Wednesday, March 4, 2015

Searching Safely When HTTPS is Mandatory



Nobody wants anyone looking at their search history. I get it. I mean, look at mine  —oh wait, don't—that's quite embarrassing. Those were for a friend, honestly.

Fortunately for us, it's pretty difficult to dig into someone's search history. Google even forces you to log in again before you can view it in its entirety. Most search engines now encrypt our traffic by default, too —some even using HSTS to make sure our browsers always go secure. This is great news for consumers, and means our privacy is protected (with the noticeable exception of the search provider, who knows everything and owns your life, but that's another story).

This all comes a little unstuck though - sometimes we want to be able to see inside searches. In a web filtered environment it is really useful to be able to do this. Not just in schools where it's important to prevent searches for online games during lessons, but also in the corporate world where, at the very least, it would be prudent to cut out searches for pornographic terms. It's not that difficult to come up with a handful of search terms that give potentially embarrassing image results.

So, how can we prevent users running wild with search engines? The first option is to secure all HTTPS traffic with "decrypt and inspect" type technology —your Smoothwall can do this, but you will need to distribute a certificate to all who want to use your network to browse the web. This certificate tells the browser: "trust this organisation to look at my secure traffic and do the right thing". This will get all the bells and whistles we were used to in the halcyon days of HTTP: SafeSearch, thumbnail blocking, and search term filtering and reporting.

Full decryption isn't as easy when the device in question is user-owned. The alternative option here is to force SafeSearch (Google let us do this without decrypting HTTPS) but it does leave you at their mercy in terms of SafeSearch. This will block anything that's considered porn, but will leave a fair chunk of "adult" content and doesn't intend to cover subjects such as gambling —or indeed online games. You won't be able to report on any of this either, of course.

Some people ask "can we redirect to the HTTP site" - this is a "downgrade attack", and exactly what modern browsers will spot, and prevent us from doing. We also get asked "can we resolve DNS differently, and send secure traffic to a server we have the cert for?" - well, yes, you can, but the browser will spot this too. You won't get a certificate for "google.com", and that's where the browser thinks it is going, so that's where it expects the certificate to be for.

In conclusion: ideally, you MITM or you force Google's SafeSearch & block access to other search engines. For more information read our whitepaper: 'The Risks of Secure Google Search'. It examines the problems associated with mandatory Google HTTPS searches, and suggests methods which can be used to remedy these issues.

Tuesday, February 24, 2015

Twitter - Den of Iniquity or Paragon of Virtue... or Someplace in Between?




Recently there's been some coverage of Twitter's propensity for porn. Some research has shown that
one in every thousand tweets contains something pornographic. With 8662 tweets purportedly sent every second, that's quite a lot.

Now, this is not something that has escaped our notice here at Smoothwall HQ. We like to help our customers keep the web clean and tidy for their users, and mostly that means free of porn. With Twitter that's particularly difficult. Their filtering isn't easy to enforce and, while we have had some reasonable results with a combination of search term filtering and stripping certain tweets based on content, it's still not optimal. Twitter does not enforce content marking and 140 characters is right on the cusp of being impossible to content filter.

That said - how porn riddled is Twitter? Is there really sex round every corner? Is that little blue bird a pervert? Well, what we've found is: it's all relative.

Twitter is certainly among the more gutter variety of social networks, with Tumblr giving it a decent run for boobs-per-square-inch, but the likes of Facebook are much cleaner — with even images of breastfeeding mothers causing some controversy.

Interestingly, however, our back-of-a-beermat research leads us to believe that about 40 in every 1000 websites is in some way linked to porn — these numbers come from checking a quarter of a million of the most popular sites through Smoothwall's web filter and seeing what gets tagged as porn. Meanwhile, the Huffington Post reports that 30% of all Internet traffic is porn - the biggest number thus far. However, given the tendency of porn toward video, I guess we shouldn't be shocked.

Twitter: hard to filter, relatively porn-rich social network which is only doing its best to mirror the makeup of the Internet at large. As a school network admin, I would have it blocked for sure: Twitter themselves used to suggest a minimum age of 13, though this requirement quietly went away in a recent update to their terms of service.

Friday, January 30, 2015

Plausible Deniability - The Impact of Crypto Law

So, after the recent terror attacks in Paris, the UK suffered from the usual knee-jerk reactions from the technologically-challenged chaps we have governing us. “Let’s ban encryption the Government can’t crack”, they say. Many people mocked this, saying that terrorists were flouting laws anyway, so why would they obey the rules on crypto? How would companies that rely on crypto do business in the UK (that’s everyone, by the way)?


Well, I’m not going to dwell on those points, because I am rather late to the party in writing this piece, and because those points are boring :) In any case, if the Internet went all plaintext on us, web filtering would be a whole lot easier, and Smoothwall’s HTTPS features wouldn’t be quite so popular!


If the real intent of the law is to be able to arrest someone just for having, or sending encrypted data - the equivalent of arresting someone for looking funny (or stepping on the cracks in pavements). What would our miscreants do next?


Well, the idea we need to explore is “plausible deniability”. For example, you are a De Niro-esque mafia enforcer. You need to carry a baseball bat, for the commission of your illicit  work. If you want to be able to fool the local law enforcement, you might also carry a baseball. “i’m going to play baseball, officer” (may not go down well at 3 in the morning when you have a corpse in the back seat of your car, but it’s a start). You conceal your weapon among things that help it look normal. It is possible conceal the cryptography “weapon” so that law enforcement can’t see it’s there so they can’t arrest anyone. Is it possible to say “sorry officer, no AES256 here, just a picture of a kitteh”? If so, you have plausible deniability.

What’s the crypto equivalent? Steganography. The idea of hiding a message inside other data, such that it is very hard to prove a hidden message is there at all. Here’s an example:



This image of a slightly irritated looking cat in a shoebox contains a short message. It will be very hard to find, because the original image is only on my harddisk, so you have nothing to compare to. There are many steganographic methods for hiding the text, and it is extremely short by comparison to the image. If I had encrypted the text… well, you would find it even harder, because you couldn’t even look for words. It is left as an exercise for the reader to tell me in a comment what the message is.

Monday, November 24, 2014

3 Rules for Cyber Monday




It’s nearly here again folks, and the clues are all there: planning the office Christmas party, your boss humming Rudolph the Red Nosed Reindeer and an armada of Amazon packages arriving.

Which brings me nicely to the topic of this blog: online shopping at work.

It’s official; we are ‘in love’ with online shopping. At this time of the year, it’s harder to resist temptation. Retailers conjure up special shopping events like Black Friday and Cyber Monday - all aimed at getting us to part with our hard earned cash. While online retailers rub their hands in anticipation of December 1st, for companies without proper web security, the online shopping season could turn out to be the nightmare before Christmas.

In a recent survey by RetailMeNot, a digital coupon provider, 86 percent of working consumers admitted that they planned to spend at least some time shopping or browsing online for gifts during working hours on Cyber Monday. That equates to a whole lot of lost productivity and unnecessary pressure on your bandwidth.

To help prevent distraction and clogged bandwidth, I know of one customer, I’m sure there are others, who is allowing his employees time to shop from their desks in their lunch breaks. He’s a smart man - productivity stays high and employees happy.

But productivity isn’t the only concern for the IT department – cyber criminals are out in force at this time of year, trying to take advantage of big hearts and open wallets with spam and phishing emails. One click on a seemingly innocent link could take your entire network down.

To keep such bad tidings at bay, here’s a web security checklist to ensure your holiday season is filled with cheer not fear.

1.  Flexible Filtering. Set time quotas to allow online shopping access at lunchtimes, or outside of core hours. Whatever you decide is reasonable, make sure your employees are kept in the loop about what you classify as acceptable usage and communicate this through an Acceptable Usage Policy.

2.  Invest in Anti-malware and Anti-spam Controls. As inboxes start to fill with special offer emails, it gets more difficult to differentiate between legitimate emails and spam. These controls will go some way towards separating the wheat from the chaff.

3.  Issue Safety Advice to Your Employees. Ask employees to check the legitimacy of a site before purchasing anything. The locked padlock symbol indicates that the purchase is encrypted and secure. In addition, brief them to be alert for phishing scams and not to open emails, or click on links from unknown contacts.

Friday, September 26, 2014

10 Things to Consider Before You Unblock a Website

Just recently, I was asked by a customer to provide some advice for their network administrators on unblocking sites. Sometimes you have to say no, but how do you decide which to give the green light to? Here are some points to bear in mind...

  1. Have you looked at the whole site? There may be different content on some of the links.
  2. Is the domain a generic one? Maybe many sites are served from this domain. Can we limit the unblock into just one specific URL?
  3. Will the content change in future? If it is dynamic, what kind of content might be found there next week?
  4. Is there a better website people could visit for this same purpose? For example, there is no reason to unblock an image search engine other than Google Image Search, as it may not have all the safety features enforced by Smoothwall.
  5. What’s the reason the site was blocked? If it is a misclassification it should be reported to Smoothwall, and  it will get fixed for everyone.
  6. Do you want to unblock just this website, or all websites of this type?  Often it is better to adjust the categorisation (such as allowing all “sports” websites) rather than dealing with one at a time.
  7. Does it allow access to other pages surreptitiously, or draw content from other sites? Translation sites can cause this problem.
  8. You might be able to understand the risks of this site; but do your users? Children, for example, may not be easily able to understand risks of bullying or grooming on a social network, and less technical users might inadvertently leak sensitive information on file sharing sites.
  9. Are there any regulations or risk assessments you need to consider before unblocking this site?
  10. Does the site rely on 3rd party resources?  You can use the advanced Policy Test Tool to examine these. Are these locations also safe with regard to points 1-9?


Thursday, September 11, 2014

Web Filtering Is Not Glamorous, but You May Still Make the Paper

What may be done at any time will be done at no time. 
  ~ Scottish Proverb

Procrastination seems to be built into human nature somehow; some problems become crises before being dealt with. In the beginning, most web content filtering problems are virtually unnoticeable. Maybe it’s because they always seem to start so small they’re nearly innocuous: A slip here, slide there. And who really wants to deal with web filtering and make it a priority?

Web content filtering isn’t glamorous. Other issues feel more pressing, like network failures on testing days. Some issues are just more pleasant to deal with, like procuring new hardware. And let’s face it, students won’t sing your praises for bulletproofing your web filter. It is, however, necessary. Unlike rescheduled test days or network performance issues, a web filter failure will get your name in the paper.

Take Glen Ellyn Elementary District 41 near Chicago, Illinois. After a web filter failure there, in which fourth and fifth grade students were caught viewing pornography on the playground, parents combined forces to bring to light “other instances of inappropriate computer usage at district schools.” All together, the story originally broke in early May, but once on radar with the press, progressive coverage of events becomes standard. The most recent update on Glen Ellyn was published in August.

Another example of this phenomenon happened in Forest Grove, Oregon. A student there was using her IPad to look at erotica through the literature curation website Wattpad. The story was a follow-up in response to an investigational piece by the local news which focused on student agility in filtering circumvention.

And it isn’t just emergencies that get a school noticed for its web filtering policies. Apparently even over blocking of sites is press worthy, as indicated by the Waseca County News, on grounds that it is unfair. Sometimes the discussion even gets political, as it did in Woodbury, Connecticut, where a student doing research noticed that there seemed to be uneven blocking of conservative branded sites.

There are also probably more instances of web filtering gone bad that go unreported, but there’s really no way to tell how a filtering fumble will shake out before it hits the press. Of course, that begs the question; with so much at stake, why take the risk? Like laundry, dishes, or getting your oil changed, making sure your web filter is up to the challenge is the first small step in making sure that your students are protected, but it’s an important one. Perhaps it’s time to schedule some time

Monday, September 1, 2014

Red Letter Day for Onanists and Internet Fraudsters

Yesterday a number of explicit photographs of celebrities, including Jennifer Lawrence, were leaked on the Internet. I'll get to that in a moment. First, if you read no further, read this:

Don't go looking for these photographs, and don't click any links sent to you purporting to be them.

If you must look, we've hosted them all here. Seriously, we have been out a-searching since the news broke, in order to protect our users from the inevitable tide of malware links that have already begun to spring up. The major search engines work hard to keep malicious sites seeded with "current event" keywords from popping up, but this time will be harder, as the sites offering these images will often be similar to those offering the malware.

Now I am going to break from the norm. Most security blogs include the advice "don't take nude photos". I'm not going to ask you to quit. If that's your bag, keep at it — but bear in mind that your photo collection is now worth more. It's now worth more to an attacker who wants to populate their porn site, or to  blackmail you. It is also worth more to you, for the peace of mind of those images being kept private.

If we said the answer was "don't do it" every time doing something on the Internet resulted in a problem, we wouldn't have Internet banking. Or the Internet, come to think of it. So no, you absolutely should store your personal photos on the Internet. You just need to take further steps to ensure they are secure.

These steps include:

1. Make sure you know where your photos are. Many phones now automatically send your images to the NSA/GCHQ etc. under the guise of backup. This can be turned off. Weigh up your dismay at not having your photos any more, vs. the chance of them being stolen. Personally, I vote for backup, as anyone who pinches my pictures will find a heady combination of safari shots, and pictures of serial numbers for things I need to fix. Remember any other backup services (DropBox, Mozy, Backblaze, Crashplan et al) that you use here as well.

2. Secure the photos on-device. If your PC has no password, and your phone regularly sits around unlocked, there's no point hacking your backups. Seems obvious, but the proportion of people who take nude selfies is greater than those who use a lock screen. Apparently.

3. Use a password you use nowhere else. No, really. I mean it this time. I know you ignored me when I said "use a different password everywhere". Look, I forgive you, because I like you. But this one is pretty serious. Don't share the password with the one you use on a messageboard, or for grocery shopping.

4. Turn on "two step verification", "two factor authentication" or whatever anyone's calling it these days.

5. Secure the reset channel. Password resets are a good way to break an account. This could be email (password and 2 factor advice applies here), phone (PIN protect your voicemail!), or silly security questions that anyone with access to your Facebook can answer (make like Graham Cluley and tell them your first pet was called "9£!ttty7-").

A final word on this: watch for those malware links. They're already out there.