funsec mailing list archives
Re: Skype with care
From: Juha-Matti Laurio <juha-matti.laurio () netti fi>
Date: Fri, 17 May 2013 00:36:43 +0300 (EEST)
A different point of view also: http://www.zdnet.com/is-microsoft-reading-your-skype-instant-messages-7000015388/

Juha-Matti

Jeffrey Walton [noloader () gmail com] wrote:

A couple of follow ups on this....

"Skype backdoor confirmation," http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html

and "All Your Skype Are Belong To Us," http://financialcryptography.com/mt/archives/001430.html

On Wed, May 15, 2013 at 10:20 PM, Jeffrey Walton <noloader () gmail com> wrote:
> (Thanks to KW in a private email).
>
> http://www.h-online.com/security/news/item/Skype-with-care-Microsoft-is-reading-everything-you-write-1862870.html
>
> Anyone who uses Skype has consented to the company reading everything they write. The H's associates in Germany at heise Security have now discovered that the Microsoft subsidiary does in fact make use of this privilege in practice. Shortly after sending HTTPS URLs over the instant messaging service, those URLs receive an unannounced visit from Microsoft HQ in Redmond.
>
> A reader informed heise Security that he had observed some unusual network traffic following a Skype instant messaging conversation. The server indicated a potential replay attack. It turned out that an IP address which traced back to Microsoft had accessed the HTTPS URLs previously transmitted over Skype. Heise Security then reproduced the events by sending two test HTTPS URLs, one containing login information and one pointing to a private cloud-based file-sharing service. A few hours after their Skype messages, they observed the following in the server log:
>
> 65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"
>
> Source: Utrace
>
> They too had received visits to each of the HTTPS URLs transmitted over Skype from an IP address registered to Microsoft in Redmond. URLs pointing to encrypted web pages frequently contain unique session data or other confidential information. HTTP URLs, by contrast, were not accessed. In visiting these pages, Microsoft made use of both the login information and the specially created URL for a private cloud-based file-sharing service.
>
> In response to an enquiry from heise Security, Skype referred them to a passage from its data protection policy:
> "Skype may use automated scanning within Instant Messages and SMS to (a) identify suspected spam and/or (b) identify URLs that have been previously flagged as spam, fraud, or phishing links."
>
> A spokesman for the company confirmed that it scans messages to filter out spam and phishing websites. This explanation does not appear to fit the facts, however. Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends HEAD requests, which merely fetch administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.
>
> Back in January, civil rights groups sent an open letter to Microsoft questioning the security of Skype communication since the takeover. The groups behind the letter, which included the Electronic Frontier Foundation and Reporters without Borders, expressed concern that the restructuring resulting from the takeover meant that Skype would have to comply with US laws on eavesdropping and would therefore have to permit government agencies and secret services to access Skype communications.
>
> In summary, The H and heise Security believe that, having consented to Microsoft using all data transmitted over the service pretty much however it likes, all Skype users should assume that this will actually happen and that the company is not going to reveal what exactly it gets up to with this data.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
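The server-side check that the quoted log line invites, added here as an example and not code from the thread or from heise Security: it parses common-format access-log lines and flags requests for URLs whose query string carries credentials or session material when they come from a client the link was never sent to, which is exactly the pattern of the HEAD request above. The sample log reuses the article's line plus two constructed lines; the documentation addresses 192.0.2.10 and 198.51.100.7 and the list of sensitive parameter names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common log format prefix, as in the line heise Security quoted; anything after the request is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)"'
)

# Query keys whose presence means the URL itself carries a secret (assumed list; extend per site).
SENSITIVE_KEYS = {"user", "password", "passwd", "token", "session", "sessionid", "key"}

# Sample log: the first line is from the article; the other two are constructed and use
# RFC 5737 documentation addresses. "/.../" is the path exactly as elided in the article.
SAMPLE_LOG = [
    '65.52.100.214 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"',
    '192.0.2.10 - - [30/Apr/2013:19:20:01 +0200] "GET /.../login.html?user=tbtest&password=geheim HTTP/1.1" 200 512',
    '198.51.100.7 - - [30/Apr/2013:19:25:12 +0200] "GET /index.html HTTP/1.1" 200 1024',
]

def parse_line(line):
    """Split one access-log line into its fields, or return None if it is not in common format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def sensitive_params(target):
    """Names of query parameters in the request target that look like credentials or session data."""
    query = urlsplit(target).query
    return sorted(k for k in parse_qs(query, keep_blank_values=True) if k.lower() in SENSITIVE_KEYS)

def find_link_probes(lines, expected_ips):
    """Flag fetches of secret-bearing URLs by clients other than the recipients of the link.
    HEAD and GET are both reported: the article shows HEAD, but a GET exposes the same secrets."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in expected_ips or rec["method"] not in ("HEAD", "GET"):
            continue
        keys = sensitive_params(rec["target"])
        if keys:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                         "path": urlsplit(rec["target"]).path, "leaked_keys": keys})
    return hits

if __name__ == "__main__":
    # The only expected client is the tester's own address; anything else fetching the link is a leak.
    for hit in find_link_probes(SAMPLE_LOG, expected_ips={"192.0.2.10"}):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} leaked={hit['leaked_keys']}")
```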