MySecureIsp.com?

Discussion in 'other security issues & news' started by nameless, Sep 5, 2006.

Thread Status:
Not open for further replies.
  1. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Is anyone familiar with http://www.mysecureisp.com ? I just came across it for the first time. It seems that for $10 USD/year, you get a login ID and password, then install plugins for your various internet applications, and use them as a secure proxy.

    McAfee SiteAdvisor raises a spyware flag on the site.

    Just wondering...
     
  2. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Their main application contains adware (KAV scan) and all the rest is "coming soon". There are no technical details of how this supposedly works.

    This is a scam site, avoid like the plague.
     
  3. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    If that's true, the irony is that I found this site because it was linked to from a site recommended by Bruce Schneier.
     
  4. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Any pointers at where Schneier recommends blackboxsearch?

    EDIT: never mind, I found it.

    EDIT2: I tried this blackboxsearch and frankly, I find it pretty much worthless. It sits as a proxy between you and the search engine... so what? The connection isn't encrypted; the search terms are sent through a POST instead of a GET but they can be sniffed by anybody on the route path; your ISP can do it; the only difference is that you're not trusting Google here, you're trusting Blackboxsearch. Use Tor if you want something a little more serious than this stuff.
     
    Last edited: Sep 5, 2006
  5. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Going back to the original subject, either this is a false positive by KAV or this software does indeed include adware.

    Even if the former is true, the lack of actual technical documentation of how this supposedly works, what the encryption details are, etc., would make me very suspicious about the reliability of this service.
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
  7. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    How the hell can McAfee not detect anything... McAfee SiteAdvisor obviously uses McAfee's engine...

    Rhetorical, since I don't care anymore. (Read: I don't trust the site.) Thanks for the replies. I've been up for 20 hours at this point and I'm fading fast, so I appreciate the input. ;)

    sjfdajfllfwsejjjjjjjjjjjjjjjjjjjjj
     
  8. studtrooper

    studtrooper Registered Member

    Joined:
    Sep 5, 2006
    Posts:
    6
    I'm currently trialing this site right now (mostly because I'm a tightwad and wanted to see if there were cheaper alternatives to www.cotse.net and www.findnot.com) and posting from their proxy. Seems legit, with a few caveats:

    I chose to use the Firefox extension. Ironically, the link pointing to the Firefox extension was broken, but luckily their site doesn't mind snooping in index pages (http://www.mysecureisp.com/download/). After installing the extension, I first went into the proxy section of the browser to see what happened. They just set the settings to "localhost" and port 3128 for HTTP (their extension didn't extend it to HTTPS and FTP though, which was probably a coding typo; I put in the localhost and port number for those too, as going through HTTPS or FTP would give me a Bad Proxy notification otherwise).

    ZoneAlarm also caught a new program starting up when I installed the extension, "plink.exe" (the command prompt version of PuTTY). I thought that was a little funny, so I emailed tech support about it and got this:

    So they use open-source stuff to establish the SSH link to their proxy server. Alright. Next I went to www.whois.ws to see what they see. Apparently they buy bandwidth for their proxy from Electric Lightwave Inc based in Washington State. If you take a look at the HTML source on http://www.mysecureisp.com/test.shtml you'll see that it checks your current IP against 208.187.165.xxx.

    They DO seem to hide the address to their proxy, but it was pretty easy to find: p01.mysecureisp.com. I emailed tech support a second time about this and they gave me this (presumably to connect other programs to tunnel into their proxy that isn't Firefox or IE) without any trouble:

    Also note that the whois information physical address for www.mysecureISP.com AND the address they give on their website are both located in Sacramento, CA. Their site has also been active since 06-29-2005 according to www.whois.ws.

    DNS is handled through TUXFARM.COM when the MySecureISP connection is on, regardless of what you have in your network settings.

    Pluses: Email responses were returned within an hour or two. Even one at 8:00 P.M. PST! Probably means this is a startup business with guys monitoring customer support from home, but hey, cotse.net started out like that too.

    My connection actually feels faster too (this is the first time I've used a proxy that fed off my entire throughput, unlike TOR and the like who usually only give you around 40KBps).

    Minuses: Several broken links on their site. Especially puzzling was the broken link to the Firefox extension (that apparently was written a bit incorrectly as it only filled in proxy info for HTTP and not HTTPS and FTP). I'm sure someone will tell them eventually, but kinda unprofessional, especially for a site that only has 15 or so pages.

    When I paid for a one month trial of their service ($2!!) they only had 7 confirmed good transactions (which probably says they just started offering PayPal as a payment processor, but who knows).

    My opinion: Looks legit to me (especially seeing how they use PayPal, which would give nasty traces to any site owner who starts duping people with a fake proxy site).

    To anyone who thinks I'm a shill for this site because this is my first post: I've been frequenting this security forum for about a year and never posted because I've always found what I need via the forum search. Seeing this post piqued my interest so I thought I would contribute :)
     
    Last edited by a moderator: Sep 5, 2006
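
A check for the configuration described in the post above (a local listener on localhost port 3128, filled in for HTTP only), as an added example that is not part of the thread or the service's own code: it reads Firefox `prefs.js` text and lists the protocols that are not pointed at the local tunnel. The sample preferences are constructed; the `network.proxy.*` names are Firefox's own preference keys.

```python
import re

# Constructed sample: prefs.js as it would look with only the HTTP proxy set,
# the state the post describes right after installing the extension.
SAMPLE_PREFS = '''\
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "localhost");
user_pref("network.proxy.http_port", 3128);
user_pref("browser.startup.homepage", "about:blank");
'''

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);\s*$')
PROTOCOLS = {"http": "HTTP", "ssl": "HTTPS", "ftp": "FTP"}  # pref suffix -> label
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def parse_prefs(text):
    """Parse user_pref("name", value); lines into a dict of str/int/bool."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        if raw.startswith('"') and raw.endswith('"'):
            prefs[name] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[name] = raw == "true"
        else:
            prefs[name] = int(raw) if raw.lstrip("-").isdigit() else raw
    return prefs


def uncovered(prefs, port=3128):
    """Return labels of protocols NOT sent to the local tunnel listener."""
    manual = prefs.get("network.proxy.type", 0) == 1  # 1 = manual proxy config
    missing = []
    for key, label in PROTOCOLS.items():
        host = prefs.get(f"network.proxy.{key}", "")
        p = prefs.get(f"network.proxy.{key}_port", 0)
        if not (manual and host in LOCAL_HOSTS and p == port):
            missing.append(label)
    return sorted(missing)


if __name__ == "__main__":
    print("Not tunnelled:", uncovered(parse_prefs(SAMPLE_PREFS)))
```
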
  9. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Thanks for such an extensive reply.

    The Firefox link on their site isn't broken (nor was it earlier--at least around the time I started this thread). It opens a pop-up window that initiates the XPI installation.
     
  10. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    If it is legit, then why all the spyware, adware, trojan alerts?
    Are they all false positives?
     
  11. studtrooper

    studtrooper Registered Member

    Joined:
    Sep 5, 2006
    Posts:
    6
    Dammit! I totally did not see that my Firefox blocked the pop-up. Thanks for that :blink:

    There still are a few broken links (like in the FAQ when asked about how to use with a P2P program and the 'Download now' link on their plugins page for Internet Settings for ALL other IM & File Sharing Apps). I guess I can take that part off my minus side.
     
  12. studtrooper

    studtrooper Registered Member

    Joined:
    Sep 5, 2006
    Posts:
    6
    I just checked with Norton and Ad-Aware SE and I'm not seeing anything of the sort. The only way I could see this as not legit (and subsequently very dangerous) is if the installations (I haven't tried the IE plugin) tried to sneak a keylogger in.
     
  13. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    Did you look at the results from VirusTotal that TNT showed for mysecureisp-1.05.exe?

    If that is from the company itself, I would have serious reservations about anything that the company offers.
    Maybe it is a false positive, but until proved otherwise, it appears very suspicious.
     
  14. studtrooper

    studtrooper Registered Member

    Joined:
    Sep 5, 2006
    Posts:
    6
    I scanned that file with Norton and got an adware warning and a link to here:

    http://securityresponse.symantec.com/avcenter/cgi-bin/virauto.cgi?vid=4294906155

    My guess? It is a generic toolbar function that is two years old. MysecureISP used this so they can do what they did with the Firefox extension: make a MySecureISP tab in IE that allows you to connect and disconnect with the proxy server (essentially a tool for people who aren't fluent in crypto). The .exe also probably installed the plink.exe, a reg file with security hashes for the SSH, and a loadserver.

    I'm not too worried about it, but I will email MySecureISP's tech support and see what they have to say.
     
  15. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    Well, I agree. Anyway, yes, I downloaded it from the site. You can test this yourself if you don't trust that image. :D
     
  16. studtrooper

    studtrooper Registered Member

    Joined:
    Sep 5, 2006
    Posts:
    6
    Emailed tech support last night and got this:

    Ironically, they did just update their software to 1.10 from 1.05, they just didn't update their link yet (hxxp://www.mysecureisp.com/download/ie/mysecureisp-1.1.exe). I just tested this one and Norton or Ad-Aware didn't have a problem. Looks like I was right :D

    I don't know if it happened to anyone else though, but the program did not update proxy settings in IE for me. I had to add the "localhost" (I suppose 127.0.0.1 would work too) @ port 3128 for it to work.
     
    Last edited by a moderator: Sep 6, 2006
  17. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Well, NOD32 still detects this file as Win32/Adware.Softomate. Half-assed excuses aside, I sure as hell won't be installing it.
     
  18. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    So does KAV. Also BOClean detects it as malware, and detection was just added today for this new file (I checked it) with name "MYSECUREISP2"...
    Definitely not.
     
  19. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    Something else that occurs to me is... How can they possibly offer this service for $2/month or $10/year? Bandwidth and other overhead being what it is, I don't see how such pricing is viable.

    Unless, that is, the service is just an angle on [COUGH] the real business motive, and the pricing is designed to be alluring.
     
  20. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    Worse yet, it wouldn't be the first time a privacy provider offered cheap access because the whole thing was a honeypot! I'm not saying that's what's going on here, but with the other concerns, you have to consider all the possibilities. The cheap pricing makes me wonder. :shifty:
     
  21. studtrooper

    studtrooper Registered Member

    Joined:
    Sep 5, 2006
    Posts:
    6
    Hrm, you guys make valid points. I am now trialing www.http-tunnel.com. They've been in business for over 5 years so trust shouldn't be an issue there.
     
  22. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    The more I read, the less I want to use any of them. Five years, five minutes, what's the difference? The claims of having been taken over by the government or running as a honey pot may not be too far-fetched.

    I'd resort to simply using Tor for what it's worth, but it's so slow it's literally unusable.
     
  23. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    What makes you think "they" could not set up whole networks of TOR servers scattered all over?
    It's easy when they are using our money to fund it.

    Even an honest, legit, trustworthy provider could one day receive a nice NSL (National Security Letter) and suddenly be tongue tied and legally forced to do whatever is requested or go to jail.

    So then some providers have servers in countries outside US jurisdiction.
    Well, if they still have a presence within the US, then they are within US jurisdiction.
    And even if they are outside the reach, who is to say that the government holding the server doesn't have their own NSL setup. So who do you trust more, our government, or some other government?

    Let them listen and be bored to death. :D
     
  24. nameless

    nameless Registered Member

    Joined:
    Feb 23, 2003
    Posts:
    1,184
    I think it would really be something if the government owned every server at every hop in your Tor path. Really something indeed.

    Some other government. :)

    But anyway, I'm unsubscribing from my own thread, because it is devolving into a discussion over how Tor works.
     
  25. Devinco

    Devinco Registered Member

    Joined:
    Jul 2, 2004
    Posts:
    2,524
    I spoke incorrectly.
    I meant to say servers at key points within the TOR network, not the whole network.

    You're right, this is going off topic. There is more than enough devolution as it is in the world.

    Anyway, I won't be considering MySecureIsp.com any time soon. :thumbd:
     