RE: Yahoo Messenger Stale Sessions

[<Leonard.Ong () nokia com>]

Hi,

Of course, logically, you would offload your server. ICQ, MSN, Yahoo, will try its best to connect directly between 
peers, and if they can't, they will have to route it through their server.  I tried Yahoo Voice chat, if I use 
unrestricted Public IP, I can see I have direct connection with peers.  However, If i'm behind NAT and enables 
firewall, it will contact Yahoo Server as intermediate hop between peers.

It is exploitable, since your peer might tbe using a dial-up ip address.  The next user can get this IP address, run 
sniffer, find that yahoo in sending a packet to you (even if you dont' have yahoo), then use the knowledge to exploit 
the established session.  Like saying ' Hi, I don't like you', identity impersonation - repudiation


Regards,
Leonard Ong
Network Security Specialist, APAC
NOKIA

Email.  Leonard.Ong () nokia com
Mobile. +65 9431 6184
Phone.  +65 6723 1724
Fax.    +65 6723 1596



-----Original Message-----
From: ext phani () myrealbox com [mailto:phani () myrealbox com]
Sent: Thursday, November 14, 2002 1:14 PM
To: security-basics () securityfocus com
Subject: Re: Yahoo Messenger Stale Sessions


On Mon, Nov 11, 2002 at 11:04:50AM +0800, Leonard.Ong () nokia com wrote:
hi,
   It is surprising that Y! makes a direct connection to the peer. I thot that Y! connects to the server and that 
handles the communication.
  And what is the vulnerability that u look at. Since the connection is a p2p connection, I think there can be no 
vulnerabilities. Correct me if i am wrong.
thx
phani

> Hello All,
>
> During my observation in daily use of Yahoo Messenger, my computer has "stale/zombie" sessions.  For example, If i 
> have received/message a friend, yahoo will normally make a direct connection from my PC to my friend.  From Netstat 
> result, you can see a high port on my computer is having an Established session with my peer's:5101 port.
>
> The issue is, after a contact has gone offline (dial-up), the state established in the netstat will remain until the 
> next day.  I wouls see this as a vulnerabilities, since an arbitrary user can assume the IP Address was used 
> (dial-up->dynamic ip assignment), and use this established session to assume it.
>
> Any idea ?
>
>
> Regards,
> Leonard Ong
> Network Security Specialist, APAC
> NOKIA
>
> Email.  Leonard.Ong () nokia com
> Mobile. +65 9431 6184
> Phone.  +65 6723 1724
> Fax.    +65 6723 1596
>
>
>
> -----Original Message-----
> From: ext Joey [mailto:josefhuggins () hotmail com]
> Sent: Saturday, November 09, 2002 9:32 PM
> To: Security Basics
> Subject: Re: Biometric question
>
>
> To clarify:retinal scanning is about as effective as fingerprints. Retinal
> scanning uses a laser light, often in the green part of the spectrum to scan
> the blood vessels of the internal eye. Both methods scan around 90 metric
> points. They can easily read false depending on whether or not the
> biological sample (in this case eyeball or finger) is placed exactly in the
> same position as it was when it was initially scanned. There is, of course,
> with most software a threshold setting which will allow readings to require
> either a very precise ( a finger must be placed in exactly the same spot
> every time on a reader ) or very minimal ( a finger can be placed anywhere
> near the center of the reader, but the accuracy drops proportionately )
> setting. The best way to go from everything I've seen and read is with iris
> scans. Whereas fingerprint and retina scans read around 90 metric points, an
> iris scan reads about 250. Iris scans are non-invasive whereas retina scans
> require a laser light or other strong light source directed through the
> cornea in order to read the vessel pattern in the back of the eye. While
> it's allot more expensive, if security, and not money is your concern, I
> think iris scanners are the way to go. If you can't "hack" it and you have
> to settle w/fingerprint or retinal scanners, I would go for the fingerprint
> scanner.
>
> -J
>
> ----- Original Message -----
> From: Naveed Ahmed <naveed.ahmed () vinciti com>
> To: <msconzo () tamu edu>; <security-basics () security-focus com>
> Sent: Thursday, November 07, 2002 11:05 AM
> Subject: RE: Biometric question
>
>
> > Michael is right.
> > the better ones are ( at least relatively more difficult to fake) retina
> > scans and  voice recognition.
> > dont go by what tom cruise does in 'minority report' with the eye
> balls.!!!
> > rgds
> > -Naveed
> >
> > -----Original Message-----
> > From: Michael Sconzo [mailto:msconzo () tamu edu]
> > Sent: Thursday, November 07, 2002 10:43 PM
> > To: security-basics () security-focus com
> > Subject: RE: Biometric question
> >
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > One of the more memorable things that I have read about fingerprint
> > scanners is:
> > http://www.counterpane.com/crypto-gram-0205.html#5
> >
> > You can basically fake a fingerprint biometric machine with a gummi
> > bear.  If I remember correctly, the majority of fingerprint scanners
> > are vulnerable to this type of attack. One of the big things to look
> > for is one that samples SHAPES not POINTS, and remember the more the
> > merrier.
> >
> > As for other types of biometrics, I am not too sure, hopefully
> > somebody else can shed some light on those.
> >
> > - -mike
> >
> >
> > - -----Original Message-----
> > From: Felix Cuello [mailto:felix () qodiga com]
> > Sent: Wednesday, November 06, 2002 1:27 PM
> > To: security-basics () security-focus com
> > Subject: Biometric question
> >
> >
> >
> > Hello list!
> >
> >    I will work in a project where phisical security will be based on
> >    biometrics, in fact only will be based on fingerprints biometric.
> >
> >    How secure are fingerprints?, what biometric are more secure?
> > (voice,
> >    eye, ??? what else).
> >
> >    I'm not a security expert :-)
> >
> >    Thanks a lot,
> >
> >    Felix
> >    [my english is bad... please sorry :-)]
> >
> > - --
> > Felix Cuello
> > felix () qodiga com
> >
> > Qodiga/its
> > Av.Santa Fe 882 P.13 Of. "E"
> > C.P. ABP1059C
> > Tel.: (54) 011 - 4312-1698
> > Buenos Aires - Argentina
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: PGPfreeware 6.5.8 for non-commercial use <http://www.pgp.com>
> >
> > iQA/AwUBPcqfKy76iJsaBRvcEQJ4GQCg8IIGDvldPOk6Bll7RV8spScjPDAAoPuy
> > DzeFhJhhlLBeyqWGS/NABATs
> > =kUtf
> > -----END PGP SIGNATURE-----