Who’s Flying Under Your Radar?
Anonymizing technologies pose increasing threat to enterprise security
By Shimon Gruper, CISSP
Quick Quotes Box:
• Anonymizer technologies cost organizations millions of dollars each year
• 2,000% increase in anonymizers since 2002
• 70% of anonymizers are vulnerable to remote code execution and cross-site scripting attacks
• 5% of anonymizers contain malicious content
• 90% of pornographic Web sites contain malicious content
• 12% of U.S. employees in companies with 100,000+ employees use anonymizers to bypass corporate Internet policy
• 15% of U.S. employees know someone who uses anonymizers
• 8.23% of personal Web surfing poses the risk of legal liability to organizations
• 19.42% of personal Web surfing poses a security threat to networks
[1] Aladdin Annual Content Security Research Survey (2007)
[2] Aladdin Anonymous Proxies Survey
[3] Business & Legal Report
One of every 10 American employees in large enterprises admits to using anonymizers to bypass corporate Internet policy. One of every six knows a coworker who routinely visits blocked Web sites at the office using anonymizers [1]. Ignoring costs associated with productivity loss, the influx of malware to networks due to anonymizers costs organizations millions, if not billions, of dollars every year. With numbers like these, CIOs and CSOs are quickly realizing that anonymizers pose a serious threat to enterprises, schools and other organizations.
“Anonymizer” refers to various tools and online services that commonly integrate proxy technologies to conceal a user’s Web activities, enabling employees and students to circumvent existing Web filtering solutions and bypass Internet safety policies to surf the Web anonymously from within an organization. Initially, anonymizers emerged as “anonymous proxy servers” designed to keep user activity on the Web private and to avoid various Internet censorship initiatives. Now, anonymizers are used primarily to browse illicit and unauthorized Web content without being detected or blocked by an organization’s Web filter or firewall. While many users simply want to access their MySpace page or play online games, they are unaware of the dangers their actions pose to the entire network.
In the past few years, anonymizing technologies have grown to become a frequent and serious risk factor for both corporations and educational organizations. Since 2002, the number of registered anonymizer sites has grown more than 2,000 percent, with an additional estimated 300,000 home-based Web sites offering anonymity services. There are two main reasons for the drastic increase. First, as organizations created more stringent Internet usage policies, user demand for anonymous surfing capabilities opened new opportunities for Internet entrepreneurs to sell anonymizing services – usually for a small monthly fee.
With 98 percent of U.S. schools blocking or limiting Web sites according to the CDW-G School Safety Index, more students are using anonymizers to work around the network gateway. The second reason for the increase is directly related to the growing availability of anonymizers in the open-source community. These Web-based proxies are available at no cost and allow almost anyone with basic technical skills to create their own anonymous proxy in a few hours or less. Anyone can then place their anonymizer on a hosting site or even on their home PC. This allows employees and students to access the anonymous proxy from anywhere on the Internet, including from within businesses and organizations equipped with firewalls and other Web security, enabling users to completely bypass existing Internet filters.
How Anonymizers Work
Anonymizers open a tunnel around network security so that the user is able to access blocked sites without inhibitors. Appearing as an unblocked Web page, an anonymizer site allows users to enter a URL address using a form that, when submitted, causes the proxy server to retrieve the Web page even though it is blocked by the organization’s Internet filter. A CGI-Proxy uses a CGI script to retrieve Web material and then modifies it so that all links, including images and form submissions, refer back to the same proxy. Configurable options include text-only support, SSL support, selective cookie and script removal, simple ad filtering, access restriction by server, and custom encoding of target URLs and cookies. A PHP-Proxy is easily installed on any PHP-enabled Web server, allowing users to browse through that Web server as a proxy, bypassing firewalls and other content filtering restrictions.
Both types of anonymizers effectively create a hole in the network’s security, leaving the door wide open for viruses, malware, spyware, Trojans and other Web-based attacks to enter an organization’s network. With 27 percent of personal Web surfing posing a legal or security threat to corporate networks, as reported in Business & Legal Reports, allowing employees to browse these sites unfiltered creates a serious risk to an organization. In addition, the sites accessed through an anonymizer are inherently more prone to malicious content, since they are blocked by the enterprise or school in the first place.
The Aladdin Content Security Research Team (CSRT) found that 90 percent of pornographic sites carry malicious content, and 70 percent of anonymizer sites are vulnerable to remote code execution or cross-site scripting attacks, drastically increasing the chance that employees or students using an anonymous proxy will allow malicious Web threats to enter the network. In a study conducted by Business & Legal Reports, the industry with the lowest incidence rate, health care, still experienced 18 percent of its overall malware incidents from employee Web use.
In addition to violating organizational Internet policy, the use of anonymizers in the corporate or school environment poses an even greater violation of government regulations put in place to bring businesses up to date with the latest threats from inside the organization. Almost all regulations surrounding information security address the issue of Internet safety policies. Most notable is CIPA (Children’s Internet Protection Act), passed by the U.S. Congress in December 2000. CIPA requires both schools and public libraries to create and enforce Internet safety policies that address:
• Access by minors to inappropriate content on the Internet
• Safety and security of minors when using electronic communication
As part of CIPA enforcement, there have been several instances in which teachers were held personally and legally liable for allowing children to view unsuitable content on school computers. Section 404 of the Public Company Accounting Reform and Investor Protection Act of 2002, commonly called Sarbanes-Oxley or SOX, addresses internal controls. Section 404 places personal responsibility on corporate management to establish and maintain an adequate internal control structure and procedures for financial reporting. Among other things, these controls include security measures that must ensure employee Internet access is compliant with the company’s established policy, without any ability to bypass it. Company executives are held personally and legally liable for failing to comply with SOX regulations, which makes the deliberate circumvention of corporate Internet use policy a critical concern for organizations.
Protecting Your Network
The simple solution to protecting a network is to use the existing URL filter to block all known anonymous proxy sites. However, anonymizers are anything but simple. With anonymizer use increasing exponentially and more than two-thirds of anonymizers residing on home computers or unknown servers, developing and maintaining a comprehensive list of anonymous proxy sites in order to block them is nearly impossible. Even the small delay for the filter to find and catalogue a new anonymizer is enough time to infect several thousand organizations. In addition, most anonymous proxies frequently change URLs, so the proxy blocked yesterday is accessible to your employees or students again today.
One of the most problematic elements of anonymizers for security products is the HTTPS/SSL support offered by many anonymizer technologies. In tests, the Aladdin CSRT found that 30 percent of anonymizers offering anonymous surfing allow HTTPS/SSL connections, making them virtually impossible to detect and block using existing tools. Not only do these sites encrypt the Web content, but the URL itself is encrypted, leaving the filter nothing to block but the IP address, an ineffective technique given the ease of falsifying or changing the IP address. New trends use social engineering techniques to bypass URLs completely by enticing users to download malicious content through application add-ons, making them impossible to block using a list-based filter.
In order to prevent network exposure through anonymizer use, it is important to employ a Web gateway capable of filtering network traffic on several different levels. This includes URL filtering for known anonymous proxy sites and other malicious or unproductive content. A good Web gateway goes beyond strict list-based filtering and steps into the gray areas of the Web to provide proactive, real-time security based on site code and behavior, even when the anonymizer is encrypted with SSL protocols. By combining a protocol filter with HTTPS/SSL inspection, a secure Web gateway solution is able to identify anonymizers even if they are not registered on any list. Protocol filtering uses specific algorithms for specific characteristics, including signatures, tunneling applications and certificates, to determine whether the requested program has characteristics similar to known anonymizer behavior, even if that particular anonymizer has never been seen before. This is extremely efficient in blocking anonymizing applications hosted on home computers, as well as the exponentially increasing number of new anonymizers available every day.
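The two detection layers described above, a blocklist of known proxy sites plus a behavioral check for the form-submitted target URL that CGI- and PHP-proxies carry (plainly or custom-encoded) in their query string, as an added illustration that is not part of the original article or of any Aladdin product. The blocklist entry, log format, hostnames and addresses are constructed placeholders.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed stand-in for the gateway's URL blocklist (placeholder name, not a real site).
KNOWN_ANONYMIZERS = {"proxy.example-anonymizer.test"}

ABSOLUTE_URL = re.compile(r"^https?://[^\s/?#]+", re.IGNORECASE)


def decodes_to_url(value: str) -> bool:
    """True if a query value is an absolute URL as given, after percent-decoding,
    or after base64-decoding (web proxies often encode the target URL they fetch)."""
    candidates = [value, unquote(value)]
    try:
        padded = value + "=" * (-len(value) % 4)
        candidates.append(base64.b64decode(padded).decode("utf-8", "ignore"))
    except (ValueError, TypeError):
        pass  # not base64; the other candidates are still checked
    return any(ABSOLUTE_URL.match(c) for c in candidates)


def classify_request(url: str) -> str:
    """'listed' if the host is on the blocklist; 'suspected' if any query
    parameter carries a URL the server would fetch on the client's behalf."""
    parts = urlsplit(url)
    if (parts.hostname or "") in KNOWN_ANONYMIZERS:
        return "listed"
    for _name, value in parse_qsl(parts.query, keep_blank_values=True):
        if decodes_to_url(value):
            return "suspected"
    return "clean"


def scan_log(lines):
    """Tally non-clean verdicts per client from 'client method url' log lines."""
    report = {}
    for line in lines:
        client, _method, url = line.split()[:3]
        verdict = classify_request(url)
        if verdict != "clean":
            report.setdefault(client, []).append((verdict, url))
    return report


# Constructed proxy log lines; the third and fourth carry an encoded and a
# percent-encoded target URL, the pattern a blocklist alone would miss.
SAMPLE_LOG = [
    "10.0.0.5 GET http://intranet.example/news",
    "10.0.0.5 GET http://proxy.example-anonymizer.test/",
    "10.0.0.7 GET http://home-proxy.test/browse.php?u=aHR0cDovL2Jsb2NrZWQuZXhhbXBsZS8%3D",
    "10.0.0.7 GET http://home-proxy.test/index.php?q=http%3A%2F%2Fblocked.example%2F",
    "10.0.0.9 GET http://search.example/?q=proxy",
]
```

Running `scan_log(SAMPLE_LOG)` reports the listed site for 10.0.0.5 and two suspected proxy fetches from the unlisted host for 10.0.0.7, while the ordinary search query stays clean.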
Shimon Gruper is CTO of the Aladdin eSafe Business Unit at Aladdin Knowledge Systems; the product has received numerous awards for its uniquely powerful, gateway-based content security capabilities for the enterprise. Shimon is a respected, noted expert in the fields of anti-virus, anti-spam, anti-spyware, email security, vulnerabilities and numerous other content security threats, and is CISSP-certified. A speaker at numerous worldwide industry events, Shimon was one of the first industry experts to discover malicious code contained in Active-X, Java, etc. He is also the creator of the “generic” process to trap and nullify malicious code. Shimon was formerly the founder of eSafe Technologies, acquired by Aladdin in 1998.