EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 30 minutes ago, adrynalyne said: Ok then. Let's see a screenshot of it sending your private information to that IP. Full headers and data. You can use fake details and reproduce I am sure. I removed it from all my PCs'. If you want to see evidence by yourself then you are more than welcome to install Kaspersky trial on your own PC :). I have provided links and external sources. It does not invalidate fact that, browser tries to send sensitive data to Kaspersky's servers, even if Kaspersky blocks traffic to its own domains later. It is still a big security hole. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) 5 minutes ago, EJocys said: I removed it from all my PCs'. If you want to see evidence by yourself then you are more than welcome to install Kaspersky trial on your own PC :). I have provided links and external sources. It does not invalidate fact that, browser tries to send sensitive data to Kaspersky's servers, even if Kaspersky blocks traffic to its own domains later. It is still a big security hole. That isn't how this works. You made the claim. Burden of proof is on you friend. From everything you you have posted so far, I think you just misunderstood what you saw. Feel free to prove otherwise though. xendrome and +Gary7 2 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 9 minutes ago, adrynalyne said: That isn't how this works. You made the claim. Burden of proof is on you friend. From everything you you have posted so far, I think you just misunderstood what you saw. Feel free to prove otherwise though. Facts and evidence are very obvious: a) Kaspersky is using ie.kis.scr.kaspersky-labs.com domain for injection URLs on Internet Explorer b) ie.kis.scr.kaspersky-labs.com points to external server (185.85.13.154) on the Internet. Proof: https://who.is/dns/ie.kis.scr.kaspersky-labs.com P.S.: How long do you think it takes for Kaspersky devs to update DNS records to 127.*.** and claim honest mistake? Edited August 21, 2016 by EJocys Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) 8 minutes ago, EJocys said: Facts and evidence are very obvious: a) Kaspersky is using ie.kis.scr.kaspersky-labs.com domain for injection URLs on Internet Explorer b) ie.kis.scr.kaspersky-labs.com points to external server (185.85.13.154) on the Internet. Proof: https://who.is/dns/ie.kis.scr.kaspersky-labs.com P.S.: How long do you think it takes for Kaspersky devs to update DNS records to 127.*.** and claim honest mistake? Not proof nor evidence of sending sensitive data home, and to the Kremlin at that. It's far more likely that IE doesn't have the plugin needed to use internal routing like ff. Is it a good practice how they have it set up? Nope. Is it indicative of phoning home with your bank details to Russia? Nope. xendrome and alex_d2w 2 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 12 minutes ago, adrynalyne said: Not proof nor evidence of sending sensitive data home, and to the Kremlin at that. If you cannot understand evidence, which I have supplied in my previous posts and security implications of Kaspersky's solution, then no evidence will convince you. It is not only about sending data, it is about huge security hole in implementation, which looks like definition of the back door. I have screenshot (taken before I got rid of Kaspersky) which relates to injection on IE. You can see script loading from ie.kis.scr.kaspersky-labs.com domain. I do not expect people to believe it and this is the reason, why I provided instructions on my first post on how to replicate it. Edited August 21, 2016 by EJocys Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) 2 minutes ago, EJocys said: If you cannot understand evidence which I've supplied in my previous posts and security implications of Kaspersky's solution, then no evidence will convince you. It is not only about sending data it is about huge security hole in implementation which looks like definition of the back door. I think everyone reading this thread can agree: you have provided no such evidence and instead only what you think is evidence. Again, nobody denies the script injection and I'm sure most of us agree that it's not a good way to handle it. That's not what you are on the line for though. You made a claim that it is sending home your sensitive data and have yet to provide any evidence. xendrome and alex_d2w 2 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 17 minutes ago, adrynalyne said: Again, nobody denies the script injection and I'm sure most of us agree that it's not a good way to handle it. That's not what you are on the line for though. You made a claim that it is sending home your sensitive data and have yet to provide any evidence. So, according to you, web browser trying to open https://ie.kis.scr.kaspersky-labs.com/1B74BD89-2A22-4B93-B451-1C9E1052A0EC/init?url=https%3A%2F%2Ffc1.retail.santander.co.uk%2Fquery%2F1%2FfwyK.html%3Feu%3Dhttps%3A%2F%2Fretail.santander.co.uk%2FLOGSUK_NS_ENS%2FChannelDriver.ssobto%3Fdse_operationName%3DLOGON&nocache=1fdc6, when ie.kis.scr.kaspersky-labs.com points to external Internet server (185.85.13.154) do not qualify as evidence of browser trying to sending sensitive data to external server? Please note that, I am not trying to prove that destination server gets the data. What is obvious that web broser is trying to delive it to server with remote address. I've provided you with the screenshot from IE debugger and proof that domain point to external source is also there: https://who.is/dns/ie.kis.scr.kaspersky-labs.com Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 1 minute ago, EJocys said: So, according to you, web browser trying to open https://ie.kis.scr.kaspersky-labs.com/1B74BD89-2A22-4B93-B451-1C9E1052A0EC/init?url=https%3A%2F%2Ffc1.retail.santander.co.uk%2Fquery%2F1%2FfwyK.html%3Feu%3Dhttps%3A%2F%2Fretail.santander.co.uk%2FLOGSUK_NS_ENS%2FChannelDriver.ssobto%3Fdse_operationName%3DLOGON&nocache=1fdc6, when ie.kis.scr.kaspersky-labs.com points to external Internet server (185.85.13.154) do not qualify as evidence of browser trying to sending sensitive data to external server? Please note that, I am not trying to prove that destination server gets the data. What is obvious that web broser is trying to delive it to server with remote address. Ok? Where in that url is sensitive data??? Alejandro779 1 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 11 minutes ago, adrynalyne said: Ok? Where in that url is sensitive data??? That link contains URL and GET data used by my bank. GET requests frequently contain usernames; secret and password reset keys and sometimes passwords (depending on implementation). Kaspersky does it with every single page and browser tries to submit every single request to Kaspersky server. Another problem that browser tries to load external script (main.js) into encrypted secure connection which poses security issues on its own. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) 7 minutes ago, EJocys said: That link contains URL and GET data used by my bank. GET requests frequently contain usernames; secret and password reset keys and sometimes passwords (depending on implementation). Kaspersky does it with every single page and browser tries to submit every single request to Kaspersky server. Another problem that browser tries to load external script (main.js) into encrypted secure connection which poses security issues on its own. Please point out the portions that contain your sensitive data. Link to comment Share on other sites More sharing options...
Alejandro779 Posted August 21, 2016 Share Posted August 21, 2016 (edited) Enable any sniffer and check if any sensitive data was delivered to Kaspersky servers. Stop your paranoia, Kaspersky KIS just comparing your JS and dangerous file with his catalog of dangerous files. Kasperky Application Advisor at http://whitelisting.kaspersky.com/advisor?lang=es-MX#search/c9b3b344c26c697eca4939d54f9036df adrynalyne, goretsky and alex_d2w 3 Share Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 2 minutes ago, adrynalyne said: Please point out the portions that contain your sensitive data. So the, fact that that browser tried to inform Kaspersky's server which bank I am using and passed data used in GET method is not sensitive enough :). Are you trying to prove that Kaspersky knows which GET data is sensitive and eliminates it before browser tries to post it to remote server? I have no intention to post more data which is even more sensitive on public forums. I've posted just enough to make my point. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 (edited) 2 minutes ago, EJocys said: So the, fact that that browser tried to inform Kaspersky's server which bank I am using and passed data used in GET method is not sensitive enough :). Are you trying to prove that Kaspersky knows which GET data is sensitive and eliminates it before browser tries to post it to remote server? I have no intention to post more data which is even more sensitive on public forums. I've posted just enough to make my point. The only point you have made is that you don't understand what you are reading. You have already been shown to be wrong about t going to the Kremlin. Further you have not shown any evidence of data sent past a query string that contains no sensitive information. Stop wasting our time. Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 10 minutes ago, Alejandro779 said: Enable any sniffer and check if any sensitive data was delivered to Kaspersky servers. Stop your paranoia, Kaspersky KIS just comparing your JS and dangerous file with his catalog of dangerous files. Kasperky Application Advisor at http://whitelisting.kaspersky.com/advisor?lang=es-MX#search/c9b3b344c26c697eca4939d54f9036df You don't understand the problem. Problem is that Kesperky injects scripts into encrypted content and browser tries to post data to external servers on the internet. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 3 minutes ago, EJocys said: You don't understand the problem. Problem is that Kesperky injects scripts into encrypted content and browser tries to post data to external servers on the internet. Omg! What data is being posted? You are making claims and delivering proof on none of them! Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 12 minutes ago, adrynalyne said: The only point you have made is that you don't understand what you are reading. You have already been shown to be wrong about t going to the Kremlin. Further you have not shown any evidence of data sent past a query string that contains no sensitive information. Stop wasting our time. I have same opinion about you :). I provided links and screenshots which clearly shows browser requests and replies. I've provided IP addresses by using independent DNS services. You managed to ignore it and even misunderstand my "Kremlin" references, despite providing you with clear proof that IP geographical location is pointing to Kremlin and noting that it is a technical record and in reality location can be different (which probably is). At this point you are trying hard to misrepresent my points and missed security flaw consequences in Kasperskys "injection" implementation. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 Just now, EJocys said: I am have same opinion about you :). I provided links and screenshots which clearly shows browser requests and replies. I've provided IP addresses by using independent DNS services. You managed to ignore it and even misunderstand my "Kremlin" references, despite providing you with clear proof that IP geographical location is pointing to Kremlin and noting that it is a technical record and in reality location can be different (which probably is). At this point you are trying hard to misrepresent my points and missed security flaw consequences in Kasperskys "injection" implementation. This whole thread reeks of ignorance. Have fun misunderstanding what you are seeing and making claims you either can't or don't know how to backup. I'm tired of wasting my time. Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 3 minutes ago, adrynalyne said: This whole thread reeks of ignorance. Yes, because you are posting on it :). Why don't you install Kaspersky Trial. Login to your bank, reset your password, look at account details and post all browser request/reply details involving Kaspersky's URL here. Link to comment Share on other sites More sharing options...
HawkMan Posted August 21, 2016 Share Posted August 21, 2016 3 hours ago, EJocys said: There is no need to use Fidler because integrated debug tools of the browser reported all links and traffic just fine. Extension was using real domain registered in Russia (ie.kis.scr.kaspersky-labs.com). If there were, no need to go outside then https://localhost:port would be enough. It probably would be fine if "ie.kis.scr.kaspersky-labs.com" had 127.0.0.0 assigned internally, but that was not the case. Supplying data with GET requests also is interesting, because I used same method as a workaround to bypass web Brower’s cross-domain security in some of my applications. What I was seeing was browser extension with intentional back door used by antivirus. Do you think it was a mistake, for company, specializing in security and linked to Russian KGB and FSB to inject secure web content with externaly pointing URL? I don't think so. URL for Firefox users (ff.kis.scr.kaspersky-labs.com) resolves to 127.245.107.154 which is internal, but URL for Internet Explorer (ie.kis.scr.kaspersky-labs.com) resolves directly to Kremlin: 185.85.13.154. If you don't know what you're doing and what you're analyzing or what the reports from the "tools" you are using says. Then you shouldn't write an post about how you found someone spying on you. it'll just lead you you being on youtube, telling people how to hack with tracert... Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 9 minutes ago, HawkMan said: If you don't know what you're doing and what you're analyzing or what the reports from the "tools" you are using says. Then you shouldn't write an post about how you found someone spying on you. it'll just lead you you being on youtube, telling people how to hack with tracert... I've used debugging tools of "Internet Explorer" and "Firefox" to analyse requests made by web browser which is exactly the right tool I need to see all requests made to hosts. My point was to prove that Kaspersky is forcing web browser to send data to external addresses on the Internet. Point was to prove that Kaspersky opens "back door" unnecessary. I don't care if it closes/blocks later. Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 8 minutes ago, HawkMan said: If you don't know what you're doing and what you're analyzing or what the reports from the "tools" you are using says. Then you shouldn't write an post about how you found someone spying on you. it'll just lead you you being on youtube, telling people how to hack with tracert... He totally knows what he is doing... After all: I am writing comercial software (including network capturing and encryption), websites and network mobile apps and debug them by using network tools for 21 years now. I know that I am reading. Link to comment Share on other sites More sharing options...
EJocys Posted August 21, 2016 Author Share Posted August 21, 2016 (edited) 19 minutes ago, adrynalyne said: He totally knows what he is doing... After all: Sure I do, for example: ported System.Security.Cryptography classes (RSA, AES-256) for JavaScript: http://www.codeproject.com/Articles/22073/Object-Oriented-JavaScript-Class-Library-in-C-NET. I don't know everything. But I think, that your assumption, that I don't know, how to use network sniffing tools, is based on your misunderstanding. I am not a native English speaker, maybe it contributes to that. Please note that I asked for people to check this issue (gather evidence) by themselves. Edited August 21, 2016 by EJocys Link to comment Share on other sites More sharing options...
adrynalyne Posted August 21, 2016 Share Posted August 21, 2016 2 minutes ago, EJocys said: Sure I do, for example: ported System.Security.Cryptography classes (RSA, AES-256) for JavaScript: http://www.codeproject.com/Articles/22073/Object-Oriented-JavaScript-Class-Library-in-C-NET. I think, your assumption, that I don't know, how to use network sniffing tools, is based on your misunderstanding. I am not a native English speaker, maybe it contributes to that. Your lack of ability to provide evidence is what contributes to it. Your lack of knowledge of ip geolocation and how inaccurate it can be contributes to it. i think it is true in any language--if you make a bold claim, back it up. You are not doing that here. Link to comment Share on other sites More sharing options...
+Mirumir Subscriber¹ Posted August 21, 2016 Subscriber¹ Share Posted August 21, 2016 2 hours ago, EJocys said: I am not planing to install KAV anymore. I am writing comercial software (including network capturing and encryption), websites and network mobile apps and debug them by using network tools for 21 years now. I know that I am reading. It is hard to mis-unbderstand or misread web brower debug tools. It is not the rocket science. It looks like, it is not the first time Kaspersky is injecting scripts. While I understand the purpose of it (antivirus must have access to plain content in order to analyse it), I don't agree with "back door" implementation method of it i.e. Using live domains and live IPs. You could try getting Xkeyscore to see what's really going on on your system and with your traffic Link to comment Share on other sites More sharing options...
AndyMutz Posted August 21, 2016 Share Posted August 21, 2016 6 hours ago, EJocys said: So, if you have Kaspersky on your computer, then please open secure site like https://www.google.com, press F12 for debug mode, go into “Network” tab, refresh page, see for yourself and report your opinion. i just tried this and i have no traces of any kaspersky entries in that log. i have been using kaspersky for years, but i am not using every protection it offers, e.g. i always disable the browser addon and i also deactivate the URL and HTTPS scan options. -andy- +Mirumir and alex_d2w 2 Share Link to comment Share on other sites More sharing options...
Recommended Posts