You can still be detected if using a proxy
Setting your proxy settings in Firefox or Internet Explorer does not mean that you are undetectable. In fact, with most websites today embedding applications that provide video, audio, gaming and other services, it is more common than ever before to find evidence in logs and databases that can reveal who you are. Most involved with network security already know this, but if you are not you may think you are anonymous when in fact you are not.
I was talking to a individual recently who was involved in an investigation. They assumed that by using a proxy, the target site would not have an IP address or any other data logged that could link them to the target site. I explained this is false assumption and why, but it got me thinking about others that may be in law enforcement or corporate security conducting investigations and feel comfortable they are hidden via a proxy service when they are actually exposed.
If a target site wants to detect you, there are many ways it can accomplish this easily, and often they obtain identifying information unintentionally. Here is a quick and simple example I put together. First, I shutdown all the servers and clients on my home network except a single computer and the gateway. On the gateway, I captured all the traffic entering and leaving the network. Next, I configured Firefox to use a SSH proxy. SSH has the ability to emulate a SOCKS4 or SOCKS5 proxy. A side note to using SOCKS4 or SOCKS5 is DNS is not proxied. This is not a concern for this particular investigative scenario, but could be a concern for other investigations, so it is important to be aware of that issue should it become a concern during an investigation.
Firefox was configured to proxy via Socks 5:
Next, I visited a site that hosted the latest Britney Spears video entitled ‘3′. The page load is shown below.
The initial page loads along with the embedded video player. Up to this point, the logs show that the packets are ingressing and egressing via the configured proxy server only which is our desired behaviour.
The communication as shown above between the proxy server and the client continues until the video player application loads. Once the player loads, it first does a DNS request for the the video service.
The player then directly connects to the video service bypassing the proxy at this point you have been identified. This continues as the audio and video is streamed to the client.
Keep in mind that you may already have been identified through the proxy itself. It is entirely possible and likely that the website or player has transmitted other information about your system within the RTMP stream itself or even HTTP. The problem stems from the fact that these embedded objects are in fact executable programs that can bypass the browser and other system settings.
If you are involved in an investigation where you don’t want to be detected by the target, do not assume that by using a proxy you are safe from detection. There are ways to avoid detection in this way, but they require more sophisticated network and client configuration. Regardless of your setup and configuration I would suggest always capturing the data transmitted and received. Even if you don’t analyze every packet, it provides a detailed log of what actually was transmitted and received allowing you to go back and verify if necessary.
