Potential security breach in Anonymizer's Total Net Shield

Discussion in 'privacy technology' started by raco, Mar 13, 2007.

Thread Status:
Not open for further replies.
  1. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    Hello,

    I think that I might have found a security flaw in Total Net Shield (from Anonymizer.com). I need help to find out whether I'm wrong or not. I emailed Anonymizer but their answer is not satisfying (read below).

    Total Net Shield provides an encrypted tunnel from your computer to their HTTP proxy, using the SSH protocol. You are supposed to use the provided software to use the tunnel, but I found out that any SSH client will work (Anonymizer used to inform people about this but it's not the case anymore).

    If you use their software, then you won't notice anything particular. But if you use for example OpenSSH, here is what you get (I changed sensitive information into fake values):

    Code:
    bash$ ssh raco@10.10.10.10
    raco@10.10.10.10's password:
    Last login: Mon Mar 12 13:42:15 2007 from xxx.xxx.xxx.xxx
     (...welcome message...)
    
    Where 10.10.10.10 is the (fake, though I could have used the real one as it's not really private) address of anonymizer's SSH server and xxx.xxx.xxx.xxx is some IP address. If I logout, then login again, then xxx.xxx.xxx.xxx becomes my IP address. If I logout and come back later, xxx.xxx.xxx.xxx will be again another completely different address.

    The weird thing is that xxx.xxx.xxx.xxx is always very different from any Anonymizer's IP addresses that I know of, and usually belongs to some ISP in some place (so far, I have seen addresses from Indonesia, Vietnam, USA). I even got some addresses in the reversed form, for example xxx-xxx-xxx-xx.c3-0.frm-ubr1.sbo-frm.ma.cable.rcn.com.

    Of course, when you log in with your username and your password into any UNIX machine, you should see the time and IP address of your last connection and nothing concerning other users. Maybe Anonymizer made a mistake with their authentication system.

    I noticed this just after having bought Total Net Shield, so my account couldn't have been hacked and used by several people around the world only 5 minutes after it had been created.

    So I emailed Anonymizer about this. Their reply was "Those IP address are randomized for your protection. [...] None of these belong to a certain person.".

    Weird. It would be simpler to always use a fake address like 10.0.0.0. Or not to display anything, especially considering that their software does not display this information at all. And how come those randomized IP addresses always belong to some ISP somewhere? Why would someone create a system that randomly generates an IP address that exists and belongs to some ISP, just to have his SSH server sending a fake "Last login" line? And why do I see my own IP address if I quickly log out and then log in again?

    Either they lied to me, or they assumed that it was yet another script kiddie that emailed them announcing that he found a security flaw but in reality found nothing, and they didn't investigate further. By the way, if this is really a security flaw, then any script kiddie could discover it. I would rather call it "big mistake" than "security flaw".

    There's only one way for me to know for sure: buying a second account. But if anyone here has an account, he could help me. I would just log into my account and tell him what my IP address is, and then he would log into his account just after me and tell me whether or not he can see my address. Can anyone do that?

    It can look like a small flaw, but a web site administrator could quite easily find out the real IP address of a frequent visitor because of it (it may be off topic, but the administrator could cross-check several pieces of information to do this, such as time of visit, user-agent, TCP/IP fingerprinting... possibly using automated processes).
     
  2. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    If you see your own address listed, then they are clearly not randomising the addresses immediately though they could be doing so at a later point. I'd suggest asking them to confirm exactly how and when this randomisation occurs - if you have any means of varying your IP address (changing it with your ISP or connecting via a separate method, e.g. dialup), this may help confirm matters.

    I don't use Anonymizer myself so can't suggest anything further.
     
  3. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    Thanks, Paranoid2000.

    I sent 3 emails to the Anonymizer support, and 2 different people replied to me. I'm waiting for the answer to my third email. When I told them that it would be easier not to display anything, or to display a fake IP address like 0.0.0.0, rather than creating a random real IP address which is useless, they answered this to me:
    It seems that they don't get the point at all. They act like I'm a newbie who doesn't know how it works. They must be trained to help people with the Windows software provided by Anonymizer, and I guess they don't know how all this works "behind the scenes". They probably never used a UNIX shell and don't know what this "Last login..." line is.

    And they don't forward my email to the people at Anonymizer's who could understand it. They just keep saying to me that everything is ok.

    I tried to connect from some IP address, then re-connect from another IP address. I can see the first address the second time I log in. Moreover, host names I can see which are not mine sometimes look like xxx.adsl.some-ISP.com, so I'm really starting to think that there is a huge security flaw in their system.

    But they don't want to listen to me and I can't find another email address than the one for the support. I hope I won't have to buy another account to prove what I'm saying (and they probably wouldn't understand the proof either).
     
  4. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    They do seem to be missing the point - although this is pretty limited (allowing one Anonymizer account holder to discover the real IP address of another), it should be easy to fix and you would expect an anonymity service to take such matters more seriously.

    If they don't then voting with your feet would seem the best option - if they fail to address this then how likely are they to act on more serious issues?
     
    Last edited: Mar 14, 2007
  5. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    This is a serious issue.

    They use DNS load balancing for their SSH server and have 12 machines. I noticed that each machine is not used very often: usually I can see that the "Last login" line still shows my own last login after one or more hours (I just checked for the server I'm using now and nobody used it for the last 3 hours).

    Let's say you are a web site admin and want to find out the real IP of some anonymized visitor. You manage to make a web page with a CGI that, when it sees an IP of Anonymizer (easy to recognize), runs a shell script that will get the last 12 IP addresses. Do this for each visit of the guy and you'll certainly find the IP.

    You could even try to list all the IP used this day by Anonymizer users (their whole system doesn't seem to get more than 100 or 150 incoming connections per day), knowing that any user gets disconnected after 24 hours.

    If you end up with several IP addresses without knowing which is the one you want, you can go further. Use TCP/IP fingerprinting to find out which operating system is used on each computer and compare with what you have in the logs of your web server (usually you can tell the OS from the User-Agent). Compare the location and the language used on your web site, time of visit, etc.

    I think that in the worst case, you'll have the right IP among a few others. This flaw really can take your anonymity away.
     
  6. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    The "previous IP" address is only shown after a successful Anonymizer login which means that the webmaster in your example would need to have a working Anonymizer account - even then he has no way of being sure that the IP displayed is yours rather than that of another Anonymizer user. Whether these limitations still make the problem serious is down to personal perspective.
     
  7. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    I paid 100 dollars to the self-proclaimed world leader in anonymity in order to hide my IP address, and 5 minutes later I found out that my IP address is given to the first user that comes after me. Guess how my perspective is ;) .
     
  8. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    It should be addressed - today.

    Have you tried calling the Anonymizer's offices? Tell them you have an urgent security issue for Lance Cottrell. He's the founder and now the "Chief Scientist." He knows his stuff and I am certain would want to know about this ASAP. Another good way to reach the powers-that-be is to get in touch with their PR people. Tell them it is urgent that someone other than telephone support call you.

    PR for Anonymizer is handled by Paula Dunne with ContosDunne Communications. 408.776.1400


    Good catch, raco!

    GP
    -------------------------
     
  9. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    Thank you Genady, but I prefer not to phone because my spoken English is really bad. I never really had the occasion to speak in this language and I fear I won't be understandable.

    I'll try to send another email. Each new email will be tailored more specifically to the recipient's abilities :D. At least they will (hopefully) realize that any message talking about a security problem should be transferred to the proper people.

    I'm glad to hear that Lance Cottrell knows his stuff, but what a pity that he didn't do what I did: use the service for the first time and wonder "whose IP address is this?". Yes I'm (slightly) teasing him, but I could ask for a refund. ;)
     
  10. Genady Prishnikov

    Genady Prishnikov Registered Member

    Joined:
    Mar 9, 2006
    Posts:
    350
    raco...

    I understand.

    Try this:
    paula (at) contosdunne.com

    Say in your email what I suggested you say in a phone call.

    BTW, as per Lance Cottrell.... Ever heard of the Mixmaster protocol? The original Mixmaster Remailer? He designed it all - by himself. He would want to know if there is a security breach with Anonymizer. Trust me. Again, good catch. Let us know!
     
  11. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    Ok, I'll try this if my last email doesn't work. Thanks. I'll let you know if anything happens.

    I believe you. I can't blame him, he may have nothing to do with this problem.
     
  12. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    I sent another email more than one day ago. The recipients were the Anonymizer support, Lance Cottrell (found his email on the web) and Paula Dunne. I got no answer. I gave them this thread's URL.

    Maybe they don't want to admit that they made such a big mistake.
     
  13. LanceCottrell

    LanceCottrell Registered Member

    Joined:
    Mar 16, 2007
    Posts:
    1
    Not at all. It just takes a while for me to get through the volume of email I receive. I certainly appreciate having this brought to my attention. I am sorry you had trouble escalating this issue to me. I will try to streamline that process. As you might imagine there are many false reports for every serious issue like this.

    As you know, the purpose of the "Last login:" field is to alert you to a security breach in your account. If the last login IP address is not familiar it tells you that your account has been accessed by someone else. Because the average user has no idea what their IP is or what it means, we don't show that in the normal interface. It is really a power-user feature.

    We have tested the system from many different accounts to try to reproduce the described behavior, and have never seen an unfamiliar IP address.

    From the description of the problem it appears that your account has in fact been breached. I suggest the problem is most likely to be a weak password. Please try this experiment. Change your password to something very strong, then continue to monitor for this behavior.

    Please contact me directly with the results of your tests.
     
  14. saycure

    saycure Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    1
    Wow,
    everybody has said everything, but nobody has mentioned: if this software isn't sufficient enough for our needs, what else do we need to use?
    What is a better replacement?
    Would anyone suggest one?
    I'm currently using JAP and it's great.
    Trust me guys, it's great.
    But they have now released a beta version and soon it will be final.
    Currently it's totally free with fictional payment, but soon they'll charge by the kilobyte.
    This Total Net Shield has a benefit: it's a one-time payment for the year.
    Now, would anybody suggest what is needed to access the internet using a better replacement for Total Net Shield, one which offers anonymity as well as privacy in surfing like JAP, to be able to access any site, blocked or not by your ISP?
    I would suggest FREEDOM,
    it's good.
    But if anybody has any ideas, they're most welcome to reply.
     
  15. raco

    raco Registered Member

    Joined:
    Mar 12, 2007
    Posts:
    12
    Hello,

    First of all, I should say that the problem is fixed. The "Last login" line has been removed. This "power-user feature" doesn't exist anymore ;-). According to Mr Cottrell, a small fraction of the users was affected by this problem. I still don't know what exactly caused this, and it seems that Anonymizer doesn't know either, or doesn't want to tell.

    Anonymizer's web site still says that "Anonymizer identity protection solutions have been used to protect billions of Web pages without a single security breach since the company's inception in 1995", but several security flaws have been reported (just search the web).

    Total Net Shield may be a good product if you just need to browse the web or send an email with a good level of anonymity. The speed is quite good (though it can be slow at times). Unfortunately, it is unable to provide anonymity for a lot of things, like IRC (where it would be quite needed). You can only anonymize web, email, newsgroup, ICQ, and that's all.

    I found another anonymity service, www.findnot.com, but I have not tested it yet. It costs the same as Anonymizer, and it has many, many advantages:
    - You can register anonymously, without providing your name or credit card number (by sending cash, but you can also pay by credit card via google checkout or egold).
    - They have 34 servers on 10 IP blocks in 7 different countries, and you can choose the server you want to use at any time. For example, you can pretend you're located in Germany or Malaysia. Anonymizer always uses the same IP block and is blacklisted on some websites.
    - They have a clear log policy (logs are kept 5 days then deleted).
    - They offer Socks Proxy, SSH Proxy, PPTP VPN or OpenVPN, so you can fully anonymize every single Internet application, not just web and email.
    - They offer an anonymous file storage service.
    - They offer support 7 days a week.

    Just look at the competitive analysis on the findnot website. You can request a free trial account.
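    The server-side change that produces the outcome reported above (no "Last login" line at login), as an added illustration from the editor rather than Anonymizer's actual configuration. It assumes the front-end servers run OpenSSH, which the thread never states (it only says any SSH client works); both directives are documented sshd_config(5) options. Turning the line off hides the symptom only: sshd still records each login in lastlog, so whether one customer's record can reach another customer depends on how the accounts are set up on the host, which this thread never establishes.

```sshd_config
# /etc/ssh/sshd_config  (assumed OpenSSH; the real server setup is not known)

# Do not print "Last login: <time> from <origin>" after authentication.
# This removes the banner discussed in the thread, but the record itself is
# still written and remains readable on the host with lastlog/last.
PrintLastLog no

# Do not reverse-resolve the client address.  With DNS lookups on, the banner
# and the logs show hostnames such as xxx.cable.rcn.com instead of a bare IP,
# which is the "reversed form" seen in the thread.
UseDNS no
```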
     