Thursday, October 28, 2010

When You Think You Surf Anonymously But You Don’t

From Roman Huessy at ...

Many companies, military- and governmental-networks have banned social networking sites like Facebook, Twitter, MySpace &Co from their networks. For instance in August 2009 the U.S. Marine corps just banned Social Networking Sites (SNS) from their classified network.

Roman continues,

Often there are (legal and comprehensible) reasons to ban SNS from coperate- an governmental networks. But the problem is that often the responsible persons and/or administrators who decided to ban SNS don’t know the consequences that such a ban can trigger. Let me ask you: Do you really think that users will accept a ban of their *most-favorite-websites*? Of course most of the user won’t, so they will start trying digging holes in your coperate firewall and webproxies/gateways. The point I would like to outline in this post are the consequences you will trigger when banning social networks as well as the risks/threats which result out of this.

As said before, most user won’t accept a ban of SNS (and please belive me: that’s fact ). The first thing they will do after your ban becomes active is googling about by-passing your security infrastructure. The first thing your users will come accross are PHP-based web proxy scripts. One of the most popular PHP-based proxy script is called Glype: It’s a tiny, powerful and fast web proxy which is based on PHP. You just have to download the ZIP file, upload the “upload” folder to a webspace and start using your brand new webproxy. But WOW – hey, you even don’t have to install your own web proxy, you just can use sites like proxy[dot]org and get a fresh list of 5’000+ working web proxies!

What sounds like honey being poured down their back to your users is purly pain for the administrators and security folks of companies and governmental organizations: Within a few minutes users will be able to bypass security gateways easily. But let’t talk about the security risks of such Anonymous web proxies.

*** The bad things you don’t know about such proxies ***
Unfortunately the other site of the coin looks much worse:

You don’t know who run these proxies
You don’t know if these proxies are secure and clean from any malware and drive-bys
You don’t know the intentions of the persons who runs these proxies (maybe they have mean ill?)

But you have must be aware of one fact: Those proxies aren’t anonymous! Web Proxy scripts like Glype&Co have a free configurable option wheter the administrator of the (glype-) proxy wants to log the requests which are passing his proxy or not. And you can be sure that the most Glype administrators will do.

Let’s take a deeper look at the origin IP addresses which are using such Glype proxies. A huge part of the Glype users are users from:

Educational networks like schools and univiersities (trying to break the blockade of Facebook&Co on Edu-Networks)
Home users from DSL- and dialup accounts (trying to bypass the internet censoreship of their ISPs/country)
Beside those (mostly) legitimate traffic (generaly I don’t support internet censorship in any country – so in my opinion this is some kind of legitimate traffic), there is a lot of noise coming from governmental and military networks around the world. I wont name any countries, but you can be sure that dozens of countries are affected. Some of the affected departments and ministries are listed below (I have translated the most of them from other languages, so don’t assume all of them belongs to the US – they don’t):

Ministry of Foreign Affairs
Ministry of Finance
Ministry of Economy
Ministry of Statistics
Ministry of Administration and Interior
Ministry of Industry
Ministry of Interior and Justice
Ministry of Labour and Social Policy
Ministry of Social Development
Department of Defense
Department of Atomic Energy
Department of Health
Department of Science and Technology
Department of Home Affairs
Department of Water Affairs and Forestry
Department of Environment and Conservation
National Labratory
National Police Service
Residence of the President
Atomic Energy Comission
Centre for Atomic Research
State police
National Telecommunications Commission
Supervision and Administration Commission
State-owned news agency
Various Military Test- and Command Centres around the globe
Various networks which are just named as “Government of xxxx”

And Roman hammers his point home,

As I already pointed out I don’t see a problem in users bypassing internet censorship per se. They just have to know that they don’t really surf anonymously when they use such script based proxies (like Glype) and that those logfiles are propably accessible by anyone from anywhere.

But such proxies are becoming a problem as soon as they are used by employees of governmental and military organistaions (like shown above): These proxies could be a great resource for terroristic organization and foreign intelligence services! Many of the governmental traces I’ve seen are on facebook – so I was able to catch the names of employees of various governmental and military organizations. To show you the threat of such ‘information’ I will make real example which I saw in those logfiles.

You might have noticed that I mentioned Ministry of Foreign Affairs before (of a country which I won’t name here). While checking the logs I just came across a user who surfed on Facebook. The Logfiles provides a link to a profile of a employee of the Ministry of Foreign Affairs. When I checked the profile, I just noticed that this user is obviously a employee of the Security Service at the Ministry of Foreign Affairs. In fact, this person is now a high value target for terroristic organization and foreign intelligence services who are now able to get personal information about this person easily. This allows them to apply pressure and blackmail the person in order to gain access to classified information and documents.

*** Conclusion ***
My research on these Glype proxies allow me to make the following conclusions:

  • Glype- (and other script based proxies) aren’t really anonymous
  • You don’t know who runs these proxies
  • Most users for those proxies just want to bypass internet censoreship of their country or schools/universities
  • But there are many users from governmental and military organizations using those proxies too
  • In those cases you may be able to hide your web traffic from your administrator but you will leave traces in other places which are probably a threat of your whole company!
  • Administrators and security folks have to know about these risks and have to adopt compensating measures and/or providing awareness to its users
  • If you run such a Glype proxy you have to know that you will propably be responsible for any illegal activites which are passing your proxy. Are you sure that your Glype proxy is not being abuse to access ilegal content like Childporn?


Christina O'Tousa said...

This article reminds me of when I was an intern at State Farm last summer. Because I was just doing a lot of files and faxing (etc.), there were many days when I sat there doing nothing and wanted to just log onto Facebook. The problem was that State Farm had banned Facebook probably because it was on the same computer as all the information that was kept for all of it's clients (and also to keep workers like me from slacking). Before, knowing nothing about the lack of privacy on the internet, I actually contemplated finding another way to access Facebook like people had done at my high school. THis would have required me to find a proxy and gain access to Facebook that way. I am very thankful I didn't do that now, because if used someone's proxy who had bad intentions, they could have accessed every file in my computer. The files in the computer had extremely personal and confidential information because they were necessary for their insurance policies. If I had somehow given access to the malicious author of the proxy I used to access Facebook, this could have been IMMENSELY damaging to the policy holder's lives. Also, even if the author of the proxy I used wasn't malicious, I could have clicked on malware while surfing Facebook, allowing the user to have complete access to all the contents of my computer. I agree with this article that there needs to be more awareness in companies and government agencies to teach their employees about the importance of banning networking sites from their classified networks. Companies need to accept the fact that it is human nature to stray at work, and cover the basis of how harmful it could be to give information to an outsider. Ignorant workers like me who work at places like insurance companies or credit cards companies are the reasons people privacy and identity's are at risk. This could be solved by simple education of new workers as to why going on social networking sites at work is dangerous.

OPIM Majors Group Board said...

Does the author imply that foreign governments and agencies are operating script-based proxies for their own use and to catch people who are bypassing content filters (i.e. are they setting a trap for the unwitting user)? While I don't want my actions being recorded by anyone, my concerns would be different depending on whom I think is monitoring me.

Also, why would the server admins keep their logfiles publicly available? Does the proxy program really make this the default option? Regardless, I can't understand the reasoning here.