McAfee, Inc. Agrees to Acquire Secure Computing

On Monday, September 22nd 2008, McAfee and Secure Computing announced they had signed a definitive merger agreement.  While the deal still needs to obtain the blessing of Secure Computing’s stockholders, it is anticipated that it won’t be a problem.

Secure Computing has over 22,000 customers in 160 countries and is the number 1 player in the web security appliance market and the number 2 player in the message security appliance market.  The combination will create one of the largest security companies in the world.

The all cash deal is estimated at about $465 Million and expected to close around the end of Q408.  Through significant cost and revenue synergy, McAfee expects to break even on the investment in 2009, with full cost synergies being realized through 2010 and 2011.

Filtering Secure Sites

While reading this article from KSL TV for one of my previous posts I noticed near the end of the article that often secure sites are not filtered by Internet filtering software.

Clayton Ostler, the IT Manager for ContentWatch (the company behind NetNanny), made the statement:

“The (filters) can detect that the data is coming from an encrypted site, but they can’t actually read the content of that data.”

Basically he is saying that because they can’t see the unencrypted content, they can’t filter it.  That is true for a dynamic filter like NetNanny, but it isn’t true for a hybrid list-based filter like Safe Eyes.  Safe Eyes has been filtering secure sites for over a year now.

Mr. Ostler also hinted that a new version of NetNanny which can filter secure sites would be out later this month.  So have they created a system that is capable of inspecting the encrypted data?  If they have, doesn’t that defeat the purpose of having encryption in the first place?  Maybe they are using some other technique; we will have to wait and see.

IE 8 Porn Mode Doesn’t Bypass Filters

There has been some talk that the new IE 8 feature called InPrivate has the ability to bypass Internet filters.  When I first heard this I dismissed the idea since Safari has a similar “Private Browsing” mode and it doesn’t allow you to bypass Internet filtering.  FilterFacts.org thought the same thing but asked for someone from a filtering company to weigh in, so I figured I would share what we have found.

Internet Explorer 8 with InPrivate Browser enabled does not bypass the filtering in Safe Eyes.  Since there are so many varying technologies used by different vendors, I can’t make the blanket statement that it doesn’t circumvent all Internet filters.  However, I find it very unlikely.

Basically all that InPrivate does is limit the browser from storing browsing history, cookies, browser cache (Temporary Internet Files), etc.  The idea is that it leaves fewer tracks about where you visit.  The nickname “Porn Mode” doesn’t come from its ability to help you access porn, but rather for its ability to help you cover your tracks if you don’t want someone to know.

But being able to delete your web history, cookies and browser cache isn’t anything new.  You have been able to do this with pretty much every browser out there.  InPrivate just makes that process a little easier.  This is one reason why we recommend to parents that they don’t rely on simply checking the browser history as a means of keeping track of where their kids go online, but rather use a system like Safe Eyes, which runs at a much lower level than a browser.  These lower level systems are still going to be able to log where you visit even if InPrivate is enabled.

What is DNS Poisoning?

After my post about CyberPatrol’s new SiteSURV product, one of my readers emailed and asked “What is DNS Poisoning?”  Instead of responding personally, I thought it would make a good blog post.

First a little background on the Domain Name System or DNS.  Basically every computer on the Internet has an IP address, for instance this site is 72.54.145.200.  But it is a whole lot easier to reference these computers by name, like www.insideinternetfiltering.com.  So the Domain Name System was created to turn these names into the numbers that our computers understand.

This system works as a hierarchy of DNS servers.  At the top are the root servers; they have .com, .org, .net etc.  When you register a domain, an entry is added to these root servers that tells computers looking for your domain where to look next.  So at the root servers there is an entry for insideinternetfiltering.com that tells them to look to my two DNS servers for more information about my domain.  My DNS servers have an entry for www that describes my IP address.

For your computer to work properly on the Internet you need at least one DNS server entered in your network settings.  Most of the time this happens automatically for you when you connect to your Internet Service Provider or corporate network.  Then when you enter a URL in your browser, www.insideinternetfiltering.com for example, your computer consults that DNS server behind the scenes.  If that DNS server doesn’t know the IP address for www.insideinternetfiltering.com, it then typically consults the root server looking for insideinternetfiltering.com, which in turn sends it to my DNS server, which returns the IP address for my site.  This is known as an authoritative response.

So with that as background, what is DNS poisoning?  Quite simply, it is technical jargon for changing the normal flow of the DNS system and introducing results that aren’t authoritative.  This term is often applied to malicious types of attacks, as the Wikipedia article on DNS poisoning points out.  However, it has also traditionally been used to describe a method of Internet filtering in which DNS return values are altered from their authoritative value for the purposes of filtering content.

For instance, let’s say that the DNS server that is configured on my computer is programmed with a blacklist of bad websites.  On this list is a site called www.badsite.com.  When you try to visit www.badsite.com, your computer asks the DNS server for the IP address of www.badsite.com.  The DNS server is programmed to look at the blacklist, and if it finds www.badsite.com it does not consult the root DNS server, but instead returns an invalid value that causes your computer to not connect to the site.  It could even return a new valid IP address that would send you to a server that has been configured to display a “this site has been blocked” page.
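To make the filtering decision described above concrete, here is an added example (not code from this blog or from any filtering product) of the logic a filtering DNS server applies to one wire-format query.  The blocklist entry, the block-page address 192.0.2.10 and all function names are assumptions made for illustration, and the parent-domain matching goes slightly beyond the single-name case in the text.

```python
import socket
import struct

# Constructed sample data, not taken from any real product: one blocked
# domain and a block-page address in the 192.0.2.0/24 documentation range.
BLOCKLIST = {"badsite.com"}
BLOCK_PAGE_IP = "192.0.2.10"

def build_query(name, txid=0x1234):
    """Build a minimal wire-format A query, used here as sample input."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def parse_question(packet):
    """Return (lower-cased name, qtype, offset just past the question)."""
    labels, pos = [], 12
    while packet[pos] != 0:
        length = packet[pos]
        if length > 63:
            raise ValueError("compressed or invalid label in question")
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii").lower())
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return ".".join(labels), qtype, pos + 5

def is_blocked(name):
    """Match the name and each of its parent domains against the list."""
    parts = name.split(".")
    return any(".".join(parts[i:]) in BLOCKLIST for i in range(len(parts)))

def filter_query(packet, sinkhole=True):
    """Return a locally generated reply for a blocked name, or None when
    the query should be resolved normally through the DNS hierarchy."""
    name, qtype, end = parse_question(packet)
    if not is_blocked(name):
        return None
    txid, question = packet[:2], packet[12:end]
    if sinkhole and qtype == 1:
        # Flags 0x8180: response, RD and RA set, AA clear, RCODE 0 (no error).
        header = txid + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
        # Answer: pointer to the question name, type A, class IN, TTL 60 s.
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 60, 4)
        return header + question + answer + socket.inet_aton(BLOCK_PAGE_IP)
    # Flags 0x8183: same, but RCODE 3 (NXDOMAIN), the "invalid value" case.
    return txid + struct.pack("!HHHHH", 0x8183, 1, 0, 0, 0) + question
```

Note that both replies leave the AA (authoritative answer) bit clear, which is what distinguishes them from the authoritative response the real DNS servers for the domain would give.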

This was a long post.  If there is something that doesn’t make sense, please comment.

CyberPatrol Introduces SiteSURV

CyberPatrol today announced a new business-level filtering product called SiteSURV (Press Release).

The product uses a DNS poisoning technique to accomplish the filtering by checking DNS lookups against CyberPatrol’s site database.  While this type of filtering is easy to deploy by simply changing your DNS settings, it is also among the easiest to bypass (I won’t go into details on how).

They have two versions currently: the standard version and a self-hosted version for larger organizations (SiteSURV Plus).  The Plus version seems to have more customization capability than the standard version, such as choosing your categories and creating your own list of allowed/blocked sites.  However, with the Plus version you will also need to furnish your own Windows-based server to run the software on.

NetNanny for Mac Update

The NetNanny for Mac website is now online at http://www.netnanny.com/mac.  It appears that the new product is a branded version of Intego’s ContentBarrier X4 product.  If you compare the screen shots from here: http://www.netnanny.com/mac/features and http://www.intego.com/contentbarrier/ you will find them pretty much the same with NetNanny branding instead of Intego branding.

NetNanny Releases Mac Filter

ContentWatch, the developer of NetNanny, announced the release of NetNanny for Mac.
From the release it appears the product will contain:

  • Content Filtering
  • Usage Reports
  • Time Limits

The new Mac version of NetNanny will be available in English, French, German, Spanish, Italian and Japanese for $39.99 for one computer and $20 for each additional computer.

More information is supposed to be available online at: www.netnanny.com/mac.  However, the link was not working at the time of this posting.

UK Cleanfeed vs. Australian Cleanfeed

The government of Australia, under the leadership of Stephen Conroy, has been pushing forward on the concept of creating an ISP-level “cleanfeed” for the entire country of Australia.  It is envisioned that this system would replace the free filter scheme currently in place in Australia.

In support of this system, the UK Cleanfeed system deployed by British Telecom is often referenced as proof that Internet filtering at the ISP-level can be effective and won’t slow down an Internet connection.  However, if you take a deeper look at the system deployed by British Telecom, you find that there are some key differences.

The BT System Only Blocks Illegal Content.
The cleanfeed system in the UK was designed and built to block a fairly small number of sites that contain illegal content (mostly child pornography).  It seemed at the time of launch it was blocking somewhere around 3,600 sites and it was cited as growing at a rate of between 60-100 sites a month.  So that would put the total list size at an estimated 6,000 sites today.

So will Stephen Conroy and the Department of Broadband, Communications and Digital Economy only block illegal content, or provide protection for minors from inappropriate content?  The lab-based test was run on both by ACMA, and Stephen Conroy has made statements that he wants the cleanfeed to be free of inappropriate and pornographic content.

I mention this because it is much easier and less costly to filter out a small number of sites than it is to filter all sites to determine if they are inappropriate or pornographic.  So if you extend the blocking to include inappropriate content, you can’t point to the UK cleanfeed system as a previous success story as Stephen Conroy does.

The BT Cleanfeed was not government mandated.
British Telecom came up with the cleanfeed system of their own accord.  It wasn’t required by the government.  The list of sites that is blocked by the UK cleanfeed system is created by the Internet Watch Foundation, a non-government Internet watchdog group.  So the government doesn’t have to deal with censorship issues head on.

On the other hand the Australian clean feed system, even if it only blocked illegal content, would likely be blocking the list built by the Australian Communications and Media Authority (ACMA).  This combined with the fact that the system will be mandatory and likely funded by the government to offset the ISP’s operational expenses directly links the government to the filtering.  This of course raises all kinds of issues of Internet censorship.  Electronic Frontiers Australia is already opposing the system on their site nocleanfeed.com.

BT System can only block web content.
The system built by British Telecom was designed to block only web traffic.  This means that they don’t block peer-2-peer file sharing, Instant Messengers, FTP or a number of other types of protocols.

The test conducted by ACMA looked at the blocking capabilities of other protocols.  However, this was only done by “Expert Review”, meaning someone looking at the features of the software.  No tests were run to determine the scalability of blocking additional protocols at the scale an ISP would have to be able to deal with.

So what does all this mean?
A low cost system to simply block illegal content on an ISP-level could be built.  However, if you look at this from the angle of Internet safety for kids, you will find that the ISP-Level system potentially reduces the level of protection offered to Australian parents today through the NetAlert free filter scheme.

With an ISP-level filtering system will a parent be able to control the time spent online, review instant messenger conversations, block peer-2-peer filesharing or games?  These are all things that parents can do today with the free filters offered by NetAlert.

Stephen Conroy claims that the new ISP-level filtering initiative will provide better protection for kids, but is this really true?

Birmingham City Council Challenged On Internet Filtering Policy

The city council for Birmingham, England, recently installed new Internet monitoring and filtering software.  However, the filtering policy they have created is meeting with some opposition.

The city council has blocked sites relating to Atheism and the Occult, which fall under what they call “a long-standing Internet usage policy for staff”.  The policy bans sites “that promote witchcraft, the paranormal, sexual deviancy and criminal activity.”

The opposition is coming from the lawyers at the National Secular Society, who claim the move violates the Employment Equality (Religion or Belief) Regulations 2003.  The regulations make it unlawful to discriminate against employees on the basis of their religious belief.

ACMA ISP Filtering Report Shows ISP Filters As Stronger Than They Really Are

One element that the ACMA ISP-Level Filtering Report touched on was the different circumvention possibilities between PC and ISP based Internet Filtering solutions.  It presented a table of possible work-arounds to both systems, indicating a high, moderate, or low level of possibility of circumvention.

After looking at this table, you are left with the impression that ISP level filtering is nearly bullet proof.  This is not the case though.  They didn’t include in the table at least two methods that I am aware of for bypassing an ISP level Internet filter, and there are possibly more depending on the particular ISP’s deployment model.

It wouldn’t be appropriate for me to go into details about how to circumvent ISP level Internet filters here. But I will say that for at least one of the methods a PC based filter is actually able to filter when an ISP level filter would not.
