
DNS hack leaves corporate networks wide open
August 02 2004
by Robert Lemos
Covert channels can bypass security measures…

The same technology that allows web surfers to locate and connect to computers on the internet can be used to create covert communications channels, bypass security measures and store distributed content, according to a security researcher.

The security hack essentially uses data transferred by domain name service (DNS) servers to hide additional information in the network communications. DNS servers act as the white pages of the internet, invisibly transforming easy-to-remember domain names - such as www.silicon.com - into the numerical network addresses used by computers.

Moreover, corporate security measures, such as firewalls, tend to ignore DNS data because they assume it's harmless, said Dan Kaminsky, a security researcher for telecommunications firm Avaya and a speaker at the Defcon hacking conference in Las Vegas.

"DNS is everywhere - you cannot communicate over the global internet without knowing where to go," he said. "No one notices DNS; no one monitors it."

That flaw in most firms' network security leaves a vulnerability that can be used by hackers to sneak intellectual property outside a company, communicate with a compromised server inside the company, or gain free access to many wireless and internet services found in coffee houses and hotels, he said.

Covert channels are a common area of research for security experts and hackers. Last year, another security expert demonstrated a way to send dribs and drabs of data across the internet by hiding them in network packets. The concept goes back at least 15 years, but the Avaya security researcher has actually created useful tools for people who want to send covert messages over DNS.

At Defcon, Kaminsky showed off server software that acts as a communications hub for covert messages and a program that can insert data into DNS requests. Using the software, he could send instant messages over an encrypted communications channel carried by spoofed DNS requests. He also demonstrated broadcasting streaming radio over the covert channel.

The data will not normally be recorded or detected by network security, Kaminsky said, because it appears to just be legitimate DNS servers communicating with one another.

"The user is not actually sending data outside the network," he said. "They [seem to be] requesting data from the local DNS server and it is sending it outside the network."

There are other security side effects when network administrators do not pay attention to DNS packets. Online services that allow a user to connect to the internet after logging into a captive portal - such a system allows wireless users to get on the internet at Starbucks - allow DNS packets to pass through the security. That means that a hacker could use Kaminsky's software to get free wireless access on most such networks.

Network administrators should pay more attention to DNS, said Kaminsky. Servers infected with the MSBlast worm, for example, used the service to look up the address of Microsoft's windowsupdate.com server, and that made DNS a good method for detecting compromised computers.

"We have known that this is feasible for years," he said. "It's time to pay attention."

Robert Lemos writes for CNET News.com
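
Kaminsky's recommendation that administrators pay more attention to DNS can be applied to resolver query logs: data hidden in DNS requests tends to show up as many long, random-looking subdomains under a single zone. The following is an added example, not code from the article or from Kaminsky's tools; the log format, the thresholds and the two-label zone split are assumptions, and the sample log is constructed.

```python
import math
from collections import Counter, defaultdict
from hashlib import sha256

def shannon_entropy(s):
    """Bits per character of the string s."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(qname, zone_labels=2):
    """Split a query name into (subdomain, zone). Assumption: the zone is the
    last two labels; production code should use the Public Suffix List."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-zone_labels]), ".".join(labels[-zone_labels:])

def suspicious_zones(queries, min_unique=20, min_len=30, min_entropy=3.0):
    """Return {zone: stats} for zones whose queried subdomains are numerous,
    long and high-entropy, the profile of data encoded into DNS names.
    Thresholds are illustrative assumptions, to be tuned on local traffic."""
    subs = defaultdict(set)
    for _client, qname in queries:
        sub, zone = split_name(qname)
        if sub:
            subs[zone].add(sub)
    flagged = {}
    for zone, names in subs.items():
        mean_len = sum(map(len, names)) / len(names)
        mean_ent = sum(shannon_entropy(n.replace(".", "")) for n in names) / len(names)
        if len(names) >= min_unique and mean_len >= min_len and mean_ent >= min_entropy:
            flagged[zone] = {"unique": len(names), "mean_len": round(mean_len, 1),
                             "mean_entropy": round(mean_ent, 2)}
    return flagged

# Constructed sample log: (client IP, query name). Not real traffic.
SAMPLE = [("10.0.0.5", h) for h in ("www.example.com", "mail.example.com",
                                    "www.example.org", "cdn.example.org")] * 10
# Constructed stand-in for encoded payloads: 40 hex characters per query name.
SAMPLE += [("10.0.0.9", sha256(str(i).encode()).hexdigest()[:40] + ".t.example.net")
           for i in range(40)]

if __name__ == "__main__":
    for zone, stats in suspicious_zones(SAMPLE).items():
        print(zone, stats)
```

Ordinary browsing repeats a small set of short names per zone, so only the zone receiving dozens of unique long labels is reported; content delivery networks and some antivirus lookups produce similar patterns and need an allowlist.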
