Potential security breach in Anonymizer's Total Net Shield

Hello,

I think that I might have found a security flaw in Total Net Shield (from Anonymizer.com). I need help to find out wether I'm wrong or not. I emailed Anonymizer but their answer is not satisfaying (read below).

Total Net Shield provides an encrypted tunnel from your computer to their HTTP proxy, using the SSH protocol. You are supposed to use the provided software to use the tunnel, but I found out that any SSH client will work (Anonymizer used to inform people about this but it's not the case anymore).

If you use their software, then you won't notice anything particular. But if you use for example OpenSSH, here is what you get (I changed sensitive informations into fake ones):

Code:

bash$ ssh raco@10.10.10.10
raco@10.10.10.10's password:
Last login: Mon Mar 12 13:42:15 2007 from xxx.xxx.xxx.xxx
 (...welcome message...)

Where 10.10.10.10 is the (fake, though I could have used the real one as it's not really private) address of anonymizer's SSH server and xxx.xxx.xxx.xxx is some IP address. If I logout, then login again, then xxx.xxx.xxx.xxx becomes my IP address. If I logout and come back later, xxx.xxx.xxx.xxx will be again another completely different address.

The weird thing is that xxx.xxx.xxx.xxx is always very different from any Anonymizer's IP addresses that I know of, and usually belongs to some ISP in some place (so far, I have seen addresses from Indonesia, Vietnam, USA). I even got some addresses in the reversed form, for example xxx-xxx-xxx-xx.c3-0.frm-ubr1.sbo-frm.ma.cable.rcn.com.

Of course, when you log with your username and your password into any UNIX machine, you should see the time and IP address of your last connection and nothing concerning others users. Maybe Anonymizer made a mistake with their authentication system.

I noticed this just after having bought Total Net Shield, so my account couldn't be hacked and used by several people around the world only 5 minutes after it has been created.

So I emailed Anonymizer about this. Their reply was "Those IP address are randomized for your protection. [...] None of these belong to a certain person.".

Weird. It would be more simple to always use a fake address like 10.0.0.0. Or not to display anything, especially considering that their software does not display this information at all. And how come those randomized IP addresses always belong to some ISP somewhere ? Why would someone create a system that randomly generates an IP address that exists, belong to some ISP, just to have his SSH server sending a fake "Last login" line ? And why do I see my own IP address if I quickly logout then login again ?

Either they lied to me, or they assumed that it was yet another script kiddie that emailed them announcing that he found a security flaw but in reality found nothing, and they didn't investigate further. By the way, if this is really a security flaw, then any script kiddie could discover it. I would rather call it "big mistake" than "security flaw".

There's only one way for me to know for sure: buying a second account. But if anyone here has an account, he could help me. I would just log into my account and tell him what my IP address is, and then he would log into his account just after me, and tell me if yes or no he can see my address. Can anyone do that ?

It can look like a small flaw, but a web site administrator could quite easily find out the real IP address of a frequent visitor because of it (it may be out of subject, but the administrator could cross check several informations to do this, such as time of visit, user-agent, tcp/ip fingerprinting... possibly using automated processes).

 

If you see your own address listed, then they are clearly not randomising the addresses immediately though they could be doing so at a later point. I'd suggest asking them to confirm exactly how and when this randomisation occurs - if you have any means of varying your IP address (changing it with your ISP or connecting via a separate method, e.g. dialup), this may help confirm matters.

I don't use Anonymizer myself so can't suggest anything further.

 

Thanks, Paranoid2000.

I sent 3 emails to the Anonymizer support, and 2 different people replied to me. I'm waiting the answer to my third email. When I told them that it would be easier not to display anything or to display a fake IP address like 0.0.0.0 rather than creating a random true IP address which is useless, they answered this to me:

It seems that they don't get the point at all. They act like I'm a newbie who don't know how it works. They must be trained to help people with the Windows software provided by Anonymizer, and I guess they don't know how all this works "behind the scene". They probably never used a UNIX shell and don't know what this "Last login..." line is.

And they don't forward my email to the people at Anonymizer's who could understand it. They just keep saying to me that everything is ok.

I tried to connect from some IP address, then re-connect from another IP address. I can see the first address the second time I login. Moreover, host names I can see which are not mines sometimes look like xxx.adsl.some-ISP.com so I'm really starting to think that there is a huge security flaw in their system.

But they don't want to listen to me and I can't find another email address than the one for the support. I hope I won't have to buy another account to prove what I'm saying (and they probably wouldn't understand the proof either).

 

They do seem to be missing the point - although this is pretty limited (allowing one Anonymizer account holder to discover the real IP address of another), it should be easy to fix and you would expect an anonymity service to take such matters more seriously.

If they don't then voting with your feet would seem the best option - if they fail to address this then how likely are they to act on more serious issues?

 

This is a serious issue.

They use DNS load balancing for their SSH server and have 12 machines. I noticed that each machine is not used very often: usually I can see that the "Last login" line still shows my own last login after one or more hours (I just checked for the server I'm using now and nobody used it for the last 3 hours).

Let's say you are a web site admin and want to find out the real IP of some anonymized visitor. You manage to make a web page with a cgi that, when it sees an IP of Anonymizer (easy to recognize), runs a shell script that will get the 12 last IP addresses. Do this for each visit of the guy and you'll certainly find the IP.

You could even try to list all the IP used this day by Anonymizer users (their whole system doesn't seem to get more than 100 or 150 incoming connections per day), knowing that any user gets disconnected after 24 hours.

If you end with several IP addresses without knowing which is the one you want, you can go further. Use TCP/IP fingerprinting to find out which operating system is used on each computer and compare with what you have in the logs of your web server (usually you can tell the OS from the User-Agent). Compare the location and the langage used on your web site, time of visit, etc.

I think that in the worst case, you'll have the good IP amongst a few others. This flaw really can take your anonymity away.

 

The "previous IP" address is only shown after a successful Anonymizer login which means that the webmaster in your example would need to have a working Anonymizer account - even then he has no way of being sure that the IP displayed is yours rather than that of another Anonymizer user. Whether these limitations still make the problem serious is down to personal perspective.

 

I paid 100 dollars to the self-proclaimed world leader in anonymity in order to hide my IP address, and 5 minutes later I found out that my IP address is given to the first user that comes after me. Guess how my perspective is .

 

It should be addressed - today.

Have you tried calling the Anonymizer's offices? Tell them you have an urgent security issue for Lance Cottrell. He's the founder and now the "Chief Scientist." He knows his stuff and I am certain would want to know about this ASAP. Another good way to reach the powers-that-be is to get in touch with their PR people. Tell them it is urgent that someone other than telephone support call you.

PR for Anonymizer is handled by Paula Dunne with ContosDunne Communications. 408.776.1400


Good catch, raco!

GP
-------------------------

 

Thank you Genady, but I prefer not to phone because my spoken english is really bad. I never really had the occasion to speak in this langage and I fear I won't be understandable.

I'll try to send another email. Each new email will be tailored more specifically to the recipient's abilities . At least they will (hopefully) realize that any message talking about a security problem should be transferred to the proper people.

I'm glad to hear that Lance Cottrell knows its stuff, but what a pity that he didn't do what I did: use the service for the first time and wonder "whose IP address is this ?". Yes I'm (slightly) teasing him but I could ask for a refund.

 

raco...

I understand.

Try this:
paula (at) contosdunne.com

Say in your email what I suggested you say in a phone call.

BTW, as per Lance Cottrell.... Ever heard of the Mixmaster protocol? The original Mixmaster Remailer? He designed it all - by himself. He would want to know if there is a security breach with Anonymizer. Trust me. Again, good catch. Let us know!

 

Ok, I'll try this if my last email doesn't work. Thanks. I'll let you know if anything happens.

I believe you. I can't blame him, he may have nothing to do with this problem.

 

I sent another email more than one day ago. The recipients were the Anonymizer support, Lance Cottrell (found his email on the web) and Paula Dunne. I got no answer. I gave them this thread's URL.

Maybe they don't want to admit that they made such a big mistake.

 

Not at all. It just takes a while for me to get through the volume of email I receive. I certainly appreciate having this brought to my attention. I am sorry you had trouble escallating this issue to me. I will try to streamline that process. As you might imagine there are many false reports for every serious issue like this.

As you know, the purpose of the "Last login:" field is to alert you to a security breach in your account. If the last login IP address is not familiar it tells you that your account has been accessed by someone else. Because the average user has no idea what their IP is or what it means, we don't show that in the normal interface. It is really a power-user feature.

We have tested the system from many different accounts to try to reproduce the described behavior, and have never seen an unfamiliar IP address.

From the description of the problem it appears that your account has in fact been breached. I suggest the problem is most likely to be a weak password. Please try this experiment. Change your password to something very strong, then continue to monitor for this behavior.

Please contact me directly with the results of your tests.

 

wow,
everybody has said everything, but nobody's mentioned, if this software isn't sufficient enuf to our needs, what else do we need to use
what is a better replacement
would anyone suggest?
i'm currently using jap and it's great
trust me guys it's great
but they have now released a beta version and soon it would be final,
Currently it's totally free with fictional payment but soon they'll charge by the kilobyte,
this total net shield has a benefit it's a one time payment for the year,
now would anybody suggest what is needed to access the internet, using a better replacement to the total net shield plus which offers, anonymity as well as privacy in surfing like the jap to be able to access anysite , blocked or not, by your isp,
i would suggest FREEDOM,
it's good
but if anybody has any ideas , they're most welcome to reply

 

Hello,

First of all, I should say that the problem is fixed. The "Last login" line has been removed. This "power-user feature" doesn't exist anymore ;-). According to Mr Cottrell, a small fraction of the users was concerned by this problem. I still don't know what exactly caused this, and it seems that Anonymizer don't know either or don't want to tell.

Anonymizer's web site still says that "Anonymizer identity protection solutions have been used to protect billions of Web pages without a single security breach since the company's inception in 1995", but several security flaws have been reported (just search the web).

Total Net Shield may be a good product if you just need to browse the web or send an email with a good level of anonymity. The speed is quite good (though it can be slow at times). Unfortunately, it is unable to provide anonymity for a lot of things, like IRC (where it would be quite needed). You can only anonymize web, email, newsgroup, ICQ, and that's all.

I found another anonymity service, www.findnot.com but I have not tested it yet. It cost the same price as Anonymizer, and it has many, many advantages:
- You can register anonymously, without providing your name or credit card number (by sending cash, but you can also pay by credit card via google checkout or egold).
- They have 34 servers on 10 IP blocks in 7 different countries, and you can choose the server you want to use at any time. For example, you can pretend you're located in Germany or Malaysia. Anonymizer always uses the same IP block and is blacklisted on some websites.
- They have a clear log policy (logs are kept 5 days then deleted).
- They offer Socks Proxy, SSH Proxy, PPTP VPN or OpenVPN, so you can fully anonymize every single Internet application, not just web and email.
- They offer an anonymous file storage service.
- Their offer support 7 days a week.

Just look at the competitive analysis on the findnot website. You can request a free trial account.