Re: [funsec] Skype with care – Microsoft is reading everything you write

[Jeffrey Walton <noloader () gmail com>]

A couple of follow ups on this....

"Skype backdoor confirmation,"
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html

and

"All Your Skype Are Belong To Us,"
http://financialcryptography.com/mt/archives/001430.html

On Wed, May 15, 2013 at 10:20 PM, Jeffrey Walton <noloader () gmail com> wrote:
> (Thanks to KW in a private email).
>
> http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
>
> Anyone who uses Skype has consented to the company reading everything
> they write. The H's associates in Germany at heise Security have now
> discovered that the Microsoft subsidiary does in fact make use of this
> privilege in practice. Shortly after sending HTTPS URLs over the
> instant messaging service, those URLs receive an unannounced visit
> from Microsoft HQ in Redmond.
>
> A reader informed heise Security that he had observed some unusual
> network traffic following a Skype instant messaging conversation. The
> server indicated a potential replay attack. It turned out that an IP
> address which traced back to Microsoft had accessed the HTTPS URLs
> previously transmitted over Skype. Heise Security then reproduced the
> events by sending two test HTTPS URLs, one containing login
> information and one pointing to a private cloud-based file-sharing
> service. A few hours after their Skype messages, they observed the
> following in the server log:
>
> 65.52.100.214 - - [30/Apr/2013:19:28:32 +0200]
> "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"
>
> Source: Utrace They too had received visits to each of the HTTPS URLs
> transmitted over Skype from an IP address registered to Microsoft in
> Redmond. URLs pointing to encrypted web pages frequently contain
> unique session data or other confidential information. HTTP URLs, by
> contrast, were not accessed. In visiting these pages, Microsoft made
> use of both the login information and the specially created URL for a
> private cloud-based file-sharing service.
>
> In response to an enquiry from heise Security, Skype referred them to
> a passage from its data protection policy:
> "Skype may use automated scanning within Instant Messages and SMS to
> (a) identify suspected spam and/or (b) identify URLs that have been
> previously flagged as spam, fraud, or phishing links."
>
> A spokesman for the company confirmed that it scans messages to filter
> out spam and phishing websites. This explanation does not appear to
> fit the facts, however. Spam and phishing sites are not usually found
> on HTTPS pages. By contrast, Skype leaves the more commonly affected
> HTTP URLs, containing no information on ownership, untouched. Skype
> also sends head requests which merely fetches administrative
> information relating to the server. To check a site for spam or
> phishing, Skype would need to examine its content.
>
> Back in January, civil rights groups sent an open letter to Microsoft
> questioning the security of Skype communication since the takeover.
> The groups behind the letter, which included the Electronic Frontier
> Foundation and Reporters without Borders expressed concern that the
> restructuring resulting from the takeover meant that Skype would have
> to comply with US laws on eavesdropping and would therefore have to
> permit government agencies and secret services to access Skype
> communications.
>
> In summary, The H and heise Security believe that, having consented to
> Microsoft using all data transmitted over the service pretty much
> however it likes, all Skype users should assume that this will
> actually happen and that the company is not going to reveal what
> exactly it gets up to with this data.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.