National governments are increasingly powerful stakeholders on the internet, changing and filtering the digital landscape in the process. Recently, Turkish authorities blocked access to Twitter and YouTube after a series of confidential recordings with evidence of alleged corrupt practices began circulating.
Once the genie is out of the bottle, however, the challenge becomes to divert, evade and undermine such measures, and the outcome may be just what the authorities tried to avoid. Censorship will educate many ordinary citizens in a craft usually limited to the hacker, namely bypassing security. And in doing so, they may very well use the IT resources present at their employers, bringing the organization into the line of fire.
Lawmakers in Turkey and elsewhere seem unaware of inviting this risk, however, as they granted the authorities far-reaching measures to police the internet earlier this year. Blocking websites, for instance, can now be done without getting a court order.
That the scale is expanding and the techniques are proliferating is demonstrated by a whopping 966% increase in Turkish requests sent to Google to remove content. Not that Google complied with anything near those numbers, but it tells of a wider, worldwide trend toward increased governmental control measures.
Core Operations Taken Out
Before delving into the why and how, it’s important to consider the scope and its implications. Such as it is, governmental censorship is becoming a trend with security implications that businesses should not ignore. Twitter saw its core operations taken out for a significant share of its users, even after a local administrative court in Ankara ruled the blockade should be lifted.
The immediate effect is that potential advertising income is obstructed, along with the online marketing campaigns and, where applicable, e-commerce activities of the companies involved. But there’s more to it. Consider the following scenario: The Turkish government ordered national ISPs and 3G mobile internet operators to shut down access.
Many sizable organizations such as multinationals reserve their own fiber cable to ensure sufficient bandwidth. An employee who works at one of those companies discovers he can reach blocked websites using his company’s LAN connection. When the stakes are high, and raised even further by draconian countermeasures, finding ways around inevitably becomes a crowdsourcing environment.
Now it won’t take long for everyone to be able to access the forbidden pages via an unfiltered connection, routed through your local server, which maintains a LAN connection abroad. This poses a security risk in its own right, as well as a performance issue. If the proxy connection is passed on further, a host of unscreened users might try to connect and overload the company servers, grinding them to a sudden halt, as happens in DoS attacks.
Even though losing a single server might not be a pressing issue, think about what would happen if a member of your technical staff turned your local website, or multiple resources, into such proxies. The results could be devastating to your organization in terms of business continuity. And it may very well have legal repercussions, too.
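One way to spot the scenario above in proxy access logs, as an added example that is not part of the original article: flag any company host that relays traffic for several distinct clients outside the corporate address space. The log format, host names, address ranges and threshold are assumptions made for this example.

```python
import ipaddress
from collections import defaultdict

# Assumed corporate address space (hypothetical values for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample log: "<timestamp> <proxy_host> <client_ip> <method> <destination>"
SAMPLE_LOG = """\
2014-03-21T09:00:01 proxy01 10.1.4.22 CONNECT twitter.com:443
2014-03-21T09:00:03 proxy01 203.0.113.5 CONNECT twitter.com:443
2014-03-21T09:00:04 proxy01 203.0.113.9 CONNECT youtube.com:443
2014-03-21T09:00:05 proxy01 198.51.100.7 CONNECT twitter.com:443
2014-03-21T09:00:07 web02 10.1.9.80 GET intranet.example:80
2014-03-21T09:00:09 web02 198.51.100.7 CONNECT youtube.com:443
malformed line
"""

def is_internal(ip_text):
    """True if the address falls inside the assumed corporate ranges."""
    ip = ipaddress.ip_address(ip_text)  # raises ValueError on garbage
    return any(ip in net for net in INTERNAL_NETS)

def external_relay_clients(log_text):
    """Map each relaying host to the set of non-corporate client IPs it served."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _, host, client, _, _ = parts
        try:
            if not is_internal(client):
                seen[host].add(client)
        except ValueError:
            continue  # unparsable client address
    return dict(seen)

def flag_open_relays(log_text, threshold=2):
    """Hosts that relayed for at least `threshold` distinct outside clients."""
    relays = external_relay_clients(log_text)
    return sorted(h for h, clients in relays.items() if len(clients) >= threshold)

if __name__ == "__main__":
    print(flag_open_relays(SAMPLE_LOG))
```
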
Stealth and Bandwidth
Information security professionals should realize the implication, which is that the company infrastructure may not be the target but the actual means of an assault. Hacktivists (and cyber-criminals alike) seek out proxies to create distance between themselves and the target, and corporate infrastructures offer both the stealth and bandwidth to do so successfully. Being a stepping-stone for an attack-by-proxy may involve liabilities on the network owner’s end, while reclaiming damages incurred will be virtually impossible.
To make matters even less transparent, the methods governments apply to filter, block and censor may have further repercussions for data in transit. The Syrian government, for instance, has activated a Bluecoat PacketShaper, which is a device that inspects traffic passing through it.
The inspection may be tuned to treat encrypted traffic, over SSL or dedicated tunnels like VPNs, as suspect and block it, or even report it to the operator. With customers for surveillance and filtering tools worldwide, secure channels may be diverted or halted and ultimately, given such efficiency loss, business logic may dictate that insecure communications be instated.
Technically, such a filter is an SSL Man-in-the-Middle attack, the exact means used by cyber criminals in hijacking online banking sessions. This type of filtering actually breaks all the means a company has for securing internet traffic. Users can no longer see whether their secure connection has been compromised, defeating the purpose of HTTPS. In effect, this means that governmental inspection obscures whether cyber-criminals are attacking end-users up the chain. This is a striking illustration of one security measure defeating another.
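A monitoring check that makes such interception visible again, as an added example that is not part of the original article: compare the certificate a server presents with a fingerprint recorded earlier over a path known to be uninspected. The host name, the pin store and the stand-in certificate bytes are constructed for this example.

```python
import hashlib
import socket
import ssl

# Hypothetical pin store: host -> SHA-256 fingerprints of certificates recorded
# over a trusted path. The bytes below are a constructed stand-in, not a real cert.
GENUINE_DER = b"constructed stand-in for the genuine certificate (DER)"
PINS = {"mail.example.com": {hashlib.sha256(GENUINE_DER).hexdigest()}}

def fetch_leaf_der(host, port=443, timeout=5.0):
    """Return the DER certificate the peer presents, or None if the handshake fails."""
    ctx = ssl.create_default_context()  # normal chain and hostname validation
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(binary_form=True)
    except OSError:  # covers ssl.SSLError, timeouts and DNS failures
        return None

def check_pin(host, der, pins=PINS):
    """Classify what was observed for `host` against its recorded pins."""
    if host not in pins:
        return "unpinned"
    if der is None:
        return "handshake-failed"  # blocked, or re-signed by an untrusted CA
    if hashlib.sha256(der).hexdigest() in pins[host]:
        return "match"
    return "substituted"  # chain validated, but this is not the pinned certificate

def audit(observations, pins=PINS):
    """observations: host -> DER bytes or None. Returns hosts needing attention."""
    findings = {}
    for host, der in observations.items():
        status = check_pin(host, der, pins)
        if status not in ("match", "unpinned"):
            findings[host] = status
    return findings

if __name__ == "__main__":
    for name in PINS:
        print(name, check_pin(name, fetch_leaf_der(name)))
```

A "substituted" result is the case the paragraph describes: the browser shows a valid HTTPS session because the inspecting CA is trusted, yet the certificate is not the one the server owner issued. Pins on leaf certificates need refreshing whenever the genuine certificate is renewed.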
For Information Security professionals it has always been key to take stock of what resides on their servers, what is transmitted over corporate networks in real-time, and the operationalization of securing its lines of communication.
However, it’s high time to look further outward and foresee unwanted situations of getting caught in the crossfire between ill-construed governmental digital border patrols and the globalized reality of the online era. Therefore, absenteeism in collecting information on local politics is plainly bad form.
Censorship online with the potential for backfiring needs to be a trigger for increasing such awareness. The level of anger on the factory floor will be indicative of how alert the information security team should be.
About the Authors:
Diederik Perk is a business consultant at Traxion, involved in policy, research and publishing in the fields of Information Security, Computer Security and Cyber Security. After previous employment at the Department of Defense, Office of the Public Prosecutor and several other organizations, he’s currently operating within IAM and RBAC-centered projects in the financial sector. His publications include regular contributions to Cyberwarzone.com and TheHollandBureau.com.
Bram van Pelt is a technical security consultant at Traxion consultancy. In the last 4 years Bram has been involved with several large scale security projects. As a technical subject matter expert Bram has also given talks and written papers on both Identity & Access management and penetration testing.
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.