
IP cloaking becoming a business necessity

By Anne Saita, News Director
09 Dec 2005 | SearchSecurity.com

Security Wire Daily News

SAN DIEGO -- So much for trade secrets. Not long ago, a company unwittingly tipped its hand when planning to buy another business.

How? Lawyers, investment bankers, consultants, executives and directors suddenly hammered the investor relations section of the targeted firm's Web site. Their IP addresses gave them away.

Realizing it was going to be bought, the targeted firm called another company and shared its rival's still-secret plans, thus launching a bidding war. In the end, the first company won the battle, but it paid $15 million more than it should. A more covert search for information may have prevented that.

"This seems to be a very common scenario," explained Lance Cottrell, founder, president and chief scientist for San Diego-based Anonymizer Inc., at Thursday's Usenix Large Installation System Administration conference. Though his 11-year-old company is best known for consumer privacy, enterprise interest has surged regarding cloaking online activity used to gather intelligence and prevent information leakage.

Such behavior is nothing new. For years companies have tracked nosy competitors through reverse IP address lookup sites like whois.com, which provide an IP address's domain, physical location and sometimes even contact information and clipboard contents of site traffic. That data can then be analyzed for patterns. "You're really advertising to people what you're doing and what your interests are," Cottrell said during a presentation on Internet counter-intelligence.
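To make the exposure concrete, the following added example (not part of the original article or of any Anonymizer product) shows what a site operator can read out of an ordinary access log once source addresses are attributed to their owners. The log lines, the `/investors/` path and the netblock-to-owner table are constructed for illustration; the addresses are documentation ranges.

```python
import ipaddress
import re
from collections import Counter

# Constructed netblock-to-owner table, standing in for the results of
# reverse-IP/whois lookups. Addresses are RFC 5737 documentation ranges.
NETBLOCK_OWNERS = {
    "192.0.2.0/24": "Example Law LLP",
    "198.51.100.0/24": "Example Investment Bank",
    "203.0.113.0/24": "Residential ISP",
}

# Constructed access-log lines in Common Log Format.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Dec/2005:09:01:12 -0800] "GET /investors/annual-report.pdf HTTP/1.1" 200 48211
192.0.2.11 - - [08/Dec/2005:09:03:40 -0800] "GET /investors/sec-filings.html HTTP/1.1" 200 9120
198.51.100.7 - - [08/Dec/2005:09:15:02 -0800] "GET /investors/board.html HTTP/1.1" 200 3310
198.51.100.7 - - [08/Dec/2005:09:16:45 -0800] "GET /investors/annual-report.pdf HTTP/1.1" 200 48211
203.0.113.50 - - [08/Dec/2005:10:00:00 -0800] "GET /products/index.html HTTP/1.1" 200 5120
203.0.113.51 - - [08/Dec/2005:10:05:00 -0800] "GET /investors/board.html HTTP/1.1" 200 3310
not a log line
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD|POST) (\S+) [^"]*" \d{3} \S+$')

def owner_of(ip_text):
    """Return the owner of the netblock containing ip_text, or None."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:  # logged client field was a hostname or garbage
        return None
    for cidr, owner in NETBLOCK_OWNERS.items():
        if ip in ipaddress.ip_network(cidr):
            return owner
    return None

def interest_by_owner(log_text, path_prefix):
    """Count requests under path_prefix per netblock owner."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group(2).startswith(path_prefix):
            continue  # malformed line, or a path outside the section of interest
        hits[owner_of(m.group(1)) or "unknown"] += 1
    return hits

def flagged(log_text, path_prefix, threshold):
    """Owners whose request count under path_prefix meets the threshold."""
    counts = interest_by_owner(log_text, path_prefix)
    return sorted(owner for owner, n in counts.items() if n >= threshold)
```

Requests arriving from a shared or residential range carry no such attribution, which is the property the masking services described in this article rely on.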


But masking such activity is gaining in popularity, particularly by using tools and services that run traffic through a different network. Creating a new IP address this way prevents a competitor from counterstriking.

Another basic countermeasure is IP-based blocking, where certain addresses are barred from accessing a site. One retail tire store found itself in a frustrating situation due to this technique, Cottrell recalled. The company advertised that it would match any competitor's price, but when a customer would come in and cite someone else's online deal, the tire shop couldn't look it up on the Web because its IP address had been blocked. When they tried to call for the information, it also was blocked by Caller-ID. "It was a big problem for them," Cottrell said.

IP-based spoofing, on the other hand, directs certain IP addresses to fake Web sites containing false or misleading information. The tactic can be used to throw off rivals. During the IT boom of the late 1990s, a Fortune 500 company set up its site so that anyone coming from a competitor's IP address was sent to a different home page -- one opening with a job offer. Another, similar technique is IP-based cloaking, which configures a legitimate Web site to display inaccurate or incomplete information only when it is accessed from certain IP addresses.

Spoofing, though, is more common and comes in different flavors. Multi-server spoofing sets up several servers -- usually DNS- or router-based -- to create duplicate Web sites. Redirect spoofing sends specific traffic to an alternate page within the site. One such method, called pagejacking, redirects traffic to another site to improve search engine rankings.

Among the more interesting tricks is dynamic spoofing, which culls select criteria from known IP addresses to alter or hide pages, individual links, ads or banners and even price and availability information. For instance, if one airline knows a competitor checks its site for fares daily, it can jack up the price only when a rival's IP address tries to access the site. This can cause the other airline to advertise higher, unattractive tickets.

Major retailers sometimes employ this technique by displaying only expensive merchandise based on customers' past buying habits. If you've paid full price for an item in the past, you're less apt to find sales when you access the site later. "Each time you show a willingness to pay X, you are only shown that going forward," Cottrell explained. "Unfortunately, it's a system that's explicitly designed to screw loyal customers."

Less aggressive counter-intel involves tracking users via log analysis and Web bugs. The companies most at risk of information leakage through online use are those involved in mergers and acquisitions, research and development teams, attorneys and their clients and anyone handling intellectual property.

In each of these situations, their online activity -- what sites they visit and when and how often -- could clue in others on their intentions. As Cottrell described, "You're playing poker with your hand face-up."
