Web sites work to punch holes in corporate Web filters

By Bill Brenner, Senior News Writer 27 Apr 2006 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

In an enterprise like Washington Group International Inc., which has 20,000 employees and locations across the globe, there's always the chance someone will try to visit Web sites or use programs that are forbidden by company policy.

Ed Biancarelli, senior IT security director for the Boise, Idaho-based engineering, construction and management firm, has strict Web-use policies banning peer-to-peer (P2P) programs as well as porn and gambling Web sites. He uses an intrusion prevention (IPS) appliance to block workers from violating that policy, but he's found that even the strongest of security tools can't keep everyone from doing what they shouldn't.

"We are not a high-tech company, so the threat of people circumventing the policies is not widespread," he said. "But we have had instances of uncovering P2P file sharing and there are people using IM and we don't allow that."

For Biancarelli and other IT pros, there's another problem: office Web surfers who may not be malicious, but think security blocking programs are a tool of Big Brother. Employees of this mindset are finding places in cyberspace where they can get help with circumventing corporate security measures, according to Joseph Cortale, senior VP of worldwide sales and marketing for Vericept Corp.

"Companies are trying to protect customer data and intellectual property, and they're concerned [because] so many breaches are perpetrated by people on the inside," said Cortale, whose Denver-based company helps Biancarelli monitor the content employees access online. "There's URL filtering technology that prevents employees from going to various sites," Cortale said, "but there are some Web sites that tell employees how to circumvent these programs."

Peacefire is mainly about fighting censorship... If you choose to work for someone, on the other hand, you kind of have to play by their rules. Bennett Haselton freelance programmer, Peacefire.org

He said one of those sites is the popular BoingBoing blog. Indeed, BoingBoing has an entire page dedicated to showing people how to "defeat censorware."

"If your employer or corrupt, undemocratic, dictator-based government uses a filtering service … to block access to BoingBoing.net or anything else online," the blog said, there are a variety workarounds. One of which is a piece of proxy software called Circumventor, created by Peacefire; a group that represents "the interests of people under 18 in the debate over freedom of speech on the Internet," according to its Web site.

"Install this software on your home computer and allow others to use your proxy to access the Web," BoingBoing said, "or use your proxy from work or school to access any Web site."

The Peacefire Web site and mailing lists are managed by Bennett Haselton, a freelance programmer based in Seattle. In an e-mail interview, Haselton said his group's goal isn't to undermine information security. In fact, he said some of the sites enterprises choose to block are far from threatening.

"With regard to BoingBoing specifically, it's highly unlikely that they would knowingly link to something that could harm someone's computer, at least not without giving the user a warning of what could happen," he said. "And a URL linked from BoingBoing is probably less likely to be dangerous than a URL selected from the Web completely at random."

Besides, he said, even if an outside attacker were to use a malicious Web page to run an unauthorized program on someone's computer, nearly any corporate firewall would make that task almost impossible. Furthermore, he said, companies should have internal network restrictions in place so that even if one person's machine were compromised, "their user account should not be able to access sensitive information unless they've been specifically approved to access it."

He said people who have access to sensitive information should only be those educated enough to follow rules that protect them from things like spyware.

Haselton stressed that his group does not advocate circumventing enterprise security controls.

"Peacefire is mainly about fighting censorship aimed at young people or citizens of oppressed countries, in both cases because they're the ones who don't have a choice," he said. "If you choose to work for someone, on the other hand, you kind of have to play by their rules."

However, Cortale said, even when the intentions of a group like Peacefire or an organization's employees are good, there's always the risk that some company insider will take a tool meant for legitimate use and twist it for malicious purposes.

"Our customers recognize there are employees who will try stealing assets for monetary gain," Cortale said. For those in the workplace who feel they should be able to browse any Web site they want, he said, "That's what home computers are for."

Tags: Web Authentication and Access Control,  Security Industry Market Trends, Predictions and Forecasts,  Security Awareness Training and Internal Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Web Authentication and Access Control Group to shed light on secure identity management threats How to confirm the receipt of an email with security protocols Schneier-Ranum Face-Off: Is Perfect Access Control Possible? Kaminsky reveals key flaws in X.509 SSL certificates at Black Hat Changing times for identity management How to use single sign-on for Web access control to prevent malware IBM USB banking device stops keyloggers, malware Can mutual authentication beat phishing or man-in-the-middle attacks? Could someone place a rootkit on an internal network through a router? Sun launches open source OpenSSO for identity management Security Industry Market Trends, Predictions and Forecasts Hackers to sharpen malware, malicious software in 2010 Part 1: Marcus Ranum on the state of information security Part 2: Marcus Ranum on the state of information security Part 4: Marcus Ranum on the state of information security Part 3: Marcus Ranum on the state of information security Part 5: Marcus Ranum on the state of information security Layoffs prompt insider threat fears, cybersecurity survey finds Healthcare security spending remains sluggish, report shows How to use Internet security threat reports M86 buys Web security gateway vendor Finjan Security Industry Market Trends, Predictions and Forecasts Research Security Awareness Training and Internal Threats Health Net breach failure of security policy, technology Health Net healthcare data breach affects1.5 million Massive T-Mobile UK security breach involves insiders Secure your remote users in 2010 Layoffs prompt insider threat fears, cybersecurity survey finds How to use Internet security threat reports Creating a HIPAA employee training program Successful rogue antivirus hinges on social engineering External attacks start with unintentional mistakes, survey finds Security technologies fail to address insider threat management

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary access log  (SearchSecurity.com) anonymous Web surfing  (SearchSecurity.com) authentication, authorization, and accounting  (SearchSecurity.com) identity chaos  (SearchSecurity.com) knowledge-based authentication  (SearchSecurity.com) multifactor authentication (MFA)  (SearchSecurity.com) walled garden  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary