<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Palo Alto Networks Research Center &#187; circumvention</title>
	<atom:link href="http://www.paloaltonetworks.com/researchcenter/tag/circumvent-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.paloaltonetworks.com/researchcenter</link>
	<description>The Palo Alto Networks Research Center Blog</description>
	<lastBuildDate>Fri, 30 Jul 2010 17:29:04 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Prepare for Soccer Hooliganism 2.0</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2010/06/prepare-for-soccer-hooliganism-2-0/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2010/06/prepare-for-soccer-hooliganism-2-0/#comments</comments>
		<pubDate>Fri, 11 Jun 2010 21:28:30 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[circumvention]]></category>
		<category><![CDATA[firewall]]></category>

		<guid isPermaLink="false">http://www.paloaltonetworks.com/researchcenter/?p=1037</guid>
		<description><![CDATA[World Cup soccer is upon us and millions of people worldwide will be clamoring for the latest updates on their favorite teams. In the US, the games are being streamed live by ESPN3, an easily accessible website that can deliver updates during common work hours. But there's a catch. ESPN3 streaming is being supported [...]]]></description>
			<content:encoded><![CDATA[<p>World Cup soccer is upon us and millions of people worldwide will be clamoring for the latest updates on their favorite teams. In the US, the games are being streamed live by ESPN3, an easily accessible website that can deliver updates during common work hours. But there's a catch. ESPN3 streaming is being supported by a set of dedicated service providers.<br />
<span id="more-1037"></span><br />
So what will an ardent soccer fan do when they want to access ESPN3 and do not know, or cannot find, the employer's service provider?<br />
<a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/06/world-cup-soccer.jpg"><img class="aligncenter size-full wp-image-1046" title="world cup soccer" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/06/world-cup-soccer.jpg" alt="" width="449" height="326" /></a><br />
The first reaction will be controlled anger and frustration. Unlike the drunken brawls (hooliganism 1.0) that would result from denying access to the favorite soccer teams, the high tech user will react differently.<br />
<a href="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/06/hooligan.jpg"><img class="aligncenter size-full wp-image-1048" title="hooligan" src="http://www.paloaltonetworks.com/researchcenter/wp-content/uploads/2010/06/hooligan.jpg" alt="" width="385" height="260" /></a><br />
I see three options a soccer fan may take (along with potential risks):</p>
<ol>
<li><strong>Call IT for the information. </strong>The biggest risk here is being laughed at by IT for asking. Coming in a close second is the risk of your boss finding out and asking you to get back to work.</li>
<li><strong>Spend time searching the web for other accessible feeds – like Univision. </strong>A minor risk here is a lack of productivity. It is minor because in many cases, non-productive employees will find something to waste time on. A more significant risk is threat propagation from random clicking to access unknown video sites (drive-by downloads, anyone?). FIFA-themed <a href="http://www.zdnet.com/blog/security/malware-watch-adobe-zero-day-attack-malicious-fifa-themed-spam-exploit-serving-virus-alerts/6670">attacks are already popping </a>up, one trying to take advantage of the Adobe zero-day flaw (CVE-2010-1297), which, by the way, was covered by Palo Alto Networks on Tuesday of this week.</li>
<li><strong>Use remote access (RDP, LogMeIn!, etc.) or tunneling applications (SSH) to access their home machine and watch from there. </strong>This avenue is possibly the most threatening because users will not understand the risks. The risks here are that the user will not know what they are doing and will open a back door to the corporate network (unknowingly, of course). Too often, organizations will ignore or minimize the risks that the use of these applications poses to the network.</li>
</ol>
<p>Luckily, Palo Alto Networks customers will be more prepared to control, or prevent the use of these types of applications. This is not the case for those who use dated security technology, <a href="http://www.paloaltonetworks.com/researchcenter/2010/02/tis-the-season-for-year-end-reports%E2%80%A6/">as pointed out in a previous entry.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2010/06/prepare-for-soccer-hooliganism-2-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Beyond Ports and Protocols</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/09/beyond-ports-and-protocols/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/09/beyond-ports-and-protocols/#comments</comments>
		<pubDate>Sun, 20 Sep 2009 06:48:45 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[circumvention]]></category>
		<category><![CDATA[data leakage]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=765</guid>
		<description><![CDATA[Often we talk about how destination port is not an accurate classification for controlling network traffic. At this point, hopefully that is obvious. Everyone knows that just about anything can get out of an enterprise network via port 80 or 443. Lately I have had several discussions with customers curious about protocol validation and ensuring [...]]]></description>
			<content:encoded><![CDATA[<p>Often we talk about how destination port is not an accurate classification for controlling network traffic. At this point, hopefully that is obvious. Everyone knows that just about anything can get out of an enterprise network via port 80 or 443. Lately I have had several discussions with customers curious about protocol validation and ensuring that only &#8220;valid&#8221; traffic is being allowed. Being &#8220;valid&#8221; has become a mostly useless concept. How do you control traffic on 80 and 443? You put in a proxy, right? Hmm. That is useful if you want to make sure non-HTTP applications do not take advantage of a firewall policy that allows 80 and 443 out of the network. However, it is clearly not that simple – and it is not just HTTP that is the issue.<br />
<span id="more-765"></span><br />
There are dozens of applications out there that allow a user to tunnel just about any application over &#8220;valid&#8221; HTTP or SSL. The protocol validation available in many products does nothing for this. Lately I have been studying other tunneling applications – applications that correctly utilize a protocol and take advantage of the fact that most networks assume if the flow follows the standard for the protocol then it should be allowed. What are the most likely protocols to be allowed out of the network, even when HTTP may not be? DNS and SMTP. Don&#8217;t be confused, I don&#8217;t mean to say that all enterprises allow a random PC on the network to begin sending DNS or SMTP traffic directly to the Internet – although some do. I do mean to say that just about any PC in any enterprise can send an email and look up a hostname, albeit through corporate DNS and SMTP servers. Enter a few creative tunneling applications: <a href="http://ww2.paloaltonetworks.com/applipedia/apps/tcp-over-dns">dns2tcp</a> and <a href="http://ww2.paloaltonetworks.com/applipedia/apps/hosproxy">HoSProxy</a>. </p>
<p>dns2tcp is a clever system that essentially allows you to tunnel any TCP traffic inside of valid DNS lookups through any DNS server. It works by taking your application payload and breaking it up into small enough chunks to be able to fit into DNS requests as a hostname. The trick to it is that those &#8220;hostnames&#8221; need to eventually get resolved by the authoritative DNS for the specified domain. Conveniently, the authoritative DNS happens to be the server side of the dns2tcp system. It receives requests for &#8220;hostname&#8221; resolution for hosts in its domain or sub-domain and sends back &#8220;responses&#8221; as requested. The DNS requests and responses are actually the tunneled TCP payload. Pretty slick if you seem to be stuck inside someone&#8217;s &#8220;restrictive&#8221; network. Next time you are traveling and on an airport or hotel wireless network, see if you can do a DNS lookup for google.com before you go through the captive portal sign-in process that is usually required before browsing the web. If you can, you can also tunnel anything you want through that network.</p>
<p>HoSProxy is a similar concept but uses SMTP to transmit HTTP requests and responses. If you can send an email, you can browse the web. I am not sure you will be too happy with the latency of the solution, but in a pinch, it works.</p>
<p>Now, I am not encouraging everyone to run out and set up SMTP or DNS servers at their home so they can start tunneling everything. Rather, I wanted to highlight that validating traffic to ensure that it matches an RFC is only a tiny step more useful than using destination port to classify and control traffic. It&#8217;s not about ports and protocols, it&#8217;s about the applications running on top of them – and there are lots of creative people writing creative applications using these normally boring protocols. To steal a desktop publishing acronym: WYSIWYG (what you see is what you get). If the firewall or IPS doesn&#8217;t see it, it doesn&#8217;t get it – and you don&#8217;t get to control it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/09/beyond-ports-and-protocols/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Hulu Networks’ Battle Against External Proxies</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/05/hulu-networks%e2%80%99-battle-against-external-proxies/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/05/hulu-networks%e2%80%99-battle-against-external-proxies/#comments</comments>
		<pubDate>Tue, 12 May 2009 14:45:47 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[firewall]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=171</guid>
		<description><![CDATA[This TechCrunch article outlines how Hulu Networks, the rapidly growing purveyor of streaming HD content, is taking some fairly extreme steps to make sure that their content is only accessed by users in the US. Apparently anyone with an anonymous IP address is blocked. An interesting step that will, in all likelihood, fail.
Why? It’s all [...]]]></description>
			<content:encoded><![CDATA[<p>This <a href="http://www.techcrunch.com/2009/05/06/control-freaks-hulu-now-blocks-anonymous-proxies-too/">TechCrunch article outlines how Hulu Networks</a>, the rapidly growing purveyor of streaming HD content, is taking some fairly extreme steps to make sure that their content is only accessed by users in the US. Apparently anyone with an anonymous IP address is blocked. An interesting step that will, in all likelihood, fail.</p>
<p>Why? It’s all about numbers. There are millions of users worldwide who want access to their content. And as we discuss in this <a href="http://threatpost.com/blogs/how-employees-evade-it-security-controls">ThreatPost article</a>, users will proactively circumvent controls. A 45 second search on the web provides a wealth of information on how to circumvent security controls and blocking mechanisms. Some examples:<br />
*  There are at least 7700 public proxies that users can access merely by visiting proxy.org.<br />
*  Users can build their own private proxy.<br />
*  Visit circumventor.net to find a list of circumvention tools.<br />
*  There are new encrypted tunneling applications like <a href="http://ww2.paloaltonetworks.com/applipedia/apps/gbridge">Gbridge</a> popping up on a regular basis.<br />
I could go on. And while I am sure that Hulu has a very smart and dedicated team of IT professionals, can they win against millions? My view is that they will not because of the sheer numbers. But I do wish them luck. But let’s look on the bright side, they have a good product and people want it.</p>
<p>Thanks for reading.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/05/hulu-networks%e2%80%99-battle-against-external-proxies/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Found On Lifehacker &#8211; an easy way past workplace security controls</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2009/04/found-on-lifehacker-an-easy-way-past-workplace-security-controls/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2009/04/found-on-lifehacker-an-easy-way-past-workplace-security-controls/#comments</comments>
		<pubDate>Tue, 28 Apr 2009 21:27:37 +0000</pubDate>
		<dc:creator>Chris King</dc:creator>
				<category><![CDATA[application usage & risk report]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://blog.paloaltonetworks.com/?p=167</guid>
		<description><![CDATA[Anybody can set up external proxies.]]></description>
			<content:encoded><![CDATA[<p>Here&#8217;s an article I found on Lifehacker, a useful, mainstream website.  The article points to a step-by-step tutorial on how to circumvent IT&#8217;s security controls using FreeProxy.  Have a <a href="http://lifehacker.com/5226972/freeproxy-helps-you-circumvent-restrictive-firewalls">look</a>.</p>
<p>Matt talks a little about circumventing applications in <a href="http://blog.paloaltonetworks.com/?p=153">this post</a>, and they are covered extensively in our <a href="http://www.paloaltonetworks.com/literature/AUR_report0409.html">Application Usage and Risk Report</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2009/04/found-on-lifehacker-an-easy-way-past-workplace-security-controls/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Joost Opens 1.0 Beta</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2007/10/joost-opens-1-0-beta/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2007/10/joost-opens-1-0-beta/#comments</comments>
		<pubDate>Fri, 05 Oct 2007 22:53:30 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[firewall]]></category>
		<category><![CDATA[circumvention]]></category>
		<category><![CDATA[streaming media]]></category>

		<guid isPermaLink="false">http://staging.paloaltonetworks.com/wp2/2007/10/joost-opens-1-0-beta/</guid>
		<description><![CDATA[ALERT &#8211; The wait is over&#8230; No longer do users need a precious invitation to join the closed Joost beta to experience IPTV at its best. Joost has recently opened their 1.0 beta to the public. Enhancements include a slightly revised user interface and open API for 3rd party widget development. Joost has differentiated themselves [...]]]></description>
			<content:encoded><![CDATA[<p>ALERT &ndash; The wait is over&#8230; No longer do users need a precious invitation to join the closed Joost beta to experience IPTV at its best. Joost has recently opened their 1.0 beta to the public. Enhancements include a slightly revised user interface and open API for 3rd party widget development. Joost has differentiated themselves from other online content providers in both delivery and quality of content. By using a peer-to-peer distributed streaming model to deliver video content, as opposed to relying on a central server, Joost is able to provide more efficient (for them) delivery of video content. Faster streaming of video content is nice, but providing professionally-produced content is a key component as well. Joost has done well securing distribution deals with Viacom, CBS, and Turner Networks for high-quality television content.</p>
<p>Administrators need to be aware that Joost is designed to evade detection from corporate firewalls and usage within their organizations can potentially consume large amounts of bandwidth and productivity. In April 2007 when the private beta started, Palo Alto Networks released an App-ID that gives customers visibility and control over Joost traffic &#8211; allowing it to be blocked or simply marked with a QoS tag for prioritization at the WAN gateway.</p>
<p>For more information about Joost click <a href='http://www.paloaltonetworks.com/arc/index.php?option=com_applipedia&#038;task=1&#038;appid=736&#038;Itemid=34' target="_blank"> here</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2007/10/joost-opens-1-0-beta/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Meebo Adds File Sharing Service</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2007/09/meebo-adds-file-sharing-service/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2007/09/meebo-adds-file-sharing-service/#comments</comments>
		<pubDate>Fri, 21 Sep 2007 00:45:09 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[firewall]]></category>
		<category><![CDATA[circumvention]]></category>
		<category><![CDATA[file sharing]]></category>

		<guid isPermaLink="false">http://staging.paloaltonetworks.com/wp2/2007/09/meebo-adds-file-sharing-service/</guid>
		<description><![CDATA[ALERT &#8211; Meebo, the web-based instant messaging service, has now added a file transfer feature that allows users to share files with IM contacts regardless of which IM network they are on. Utilizing Amazon&#8217;s S3 (Simple Storage Service), Meebo provides a 2-step file transfer process. When users upload a file with Meebo it is sent [...]]]></description>
			<content:encoded><![CDATA[<p>ALERT &ndash; Meebo, the web-based instant messaging service, has now added a file transfer feature that allows users to share files with IM contacts regardless of which IM network they are on. Utilizing Amazon&#8217;s S3 (Simple Storage Service), Meebo provides a 2-step file transfer process. When users upload a file with Meebo, it is sent to Amazon&#8217;s S3; Meebo then sends a link to the file back to the receiver. The receiver has 4 hours to download it before the file expires. Initially, Meebo has limited the file transfer to 10MB per file with a cap of 30MB per month. However, those restrictions may change as Meebo gains user feedback. </p>
<p>Meebo is the latest example of how easy it is to share files with others without having to download client software to do it. Enterprises should maintain visibility and control over web applications in order to mitigate risks and enforce appropriate Internet usage policies.</p>
<p>Click <a href='http://www.techcrunch.com/2007/09/10/meebo-adds-file-sharing-to-webchat/' target="_blank"> here</a> to view the TechCrunch article on Meebo file sharing.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2007/09/meebo-adds-file-sharing-service/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Fake Tor Application Helps Storm Worm Spread</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2007/09/fake-tor-application-helps-storm-worm-spread/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2007/09/fake-tor-application-helps-storm-worm-spread/#comments</comments>
		<pubDate>Tue, 11 Sep 2007 10:09:54 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[firewall]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://staging.paloaltonetworks.com/wp2/2007/09/fake-tor-application-helps-storm-worm-spread/</guid>
		<description><![CDATA[ALERT &#8211; Capitalizing on user fears of hackers capturing and viewing their internet traffic, the Storm worm&#8217;s latest propagation method uses spam email with the subject line &#8220;Careful, you.re being watched.&#8221; to suggest that users download an application called Tor to provide safety and anonymity in surfing the web. However, when users click on the [...]]]></description>
			<content:encoded><![CDATA[<p>ALERT &ndash; Capitalizing on user fears of hackers capturing and viewing their internet traffic, the Storm worm&#8217;s latest propagation method uses spam email with the subject line &#8220;Careful, you.re being watched.&#8221; to suggest that users download an application called Tor to provide safety and anonymity in surfing the web. However, when users click on the link to download the Tor file, they are actually downloading malware assumed to be more copies of the Storm worm. Storm worm-infected computers are turned into bots or zombie computers which listen for commands from a central server run by a hacker. Hackers controlling the bots or zombie computers can then use them to send spam, adware, and spyware, launch denial-of-service attacks, and other nefarious activities. </p>
<p>Here&#8217;s an image of the spam email body used by the Storm worm:</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2007/09/fake-tor-application-helps-storm-worm-spread/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Google Desktop Can be a Wolf in Sheep&#8217;s Clothing</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2007/08/google-desktop-can-be-a-wolf-in-sheeps-clothing/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2007/08/google-desktop-can-be-a-wolf-in-sheeps-clothing/#comments</comments>
		<pubDate>Thu, 23 Aug 2007 06:32:31 +0000</pubDate>
		<dc:creator>Matt</dc:creator>
				<category><![CDATA[firewall]]></category>
		<category><![CDATA[application control]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://staging.paloaltonetworks.com/wp2/2007/08/google-desktop-can-be-a-wolf-in-sheeps-clothing/</guid>
		<description><![CDATA[ALERT &#8211; Google Desktop has become popular in large part due to very painful desktop search functions in Windows. It is able to find documents and email very quickly and accurately. However, it has a feature that should probably be of considerable concern for enterprises. A feature called Search Across Computers ought to raise eyebrows. [...]]]></description>
			<content:encoded><![CDATA[<p>ALERT &ndash; Google Desktop has become popular in large part due to very painful desktop search functions in Windows. It is able to find documents and email very quickly and accurately. However, it has a feature that should probably be of considerable concern for enterprises. A feature called <i>Search Across Computers</i> ought to raise eyebrows. The feature uploads text versions of all indexed files to Google&#8217;s servers in order to allow users to find information they are looking for regardless of which computer they might be using at the time. A quote from the <a href="http://en.wikipedia.org/wiki/Google_Desktop#Criticisms">Wikipedia entry</a> on Google Desktop ought to be enough to make you think about updating to App Update 26 in order to understand how Google Desktop is being used in your enterprise: </p>
<blockquote><p><i>The EFF advises against using this feature. Also, those who have confidential data on their work or home computers should not enable this feature. There are privacy laws and company policies that could be violated through the installation of this feature, specifically, SB 1386, HIPAA, FERPA, GLBA and Sarbanes-Oxley.</i></p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2007/08/google-desktop-can-be-a-wolf-in-sheeps-clothing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Meebo Repeater: An Evasive Extension to an Already Evasive App</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2007/08/meebo-repeater-an-evasive-extension-to-an-already-evasive-app/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2007/08/meebo-repeater-an-evasive-extension-to-an-already-evasive-app/#comments</comments>
		<pubDate>Mon, 20 Aug 2007 13:52:28 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[firewall]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://staging.paloaltonetworks.com/wp2/2007/08/meebo-repeater-an-evasive-extension-to-an-already-evasive-app/</guid>
		<description><![CDATA[ALERT &#8211; If you are trying to control IM use and haven&#8217;t heard of Meebo, it is very likely your users have. Meebo&#8217;s purpose in life is to allow people to continue using IM even at companies that have a policy to block it. It is a web-based multi-protocol IM client that is accessed via [...]]]></description>
			<content:encoded><![CDATA[<p>ALERT &ndash; If you are trying to control IM use and haven&#8217;t heard of <a href="http://meebo.com">Meebo</a>, it is very likely your users have. Meebo&#8217;s purpose in life is to allow people to continue using IM even at companies that have a policy to block it. It is a web-based multi-protocol IM client that is accessed via HTTP or HTTPS. During early adoption, just being web-based was enough to get out of most networks. However, as administrators started blocking access to Meebo&#8217;s web servers, Meebo launched the <a href="http://blog.meebo.com/?page_id=140">Meebo Repeater</a> &ndash; a repackaged proxy that is designed to get around Meebo deny rules. App Update 26 adds support for Meebo Repeater, allowing you to detect its use and control it if so desired.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2007/08/meebo-repeater-an-evasive-extension-to-an-already-evasive-app/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HTTP Tunneling 101</title>
		<link>http://www.paloaltonetworks.com/researchcenter/2007/05/http-tunneling-101/</link>
		<comments>http://www.paloaltonetworks.com/researchcenter/2007/05/http-tunneling-101/#comments</comments>
		<pubDate>Fri, 25 May 2007 16:21:57 +0000</pubDate>
		<dc:creator>Mike</dc:creator>
				<category><![CDATA[firewall]]></category>
		<category><![CDATA[circumvention]]></category>

		<guid isPermaLink="false">http://staging.paloaltonetworks.com/wp2/2007/05/http-tunneling-101/</guid>
		<description><![CDATA[Network administrators are more and more concerned about scrutinizing the traffic that comes in and out of their networks, but applications and attackers know that they won&#8217;t block HTTP traffic over port 80.
So if you can&#39;t beat &#39;em, join &#39;em. Applications and attacks have quickly learned that they can evade firewalls and other security devices via HTTP [...]]]></description>
			<content:encoded><![CDATA[<p>Network administrators are more and more concerned about scrutinizing the traffic that comes in and out of their networks, but applications and attackers know that they won&rsquo;t block HTTP traffic over port 80.</p>
<p>So if you can&#39;t beat &#39;em, join &#39;em. Applications and attacks have quickly learned that they can evade firewalls and other security devices via HTTP tunneling. HTTP tunneling is a method of evading network firewalls and access control policies by encapsulating traffic in HTTP headers and sending it over the most open port in the network &ndash; port 80. To learn about how applications and attackers are using this method to bypass firewall and router access control policies, click on the link below. </p>
<p><a href="http://www.securityfocus.com/infocus/1793" target="_blank">http://www.securityfocus.com/infocus/1793</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.paloaltonetworks.com/researchcenter/2007/05/http-tunneling-101/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
