Friday, May 24, 2013

Skype with care – Microsoft is reading everything you write

http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html

Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.
A reader informed heise Security that he had observed some unusual network traffic following a Skype instant messaging conversation. The server indicated a potential replay attack. It turned out that an IP address which traced back to Microsoft had accessed the HTTPS URLs previously transmitted over Skype. Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:

65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"
[Utrace map: the access is coming from systems which clearly belong to Microsoft. Source: Utrace]
They too had received visits to each of the HTTPS URLs transmitted over Skype from an IP address registered to Microsoft in Redmond. URLs pointing to encrypted web pages frequently contain unique session data or other confidential information. HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.
In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:
"Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."
A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, which contain no ownership information, untouched. Skype also sends HEAD requests, which fetch only the response headers and not the page itself. To check a site for spam or phishing, Skype would need to examine its content.
Back in January, civil rights groups sent an open letter to Microsoft questioning the security of Skype communication since the takeover. The groups behind the letter, which included the Electronic Frontier Foundation and Reporters Without Borders, expressed concern that the restructuring resulting from the takeover meant that Skype would have to comply with US laws on eavesdropping and would therefore have to permit government agencies and secret services to access Skype communications.
In summary, The H and heise Security believe that, having consented to Microsoft using all data transmitted over the service pretty much however it likes, all Skype users should assume that this will actually happen and that the company is not going to reveal what exactly it gets up to with this data.
Update (17/05/13): Read the latest on this story where third parties verify heise Security's observations and possible explanations raise even more questions:
(djwm)
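The check heise Security describes above (send an unguessable HTTPS URL over the channel under test, then watch the web server log for visits from anyone other than the intended recipient) is easy to automate. The following is an added example written for this page, not code from heise or The H. The Apache log lines it parses are constructed, modelled on the entries quoted on this page; the trusted network 192.0.2.0/24 is an assumed stand-in for the recipient's address, and the canary paths are fixed here only so the sample log can refer to them.

```python
import re
import secrets
from datetime import datetime
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Apache common/combined log prefix. The status/bytes tail is optional because
# the log excerpts quoted on this page are cut after the request line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
    r'(?: (?P<status>\d{3}|-) (?P<bytes>\S+))?'
)

# Constructed sample: canary paths of the kind generated from /dev/urandom,
# the recipient's address (assumed: 192.0.2.10), and an unrelated request.
CANARY_PATHS = [
    "/CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html",
    "/CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php",
]
TRUSTED_NETS = ["192.0.2.0/24"]  # assumption: where the recipient connects from
SAMPLE_LOG = [
    '192.0.2.10 - - [16/May/2013:12:30:11 -0400] "GET /index.html HTTP/1.1" 200 512',
    '65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -',
    '65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -',
    '192.0.2.10 - - [16/May/2013:14:20:00 -0400] "GET /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 88',
]


def make_canary_path(label, ext="html"):
    """Unguessable, unindexed path for a fresh canary (assumption: 24 random bytes suffice)."""
    return f"/{label}-{secrets.token_urlsafe(24)}.{ext}"


def parse_line(line):
    """Parse one Apache log line into a dict, or None if it is not a request line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def sensitive_params(target, names=("user", "password", "pass", "token", "session", "sid")):
    """Names of query-string parameters in the request that look like credentials or session data."""
    query = parse_qs(urlsplit(target).query)
    return sorted(k for k in query if k.lower() in names)


def find_canary_hits(log_lines, canary_paths, trusted_nets):
    """Return every request for a canary path made from outside the trusted networks."""
    trusted = [ip_network(n) for n in trusted_nets]
    canaries = set(canary_paths)
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec is None:
            continue
        path = urlsplit(rec["target"]).path
        if path not in canaries:
            continue
        if any(ip_address(rec["ip"]) in net for net in trusted):
            continue  # the person we actually sent the link to
        hits.append({
            "ip": rec["ip"],
            "when": rec["ts"].isoformat(),
            "method": rec["method"],
            "path": path,
            "leaked_params": sensitive_params(rec["target"]),
        })
    return hits


if __name__ == "__main__":
    for hit in find_canary_hits(SAMPLE_LOG, CANARY_PATHS, TRUSTED_NETS):
        print(hit)
```

Anything reported by find_canary_hits is a third party that learned the URL from the channel it was sent over; the leaked_params field shows whether that third party also received credentials or session identifiers in the query string, which is exactly what the login.html and file-sharing URLs in the article handed over.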

http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html

So when I saw this article

http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html

I was disappointed the rumoured Skype backdoor is claimed to be real, and
that they have evidence.  The method by which they confirmed it is kind of odd
- not only is Skype eavesdropping but it's doing HEAD requests on SSL sites
that have URLs pasted in the Skype chat!

Now I've worked with a few of the German security outfits before, though not
Heise, and they are usually top-notch, so if they say it's confirmed, you
generally are advised to believe them.  And the date on the article is a
couple of days old, but I tried it anyway.  Set up a non-indexed
/dev/urandom generated long filename, and saved it as PHP with a
meta-refresh to a known malware site in case that's a trigger, and a passive
HTML with no refresh and no args.  Passed a username/password via
?user=foo&password=bar to the PHP one and sent the links to Ian Grigg, who I
saw was online over Skype, with strict instructions not to click.

To my surprise I see these two entries in the Apache SSL log:

65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -

I was using Skype on Ubuntu; Ian on the other end was using Mac OS X.  It
took about 45 mins until the hit came, so they must be batched.  (The gap
between the two requests is because I did some work on the web server, as the
SSL cert was expired and I didn't want that to prevent it working, nor
something more script-like with CGI arguments as in the article.)


Now are they just hoovering up the Skype IMs via the new Microsoft central
server architecture, having backdoored the Skype client to no longer have
end-to-end encryption (and feeding them through Echelon or whatever), or is this
the client that is reading your IMs and sending selected things to the
mothership?

BTW, their HEAD request was completely ineffective per the weak excuse
Microsoft offered in the article at top: my PHP contained a meta-refresh,
which the HEAD won't see as it's in the HTML body.  (Yes, I confirmed via my
own localhost HTTP GET, as web dev environments are automatic in various
ways.)


So there is adium4skype, which allows you to use OTR with your Skype contacts,
using Skype as the transport.  Or one might be more inclined to drop
Skype in protest.

I think the spooks have been watching "Person of Interest" too much to think
such things are cricket.  How far does this go?  Do people need to worry
about Microsoft IIS web servers with SSL, Exchange servers?

You do have to wonder if Apple backdoored their IM client, below the OTR, or
Silent Circle, or the OS - I mean how far does this go?  Jon Callas said not
Apple, that wouldn't be cool, and Apple aims for coolness for users; maybe he
should dig a little more.  It seems to be getting to where you can't trust anything
without compiling it from source, and having a good PGP WoT network with
developers.  A distro binary possibly isn't enough in such an environment.

Adam
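Adam's aside about the meta-refresh and the article's objection to HEAD requests rest on the same fact: a HEAD response carries headers only, so a scanner that issues HEAD cannot see a meta-refresh, or anything else, in the HTML body. The following added example, which is not code from the mailing list post or from heise, demonstrates this against a throwaway local server. The page, its redirect target (malware.example) and the canary path with credentials in the query string are constructed placeholders.

```python
import re
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed page: what the .php file in the post did, a meta-refresh to
# another site. The target is a placeholder, not a real address.
REDIRECT_TARGET = "http://malware.example/landing"
PAGE = (
    "<html><head>"
    f'<meta http-equiv="refresh" content="0; url={REDIRECT_TARGET}">'
    "</head><body>nothing to see</body></html>"
).encode()

META_REFRESH_RE = re.compile(r'<meta[^>]+http-equiv="refresh"[^>]+url=([^">\s]+)', re.I)


class CanaryHandler(BaseHTTPRequestHandler):
    """Serves PAGE for any path; HEAD returns the same headers with no body."""

    def _send_headers(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()

    def do_GET(self):
        self._send_headers()
        self.wfile.write(PAGE)

    def do_HEAD(self):
        self._send_headers()  # headers only: this is all a HEAD-based scanner ever gets

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_server():
    """Bind an ephemeral localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), CanaryHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def refresh_target(body):
    """URL named by a meta-refresh in the body, or None if there is none (or no body)."""
    m = META_REFRESH_RE.search(body.decode(errors="replace"))
    return m.group(1) if m else None


def fetch(port, method, path="/canary.php?user=foo&pass=bar"):
    """Issue one request and return (status, Content-Length header, body bytes)."""
    conn = HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request(method, path)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Content-Length"), resp.read()
    finally:
        conn.close()


def compare_head_and_get():
    """Fetch the same canary page with HEAD and with GET and report what each reveals."""
    srv, port = start_server()
    try:
        head_status, head_len, head_body = fetch(port, "HEAD")
        get_status, get_len, get_body = fetch(port, "GET")
    finally:
        srv.shutdown()
        srv.server_close()
    return {
        "head_status": head_status,
        "head_content_length_header": head_len,  # advertised size of a body HEAD never receives
        "head_body_bytes": len(head_body),
        "head_sees_redirect": refresh_target(head_body),
        "get_status": get_status,
        "get_body_bytes": len(get_body),
        "get_sees_redirect": refresh_target(get_body),
    }


if __name__ == "__main__":
    for key, value in compare_head_and_get().items():
        print(f"{key}: {value}")
```

The HEAD response advertises the page's Content-Length but delivers zero body bytes, so the meta-refresh is invisible to it; the GET with the identical path exposes the redirect target. A scanner that only issues HEAD therefore learns nothing about what the page contains, while still handing the server every credential or token that was in the URL.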
