network. *nix users in particular will be aware of this, but Windows is more *nix like these days in that respect too. And then there's the various devices inside the home LAN which are running servers and other services or which need you to be running apps/servers on your desktop PC, the one being scanned by Halifax.
Tuesday 7th August 2018 12:49 GMT Alan J. Wylie
One law for them, another for us
Do not forget the case of poor Daniel James Cuthbert, found guilty of an offence under the Computer Misuse Act back in 2005 for adding ../.. to the URL of a charity's web site.
There is a very thin line between "intending to secure access" and checking to see if insecurities may be present.
Tuesday 7th August 2018 13:15 GMT VRocker
I actually noticed this back in 2016 and it put me off banking with them back then. I did find it a bit strange that they were trying all sorts of port scans, including RDP and VNC.
They say it's for 'scanning for malware' but they never actually alert the users that they found open ports (or didn't last time I checked). I have RDP enabled on this machine but not to the internet, obviously. The port is checked from your machine (WebSocket from the check.js) so even if it's not open to the internet the scanner should find it 'open' and report back. Nothing flags up in pfSense about any outside scans, so they're not checking if it is open to the internet, but yet I get no 'alert' to say they found something suspicious on my machine, so what is it actually used for?
I imagine the way they'll get around this thing is that the scan is done by your own browser rather than their servers so they're not technically scanning you...
Tuesday 7th August 2018 13:36 GMT Christoph
So will they have no objection if I run a full penetration test suite on their site to make sure they are secure enough for me to consider becoming a customer?
Oh, and I'd like to check that they can cope with a DDOS attack so I don't lose access if someone attacks them.
For Security, you know.
Tuesday 7th August 2018 13:37 GMT Giovani Tapini
I tend to agree this is less than a good idea
If it is reasonable to do a portscan at all it should be part of the login process. The Halifax comment saying that they want to protect customers is fine, except you are not just protecting customers.
I am not a fan of this even as an idea though, financial services companies should not perform actions they would otherwise be defending against. That's just wrong.
Scanning non-customers is not against the CMA as far as I understand it. Vulnerability scanning does not require full consent in the UK (albeit that's advice, I don't believe it has been tested in court).
Are they going to tell people they are vulnerable? What if they are not a customer and identify vulnerabilities? It opens an unnecessary can of worms without any apparent benefits.
I should imagine most people scanned would not provide a sensible result anyway if they are behind any kind of commercial firewall or NAT based router at the end of their broadband.
-
Tuesday 7th August 2018 18:35 GMT Charles 9
Re: I tend to agree this is less than a good idea
"If it is reasonable to do a portscan at all it should be part of the login process. The Halifax comment saying that they want to protect customers is fine, except you are not just protecting customers."
The scan MUST be done BEFORE the login. Any point after is Too Damn Late; the malware can already read your credentials.
-
-
Tuesday 7th August 2018 14:34 GMT Flocke Kroes
Another reason to disable javascript
I do not usually put much thought into javascript because I have kept it disabled since it was first dumped on the internet. Now that I know javascript can connect to arbitrary ports on localhost I spent a few seconds thinking of a way to abuse the capability. The glaringly obvious attack is to connect to the X server because there will be a valid authentication record in ~/.Xauthority.
[Frothing at the mouth snarling rant aimed at programmers who created this advertisers' wet dream without spending even a few seconds considering the collateral damage any time they add a "cool new feature".]
X protocol is a pain to implement. So awful that the server and client code is mechanically generated from the definition. A reasonably clever programmer could use the same technique to create a javascript X client for malware. Too late, already happened.
-
Tuesday 7th August 2018 15:09 GMT stephanh
Re: Another reason to disable javascript
Fortunately in-browser JavaScript does not allow arbitrary TCP connections. The "port scan" is done by making HTTP requests and timing how long it takes to error.
So this cannot be used to connect to an unsecured X server running locally, although it may be able to *detect* such a server.
(Note that the link was to a Node module, which *can* create arbitrary TCP connections.)
-
-
Tuesday 7th August 2018 14:38 GMT Anonymous Coward
Lloyds and recent JavaScript changes
Within the past two weeks, Lloyds has changed their site so that JavaScript seems now to be necessary in order to use their online banking. When it's allowed, it makes typing in the user ID / password very sluggish and unresponsive though (as in can type 7-8 characters before they appear). I don't know what's going on, but I don't like it.
Needless to say there's no chance of getting through to anyone technical to complain, or explain.
-
Tuesday 7th August 2018 14:51 GMT Flakk
Nice Idea, Wrong Target?
Considering that the majority of network infiltrations are initiated by compromised internal machines, wouldn't it make better sense for Halifax to direct their resources to scan their own systems? Of course, a skilled hacker could punch through the perimeter defenses, but isn't that the outlier risk?
If Halifax is putting so much effort into detecting lower risk external threats, can we then surmise that their internal and business-critical systems are all locked up tight with a superior set of mature controls?
From Captain Badmouth above:
Well I've just scanned their site on the sophos security header website, and they get a "C" grade, failing 4 out of 7 tests.
Oh...
-
Tuesday 7th August 2018 17:55 GMT Anonymous Coward
So put up a warning
WARNING: Connecting to this page will result in a network scan of your computer/phone, clicking Accept indicates consent to this.
Then set a cookie after you've consented, begin the scan, and do it silently on future visits thanks to that cookie (or every time if you have your browser set to not remember cookies).
-
-
Tuesday 7th August 2018 23:25 GMT Martin an gof
Re: Scanning for free?
Don't some AV websites charge you to get your PC scanned?
Follow the link to Shields Up!
M.
-
Wednesday 8th August 2018 07:57 GMT mwnci
It's a risk equation for the banks, and the legal defence against them doing this is a terribly dated piece of legislation...the 1990 Computer Misuse Act. Context is everything: the 1990 Computer Misuse Act is massively out of date and irrelevant...So, 28 years ago, let's just see what the cutting-edge computer systems of 1990 were.
March 1990 - Macintosh IIfx
June 1990 - Commodore releases the Amiga 3000,
Nov 1990 - 1st ever Microsoft Office release
The internet was Embryonic - with the Archie FTP search engine.
The WORLD WIDE WEB - Didn't appear until 1991!!!!
-
Wednesday 8th August 2018 18:20 GMT John Brown (no body)
"Context is everything the 1990 Computer Misuse Act - It's massively out of date and irrelevant."
There have been amendments since then, just as with most Acts of Parliament. It's quite rare for a law to be thrown out and replaced.
-
-
Wednesday 8th August 2018 16:52 GMT tallenglish
If It's JavaScript, Block It
Not sure of the point of this; miscreants will just block the javascript and fake any expected results - so malware will just be able to bypass it, as they usually act as man in the middle for HTTPS, especially if they are some bad Firefox/Chrome plugin as we have seen previously with the theme tools.
Hackers normally just go for a fake site to steal details anyway.
So I don't even see the point of Halifax bothering with it?
-
Thursday 9th August 2018 10:23 GMT Anonymous Coward
These aren't the droids you're looking for....
CMA isn't the only show in town, and tbh, the way the internet works, I doubt that you'd be able to prove criminal intent in the way that the ports are being scanned.
The bigger fish here is the GDPR and the use of javascript under the PECR regs. I've just checked the Halifax website and a cookie consent banner pops up on landing. PECR covers the use of cookies, beacons and javascript, so mandates consent requirements in the use of cookies etc ("placement and retrieval on a terminal device"). The only exception here is where placement is "necessary" and whether the use of javascript as part of port scanning on a landing page is "necessary". If you're only browsing, with no intention to log in and access services, this security feature is arguably unnecessary, and in that case consent is required.
The Halifax cookie banner doesn't list port scanning for vulnerabilities etc, so I think that this is an issue. And any data placed or collected is being processed, and processing is covered by the GDPR......fair and lawful? Transparent? I don't think so....