Nytro Posted May 18, 2013 Report Share Posted May 18, 2013 [h=1][cryptography] skype backdoor confirmation[/h]Adam Back adam at cypherspace.org Thu May 16 15:52:24 EDT 2013So when I saw this article Skype with care – Microsoft is reading everything you write - The H Security: News and FeaturesI was disappointed the rumoured skype backdoor is claimed to be real, andthat they have evidence. The method by which they confirmed is kind of odd- not only is skype eavesdropping but its doing head requests on SSL sitesthat have urls pasted in the skype chat!Now I've worked with a few of the german security outfits before, though notHeise, and they are usually top-notch, so if they say its confirmed, yougenerally are advised to believe them. And the date on the article is acouple of days old, but I tried it anyway. Setup an non-indexed/dev/urandom generated long filename, and saved it as php with ameta-refresh to a known malware site in case thats a trigger, and a passivehtml with no refresh and no args. Passed a username password via?user=foo&password=bar to the php one and sent the links to Ian Grigg who Isaw was online over skype with strict instructions not to click.To my surprise I see this two entries in the apache SSL log:65.52.100.214 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -65.52.100.214 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -I was using skype on ubuntu, my Ian on the other end was using MAC OSX. Ittook about 45mins until the hit came so they must be batched. (The gapbetween the two requests is because I did some work on the web server as theSSL cert was expired and I didnt want that to prevent it working, norsomething more script like with cgi arguments as in the article).Now are they just hoovering up the skype IMs via the new microsoft centralserver architecture having back doored skype client to no longer haveend2end encrption (and feedind them through echelon or whatever) or is thisthe client that is reading your IMs and sending selected things to themothership.btw their HEAD request was completely ineffective per the weak excusemicrosoft offered in the article at top my php contained a meta-refreshwhich the head wont see as its in the html body. (Yes I confirmed via myown localhost HTTP get as web dev environments are automatic in variousways).So there is adium4skype which allows you to use OTR with your skype contactsand using skype as the transport. Or one might be more inclined to dropskype in protest.I think the spooks have been watching "Person of Interest" too much to thinksuch things are cricket. How far does this go? Do people need to worryabout microsoft IIS web servers with SSL, exchange servers?You do have to wonder if apple backdoored their IM client, below the OTR, orsilent circle, or the OS - I mean how far does this go? Jon Callas said notapple, that wouldnt be cool, and apple aims for coolness for users; maybe heshould dig a little more. It seems to be getting to you cant trust anythingwithout compiling it from source, and having a good PGP WoT network withdevelopers. A distro binary possibly isnt enough in such an environment.AdamSursa: [cryptography] skype backdoor confirmation Quote Link to comment Share on other sites More sharing options...
