Senate Closes Accidental Anonymizer (Open Proxy Server at www.senate.gov!)
Security Focus | Dec 10 2002 1:24PM | Kevin Poulsen
Posted on 12/11/2002 8:23:01 PM PST by Dominic Harr

Never let it be said that the United States Senate has done nothing for Internet privacy.
Network administrators for the U.S. government site www.senate.gov shut down an open proxy server over the weekend that for months had turned the site into a free Web anonymizer that could have allowed savvy surfers to launder their Internet connections so that efforts to trace them would lead to Capitol Hill.
A proxy server is normally a dedicated machine that sits between a private network and the outside world, passing internal users' Web requests out to the Internet. But they're sometimes misconfigured to accept and forward connections from the outside as well, allowing anyone on the Internet to route through the proxy with a simple browser configuration change.
Because server logs at destination sites show only the IP address of the proxy server, and not the end user, some hackers and privacy-conscious netizens catalog open proxies and use them to anonymize their surfing.
Tracy Williams, director of technology development for the Senate Sergeant-at-Arms, blamed the Senate's accidental public service on misconfigured devices "associated" with the Web site. "Those have been taken offline until they can be configured correctly," said Williams.
Although open proxies sometime allow unauthorized ingress to an internal network, Williams said that in this case the Senate's networks were not exposed. The proxy was discovered by hacker Adrian Lamo, who's still free, and wandering the San Francisco Bay Area with a new laptop.
The hacker said he noticed the Senate Web site's undocumented feature while reviewing a list of proxy servers he scanned and cataloged last April. Uncharacteristically, Lamo said he made no effort to hack the Senate's internal network through the system. Instead, late last week he used it to send a message to any administrators monitoring the site.
"I went to a non-existent Web site with a longly-structured URL consisting of a sentence indicating that they had an open proxy, and giving my name and contact information," said Lamo.
Williams said administrators found and closed the proxy last weekend after "we picked up anomalous behavior on our intrusion detection system."
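The article describes two facts a site operator can act on: a server meant to serve its own pages should never be asked, from the public Internet, to fetch other hosts' pages on a client's behalf, and an IDS picked this up as "anomalous behavior". The following is an added example, not code from the article or from senate.gov, showing the log check behind that idea: it parses constructed access-log lines, recognises proxy-style requests (absolute URIs naming a foreign host, or CONNECT), and reports those that come from outside the internal address ranges. The host names, address ranges and log lines are all invented for the example.

```python
"""Flag proxy-style requests in a web server's access log (added example)."""
import ipaddress
import re

# Constructed sample data in Apache "common" log format; hosts, addresses
# and paths are made up for this example (RFC 5737 documentation ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [07/Dec/2002:03:12:01 -0500] "GET /index.html HTTP/1.1" 200 5120
203.0.113.9 - - [07/Dec/2002:03:12:05 -0500] "GET http://www.example.com/news HTTP/1.0" 200 8192
203.0.113.9 - - [07/Dec/2002:03:12:09 -0500] "GET http://mail.example.net/login HTTP/1.0" 200 2048
10.20.30.40 - - [07/Dec/2002:03:13:00 -0500] "GET http://www.example.org/ HTTP/1.1" 200 1024
192.0.2.77 - - [07/Dec/2002:03:14:11 -0500] "CONNECT mail.example.net:443 HTTP/1.1" 200 0
198.51.100.7 - - [07/Dec/2002:03:15:30 -0500] "GET http://www.senate.gov/about HTTP/1.1" 200 4096
"""

# Hosts this server legitimately serves; absolute URIs naming them are normal.
OWN_HOSTS = {"www.senate.gov", "senate.gov"}
# Addresses that are allowed to use the proxy function (assumed internal nets).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
ABSOLUTE_URI_RE = re.compile(r"^[a-zA-Z][a-zA-Z0-9+.-]*://([^/:]+)")


def is_internal(ip):
    """True if the source address belongs to one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def proxy_target_host(method, target):
    """Return the foreign host a request asks this server to reach on the
    client's behalf, or None if the request is an ordinary one for this site."""
    if method.upper() == "CONNECT":
        # CONNECT carries host:port rather than a URI.
        return target.rsplit(":", 1)[0].lower()
    m = ABSOLUTE_URI_RE.match(target)
    if not m:
        return None  # origin-form request such as /index.html
    host = m.group(1).lower()
    return None if host in OWN_HOSTS else host


def find_open_proxy_use(log_text):
    """Return (source_ip, method, host) for every request that uses the
    server as a proxy from an address outside INTERNAL_NETS."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guess
        host = proxy_target_host(m["method"], m["target"])
        if host is None or is_internal(m["ip"]):
            continue
        hits.append((m["ip"], m["method"], host))
    return hits


if __name__ == "__main__":
    for ip, method, host in find_open_proxy_use(SAMPLE_LOG):
        print(f"open-proxy use from {ip}: {method} -> {host}")
```

On the sample data the internal client at 10.20.30.40 and the request for the server's own host are left alone; the three outside requests for foreign hosts are what an operator would expect an IDS rule or a nightly log job to surface.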
TOPICS: News/Current Events; Technical
KEYWORDS: computer; computersecurityin; ooops; security; techindex
It absolutely would have been illegal to use.
But oh, what fun it might have been to know that was open.
Wonder how long it was open? What kind of evidence might have been available during the Clinton years to someone willing to risk it?
To: *tech_index
"Open" Govt ping.
To: Dominic Harr
Accidental, my tush!
3 | posted on 12/11/2002 8:26:45 PM PST by lawdude
To: Dominic Harr; *Computer Security In
bump
To: Dominic Harr
I'm sure this happened by accident... < /sarcasm >
To: Dominic Harr
Although open proxies sometime allow unauthorized ingress to an internal network, Williams said that in this case the Senate's networks were not exposed.
While it may look to the outside world that you're coming from the Senate, the www.senate.gov proxy logs have your IP address.
6 | posted on 12/11/2002 9:05:51 PM PST by altair
To: Excuse_My_Bellicosity
So you think it was a sting?
7 | posted on 12/11/2002 9:07:18 PM PST by altair
To: altair
Nope, I think it was an inside job done by a computer-savvy intern or low-profile employee.
To: lawdude
Why do you think it was deliberate? The proxy logs on www.senate.com will show who accessed the proxy. They said the internal network was not exposed. This could only have been used to attempt US Senate ID theft via a mail service that leaks incoming IP numbers (i.e. hotmail.com) and making mischief in the Senator's name.
9 | posted on 12/11/2002 10:01:48 PM PST by altair
To: Excuse_My_Bellicosity
See my post #9.
I think it was an inside job done by a computer-savvy intern or low-profile employee.
A jilted lover, perhaps?
10 | posted on 12/11/2002 10:02:53 PM PST by altair
To: altair
They said the internal network was not exposed.
Of course they said that. That's what they *have* to say. It's what I would say in their place.
Call me a skeptic, but I don't really believe them. I've been involved in this kind of thing before.
Their network was *certainly* exposed, in my experience, even if it might have taken a little work to 'hack' into. The article says as much when it comments on how the hacker who found this "uncharacteristically" didn't hack the network. But it's highly possible that their derrieres were completely exposed. If so, they'd deny it loudly.
And I don't believe their claim that it was only open for a few months, either.
Just based on past experiences with such IT gaffes. Your mileage may vary.
To: Dominic Harr
Because server logs at destination sites show only the IP address of the proxy server, and not the end user, some hackers and privacy-conscious netizens catalog open proxies and use them to anonymize their surfing.
That is not always true. Many proxy servers do report the address of the client to the remote site in a separate field.
It's a good idea to test a proxy server before assuming it provides anonymity.
12 | posted on 12/12/2002 11:38:00 PM PST by HAL9000
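HAL9000's point, that many proxies pass the client's address along in a separate field, is worth seeing concretely. The following is an added example, not code from the thread or from any real proxy: it models a forwarding proxy that, depending on its mode, adds the standard `Via` header and the widely used (non-standard) `X-Forwarded-For` header, and the destination server's side, which reads those headers to recover the original client. `check_proxy_anonymity` is the test HAL9000 recommends, modelled offline: send a request through the proxy to a site you control and look at what that site records. The mode names and all addresses are assumptions made for the example.

```python
"""Model of what a destination site learns about a client behind a proxy
(added example, not from the article or the thread)."""

PROXY_MODES = ("transparent", "anonymous")  # informal names, assumed here


def proxied_headers(client_ip, headers, proxy_host, mode):
    """Return the header dict a proxy in the given mode sends onward.

    "transparent": adds Via and X-Forwarded-For, so the client IP is passed on.
    "anonymous":   adds Via only, so the destination knows a proxy was used
                   but not who is behind it.
    """
    if mode not in PROXY_MODES:
        raise ValueError(f"unknown proxy mode: {mode}")
    out = dict(headers)
    # Via (RFC 7230) accumulates one comma-separated entry per hop.
    out["Via"] = ", ".join(filter(None, [out.get("Via"), f"1.1 {proxy_host}"]))
    if mode == "transparent":
        # X-Forwarded-For lists clients left to right, original client first.
        out["X-Forwarded-For"] = ", ".join(
            filter(None, [out.get("X-Forwarded-For"), client_ip]))
    return out


def destination_view(peer_ip, headers):
    """What the destination server can log: the TCP peer (the proxy itself)
    plus whatever the forwarded headers reveal about the real client."""
    xff = headers.get("X-Forwarded-For")
    return {
        "peer": peer_ip,
        "via_proxy": "Via" in headers,
        # Leftmost X-Forwarded-For entry is the original client by convention;
        # it is client-supplied data, so a real log should record it as a claim.
        "claimed_client": xff.split(",")[0].strip() if xff else None,
    }


def check_proxy_anonymity(client_ip, proxy_ip, proxy_host, mode):
    """True only if a site reached through the proxy sees the proxy as the
    peer and learns nothing of the client's address from the headers."""
    request = {"Host": "www.example.org", "User-Agent": "test-client"}  # constructed
    seen = destination_view(proxy_ip, proxied_headers(client_ip, request, proxy_host, mode))
    return seen["peer"] == proxy_ip and seen["claimed_client"] != client_ip


# Constructed addresses from the RFC 5737 documentation ranges.
CLIENT, PROXY_IP, PROXY_HOST = "203.0.113.5", "198.51.100.1", "proxy.example.net"

if __name__ == "__main__":
    for mode in PROXY_MODES:
        print(f"{mode:12s} anonymous to destination: "
              f"{check_proxy_anonymity(CLIENT, PROXY_IP, PROXY_HOST, mode)}")
```

The destination-side helper is the part a site operator actually deploys: logging both the peer address and the forwarded claim keeps the trail intact whichever kind of proxy was in the path, which is exactly why the Senate proxy's own logs, as altair noted, still held the real addresses.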
To: HAL9000
Many proxy servers do report the address of the client to the remote site in a separate field.
Thanks, yes, you're right, of course.
To me, this isn't so much about 'anonymous surfing' as it's about a govt network being open to access by hackers.
If this were open during the impeachment trial, it might have been *very* interesting to search the Senate Network for interesting documents . . .