Question Forum to ask about port monitoring

fastline

Feb 7, 2017
We have run into possible security concerns regarding some software. The OEM has apparently lied, indicating they do not use a "call home" feature. However, we have learned that is NOT the case and we have so far verified they are indeed doing just that, and now I want to know what is being sent/received. I see this as a large invasion of privacy and a serious security concern.

Is there a forum where very skilled PC guys hang out where we can figure out how to monitor traffic and determine what is being communicated?
 
Folks here might be able to assist. How did you determine "we have learned that is NOT the case and we have so far verified they are indeed doing just that"?

Did you use a network analyzer or "sniffer" to identify the suspicious activity?
 
Yes, this is just on a simple home network and router/modem. Activity was verified with a TCP monitor but I have not taken action. My concern is they are doing much more than just "checking in". There is indication these softwares are recording activity, MAC addresses, you name it. I am not OK with software sending stuff behind my back.

It appears via the TCP monitor that if the software is open AND there is a browser open, the floodgates open. However, I now highly suspect they are trying to "piggy back" onto other things and I can only guess that they try to mimic a Windows operation or something.

I suspect the actual port activity that I noticed as going right to the software folders in the C drive is probably just "low hanging fruit", but there is more happening than most would realize. I have heard all sorts of software are doing this now. There was at least some indication from an IT guy who was dealing with this that an actual email address was obtained and used by the software, and the only identifiable email on that system was in Mozilla Thunderbird. That is VERY concerning if a software is accessing email data and sending it back home!

I guess I just want to get to the bottom of it and find out what else I don't know.
 
As far as the software, I would rather not say just due to being on the net. I used TCP logview so far. I run Avast for security but it has not detected anything, though there is lots of activity from Avast showing in TCP.
 
Yes, this is just on a simple home network and router/modem.

I guess I just want to get to the bottom of it and find out what else I don't know.

If this is software installed on a PC then you can run wireshark on that computer. That will allow you to capture network traffic.
If this is an appliance like a media player or game console or webcam, then you would have to purchase a managed switch which can do port mirroring. That would allow you to use wireshark on that mirrored port to capture all the data.
 
Yes, this is on a PC. Would wireshark be able to examine EXACTLY what was sent or received? Not just IPs? The issue I have is there is a list of IPs under many different ports that have no host name or source path, so it is unclear what they are even doing.

Also, because this activity seems to only happen when a browser is open, is there another way to invoke an open browser without using google or something? When even one window of chrome is open, there is a LONG list of activity going to the google chrome.exe. I am not entirely sure if something can be slipped in there or not?
 
Wireshark can capture a LOT. Sometimes too much.
But also, if this is https between the device and home base, that is encrypted. You may capture where it goes, but not necessarily what it is.

If you're going to run Wireshark, do it for only a few seconds while the device connects and does whatever it does.
Save that capture log, and analyze in the WS interface.
 
I loaded it and realized just that! I was immediately looking for tools to isolate the activity. I soon realized it captures EVERYTHING so I need smart ways to filter, which it does not seem like they do a good job with. They run at "sleep with a server" levels, but I need to trim that stuff down to focus on activity that is relevant.

I have asked on their forum for ways to possibly look at only my own MAC being shipped out. That is probably something I can take to the bank as a concern. Other concerns I probably need to learn about. If encrypted, it probably needs to be blocked. I learned from a smarter guy that it is sometimes easier to close all ports and "allow" as needed, but I still want to honestly know what this software does and what it retrieves! It is insane for me to realize how much information is stolen!

Would it be (opinion only) reasonable to assume the software could only send/receive if it is running? What is very odd to me is some similar concerns online regarding Thunderbird email, and we just started using it!!! I 100% verified before that port activity was obvious as soon as the software was open and a browser was open. I personally thought it was too damn easy to block everything, and realizing this is a multi-billion dollar company, they would find a smarter way in! I still think there is a secret server with unnamed IPs trickling info.
 
I have already run them down with TCP logview and blocked that. However, I still think there is more to it. It can't be that easy?? With all the talk of malware and such, which is so hard to find and detect, I think this was too easy. Literally, the calls in question just go right to and from their folders? How do they obtain computer information like the MAC?
 
Shutting the traffic OFF may not be the best idea, until you can determine exactly what it is.

It may be as simple as "Hey, I'm still here in the same system."
Not being able to talk to home base may shut it down.

As we don't know what this device is, we can't really tell.
 
I have had one tower running offline for more than a year. I think it is best to block the activity entirely.

Actually, the long-term solution is finding a way to either run two towers entirely, or integrate a hard partition so all the softwares run on a system that does not have network access. As we talked about this in-house, this seems a solid solution anyway to totally avoid concerns with malware, viruses, etc. The other side of the system that has network access will be limited in what is on it, making a reload of that system a much easier situation.
 
My thoughts:

Name the software.

Although you do not want to name the software "due to being on the net" there is no reason to hold that view.

Overall you are entirely within your rights to question what is going on especially if bad, malicious, privacy violations, spying, etc. things are suspected.

May not even be the OEM - could be some 3rd party involvement taking advantage of some vulnerability.

Could be innocent overall, misbehaving code - who knows?

Naming (or not naming) the software is not going to make your network more or less secure per se.

However, knowing what software you are using may garner more attention and someone else may be able to provide additional input with regards to experiences and solutions.