www.expresscomputeronline.com WEEKLY INSIGHT FOR TECHNOLOGY PROFESSIONALS
17 March 2008  
Vendor Accent

Risks posed by anonymous proxies

Shailendra Sahasrabudhe explains how anonymous proxies work and how they should be handled

An anonymizer, also known as an anonymous proxy, is a tool that attempts to make activity on the Internet untraceable. It accesses the Internet on a user’s behalf, protecting personal information by hiding the source computer’s identifying information.

Anonymous proxies are growing as a result of the ‘fighting Internet censorship’ movement and today have become one of the leading security threats to corporations, educational institutions and other organizations, as well as end-users worldwide.

2007 witnessed a drastic increase in the number of anonymous proxy services on offer. Anonymous proxies first appeared in 2002, with a few sites offering users anonymous access to Internet resources; today more than 90,000 registered Web sites and approximately 250,000 private, home-based Web sites offer anonymity services.

The main reason for this dramatic increase is the growing number of users who want such services. Many business-minded individuals have seized the opportunity to make money by charging users a monthly fee for anonymity services. Another reason for the increase relates to technology. The software running on proxy anonymizer sites has become open source, making Web-based proxies available to anyone who wants to set them up. This open-source approach gives even relatively non-technical users the ability to create anonymous proxies on the fly. These proxies are then placed on newly created or home-based Web sites, bypassing Internet filters.

How anonymous proxies work

Anonymous proxies are a popular and effective way for users to bypass Internet filters. Appearing as an unblocked Web page, a proxy anonymizer site allows a user to enter any URL into a form. When the form is submitted, the proxy server retrieves the Web page on the user’s behalf, even if that page is blocked by the organization’s Internet filter.

Access to open-source anonymous proxies is based on two main methods:

  • CGI-proxy. Through a CGI Script, users can retrieve any resource that is accessible from the server on which it runs. When an HTML resource is retrieved, it is modified so that all links in it refer back to the same proxy, including images and form submissions. Configurable options include text-only support, SSL support, selective cookie and script removal, simple ad filtering, access restriction by server, and custom encoding of target URLs and cookies.
  • PHP-proxy. A Web HTTP proxy programmed in PHP can easily be installed on any PHP-enabled Web server. It allows users to browse through the Web server itself as a proxy for bypassing firewalls and other content filter restrictions. PHP-proxy uses a Web interface that is very similar to the popular CGI-proxy.

Circumventor

A circumventor is a method of defeating blocking policies implemented using proxy servers. Ironically, most circumventors are also proxy servers, of varying degrees of sophistication, which effectively implement “bypass policies”.

A circumventor is a Web-based page that takes a blocked site and relays it through an unblocked Web site, allowing the user to view blocked pages. A famous example is ‘elgooG’, which allowed users in a country where Google had been blocked to keep using it. elgooG differs from most circumventors in that it circumvents only one block.

Students are able to access blocked sites (games, chatrooms, messenger, offensive material, Internet pornography, etc.) through a circumventor. As fast as the filtering software blocks circumventors, others spring up. It should be noted, however, that in some cases the filter may still intercept traffic to the circumventor, thus the person who manages the filter can still see the sites that are being visited.

Circumventors are also used by people who have been blocked from a Web site. Another use of a circumventor is to allow access to country-specific services, so that Internet users from other countries may also make use of them. An example is country-restricted reproduction of media and Webcasting.

Circumventor sites run by an untrusted third party may be operated with hidden intentions, such as collecting personal information. As a result, users are typically advised against sending personal data such as credit card numbers or passwords through a circumventor.

The malicious aspect

Analysis of publicly available anonymous proxies found that 5% of these servers contained malicious content. Server directories were found to contain infected files including trojans, script viruses and exploits, spyware and adware. Vulnerability analysis carried out by a leading company on 1,000 registered anonymous proxy Web sites showed that 70% of these sites were vulnerable to remote code execution and cross-site scripting attacks. Vulnerabilities found on anonymous proxy sites included:

  • Cross-site scripting (high severity)
  • PHP Zend_Hash_Del_Key_Or_Index (high severity)
  • PHP HTML entity encoder heap overflow (high severity)
  • CRLF injection/HTTP response splitting (high severity)
  • SQL injection (high severity)
  • PHP version older than 4.4.1 (high severity)
  • Apache chunked encoding exploit (high severity)
  • OpenSSL ASN.1 deallocation (high severity)
  • SSL PCT handshake overflow (high severity)
  • PHP version older than 4.3.8 (medium severity)
  • Apache 2.x version older than 2.0.55 (medium severity)
  • Apache error log escape sequence injection (medium severity)
  • Apache Mod_Rewrite Off-By-One buffer overflow (medium severity)
  • PHP unspecified remote arbitrary file upload (medium severity)
  • Remote directory traversal (medium severity)

These vulnerabilities can potentially be exploited for malicious purposes including: remote code execution, cross-site scripting, Denial of Service attacks, privilege escalation and poisoning of the Web cache.

The latest variants of the Storm worm launched a new kind of social-engineering attack, using spam to urge users to adopt the online anonymity system Tor for their communications. The message contained a link to download a malicious version of Tor.

Risks posed by anonymous proxies

Anonymous proxies pose a range of risks:

  • In schools they allow students to access sites prohibited by their school's Internet policy, which may be inappropriate and potentially harmful.
  • They expose organizations to drive-by spyware, viruses and trojans.
  • They expose users to identity theft, pharming and phishing attacks.
  • They expose organizations to information theft.
  • They provide anonymity for abusers of corporate resources (e.g. workers using company systems for illegal activities, posting inappropriate content etc.)
  • They prevent Web filters from monitoring users' online activities.

Where content-filtering fails

Most currently deployed and widely trusted defenses against the rise in Web-borne threats are reactive. The most common technology at the Web gateway, and the one most wrongly trusted, is URL filtering. However, URL filtering was designed to monitor employees’ Internet activity and enforce an acceptable usage policy in order to avoid litigation at the workplace. In short, it was a productivity tool rather than a security tool.

URL filtering has a fundamental flaw as a security filter: URL filters do not monitor threats in real time. They must make a point-in-time decision about the safety of a site. The Internet is a big universe, and it is impossible for URL filters to categorize all domains and pages on it, so significant amounts remain uncategorized. Security best practice would indicate that organizations should block all uncategorized sites, but this may temporarily block access to intranet and extranet sites and increase the administrative burden of managing an active whitelist.

Although most Internet-filtering solutions include an ‘anonymous proxy’ or ‘proxy avoidance’ category in their databases, they fail in practice to block access to Web-based proxies because of their list-based approach. List-based products cannot keep up with the increasing number of new proxy sites, and the fact that users can easily install anonymous proxies on their private computers makes this even harder. The most crucial element that makes anonymous proxies a leading security threat, and a problem for security products, is the SSL support offered by many of these servers. Over 30% of the Web sites that offer anonymous surfing allow SSL connections.

Handling anonymous proxies

There are several things that can be done to block access to anonymous proxies within organizations:

Analyzing form methods and meta tags will prevent access to an estimated 40% of these Web sites.

Pattern-based detection and HTTP header analysis will catch requests for anonymous proxies on the fly, providing organizations with protection against circumvention and anonymity techniques.
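An illustration of the two gateway-side checks just described (form and meta-tag analysis of the returned page, plus pattern matching on the request URL and Referer header), written as an added example rather than code from the article or from any vendor product. The script name nph-proxy.cgi is CGIProxy's default; the query-string pattern, field names and meta-generator hints are constructed heuristics, and the two sample pages are constructed too.

```python
import re
from html.parser import HTMLParser

# Illustrative patterns for request URLs and the Referer header.
# "nph-proxy.cgi" is CGIProxy's default script name; the query-string
# pattern (target URL passed as a parameter) is a constructed heuristic.
URL_PATTERNS = [re.compile(r"nph-proxy\.cgi", re.I),
                re.compile(r"[?&](?:url|q|u)=https?(?::|%3a)", re.I)]
# Input-field names commonly used for the target URL (constructed list).
URL_FIELD_NAMES = {"url", "u", "q", "target"}
GENERATOR_HINTS = ("cgiproxy", "phproxy")  # matched against <meta name=generator>

class ProxyPageScanner(HTMLParser):
    """Flags forms that submit a user-typed URL and tell-tale meta tags."""
    def __init__(self):
        super().__init__()
        self.form_action, self.in_form, self.reasons = "", False, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self.in_form, self.form_action = True, a.get("action", "")
        elif tag == "input" and self.in_form:
            if a.get("type", "text").lower() == "text" and a.get("name", "").lower() in URL_FIELD_NAMES:
                self.reasons.append(f"form {self.form_action!r} takes a URL in field {a['name']!r}")
        elif tag == "meta" and a.get("name", "").lower() == "generator":
            if any(h in a.get("content", "").lower() for h in GENERATOR_HINTS):
                self.reasons.append(f"meta generator {a['content']!r}")

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False

def classify(url, request_headers, body):
    """Return the reasons a gateway would treat this request as a Web-based proxy."""
    reasons = []
    for candidate in (url, request_headers.get("Referer", "")):
        reasons += [f"{candidate!r} matches {p.pattern!r}" for p in URL_PATTERNS if p.search(candidate)]
    scanner = ProxyPageScanner()
    scanner.feed(body)
    return reasons + scanner.reasons

# Constructed samples: a CGI-proxy style landing page and an ordinary search form.
PROXY_PAGE = ('<html><head><meta name="generator" content="CGIProxy 2.1"></head>'
              '<body><form action="nph-proxy.cgi" method="post">'
              'Enter URL: <input type="text" name="url"></form></body></html>')
SEARCH_PAGE = ('<html><body><form action="/search" method="get">'
               '<input type="text" name="query"></form></body></html>')

if __name__ == "__main__":
    print(classify("http://example.org/nph-proxy.cgi", {}, PROXY_PAGE))
    print(classify("http://example.org/", {}, SEARCH_PAGE))  # []
```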

Only 5% of the SSL-enabled anonymous proxies we analyzed provided a valid certificate. All others presented expired, self-signed, mismatched or otherwise doubtful credentials. Validating the SSL certificate and assuring a trusted certificate issuer will prevent access to 95% of these SSL-enabled Web sites.
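The certificate checks this paragraph relies on (expired, self-signed, name mismatch), as an added example that is not the article's or any vendor's code. It takes a certificate in the dictionary shape Python's ssl.SSLSocket.getpeercert() returns, so it runs offline on the constructed samples below; the self-signed test (subject equals issuer) is a shortcut for what a real gateway does by validating the chain against its trust store.

```python
import ssl
import time

def san_matches(hostname, names):
    """Match a hostname against DNS names, allowing one left-most wildcard label."""
    host = hostname.lower()
    for name in names:
        name = name.lower()
        if name.startswith("*."):
            if "." in host and host.split(".", 1)[1] == name[2:]:
                return True
        elif name == host:
            return True
    return False

def certificate_problems(cert, hostname, now=None):
    """Return the reasons a gateway should refuse this server certificate.

    `cert` uses the dict shape of ssl.SSLSocket.getpeercert(); no connection is made."""
    now = time.time() if now is None else now
    problems = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("expired")
    if ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("not yet valid")
    subject = dict(x for rdn in cert["subject"] for x in rdn)
    issuer = dict(x for rdn in cert["issuer"] for x in rdn)
    if subject == issuer:
        problems.append("self-signed")  # real check: chain does not reach a trusted issuer
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not san_matches(hostname, sans or [subject.get("commonName", "")]):
        problems.append("hostname mismatch")
    return problems

# Constructed samples: a self-signed, expired proxy certificate and a sound one.
DOUBTFUL = {"subject": ((("commonName", "proxy.example.net"),),),
            "issuer": ((("commonName", "proxy.example.net"),),),
            "notBefore": "Jan 10 00:00:00 2007 GMT", "notAfter": "Jan 10 00:00:00 2008 GMT",
            "subjectAltName": (("DNS", "proxy.example.net"),)}
VALID = {"subject": ((("commonName", "www.example.com"),),),
         "issuer": ((("commonName", "Example CA"),),),
         "notBefore": "Jan 10 00:00:00 2007 GMT", "notAfter": "Jan 10 00:00:00 2009 GMT",
         "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.example.com"))}
CHECK_TIME = ssl.cert_time_to_seconds("Mar 17 00:00:00 2008 GMT")  # the article's date

if __name__ == "__main__":
    print(certificate_problems(DOUBTFUL, "anon.example.org", CHECK_TIME))
    print(certificate_problems(VALID, "shop.example.com", CHECK_TIME))  # []
```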

Most customers have been paying heavily for renewals of URL filters. Use the URL filtering renewal budget instead to upgrade to a secure Web gateway product that can analyze SSL traffic and anonymous proxies.

In the future we may see a serious threat as a result of the continued growth of malicious anonymous proxies. The popularity of anonymous proxies is rising rapidly and the number of Web sites offering anonymous proxy services is increasing dramatically, bringing with it a growing concern in the form of high severity vulnerabilities on most of these sites. Phishing and social-engineering-based attacks aiming to lure users to use or install anonymous proxy services will increase exponentially.

The author is Country Manager - India, Aladdin Knowledge Systems shailendras@aladdin.com

© Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.