The same technology that allows web surfers to
locate and connect to computers on the internet can be used to create
covert communications channels, bypass security measures and store
distributed content, according to a security researcher.
The security hack essentially uses data
transferred by domain name service (DNS) servers to hide additional
information in the network communications. DNS servers act as the white
pages of the internet, invisibly transforming easy-to-remember domain
names - such as www.silicon.com - into the numerical network addresses
used by computers.
Moreover, corporate security measures,
such as firewalls, tend to ignore DNS data because they assume it's
harmless, said Dan Kaminsky, a security researcher for
telecommunications firm Avaya and a speaker at the Defcon hacking
conference in Las Vegas.
"DNS is everywhere - you cannot communicate over the global internet
without knowing where to go," he said. "No one notices DNS; no one
That flaw in most firms' network security leaves a vulnerability that
can be used by hackers to sneak intellectual property outside a
company, communicate with a compromised server inside the company, or
gain free access to many wireless and internet services found in coffee
houses and hotels, he said.
Covert channels are a common area of research for security experts and
hackers. Last year, another security expert demonstrated a way to send
dribs and drabs of data across the internet by hiding them in network
packets. The concept goes back at least 15 years, but the Avaya
security researcher has actually created useful tools for people who
want to send covert messages over DNS.
At Defcon, Kaminsky showed off server software that acts as a
communications hub for covert messages and a program that can insert
data into DNS requests. Using the software, he could send instant
messages over an encrypted communications channel carried by spoofed
DNS requests. He also showed off broadcasting streaming radio over the
The data will not normally be recorded or detected by network security,
Kaminsky said, because it appears to just be legitimate DNS servers
communicating with one another.
"The user is not actually sending data outside the network," he said.
"They [seem to be] requesting data from the local DNS server and it is
sending it outside the network."
There are other security side effects of network administrators not
paying attention to DNS packets. Online services that allow a user to
connect to the internet only after logging into a captive portal - the
kind of system that lets wireless users get online at Starbucks -
still allow DNS packets to pass through the security. That means a
hacker could use Kaminsky's software to get free wireless access on
most such networks.
Network administrators should pay more attention to DNS, said Kaminsky.
Servers infected with the MSBlast worm, for example, used the service
to look up the address of Microsoft's windowsupdate.com server, and that
made DNS a good method for detecting compromised computers.
"We have known that this is feasible for years," he said. "It's time to pay attention."
Robert Lemos writes for CNET News.com