LAS VEGAS--The same technology that allows Web surfers to locate and connect to computers on the Internet can be used to create covert communications channels, bypass security measures and store distributed content, a security researcher said Saturday.

The security hack essentially uses data transferred by domain name service (DNS) servers to hide additional information in the network communications. DNS servers act as the white pages of the Internet, invisibly transforming easy-to-remember domain names--such as www.cnet.com--into the numerical network addresses used by computers. Moreover, corporate security measures, such as firewalls, tend to ignore DNS data because they assume it's harmless, said Dan Kaminsky, a security researcher for telecommunications firm Avaya and a speaker at the Defcon hacking conference here.

"DNS is everywhere--you cannot communicate over the global Internet without knowing where to go," he said. "No one notices DNS. No one monitors it."

That flaw in most companies' network security leaves a vulnerability that can be used by hackers to sneak intellectual property outside a company, communicate with a compromised server inside the company, or gain free access to many wireless and Internet services found in coffee houses and hotels, he said.

Covert channels are an area of research for both security experts and hackers. Last year, another security expert demonstrated a way to send dribs and drabs of data across the Internet by hiding them in network packets. The concept goes back at least 15 years, but the Avaya security researcher has actually created useful tools for people who want to send covert messages over DNS.

At Defcon, Kaminsky showed off server software that acts as a communications hub for covert messages and a program that can insert data into DNS requests. Using the software, he could send instant messages over an encrypted communications channel carried by spoofed DNS requests. He also showed off broadcasting streaming radio over the covert channel.

The data will not normally be recorded or detected by network security, Kaminsky said, because it appears to just be legitimate DNS servers communicating with one another.

"The user is not actually sending data outside the network," he said. "They (seem to be) requesting data from the local DNS server and it is sending it outside the network."

There are other security side effects to network administrators not paying attention to DNS packets. Online services that allow a user to connect to the Internet after logging into a captive portal--such a system allows wireless users to get on the Internet at Starbucks--allow DNS packets to pass through the security. That means that a hacker could use Kaminsky's software to get free wireless access on most such networks.

Network administrators should pay more attention to DNS, said Kaminsky. Servers infected with the MSBlast worm, for example, used the service to look up the address of Microsoft's Windowsupdate.com server, and that made DNS a good method for detecting compromised computers.

"We have known that this is feasible for years," he said. "It's time to pay attention."

Have an opinion on this story? Share it with other News.com readers.

Track this story's companies and topics

Security	Create alert
Hacking	Create alert

Create your own e-mail alert >

Related stories

• MyDoom variant slams mailboxes, search engines
  July 26, 2004
• 'Zombie' PCs caused Web outage, Akamai says
  June 16, 2004
• VeriSign says .com redirect isn't dead
  October 6, 2003
• Hackers look to hide communications
  July 31, 2003

Get this story's "Big Picture" >

From News.com Extra

• DNS changes to take minutes (instead of hours) from The Register
• ICANN Adds IPv6 to Root DNS from InternetNews.com
• DoubleClick Hit by DDoS Attack from Slashdot

Get more news around the Web with News.com Extra >

White papers, Webcasts and case studies about security  More results

• Security in the Wireless Revolution (white paper)
      Good Technology
• A Successful Look at Wireless Solutions and its Savings (white paper)
      Good Technology
• Enterprise-Class Wireless Messaging & Corporate Data Access (white paper)
      Good Technology

White papers, Webcasts and case studies about hacking  More results

• What to Look for in a Security Firm's Vulnerability Database (white paper)
      TechRepublic
• Making IT Work: Speed up Vulnerability Detection with Web Services (white paper)
      TechRepublic
• Automating Security Patch Management (white paper)
      ManageSoft

Related videos

Microsoft's Trustworthy Computing Initiative still a work in progress July 15, 2004

ICANN chairman and MCI Senior Vice President Vint Cerf shares his hopes for the Internet's future June 18, 2004

Security companies rate their progress at protecting against network threats June 16, 2004

Watch more videos >

Your take

Post a comment

 
Click on a comment to explore replies  (2 total replies - 0 NEW )

This is only the beginning! Justin Gund -- 08/01/04

Top picks from News.com readers

Readers who read Internet's 'white pages' allow data attacks also read....

Hackers plan global game of 'capture the flag'
Bulk of year's PC infections pinned to one man
Microsoft patches three critical browser flaws
Details of Microsoft antivirus software leak out
Group: Linux potentially infringes 283 patents
RFID tags become hacker target
Image flaw pierces PC security
iPod helps police nab alleged car thief
Computer glitch grounds two airlines
Microsoft: Buy 32 bits, get 32 bits free

More Info