“ERROR. The requested URL could not be retrieved. Access Denied”. Reads familiar? This message has greeted many of us when we try to log onto Facebook, Orkut, Twitter, YouTube and many other social networking websites from office. Many organisations have blocked these websites and some have even prohibited messenger services and generic e-mail services like Gmail and Yahoo, all to “help employees put their distracted heads to work rather than tweeting, updating their status or tagging photographs”.
However, in this day and age, it is tough to limit anything, especially the Internet. And thus enter open proxy websites or third party proxy websites or anonymisers or, in common jargon, proxy websites. More and more people are resorting to these open proxy sites to bypass their office network firewalls and to happily surf whatever they feel like, right under the noses of their network administrators and engineers. Though they might be a little annoying with umpteen pop-up advertisements, they are the only resort. But there’s a flip side too. These open proxy sites are not just the key to the forbidden worldwide web domain for many, they can also open doors to a lot of trouble. Your accounts can be the targets of phishing attacks and other personal data related security threats.
So what are the threats you face in this internet adventure? To begin with, use of open proxy websites can lead to data loss and breach of security. Worse, it can lead to phishing too. Phishing, also referred to as brand spoofing or carding, is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Security analysts point out the perils of using a ‘harmless’ looking proxy website. “It is doubtless that the use of third-party proxy servers could result in loss of sensitive data, which could include logins and passwords of different accounts. Besides, cybercriminals could set up a proxy server so that it could redirect users to fake web pages. These web pages could look very trustworthy and it would be very difficult for an average user to understand this replacement,” explains Alex Gostev, chief security expert of the global research and analysis team at Kaspersky Lab.
Surendra Singh, regional director (SAARC) of computer security solutions company Websense, feels that monitoring these open proxies is no joke. “Hackers can get confidential data from client machines through these websites. Many organisations have started using decryption tools so that open proxy websites can be monitored. But hackers continuously find new ways to make these websites accessible,” he says. Singh adds that hackers and the open proxy website developers have their own research and development facilities, most of which are more sophisticated than any company’s technical cell. Thus, while companies are finding new ways to block these websites, the open proxy portals are finding new ways to thrive.
Companies that have blocked social networking websites, messenger services and even generic e-mail websites concede that they know some employees use open proxies, but are still content with their policy of prohibition. “We feel that out of the total staff, just about 10% access sites through these third parties, and that is still an achievement for us as we succeed in restricting 90% of the Internet traffic to be strictly work related. Those 10% would always be there, but if they realise how dangerous these sites can be for their accounts and information, even they would stop using them,” says the chief technology officer (CTO) of a leading media house, on condition of anonymity. “These social networking sites become heavy users of the bandwidth of the network, which frankly should be used only for professional work. By blocking them, we also reduce the pressure on our bandwidth,” he adds.
And what is the rationale behind prohibiting employees from surfing these sites? “The reasons for banning such sites exist at two levels. First and the foremost is the security concern for organisations. They might ban a particular e-mail or a social networking site to prevent private and confidential company data from leaking on the Internet in the public domain and to keep it within the limits of the home network,” says Nitin Khanapurkar, executive director, advisory services, KPMG. “Second, of course, is related to efficiency and performance issues. If people spend time on social networking sites and randomly surfing the net, organisations believe that productivity might go down,” he adds.
The second concern is also reflected in Assocham’s Social Development Foundation (ASDF) survey in December 2009, in which nearly 4,000 corporate employees were interviewed in cities such as Delhi, Bangalore, Chennai, Mumbai, Cochin, Ahmedabad, Pune, Chandigarh, Lucknow and Kanpur. The survey reflects a loss of 12.5% in daily productivity of an employee, as the average time an employee spent on social networking sites was found to be one hour. It was also found that 19% of companies allow social networking use only for business purposes, while 16% allow limited personal use. Only 40% of the employees interviewed said their companies allow employees full access to social networks during work hours.
However, many believe that blocking websites and acting on a policy of prohibition would serve no purpose as those who want to access the blocked sites will find thousands of open proxies ready for service, however unsuspecting these users might be of the associated danger. “Such restrictions are always futile. If there is access to Internet, employees find a way to access their chosen sites anyway. Such policies create a sense of alienation among employees. This sends out a signal that the company does not trust the behaviour of its employees. In most mid-sized, modern companies, which have grown in the post-Internet era, there are no such restrictions,” says Gaurav Mittal, CEO, DMC International.
And while they might or might not be aware of the dangers associated with surfing through an open proxy, employees don’t see the prohibition policy working one bit. “Frankly for me, it doesn’t really matter if it is blocked or not. At my present job, there aren’t these restrictions. However, at my earlier workplace, everything from Gmail to Facebook was blocked, but that really didn’t bother me or affect my work. There, I used to access these websites through my phone. You really can’t stop anyone as everyone is now aware of the alternatives. They might use Internet on their phones or use open proxy sites. It’s just like fooling yourselves by blocking these websites,” says Gunjan Piplani, who works in a publishing company.
In fact, in the face of the alternatives available to employees, many experts believe that instead of letting people expose their personal data to threats through open proxies, companies should not follow a policy of blocking websites. Deepak Gupta, associate vice-president (technology) of offshore product development company GlobalLogic, believes that regulating the net is different from being intrusive. “Our company has not blocked any website, as it believes that employees will find ways to access them by using proxy servers. A company’s IT policy’s role should be restricted to being that of a regulator without being intrusive,” he says. Khanapurkar concurs. “Those who want to circumvent rules will find many ways to do so. Organisations should look at addressing the issues and create awareness among their staff. The employees should not feel the need to use open proxies at all. Banning is never a solution. When you get a personal call in office from a friend, won’t you take the call? Now that is also social networking. Tomorrow can offices go to the extent of banning cellphones inside office?” he says.
So what can be the ways to address the issue? “Companies can probably decide a time during the day when people can visit the social networking sites or probably have kiosks where they can take turns and surf the net for short periods of time,” he says. GlobalLogic for one is trying something innovative. Apart from not blocking any social networking site, it has gone a step ahead with its enterprise social networking platform called “Glo”. The site essentially works like Facebook and has been developed to restrain employees from using generic social media websites, at least for interacting with those within the organisation. So while the debate would go on between various schools of thought on the matter and on the policy of prohibition and blocking websites, an employee just has three options really: to forget about surfing sites like Facebook and Twitter in office, or to use Internet on his phone as the happy hunting ground, or lastly, to use an open proxy, with all its associated threats. Choose what you may.
How do proxy sites work
The Internet is populated with open proxy servers, which communicate a dynamic IP address to the websites you visit while also helping you to bypass firewalls and censorship filters, because your Internet service provider (ISP) is no longer able to know where you are connecting from. For example, if facebook.com is blocked by your office proxy and firewall, as soon as you type http://www.facebook.com in your browser, the firewall or the office proxy blocks it immediately. But if you log on to an open proxy site, say abc.com, it communicates a dynamic IP address to the website being visited, as well as to your network. Since the IP address blocked for Facebook is different from the one being communicated by abc.com, the network doesn’t block the content coming through the open proxy site, and doesn’t realise that the content coming from abc.com is actually Facebook content being routed through abc.com. Bingo!
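
The filtering gap described above, seen from the network administrator's side, as an added example that is not part of the original article: a hostname blocklist passes requests addressed to abc.com, while a check of the gateway log flags those whose query string carries a blocked site's URL. The log lines, the `browse.php?u=` layout and all function names are constructed assumptions.

```python
import base64
from urllib.parse import parse_qsl, urlsplit

BLOCKED = {"facebook.com"}  # the article's example of a blocked site

# Constructed gateway log entries: (client IP, requested URL).
_B64 = base64.urlsafe_b64encode(b"http://www.facebook.com/").decode()
SAMPLE_LOG = [
    ("10.0.0.5", "http://www.facebook.com/"),
    ("10.0.0.7", "http://abc.com/browse.php?u=http%3A%2F%2Fwww.facebook.com%2F"),
    ("10.0.0.8", "http://abc.com/browse.php?u=" + _B64),
    ("10.0.0.9", "http://intranet.example/wiki?page=home"),
]

def http_host(text):
    """Hostname of an http(s) URL, or None if text is not one."""
    try:
        parts = urlsplit(text)
    except ValueError:
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

def host_blocked(host):
    """True for a blocked domain or any of its subdomains."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in BLOCKED)

def embedded_hosts(url):
    """Hostnames carried inside query values, as plain text or base64."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query):
        candidates = [value]
        try:
            padded = value + "=" * (-len(value) % 4)
            candidates.append(base64.urlsafe_b64decode(padded).decode("utf-8"))
        except ValueError:  # covers bad base64 and non-UTF-8 bytes
            pass
        found += [h for h in map(http_host, candidates) if h]
    return found

def classify(url):
    """'blocked' = filter stops it; 'relayed' = blocked site behind another host."""
    if host_blocked(http_host(url)):
        return "blocked"
    if any(host_blocked(h) for h in embedded_hosts(url)):
        return "relayed"
    return "allowed"

def scan(log):
    return [(client, classify(url)) for client, url in log]
```

The check needs full URLs in the log, which for encrypted traffic is available only with the kind of decryption tools Singh mentions. A proxy that hides the target in some other way would pass this check, so it complements reputation-based blocking of the proxy hosts themselves.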