A Web-Based Proxy Server Is As Safe and Useful As a Frontal Lobotomy!
by Kevin M. Nixon, MSA, CISSP, CISM
Open, anonymous web based proxy servers may be honeypots to steal your information, or may be an incorrectly configured server (belonging to someone else) which has been left open accidentally. This allows the honeypot operator to snag your data on the fly, while appearing to be a legitimate "business". Do you really want your most confidential information "protected" by a business that "operates soley off money derived from advertising shown during the proxy session"?
Hello, is anyone in there?!? Why was the State of Alaska's Information Security Officer allowing private, non-public information to be transmitted by the State's "Executive Officer" via an uncertified, non-FISMA compliant, non-HIPAA compliant, non-FACTA compliant, non-GLBA compliant, non-NIST compliant, public, web-based, proxy server?
Need more proof just ask the maverick from Alaska, Sarah Palin who had her email hacked because she was using Ctunnel.com.
The Alaska governor could face charges for conducting official state business using her personal, unarchived e-mail account (a crime); some critics accuse her of skirting freedom-of-information laws in doing so.
Why would anyone hand over trusted TCP/IP addresses (along with data being transmitted) to any company that has a policy like Ctunnel.
Ctunnel.com's disclosure statement:
"To earn your trust I will be as open and honest with you as possible. See below for information about who I am and why I run this service. Open proxies may be honeypots to steal your information, or may be left open accidentally and be down tommorow, or be otherwise unreliable. Ctunnel however, operates soley off money derived from advertising shown during the proxy session, and therefore will not be down tommorow. Because our visitors value their privacy, it is not in our interests to spy on you, lest we lose traffic and advertising revenue. Because government subpenoa could require us to hand over our server access logs, access logs are regularly deleted to protect your privacy."
Most web based proxy server operators are not FISMA, FACTA, HIPAA, GLBA or SOX compliant. These are the laws and regulations we depend on to protect our privacy and require specific steps to be taken to insure protection.
If State Governments or Federal Agencies use these types of unsafe services, how can we expect Banks, Corporations, Hospitals and the Executives and Senior Managers of those institutions to take the laws, regulations, fines and punishment seriously. A lack of knowledge or understanding of the law does not, (repeat DOES NOT) provide relief from prosecution.
Now, think about the current state of the global economy. If publicly-traded Corporations use these services and do not disclose the risk in their Sarbanes-Oxley (SOX) disclosures to the Securities and Exchange Commission (SEC) they are committing a Crime and deserve the fines and deserve to serve the time in prison as stipulated by law. We hear calls for stiffer regulations, oversight and transparency, but; do we really know how much of our private information is "out walkin' around" already?
In short, you get what you pay for. A "protection product" that earns money from web ads or charges $9.95 per month should be a great big red flag.
Companies, executives and security folks need to stop doing things on the cheap. All anyone has to do is view the hacker web sites and read how easy it is to obtain the info off of web based proxy servers. There are even new browser plug-in "toolz" that make hacking a "point and click" operation.
Anyone that considers open, anonymous web based proxy servers totally safe should simply post all of their bank account numbers, passwords and any other highly confidential data on a wide open website for all to see.
Copyright © 2008 - Kevin M Nixon - All Rights Reserved.
This article may be referenced, quoted, reprinted in whole or part provided that the author is credited.
Related Links:
"Sarah Palin's E-Mail Hacked" By M.J. Stephey, TIME.com, Wednesday, Sep. 17, 2008