Blacklisting useless?

Discussion in 'other security issues & news' started by meneer, Dec 4, 2003.

Thread Status:
Not open for further replies.
  1. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    We use a blacklisting system to prevent our users from accessing unwanted sites from the office pc's. Quite effective, although, of course, such a system always lags behind.

    I just ran into Officesurfer. It lets a user surf to their own home system and reach unwanted sites from that system (it just requires running the Badblue webserver on that pc). It looks like blacklisting is no longer any protective measure... :rolleyes:
     
  2. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Excuse my ignorance, but couldn't you accomplish the same thing by simply using Microsoft's Telnet? (Which has been around since at least Win95) You can open IE on a remote computer and surf away. That's what it boils down to or am I missing something?
     
  3. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Telnet often is not allowed through a corporate firewall, surfing is.
     
  4. StAnger

    StAnger Registered Member

    Joined:
    Jun 8, 2003
    Posts:
    84
    Thank you. Don't tell my boss that. OK? :D
    Just kidding. Telnet is allowed because that is how the guys in the field contact our server. He probably missed blocking the outgoing connections.

    So with this Officesurfer the connection to the surfer-server (lol) is made through IE? Using your home computer as a proxy.
    Then I understand your fears.
     
  5. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    We'll be testing this... so far we have seen a url that ends in =secsurf.htx. Perhaps a firewall can detect such traffic. We'll report back later :)
     
  6. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Just curious but is this a publicly accessible blacklist that is being used, or is it more or less unique and built around the needs of your network? I feel the major problem with blacklists is that they are sometimes too restrictive and may block legitimate traffic (whether it be email or websites).

    I have never heard of this OfficeSurfer program but as StAnger alluded to, couldn't this just present new concerns to the network?
     
  7. JayK

    JayK Poster

    Joined:
    Dec 27, 2002
    Posts:
    619
    Among other numerous methods.....
     
  8. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    Our testing:

    We installed this webserver and plugin on a home pc: http://www.test.com

    From our secure network (firewall and blacklist protected) we surfed to our newly created home site.
    This results in a page with an input box. We entered http://www.usuallyblocked.com and, behold, the site is shown in a frame in the browser. The blacklist is effectively defeated.

    In the firewall logs we found a request for a page secsurf.htx on the http://www.test.com server.
    Next there's a line that shows a request for a page called: http://www.test.com/http://www.usuallyblocked.com/, followed by lines where this site is referenced by a session code and encrypted filename instead of a name: http://www.test.com/http://sessioncode_and_codedpagename

    So, catch those secsurf.htx requests and the http://x.y.z/http:// lines in your firewall logs.

    (I suppose that in the final version this secsurf name will be user configurable :( )
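
The two log indicators from the post above, written as a small scanner. This is an added example, not part of the original thread: the "time client method url" log layout, the client addresses and the relay.example.net line are constructed, and the percent-decoding step goes slightly beyond the pattern the post describes.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed sample lines; the "time client method url" layout is an assumption.
SAMPLE_LOG = """\
2003-12-05T09:14:02 10.0.0.21 GET http://www.test.com/secsurf.htx
2003-12-05T09:14:09 10.0.0.21 GET http://www.test.com/http://www.usuallyblocked.com/
2003-12-05T09:14:10 10.0.0.21 GET http://www.test.com/http://sessioncode_and_codedpagename
2003-12-05T09:15:40 10.0.0.37 GET http://www.example.org/index.html
2003-12-05T09:16:12 10.0.0.37 GET http://relay.example.net/HTTP%3A%2F%2Fwww.usuallyblocked.com/
2003-12-05T09:17:03 10.0.0.44 GET http://www.example.org/go?next=http://www.example.com/
"""

NESTED_URL = re.compile(r"^/+https?://", re.IGNORECASE)

def classify(url):
    """Return the set of indicator names that a requested URL matches."""
    parts = urlsplit(url)
    hits = set()
    # Indicator 1: the secsurf.htx page, in the path or after '=' in the query.
    if "secsurf.htx" in (parts.path + "?" + parts.query).lower():
        hits.add("secsurf")
    # Indicator 2: a full URL used as the path (http://x.y.z/http://...).
    # Decoding first also catches a percent-encoded inner scheme.
    if NESTED_URL.match(unquote(parts.path)):
        hits.add("nested-url")
    return hits

def scan(log_text):
    """Map (client, relay host) -> indicators seen, for flagged requests only."""
    findings = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the assumed layout
        _, client, _, url = fields
        hits = classify(url)
        if hits:
            host = urlsplit(url).hostname
            findings.setdefault((client, host), set()).update(hits)
    return findings

if __name__ == "__main__":
    for (client, host), hits in sorted(scan(SAMPLE_LOG).items()):
        print(f"{client} -> {host}: {', '.join(sorted(hits))}")
```

The nested-URL check does not depend on the secsurf.htx name, so it still fires if that page name becomes configurable, while an ordinary redirect parameter in the query string (the last sample line) is not flagged.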
     