Wednesday, November 2, 2016

DNS shenanigans - 3rd party disclosure of non-public data to swing an election

Earlier I posted about the possibility of disclosing private data to change the course of an election or otherwise influence public policy. Little did I know that slate.com was already working on a story to do just that.

A researcher identified only as Tea Leaves disclosed that he had access to passive DNS logs from one or more ISPs.  Using this DNS data, he can see who is communicating with who (as long as they use domain names to communicate).  I'm going to ignore the obvious ethical issues of disclosing private data in this post (more on that later).  I'm also going to avoid the fact that the conclusions of the slate.com story have been debunked.

I do think it's worth discussing what researchers could do with ISP grade passive DNS data so you understand what can be done with it if someone were to abuse the data.  You should know that most researchers with passive DNS data only see that resolutions occurred, not the specific IP addresses that made the requests.  It is this unique data that allowed Tea Leaves to make the Trump server "conclusions."

A few things you could do with similar data:

  • See all the websites you visit and attribute these visits to you specifically and what times you visit them
  • Find all the porn websites visited by your local politician
  • Find out all of the freaky porn sites you visit and blackmail you
  • Figure out who your bank is
  • Track your shopping habits and deliver targeted advertising by snail mail
  • Find out what antivirus software and other third party software is used in a corporate network
  • Discover a publicly traded company that has been compromised by malware and short their stock

I'm sure there are some other ideas out there, this is just a partial list to get you thinking.  Yes, please tell me this is why you use a VPN. I'll say that's better, but doesn't in any way minimize the seriousness of what Tea Leaves did.  Also, anyone with ISP level data access can tell when you are using a VPN and then look for DNS leaving that location as well.  Sure there may not be a 1:1 correlation between a particular DNS request and you (others could be using the VPN server) but given enough data you can probably paint a pretty complete picture.

Malware researchers need access to this data at an ISP level - there are some very important benefits here that help keep the Internet safe.  But in order for this data to continue to be shared, we have to police our own community.  We can't prevent researchers from leaking privileged data (even NSA and FBI can't seem to stop this).  But we can actively dox and shun those who abuse their positions of trust.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.