Blacklisting useless?

We use a blacklisting system to prevent our users form accessing unwanted sites from the office pc's. Quite effective, although, of course, such a system always lags behind.

I just ran into Officesurfer. It lets a user surf to their own home system and reach unwanted sites from that system (it just requires running the Badblue webserver on that pc). It looks like blacklisting is no longer any protective measure...

 

Excuse my ignorance, but couldn't you accomplish the same thing by simply using Microsoft's Telnet? (Which has been around since at least Win95) You can open IE on a remote computer and surf away. That's what it boils down to or am I missing something?

 

Telnet often is not allowed through a corporate firewall, surfing is.

 

Thank you. Don't tell my boss that. OK?
Just kidding. Telnet is allowed because that is how the guys in the field contact our server. He probably missed blocking the outgoing connections.

So with this Officesurfer the connection to the surfer-server (lol) is made through IE? Using your home computer as a proxy.
Then I understand your fears.

 

We'll be testing this... so far we have seen a url that ends in =secsurf.htx. Perhaps a firewall can detect such traffic. We'll report back later

 

Just curious but is this a publicly accessible blacklist that is being used, or is it more or less unique and built around the needs of your network? I feel the major problems with blacklists is that they are sometimes too restrictive and may block legitimate traffic (whether it be email or websites).

I have never heard of this OfficeSurfer program but as StAnger eluded too, couldn't this just present new concerns to the network?

 

Among other numerous methods.....

 

Our testing:

we installed this webserver and plugin on a home pc: http://www.test.com

From our secure network (firewall and blacklist protected) we surfed to our newly created home site.
This results in a page with an input box. We entered http://www.usuallyblocked.com and, behold, the site is shown in a frame in the browser. The blacklist is effectively defeated.

In the firewall logs we found a request for a page secsurf.htx on the http://www.test.com server.
Next there's a line that shows a request for a page called: http://www.test.com/http://www.usuallyblocked.com/, followed by lines where this site is references by a session code and encrypted filename instead of a name: http://www.test.com/http://sessioncode_and_codedpagename

So, catch those secsurf.htx requests and the http://x.y.z/http:// lines in your firewall logs.

(I suppose that in the final version this secsurf name will be user configurable )