Drawing the line between paranoia and real risks

security

After being involved in security for a while it’s natural to see certain threats without even thinking about it. Sometimes you wonder whether you’re being paranoid or merely pessimistic, but then something happens and you realise that maybe your fears were not so far-fetched after all.

In a previous article I mentioned how the United States Senate approved a plan to provide President Obama with an internet kill switch. When hearing such a story a red flag is raised. What if it’s abused? And even if it’s not, how would it affect my business if it is ever used? These are obviously valid questions; however, the voice of reason can’t help but wonder whether this is really something you need to worry about. Even if such power is ever provided to the President of the United States, would he ever use it? Just as with the “it can never happen to me” way of thinking, you wonder whether your concerns are really justified.

But then, soon afterwards, something happens that shows you that such a scenario is not so far-fetched after all. I am obviously talking about the unrest in Egypt, during which the government shut down the entire internet infrastructure of the country for a couple of days. That was only the start. Wherever the unrest moved to, governments took the same step of blocking all or a large portion of the country’s internet. Such an action has wide-reaching implications for business both inside and outside the country, and it is also a difficult risk to mitigate.

An action such as blocking a whole country’s internet access would have even greater consequences if it were to happen in the US or any other country that offers a range of IT services your business or your clients might rely on. What if your infrastructure is based in the cloud and you suddenly find that your service provider has been cut off from the internet, without even knowing when it will be reconnected? What if your own government decides to cut all internet access in your country?

One might try to safeguard against this by staying away from services that are run in volatile countries, but unfortunately governments are increasingly meddling with the internet and not just in volatile/controlling countries.

Homeland Security’s Immigration and Customs Enforcement agency has of late started seizing domain names associated with piracy, counterfeiting and child pornography. It simply petitions judges to approve long lists of domain names, which it then seizes without any hearings or court cases. Allegedly, when seizing a domain associated with child pornography, it also seized Mooo.com, as reported by Techdirt.

Mooo.com is a dynamic DNS system, which means that the seizure affected everyone using that system, reported to be over 84,000 sites, and not just the single site that broke the law. Each of these sites was then redirected to a web page hosted by Homeland Security advising that the advertisement, distribution, transportation, or possession of child pornography is illegal. Can you imagine the damage it would cause were your customers to find such a page when trying to access your site?

Once one country starts exercising such powers on the internet you can be sure that others will follow suit. The UK police have already set plans in motion to obtain similar domain-seizing powers. The voice of reason would like to dismiss this threat because law enforcement organizations go after sites that are breaking the law, and legitimate businesses should have nothing to worry about; but what happens when a website that is legal in my country but illegal in the US gets seized?

Not a likely scenario? Well, apparently it has already happened to rojadirecta.com, a Spanish website accused of copyright infringement. It went through a court case in Spain and was declared not guilty, but was nonetheless seized by Homeland Security. What if, once they are done with copyright infringement, the same procedure is applied to other sectors as well? The United States has a bad history with online gambling, so what if they decide to seize all domains associated with online casinos?

Mitigating a risk such as having your country’s entire internet access blocked by your government is not an easy thing. I am no lawyer, but circumventing the block itself might also be illegal. In any case, the only options that come to mind which might offer some protection here are: having links to the internet through different service providers; mirroring your websites through multiple providers in different countries; and, if it justifies the cost, having a satellite internet link as a backup. With the satellite option it is essential to make sure that the link will be adequately protected if you will be running your whole business through it.

Defending yourself against domain seizures is even trickier. Each top-level domain (TLD) such as .com, .net or .org is maintained by a specific registrar (Verisign), while country domains are generally maintained by a body in that country.

Holding multiple domain names is a possible safeguard, but your customers are still likely to access your site with the name they know best. Maintaining a domain name handled by your own country (or the countries whose laws you are following) might be your safest bet against a domain seizure; however, .com TLDs are generally the most popular, so one must decide which trade-off is preferable: safety or popularity?
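Both mitigations above, mirroring through several providers and holding several domain names, only help if you notice quickly that one of your names has stopped pointing at your own infrastructure. The script below is an added example written for this post, not the author's code or any GFI product: it audits a set of domains against the address ranges your own providers are expected to answer from, flags any name that now resolves somewhere else (what a seizure page, a hijack or a registrar error all look like from the outside) or does not resolve at all, and picks the first still-healthy name to fail over to. The domains, networks and resolver answers are constructed sample data; a real deployment would replace the static dictionary with lookups made from a resolver outside the network being monitored.

```python
import ipaddress

# Constructed sample data: the names a hypothetical business holds and the
# address ranges its hosting providers are expected to answer from. These are
# documentation networks, not real deployments.
EXPECTED_NETWORKS = {
    "example-shop.com": ["198.51.100.0/24"],                      # provider A
    "example-shop.co.uk": ["203.0.113.0/24"],                     # provider B
    "example-shop.net": ["198.51.100.0/24", "203.0.113.0/24"],    # either
}

# Constructed resolver output standing in for live DNS answers. The .com name
# now points outside every expected range; the .net name gets no answer.
SAMPLE_RESOLUTION = {
    "example-shop.com": ["192.0.2.44"],
    "example-shop.co.uk": ["203.0.113.10"],
    "example-shop.net": [],
}


def classify(domain, answers, expected):
    """Return 'ok', 'unresolved' or 'redirected' for one domain.

    'redirected' means at least one answer lies outside every network we
    expect for that name, i.e. visitors are being sent to someone else's host.
    """
    if not answers:
        return "unresolved"
    nets = [ipaddress.ip_network(n) for n in expected.get(domain, [])]
    for a in answers:
        addr = ipaddress.ip_address(a)
        if not any(addr in net for net in nets):
            return "redirected"
    return "ok"


def audit(resolution, expected):
    """Classify every domain we own, using the supplied resolver answers."""
    return {d: classify(d, resolution.get(d, []), expected) for d in expected}


def choose_fallback(report, preference):
    """First name in preference order that is still 'ok', or None."""
    for d in preference:
        if report.get(d) == "ok":
            return d
    return None


if __name__ == "__main__":
    report = audit(SAMPLE_RESOLUTION, EXPECTED_NETWORKS)
    for domain, status in report.items():
        print(f"{domain}: {status}")
    primary_order = ["example-shop.com", "example-shop.net", "example-shop.co.uk"]
    print("serve from:", choose_fallback(report, primary_order))
```

On the sample data the .com name is reported as redirected, the .net name as unresolved, and the .co.uk name, held under a different country's registry and hosted by a different provider, is the one left to serve from. Run this kind of check from more than one vantage point: a resolver inside a country whose access has been cut cannot report on the outage at all.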


Emmanuel Carabott CISSP heads security research at GFI Software. He has over 12 years’ experience in the security field and is a regular contributor to several websites and blogs.