
When You Think You Surf Anonymously But You Don’t

Many companies, military and governmental networks have banned social networking sites like Facebook, Twitter, MySpace & Co. For instance, in August 2009 the U.S. Marine Corps banned Social Networking Sites (SNS) from its unclassified network, the Marine Corps Enterprise Network (MCEN) NIPRNET:

IMMEDIATE BAN OF INTERNET SOCIAL NETWORKING SITES (SNS) ON MARINE CORPS ENTERPRISE NETWORK (MCEN)
[...]
REF A: ORDER TO ADDRESS RISK OF USING NIPRNET CONNECTIVITY TO ACCESS INTERNET SNS.
[...]
1. PURPOSE.
THIS MESSAGE ANNOUNCES AN IMMEDIATE BAN ON INTERNET SNS WITHIN THE MCEN UNCLASSIFIED NETWORK (NIPRNET).

2. BACKGROUND. INTERNET SNS ARE DEFINED AS WEB-BASED SERVICES THAT ALLOW COMMUNITIES OF PEOPLE TO SHARE COMMON INTERESTS AND/OR EXPERIENCES (EXISTING OUTSIDE OF DOD NETWORKS) OR FOR THOSE WHO WANT TO EXPLORE INTERESTS AND BACKGROUND DIFFERENT FROM THEIR OWN. THESE INTERNET SITES IN GENERAL ARE A PROVEN HAVEN FOR MALICIOUS ACTORS AND CONTENT AND ARE PARTICULARLY HIGH RISK DUE TO INFORMATION EXPOSURE, USER GENERATED CONTENT AND TARGETING BY ADVERSARIES. THE VERY NATURE OF SNS CREATES A LARGER ATTACK AND EXPLOITATION WINDOW, EXPOSES UNNECESSARY INFORMATION TO ADVERSARIES AND PROVIDES AN EASY CONDUIT FOR INFORMATION LEAKAGE THAT PUTS OPSEC, COMSEC, PERSONNEL AND THE MCEN AT AN ELEVATED RISK OF COMPROMISE. EXAMPLES OF INTERNET SNS SITES INCLUDE FACEBOOK, MYSPACE, AND TWITTER.

3. ACTIONS. TO MEET THE REQUIREMENTS OF REF A, ACCESS IS HEREBY PROHIBITED TO INTERNET SNS FROM THE MCEN NIPRNET, INCLUDING OVER VIRTUAL PRIVATE NETWORK (VPN) CONNECTIONS.
[...]

Reference: www.usmc.mil/news

Of course the USMC is not the only organisation that banned Social Networking Sites from its network; many other companies and governments followed the USMC and started banning Social Networking Sites as well. The two most often claimed reasons for such bans are:

  • Security issues when using Social Networking Sites (privacy, mal- and crimeware, targeted attacks, leakage of information from classified networks)
  • Performance problems/bottlenecks caused by Social Networking Sites (direct impact on business/enterprise operations)

I don’t want to argue about whether banning Social Networking Sites makes sense, but let me say a few words about it:

There are often legitimate and understandable reasons to ban SNS from corporate and governmental networks. The problem is that the people who decide on such a ban, and the administrators who implement it, often do not know the consequences it will trigger. Ask yourself: do you really think users will accept a ban of their favourite websites? Most of them won’t, so they will start digging holes in your corporate firewall and web proxies/gateways. What I want to outline in this post are the consequences of banning social networks and the risks and threats that result from them.

As said before, most users won’t accept a ban of SNS (and believe me, that’s a fact ;)). The first thing they will do once your ban is active is google for ways to bypass your security infrastructure, and the first thing they will find are PHP-based web proxy scripts. One of the most popular is Glype: a small, fast web proxy written in PHP. You download the ZIP file, upload the “upload” folder to some web space, and your brand new web proxy is ready. And you don’t even have to install your own: sites like proxy[dot]org serve a fresh list of 5’000+ working web proxies.

What sounds like a dream for your users is pure pain for the administrators and security folks of companies and governmental organisations: within a few minutes users will be able to bypass your security gateways. But let’s talk about the security risks of such “anonymous” web proxies.

*** The bad things you don’t know about such proxies ***
Unfortunately the other side of the coin looks much worse:

  • You don’t know who runs these proxies
  • You don’t know whether these proxies are secure and clean of any malware and drive-by downloads
  • You don’t know the intentions of the people who run these proxies (maybe they mean ill?)

But you must be aware of one fact: those proxies aren’t anonymous. Web proxy scripts like Glype & Co have a configurable option that lets the proxy’s administrator decide whether to log the requests passing through it, and you can be sure that most Glype administrators do.

*** The facts ***
The fact is that there are a lot of insecure servers out there running Glype: I was able to retrieve the logs of several Glype proxies, and the results are really interesting. Some statistical information first:

# of checked proxies: 20
# of logfiles retrieved: 1’700
# of hits: 64’063’377
# of unique IPs: 1.05 million
Total size of logfiles: ~10 GB

I took a few hours to analyse the logfiles. The result of my analysis did not surprise me much (top countries by unique IPs):

Most of the top countries are easily explained: China (for building a great firewall around its internet users), Turkey (for blocking popular websites like Facebook, MySpace, WordPress and Blogspot) and Germany (for the planned data retention law).

Let’s take a deeper look at the origin IP addresses using such Glype proxies. A huge part of the Glype users come from:

  • Educational networks like schools and universities (trying to break the blockade of Facebook & Co on edu networks)
  • Home users on DSL and dial-up accounts (trying to bypass the internet censorship of their ISP/country)

Besides that (mostly) legitimate traffic (generally I don’t support internet censorship in any country, so in my opinion this is a kind of legitimate traffic), there is a lot of noise coming from governmental and military networks around the world. I won’t name any countries, but you can be sure that dozens of countries are affected. Some of the affected departments and ministries are listed below (I have translated most of them from other languages, so don’t assume all of them belong to the US; they don’t):

  • Ministry of Foreign Affairs
  • Ministry of Finance
  • Ministry of Economy
  • Ministry of Statistics
  • Ministry of Administration and Interior
  • Ministry of Industry
  • Ministry of Interior and Justice
  • Ministry of Labour and Social Policy
  • Ministry of Social Development
  • Department of Defense
  • Department of Atomic Energy
  • Department of Health
  • Department of Science and Technology
  • Department of Home Affairs
  • Department of Water Affairs and Forestry
  • Department of Environment and Conservation
  • National Laboratory
  • National Police Service
  • Residence of the President
  • Atomic Energy Commission
  • Centre for Atomic Research
  • State police
  • National Telecommunications Commission
  • Supervision and Administration Commission
  • State-owned news agency
  • Various military test and command centres around the globe
  • Various networks which are just named “Government of xxxx”

Let’s have a look at the top websites accessed through those Glype proxies:

# of hits    Domain                        Description
6’799’818    www.aisex.com                 Chinese porn site
5’195’698    www.facebook.com              Facebook (incl. fbcn.net)
1’019’967    doubleclick.net               Advertising
  629’881    www.t66y.com                  Chinese porn site
  619’020    change.menelgame.pl           Online game
  582’162    whitepages.com.au             Australian address / telephone directory
  565’832    www.wretch.cc                 Chinese social network / news site
  489’843    www.manyway.net               Advertising
  477’499    www.youtube.com               YouTube
  473’341    www.google-analytics.com      Tracker / web statistics
  363’371    www.xvideos.com               Porn site
  348’057    notification.pennergame.de    Online game
  318’106    www.pidown.com                Free file hosting (misused for torrents)
  297’981    www.highba.com                Chinese porn site
  295’866    www.google.com                Google
  267’695    www.palacemoon.com            Chinese porn site
  266’117    i1.hk                         Unknown
  265’410    www.divshare.com              File sharing / Webdriver (supported by Amnesty International)
  259’349    www.mycould.com               Chinese forum
  255’328    www.jword.jp                  Unknown
  229’032    www.denic.de                  German domain registry (whois misuse)
  198’225    www.139flash.com              Online games

As we know, most users of these Glype proxies are located in China. But for those of you who thought the Chinese users are searching for “free speech” and “Tibet”, I have to disappoint you: Chinese users don’t seem to be any different from users in the West. So don’t be surprised that the top website is a Chinese porn site (you didn’t know? China also blocks access to various porn sites).

*** Glype proxies as security risk ***
As I already pointed out, I don’t see a problem in users bypassing internet censorship per se. They just have to know that they don’t really surf anonymously when they use such script-based proxies (like Glype), and that the logfiles are probably accessible to anyone, from anywhere.

But such proxies become a problem as soon as they are used by employees of governmental and military organisations (as shown above): these proxies could be a great resource for terrorist organisations and foreign intelligence services. Many of the governmental traces I’ve seen are on Facebook, so I was able to obtain the names of employees of various governmental and military organisations. To show you the threat posed by such “information”, I will give a real example from those logfiles.

You might have noticed that I mentioned a Ministry of Foreign Affairs before (of a country which I won’t name here). While checking the logs I came across a user from that network who was surfing on Facebook. The logfile contained a link to the Facebook profile of an employee of the Ministry of Foreign Affairs. When I checked the profile, I noticed that this user is obviously an employee of the Security Service at the Ministry. This person is now a high-value target for terrorist organisations and foreign intelligence services, who can now easily gather personal information about them. That allows them to apply pressure and blackmail the person in order to gain access to classified information and documents.
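The aggregation described above (hit counts, unique client IPs, the top-domain table) and the profile-link extraction for traffic from attributed networks, as an added example that is not the post’s own scripts. It assumes a log line of the form “timestamp client-ip requested-url”; real Glype logs differ, so adapt LINE_RE. The sample log, the RFC 5737 documentation addresses and the NETWORKS attribution table are constructed for the example and stand in for the whois/reverse-DNS lookups the post relied on.

```python
"""Offline analysis of proxy-script logs: hits, unique IPs, top domains and
Facebook profile links reachable from attributed (e.g. governmental) networks.

Added example, not the original post's tooling. Log format, addresses and
the attribution table are constructed assumptions."""
import ipaddress
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Assumed log line: "<date> <time> <client-ip> <requested-url>", one request per line.
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

# Constructed attribution table (RFC 5737 documentation prefixes).
NETWORKS = [
    (ipaddress.ip_network("192.0.2.0/24"), "Ministry of Foreign Affairs (constructed)"),
    (ipaddress.ip_network("198.51.100.0/25"), "University network (constructed)"),
]

# Constructed sample log; one deliberately malformed line to exercise parsing.
SAMPLE_LOG = """\
2009-10-12 14:03:11 192.0.2.17 http://www.facebook.com/profile.php?id=1234567890
2009-10-12 14:03:40 198.51.100.9 http://www.facebook.com/home.php
2009-10-12 14:04:02 198.51.100.9 http://www.youtube.com/watch?v=abc123
2009-10-12 14:05:15 203.0.113.77 http://www.xvideos.com/video1/
2009-10-12 14:05:16 203.0.113.77 http://www.xvideos.com/video2/
2009-10-12 14:06:30 192.0.2.17 http://www.facebook.com/some.username
this line is garbage and must be skipped
2009-10-12 14:07:00 203.0.113.78 http://www.google.com/search?q=proxy
"""


def parse_line(line):
    """Return (timestamp, client_ip, url), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def parse_log(text):
    """All well-formed records of a log, malformed lines dropped."""
    return [rec for rec in map(parse_line, text.splitlines()) if rec]


def attribute(ip):
    """Organisation name for a client IP from NETWORKS, or None if unattributed."""
    addr = ipaddress.ip_address(ip)
    for net, name in NETWORKS:
        if addr in net:
            return name
    return None


def summarise(records):
    """Hits, unique client IPs and per-domain hit counts, as in the post's tables."""
    domains = Counter(urlsplit(url).hostname for _, _, url in records)
    return {
        "hits": len(records),
        "unique_ips": len({ip for _, ip, _ in records}),
        "top_domains": domains.most_common(),
    }


def facebook_profile(url):
    """Profile identifier if the URL points at a Facebook profile, else None.

    Handles profile.php?id=<number> and vanity paths like /first.last;
    script pages such as home.php or login.php are not profiles."""
    parts = urlsplit(url)
    if parts.hostname != "www.facebook.com":
        return None
    path = parts.path.strip("/")
    if path == "profile.php":
        ids = parse_qs(parts.query).get("id")
        return f"id={ids[0]}" if ids else None
    if path and "/" not in path and not path.endswith(".php"):
        return path
    return None


def leaked_profiles(records):
    """Distinct (organisation, profile) pairs for profile visits from attributed networks."""
    found = []
    for _, ip, url in records:
        org, profile = attribute(ip), facebook_profile(url)
        if org and profile and (org, profile) not in found:
            found.append((org, profile))
    return found


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(summarise(recs))
    for org, profile in leaked_profiles(recs):
        print(f"{org}: facebook profile {profile}")
```

On the constructed sample the attributed ministry network yields two profile identifiers; on a real 10 GB log set the same loop is what turns “a hit from a government IP range” into a named person, which is exactly the exposure the post warns about.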

*** Conclusion ***
My research on these Glype proxies allows me to draw the following conclusions:

  • Glype (and other script-based proxies) aren’t really anonymous
  • You don’t know who runs these proxies
  • Most users of those proxies just want to bypass the internet censorship of their country or school/university
  • But there are many users from governmental and military organisations using those proxies too
  • In those cases you may be able to hide your web traffic from your administrator, but you will leave traces in other places, which are probably a threat to your whole organisation!
  • Administrators and security folks have to know about these risks and have to adopt compensating measures and/or provide awareness to their users
  • If you run such a Glype proxy you have to know that you will probably be held responsible for any illegal activities passing through your proxy. Are you sure your Glype proxy is not being abused to access illegal content like child pornography?
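One compensating measure for the administrators mentioned above is to look for proxy-script traffic in your own gateway logs, as an added example that is not the post’s code or any product’s detection rule. It assumes Squid’s native access.log format and the browse.php?u=<target>&b=<flags> URL shape that Glype proxies expose, with the target either URL-encoded or base64-encoded depending on the proxy’s settings (both assumptions; adjust SCRIPT_NAMES and the decoder for other scripts). The log lines, hosts and addresses are constructed.

```python
"""Flag requests that go through a Glype-style proxy script in a Squid log and
recover the real destination from the script's u= parameter.

Added example, not Glype's code or a vendor rule. Assumes Squid native log
format and the browse.php?u=...&b=... URL shape; sample data is constructed."""
import base64
import binascii
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Squid native format: time elapsed client code/status bytes method url ident peer type
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)"
)
# Script names to match on the URL path (assumed default for Glype; extend for others).
SCRIPT_NAMES = ("browse.php",)

# Constructed log: two proxied requests from 10.1.2.3 (one URL-encoded, one base64
# target), one ordinary request and one direct Facebook request the gateway denied.
SAMPLE_ACCESS_LOG = """\
1255356191.123    456 10.1.2.3 TCP_MISS/200 14200 GET http://free-proxy.example/browse.php?u=http%3A%2F%2Fwww.facebook.com%2Fhome.php&b=4 - DIRECT/203.0.113.5 text/html
1255356195.004     88 10.1.2.3 TCP_MISS/200 2300 GET http://free-proxy.example/browse.php?u=aHR0cDovL3d3dy50d2l0dGVyLmNvbS8=&b=20 - DIRECT/203.0.113.5 text/html
1255356201.555     12 10.1.2.9 TCP_HIT/200 9000 GET http://www.example.com/index.html - NONE/- text/html
1255356210.777    301 10.1.2.9 TCP_DENIED/403 0 GET http://www.facebook.com/ - NONE/- text/html
"""


def query_param(url, name):
    """Raw (not unquoted) value of a query parameter, so '+' in base64 survives."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return value
    return None


def decode_target(value):
    """Recover the proxied URL from the u= parameter.

    A URL-encoded target yields a scheme after unquoting; otherwise the value
    is tried as base64 (an encoding option Glype offers). None if neither works."""
    plain = unquote(value)
    if re.match(r"^https?://", plain):
        return plain
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return decoded if re.match(r"^https?://", decoded) else None


def detect_proxy_script(line):
    """(client, proxy_host, target) if the request goes through a proxy script, else None.

    target is None when the u= value could not be decoded; the hit is still reported."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    if not parts.path.endswith(SCRIPT_NAMES):
        return None
    raw = query_param(url, "u")
    if raw is None:
        return None
    return m.group("client"), parts.hostname, decode_target(raw)


def report(log_text):
    """client -> list of (proxy_host, target) for every proxied request in the log."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        found = detect_proxy_script(line)
        if found:
            client, proxy_host, target = found
            hits[client].append((proxy_host, target))
    return dict(hits)


if __name__ == "__main__":
    for client, visits in report(SAMPLE_ACCESS_LOG).items():
        for proxy_host, target in visits:
            print(f"{client} via {proxy_host} -> {target}")
```

The constructed log shows the pattern an administrator will actually see: the direct request to facebook.com is denied, while the same site is reached a few seconds later through the proxy script. Path matching on browse.php is deliberately cheap and easy to evade (a renamed script, or a proxy served over HTTPS that the gateway cannot inspect), so treat this as a starting signal, and combine it with a blocklist of known proxy hosts such as the lists the post mentions on proxy[dot]org.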


