Slashdot Mirror


Proxy Sites Offer Secret Passage to Myspace

JafSquared writes "As sites like MySpace.com gain popularity in young adults, schools all over are finding that taking measures to keep kids blocked out of these websites is becoming increasingly difficult. As this hype continues, proxy servers such as "Box of Prox" are springing up like wildfire. While system admins furiously work to diminish the strain placed on their school's local networks from sites like MySpace, these proxy sites are enabling easy access to restricted areas. However, schools aren't the only places that are feeling the heat. Proxies have also been becoming a bit of a complication in the workplace. To the more advanced user, the proxy server can become a tool for malicious intent as this article, delivering an anecdote with the termination of an employee, so poignantly details."

6 of 330 comments

  1. Needs more attentive blocking. by celardore · · Score: 5, Informative

    It is possible to filter out these sites with a little more work. For example, my company blocks any URL that contains 'proxy'. It also filters most proxy sites that you can find on Google.

    Also, if an admin notices they're getting a load of traffic to, say, http://surfinsecret.com/index.php?q=d3d3Lm15c3BhY2UuY29t&hl=1111101001 then they could just visit that link, see what it was and block away.

    I got around it by installing my own copy of phpproxy on my server and use it infrequently for certain sites. There's a lot of traffic to my domain anyway because I run an application my department uses on there, so it's fairly safe for me.
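
The log review described in the comment above, sketched as an added example (not part of the original comment): it flags direct hits, URLs containing 'proxy', and query values that base64-decode to a blocked host, as the `q=` value in the quoted URL does. The blocklist, the four-field log format, the client addresses and the `.example` hosts are assumptions made for the example.

```python
import base64
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed policy for this example: hosts the filter is meant to block.
BLOCKED_HOSTS = {"www.myspace.com", "myspace.com"}
HOST_RE = re.compile(r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[:/].*)?$", re.I)

# Constructed log (timestamp, client, method, URL); only line 1's URL is from the page.
SAMPLE_LOG = """\
2006-05-01T09:14:02 10.1.4.23 GET http://surfinsecret.com/index.php?q=d3d3Lm15c3BhY2UuY29t&hl=1111101001
2006-05-01T09:14:09 10.1.4.31 GET http://intranet.example/reports?id=42
2006-05-01T09:15:40 10.1.4.23 GET http://freeproxy.example/browse.php
2006-05-01T09:16:11 10.1.4.40 GET http://www.myspace.com/
"""


def decode_candidate(value):
    """Return the hostname a base64 query value decodes to, or None."""
    value = value.replace(" ", "+")  # parse_qsl turns '+' into a space
    padded = value + "=" * (-len(value) % 4)
    try:
        text = base64.b64decode(padded, altchars=b"-_", validate=True).decode("ascii")
    except ValueError:  # not base64, or not ASCII once decoded
        return None
    match = HOST_RE.match(text.strip())
    return match.group(1).lower() if match else None


def classify(url):
    """Return why a URL needs review ('direct', 'encoded:<host>', 'keyword') or None."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() in BLOCKED_HOSTS:
        return "direct"
    for _name, value in parse_qsl(parts.query):
        host = decode_candidate(value)
        if host in BLOCKED_HOSTS:
            return "encoded:" + host
    if "proxy" in url.lower():
        return "keyword"
    return None


def flag_requests(log_text):
    """Return (client, reason) for every log line that needs review."""
    rows = (line.split() for line in log_text.splitlines())
    scored = ((r[1], classify(r[3])) for r in rows if len(r) == 4)
    return [(client, reason) for client, reason in scored if reason]
```
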

  2. Re:welcome to 1995? by Anonymous Coward · · Score: 5, Informative

    Better news would have been to mention anonet. Since it's VPN-based it can traverse 99% of firewalls, not for malicious activity but to stop network admins spying on what you do. With the ability to use it with randomly assigned IP addresses, it's also a great way to connect home to work securely.

  3. Re:Proxies? by onebuttonmouse · · Score: 5, Informative

    This isn't flamebait. Proxies have been a problem for years and years, the advent of web two-point-oh does not have any bearing on the problem.

    --
    MacBook Pro. Worst name since the Bicycle
  4. Recent Joyous Discovery by Balthisar · · Score: 4, Informative

    Despite years of fiddling with my own home networks and hearing about ssh tunnelling, I'd never set up an ssh tunnel and never "got" the reasons for it. That's changed recently, and now I'm a convert. I know this is basic crap among most of the /. crowd, but here's how I can anonymously surf at work:

    I have Proxomitron at work to get through the firewall. It acts as a local proxy server, and works with our something-Point firewall. It seems like only ports 80 and 23 are open. No port 22 for ssh, and no ports for email.

    Using PuTTY configured to look at the local proxy server, I establish the appropriate ssh tunnels to my Linux box at home. I don't know why this works, so any explanation would be cool. I'm using port 22 via the Proxomitron local http proxy over the corporate http proxy to my plain vanilla Linux box. Fscking mystery to me how it works, but it does. Setting up PuTTY to work directly with the company firewall doesn't work, and I have no idea why. Proxomitron is required.

    Of course now with all the right tunnels, I can use Firefox on my Linux box or even Safari on my Mac (if I leave it on) via VNC, and I have instant anonymous surfing. Yeah, I know I'm using a helluvalot of bandwidth, and I generally don't need or do any anonymous surfing anyway.

    So, what's my traffic look like to my company IT boys for my interesting setup? I'm assuming that my secure ssh connection doesn't let anyone know what I'm doing over ssh; that's the point. But yet I have this traffic flowing out of Port 80 to Port 22 somehow, and it's either little tiny bursts when I'm working in bash, or it's a bandwidth hog if I'm using SAMBA or VNC over the connection.

    -----
    The whole initial point of the exercise was to talk to my MythTV box while on the road. All I wanted to do was ssh in to check my RAID status. I also had all kinds of ports open on my router so I could http into MythWeb, and Webmin, and MythStream, and SMB, and the router itself, and ftp, and generally a big mess. Now all I need is my single ssh port, and I'm good for everything without all of those open doors. At work I use PuTTY, at the hotel I've got my iMac (remind myself to look for an ssh tunnel control panel so I don't have to keep using the shell).

    Even with ssh, I'm subject to brute force attack, right? Wasn't there something like a magic knock I can set up so that I ping a certain sequence of ports in the right order, my ssh port opens up, otherwise being closed? Probably won't work for me, as I have a proprietary hardware router...

    --
    --Jim (me)
    1. Re:Recent Joyous Discovery by Anonymous Coward · · Score: 3, Informative

      It sounds like the firewall admins at your work are taking it pretty easy.....

      Checkpoint (and any 'decent' firewall these days) has the ability to do protocol inspection and enforcement of things like HTTP and if the admins at your work either upgrade to an appropriate version of Checkpoint or simply enable the protocol inspection (if already running appropriate code) they can easily enable the function to stop you doing what you're doing.
       
      ...which then means you have to try to tunnel your traffic within a TLS session (over tcp 443). Because the payload is encrypted when passing the border firewalls there's nothing they can do to inspect the traffic besides ensure conformance with TLS/SSL standards (and your tunneled traffic does). It takes a bit more work to set up the local and remote proxies but works a treat once properly configured (and I support the Checkpoint and PIX firewalls at work and previously worked for Cisco in the security team). There's simply no way to stop it as long as HTTPS traffic is permitted by your work proxy and there's very few that would block it these days.
       
      ...but then your IT team should have fully locked down SOE images to prevent you installing and running your own apps (Cisco CSA works well), have disabled USB, CD and floppy drives to prevent other OSes being booted and be running with locked down switchport security to prevent unauthorised systems from attaching to the network etc etc etc. You know, the whole blended security thing....

      ...but then who of us works for a company that's willing to kick down dollars for sensible security measures?
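
What the protocol enforcement discussed in the reply above checks, as an added example (not part of the original comment and not Checkpoint's implementation): a proxy-side verdict on a CONNECT tunnel based on the destination port and the client's first bytes. The port policy, the `home.example` host and the sample byte strings are assumptions constructed for the example.

```python
import re
import struct

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|PATCH|CONNECT) \S+ HTTP/1\.[01]\r\n")
SSH_BANNER = re.compile(rb"^SSH-\d\.\d+-")  # RFC 4253 identification string
# Assumed policy for this example: the protocol each destination port may carry.
PORT_POLICY = {80: "http", 443: "tls"}
# Constructed samples: an SSH client banner and the first bytes of a TLS ClientHello.
SSH_HELLO = b"SSH-2.0-ExampleClient_1.0\r\n"
TLS_HELLO = bytes([22, 3, 1, 0, 5, 1, 0, 0, 1, 0])


def classify_payload(data):
    """Name the protocol that the first bytes of a stream conform to."""
    if SSH_BANNER.match(data):
        return "ssh"
    if HTTP_REQ.match(data):
        return "http"
    if len(data) >= 6:
        ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
        # TLS record header: handshake (22), version 3.x, sane length,
        # followed by handshake type 1 (ClientHello).
        if (ctype == 22 and major == 3 and minor <= 4
                and 0 < length <= 16384 and data[5] == 1):
            return "tls"
    return "unknown"


def inspect_connect(request_line, first_client_bytes):
    """Verdict for a proxy CONNECT tunnel, given the client's first bytes."""
    m = re.match(r"^CONNECT ([^\s:]+):(\d+) HTTP/1\.[01]$", request_line)
    if not m:
        return "deny: malformed CONNECT"
    port = int(m.group(2))
    expected = PORT_POLICY.get(port)
    if expected is None:
        return f"deny: port {port} not permitted"
    seen = classify_payload(first_client_bytes)
    if seen != expected:
        return f"deny: {seen} on port {port}"
    return "allow"
```

An `allow` verdict says only that the stream opens like TLS; as the reply notes, the check has no view of the encrypted payload.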

  5. Re:Security by generic-man · · Score: 3, Informative

    For Yahoo Messenger and other IM programs, there are JavaScript clients like Meebo that have garnered a good reputation for being trustworthy. (How do you know it's secure? You don't, of course, but you don't do anything secure over IM anyway)

    Similarly, it's only a matter of time before the MySpace cottage industry cranks out a few JavaScript programs to read and reply to MySpace messages, post to blogs, and whatever other services MySpace offers.

    --
    For more information, click here.