04 May 2013

Internet Filtering Series -- Part III (Client-Side "Lab")

This first lab is primarily concerned with testing (and circumventing) a client-side filter. As discussed previously, a client-side filtering solution is one that is installed locally on the client computer. It's also geared primarily for individual, family, small-school/library, and very-small office deployments, as each client needs to be licenced and configured individually.

Further, the entire lab is done within VMware Workstation, which enables the emulation of a suitable 32-bit PC with generic/typical hardware.

Typical Real-World Scenarios Addressed: 
  • Older PC in a home that's designed to be used by kids and/or guests
  • A small school or public library in a rural area, where there are only a few computers that need filtering
  • A small "mom-and-pop" business with only five or six PCs in the entire office.
Specific Lab Scenario Details: 

Tim and Erika Jackson recently bought a new PC to replace an older one that Tim had bought through work. When their new computer arrived, they decided to move their old one to the playroom so that their three kids (two sons, ages 14 and 10, and a 7 year old daughter) can use the PC to play games and do their homework. Being conservative Christians, Tim decides to get filtering software for this particular PC to prevent his children from accessing websites that he believes are harmful.

Technical Details:
  • PC Hardware Simulated: Generic x86 PC with 1GB RAM, and using a hard drive with a 30GB partition
  • OS: Windows Vista Business with SP2
  • PC is fully-updated through Microsoft Update
  • Anti-Malware: Microsoft Security Essentials; definitions current
  • Several programs are installed including LibreOffice, iTunes, some basic kids games, and a Bible application
  • IP address of PC:
  • Netmask: (/24 in CIDR notation) 
  • Fictional ISP: Acme Internet Services (Anytown, USA) with a basic residential broadband connection
  • Filtering Software: K9 Web Protection (put out by BlueCoat)
Filtering Policy: Restrictive (e.g. to simulate a "family/kids-safe" filter, or one commonly found in K-12 schools and some public libraries; the defaults are used along with some other things that may be against the family's beliefs). Sites that are unrated by K9 are blocked. In addition, Tim has set K9 to block all web traffic from 11pm to 7am every day.

  • Physical access to the box is assumed, including the probability of unsupervised access. Often, the kids can just play and Erika checks up with them every so often (which can be between 20-60 minutes)
  • There's no password for the limited kids' account, but there is one for the parents, who have administrator rights
  • Neither Tim nor Erika Jackson are particularly "computer savvy," but both do know how to use a Windows PC for basic functions, and they both personally know and trust a PC repair shop owner--they met him through church 
  • Jared, their 14 year old son, plays video games quite often and may be the most technically-inclined person in the household   

Goals of This Lab: 

Demonstrate the relative simplicity of bypassing or otherwise overcoming a local Internet filter even by a non-administrative user, and the relatively-little amount of skill required, such as by:
  • Usage of Linux/BSD/UNIX Live CD or DVD
  • Usage of any proxy sites that the program may not have caught yet 
  • Software alternatives loaded from a USB stick
  • Seeing what limitations exist on the filtering program (e.g. failure to block https or using the IP address)
[In short: You are Jared and want to get around the filter your dad set up on the kids' PC so you can get to Facebook and a couple of other sites that your parents don't want you on.]

Test Sites Used: 
  • Facebook (https://www.facebook.com) 
  • DNC Official Website (http://www.democrats.org)
  • American Atheists (http://www.atheists.org)
All three sites were verified to be blocked after the filter was set up.


Methods used to successfully circumvent: 
  • Live Media. I successfully used the 2009.06 live CD of OpenSolaris that I got from Sun Microsystems as well as an ISO image of Slax 6.1.2. In both cases, I was able to open all the test sites without being blocked, and at regular speed. 
  • Teamviewer. I managed to connect to a regular PC running Teamviewer and from there access all of the blocked sites. In this scenario, it wouldn't be difficult for a friend who has an unfiltered Internet connection to set up a computer and have Jared use Teamviewer to access it remotely. 
  • Remote Forwarding. 
    • Using a computer that I controlled and put Gentoo Linux on, I used a portable version of MobiXTerm to SSH into the Linux machine and call up Firefox on the portable X server, wherein I was able to access all three of the test sites. 
    • Microsoft's Remote Desktop Protocol (RDP), VNC, and NoMachine's NX technology could also be used in a similar manner (though I note that I did not use this technique in this lab). 
Methods attempted with mixed results: 
  • Onion Routing (e.g. Tor): K9 managed to block a few of the Tor directory servers. It's also worth noting that after about 30 minutes (and restarting the bundle a couple of times) the Tor bundle still couldn't finish establishing the directory connection and begin constructing its circuits; the log shows it stalls around 10%. 
    • However, I have had success with this method in previous trials; it took anywhere from 15-35 minutes for Tor to kick in, and even then not everything worked (i.e. Torbutton). 
    • It's also worth noting that the directory servers were blocked because "Unrated" sites were blocked by default; this would imply that if the administrator allows unblocked sites, it's more likely that this method would work. 
  • Proxy sites. This method only works with new proxy sites that literally came out in the last 24 hours. I set up a test circumventor site on another PC and got through. The filtering companies though are often great at weeding them out by IPv4 address rather quickly (which turned out to be true as two days later my setup proxy site was blocked).
Methods attempted, but unsuccessful:

  • HTTPS edit. K9 stopped that one dead in its tracks. Merely changing a Web address to HTTPS doesn't work as it often did in the past. In fairness, more and more filtering and security companies are catching on and including that by default, in no small part because more sites that are often blocked (such as social-networking sites) are using HTTPS by default.
  • IP address instead of domain name: K9 also stopped this one right away. 

Methods Not Tried (mostly involves cracking or other means of unauthorised access):

[NOTE: All of these methods involve getting access to an administrator account. These won't work if the computer is hooked up to a formal network such as a Windows domain or a UNIX directory server--but that's highly unlikely in this type of situation. Finally, there's a good chance that these methods will be detected at some point, most likely far sooner rather than later.]

  • Obtaining administrator access to the PC
    • Reset Login Passwords. This would work in most home environments, and would enable anyone to access the designated administrator account on the computer.
    • Built-in Administrator account. Windows has a built-in administrator account. Up through Windows 7, the default password is blank (however, this account is disabled by default from Vista onward, and most PC vendors have been disabling it even before Vista shipped). Thus, if it is enabled, and not an ancient copy of Windows, it's probably set. Other modern operating systems (Mac OS X, most flavours of Linux, BSD, UNIX, etc.) don't have a built-in account like Windows does--and if more than one person may use the computer, there's a login to these systems.
    • After that's done and admin access is obtained, the following options emerge:
      • Removing the filtering program. 
        • Sometimes, this can easily be done, others (like K9) require an administrator's password that was established when the software was installed.
      • Moving or deleting files used by the program. Find where the program is and delete the files in it.
        • This often will only result in showing that somebody tried to tamper with the PC and not really achieve the objective of bypassing the filtering
      • Checking to see if the administrator account is somehow unfiltered. 
        • This is rarely the case with client-side solutions, but still something to double-check.
  • Replacing the hard drive
    • This is quite time-consuming and would have to be exacting in order for this kind of tampering to not be discovered quickly
      • For example, if I'd have shoved a hard drive with Windows XP, Windows 7, or any sort of Linux or UNIX system, the difference would be obvious even to Mrs. Jackson
    • You'd also have to ensure that you maintain control of the OS on the drive and that the actual "owner" or administrator doesn't just wipe the drive and start from scratch. 

Recommendations to Help Avoid Successful Circumvention of Client-Side solutions:

  • Keep monitored computers in public view. In a house, have the "kids" computer in the den, living-room, or some other place where it's easily visible.
  • Don't set very restrictive policies and say "them's the rules." Be prepared to be flexible with the filtering policy. For example, could it be revised to be looser, or perhaps unfiltered? It might also be more constructive to simply be reasonable when it comes to what's filtered and have a valid reason why certain sites are being filtered. Indeed, sometimes less is truly more and less filtering may be a very good way of building and demonstrating trust.
  • BIOS settings. It is possible on most every computer to prevent it from booting from other devices. Many computers allow for options that disable booting from all devices except the hard drive. If you cannot do this, lock the boot order such that the machine boots from the hard drive first AND set a VERY STRONG password in the BIOS. This effectively prevents casual bypass attempts via using live CDs, DVDs, floppies, and USB devices to boot other systems.
  • Control what programs go on the computer. Some vendors offer additional products or services that can enhance the web filtering by scanning USB drives. It's also possible to get an IT guy to write policies or scripts that will prohibit non-administrators from running install programs and "portable" apps.
  • The circumvention method involving the Tor browser bundle can be prevented in some, but not all filtering programs. It might pay to do research and find out if the vendor supports blocking Tor and other anonymising (i.e. proxy) services.
  • Locking down the firewall can make running portable apps (such as portable RDP, VNC and NX clients) difficult to run without tampering, though I should note that one's firewall should be able to block the programs themselves by communicating and not just by specifying the ports (SSH, for example, can run on just about any port even though it by default runs on port 22)
  • Remember that no method is foolproof, and that anyone with sufficient resources and time WILL figure out ways to get in and circumvent the filtering.
Finally, a few screencaps: 

First three showing the sites are blocked...

...and via the X11 forwarding, the sites are accessible.
Filter is defeated.

No comments:

Post a Comment