
A Web-Based Proxy Server Is As Safe and Useful As a Frontal Lobotomy!

by Kevin M. Nixon, MSA, CISSP, CISM

Open, anonymous web based proxy servers may be honeypots set up to steal your information, or may be an incorrectly configured server (belonging to someone else) which has been left open accidentally. Either way, the operator can capture your data on the fly while appearing to be a legitimate "business". Do you really want your most confidential information "protected" by a business that "operates solely off money derived from advertising shown during the proxy session"?

Hello, is anyone in there?!? Why was the State of Alaska's Information Security Officer allowing private, non-public information to be transmitted by the State's "Executive Officer" via an uncertified, non-FISMA compliant, non-HIPAA compliant, non-FACTA compliant, non-GLBA compliant, non-NIST compliant, public, web-based, proxy server?

Need more proof? Just ask the maverick from Alaska, Sarah Palin, who had her email hacked because she was using Ctunnel.com.
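The control the author says was missing is an egress check that catches staff routing traffic through a web-based proxy. The following is an added example, not code from the original article: it scans constructed Squid-style access log lines and flags a request either because the destination host is on a watch list (ctunnel.com is the only name taken from the page; the rest are placeholders) or because the query string carries an embedded absolute URL, the hallmark of a CGI-style web proxy.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Watch list: ctunnel.com is named on the page; the other entry is a placeholder.
KNOWN_WEB_PROXY_HOSTS = {"ctunnel.com", "example-webproxy.invalid"}

# Constructed Squid-style access log lines (timestamp, duration, client IP,
# result code, bytes, method, URL, user, hierarchy, content type).
SAMPLE_LOG = """\
1224180000.123 215 10.1.2.3 TCP_MISS/200 4521 GET http://ctunnel.com/index.php?q=http%3A%2F%2Fmail.example.com%2Finbox - DIRECT/203.0.113.5 text/html
1224180001.456 120 10.1.2.4 TCP_MISS/200 1834 GET http://www.example.org/news - DIRECT/203.0.113.9 text/html
1224180002.789 310 10.1.2.5 TCP_MISS/200 9988 GET http://some-cgi-proxy.invalid/browse.php?u=https%3A%2F%2Fportal.example.gov%2Frecords - DIRECT/203.0.113.7 text/html
"""

ABSOLUTE_URL = re.compile(r"^https?://", re.I)


def flag_line(line):
    """Return (client_ip, proxy_host, embedded_target) when the request looks
    like use of a web-based proxy, otherwise None."""
    fields = line.split()
    if len(fields) < 7:
        return None
    client_ip, url = fields[2], fields[6]
    parts = urlsplit(url)
    host = parts.hostname or ""
    embedded = None
    # A CGI proxy receives the real destination as a URL-encoded query value.
    for values in parse_qs(parts.query).values():
        for value in values:
            if ABSOLUTE_URL.match(value):
                embedded = value
    if host in KNOWN_WEB_PROXY_HOSTS or embedded:
        return (client_ip, host, embedded)
    return None


def flag_web_proxy_use(log_text):
    """Apply flag_line to every line and keep the hits."""
    return [hit for hit in (flag_line(l) for l in log_text.splitlines()) if hit]


if __name__ == "__main__":
    for client, host, target in flag_web_proxy_use(SAMPLE_LOG):
        print(f"{client} used web proxy {host} to reach {target}")
```

The embedded-URL heuristic catches proxies that are not yet on the watch list, which matters because the page's point is that such services appear and disappear overnight.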

The Alaska governor could face charges for conducting official state business using her personal, unarchived e-mail account (a crime); some critics accuse her of skirting freedom-of-information laws in doing so.

Why would anyone hand over trusted TCP/IP addresses (along with the data being transmitted) to any company that has a policy like Ctunnel's?

Ctunnel.com's disclosure statement:

"To earn your trust I will be as open and honest with you as possible. See below for information about who I am and why I run this service. Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tomorrow, or be otherwise unreliable. Ctunnel however, operates solely off money derived from advertising shown during the proxy session, and therefore will not be down tomorrow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpoena could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy."

Most web based proxy server operators are not FISMA, FACTA, HIPAA, GLBA or SOX compliant. These are the laws and regulations we depend on to protect our privacy, and they require specific steps to be taken to ensure that protection.

If State Governments or Federal Agencies use these types of unsafe services, how can we expect Banks, Corporations, Hospitals and the Executives and Senior Managers of those institutions to take the laws, regulations, fines and punishment seriously? A lack of knowledge or understanding of the law does not (repeat: DOES NOT) provide relief from prosecution.

Now, think about the current state of the global economy. If publicly-traded Corporations use these services and do not disclose the risk in their Sarbanes-Oxley (SOX) disclosures to the Securities and Exchange Commission (SEC), they are committing a Crime and deserve the fines and deserve to serve the time in prison as stipulated by law. We hear calls for stiffer regulations, oversight and transparency, but do we really know how much of our private information is "out walkin' around" already?

In short, you get what you pay for. A "protection product" that earns money from web ads or charges $9.95 per month should be a great big red flag.

Companies, executives and security folks need to stop doing things on the cheap. All anyone has to do is view the hacker web sites and read how easy it is to obtain information off of web based proxy servers. There are even new browser plug-in "toolz" that make hacking a "point and click" operation.

Anyone that considers open, anonymous web based proxy servers totally safe should simply post all of their bank account numbers, passwords and any other highly confidential data on a wide open website for all to see.

Copyright © 2008 - Kevin M Nixon - All Rights Reserved.
This article may be referenced, quoted, reprinted in whole or part provided that the author is credited.

Related Links:

"Sarah Palin's E-Mail Hacked" by M.J. Stephey, TIME.com, Wednesday, Sep. 17, 2008

Originally posted to Mr Sandman on Thu Oct 16, 2008 at 11:55 AM PDT.



  •  huh? (2+ / 0-)
    Recommended by:
    SilverWings, Mr Sandman

    I'm confused. I thought it was the hacker who was using the Ctunnel browser proxy to break into Palin's Yahoo accounts, not the State of Alaska. Am I missing something?

    I think the bigger privacy issue is that Ctunnel has the logs of the hacker's activity, and that they will turn that data over to law enforcement. Which in this case is probably the right thing to do, of course, but the implication is that anonymous proxy servers do keep logs and that it's not inconceivable that an admin could pinpoint an individual user's activities.

    •  Palin was using Ctunnel.com (1+ / 0-)
      Recommended by:
      SilverWings

      Hey "tully monster",
      Thanks for the question. I included the CNN & Time.com article from Wednesday, Sept 17th as a related link for reference (bottom of article).

      You are 100% correct, it was a Yahoo! email account; however, that account was used to conduct official state business. That happens to be in violation of Federal law. The Secret Service had already "hacked in" to all of her email accounts to determine if she was able to be spoofed.

      State law does not supersede Federal law, especially when it comes to the Federal Information Security Management Act (FISMA) and NIST-800 Standards, which require that states and state agencies that accept Federal Funds follow the Federal Standards.

      Forwarding your government email to your Yahoo! email box is a violation. It exposes confidential data to an unsecured environment.

      Good question. Thanks for keeping me on my toes.
      Sandman

      Kevin M Nixon, MSA CISSP CISM

      by Mr Sandman on Thu Oct 16, 2008 at 12:30:18 PM PDT

      [ Parent ]

  •  Infosec risks = next iceberg to hit markets. IMHO. (1+ / 0-)
    Recommended by:
    Mr Sandman
    (Disclosure: I know & work with the author.)
