Danish police

A department responsible for IT security should, obviously, follow the practices it expects others to follow. Sometimes you come across situations where tasks that should fall under the IT security umbrella are handled by an external department which may not even be familiar with security practices. These situations can cause a lot of problems, so whenever such a need arises you must make sure that the proper knowledge and security procedures are made available to that team. A recent story highlights this problem.

Techdirt.com reported that the Danish police accidentally blocked access to thousands of legitimate internet sites due to human error. Denmark ‘censors’ the Internet through a DNS blacklist system. The list is provided by The National High Tech Crime Centre of the Danish National Police and is periodically pulled and applied by all ISPs.

I won’t delve into the issues of Internet censorship, especially through the use of a DNS blacklist; I’ll focus instead on the operational failings that led to this mistake. There are so many bad practices in this incident that I don’t know where to start. The most important thing to keep in mind is that if you’re doing a task as important as blacklisting web sites nationwide, you must make sure that the environment where the operation takes place is secured: no one except authorized personnel should have access to the system, and you need both physical and logical checks in place.

Secondly, if your task is critical (and blocking access to a website for everyone definitely is), you need to employ division of labour to ensure there is no abuse. No single person should have total access and the ability to perform the task from start to finish. The last thing you want is to give one person the power to both decide and implement which sites citizens can access and which they cannot.

There also needs to be a secure path between whoever is pushing the updates and whoever is pulling them. Public key cryptography can be used to ensure that updates were really issued by the person responsible for that role. This ensures that even if someone were to gain access to the issuer system, or hijack the connection on the receiver side, the updating system would not implicitly trust any input: it would first verify that the source is genuine.
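As an added illustration (not code from the Danish system or from the original post), the following Go program shows the issuer signing a blocklist update with an Ed25519 key and the receiving resolver refusing to install anything whose signature does not check out. It also goes one step beyond the text by binding a sequence number into the signed payload so that an older, already-installed list cannot be replayed; the key pair, the domain names and the `Update` layout are all constructed here for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strings"
)

// Update is the blocklist as distributed to ISPs (constructed format for this example):
// a sequence number, the newline-separated domains, and a detached Ed25519 signature.
type Update struct {
	Seq       uint64
	Domains   string
	Signature []byte
}

// payload binds the sequence number and the list together so neither can be swapped alone.
func payload(seq uint64, domains string) []byte {
	return []byte(fmt.Sprintf("seq=%d\n%s", seq, domains))
}

// SignUpdate runs on the issuer side, which alone holds the private key.
func SignUpdate(priv ed25519.PrivateKey, seq uint64, domains string) Update {
	return Update{Seq: seq, Domains: domains, Signature: ed25519.Sign(priv, payload(seq, domains))}
}

// VerifyUpdate runs on the ISP resolver before a new list is installed.
// lastSeq is the sequence number of the list currently in use.
func VerifyUpdate(pub ed25519.PublicKey, u Update, lastSeq uint64) ([]string, error) {
	if !ed25519.Verify(pub, payload(u.Seq, u.Domains), u.Signature) {
		return nil, errors.New("signature invalid: update not issued by the blacklist authority")
	}
	if u.Seq <= lastSeq {
		return nil, errors.New("stale update: sequence number not newer than installed list")
	}
	return strings.Split(strings.TrimSpace(u.Domains), "\n"), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed sample list for the example, not the real blacklist.
	u := SignUpdate(priv, 42, "bad1.example\nbad2.example\n")
	if list, err := VerifyUpdate(pub, u, 41); err == nil {
		fmt.Println("installed", len(list), "entries")
	}
	// A list altered in transit fails verification and is never installed.
	tampered := u
	tampered.Domains += "legit-news.example\n"
	_, err := VerifyUpdate(pub, tampered, 41)
	fmt.Println("tampered:", err)
}
```

The public key is the only thing the ISP side needs to hold, so compromising a resolver does not let an attacker forge lists for everyone else.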

These stories trouble me. It is obvious that only a basic security design was in place for events to have unfolded this way. To a certain extent it was fortunate that such high-profile sites were accidentally blocked; had the blocked sites been less prominent, the mistake would not have been easy to notice and reverse. In any case, I hope this story turns out to be an eye-opener for those involved in such important exercises to do things properly, or we’ll hear of other cases where innocent sites are blocked – accidentally or intentionally.