There are some default remote endpoints declared in Surf library.
This exposes the alfresco.com website through unauthenticated access.
http://loftux.com/demo/proxy/alfresco-network <- This one also exposed, but redirects when called to a page not likely available on that tomcat server.
These declared remote endpoints should be removed from a default alfresco install. I'm not sure this is a security issue, but most likely most Alfresco administrators is unaware of alfresco.com being exposed through their /share web.
Better be safe than sorry here, remove or declare them <identity>admin</identity>