[LACNIC/Seguridad] Fwd: Skype with care – Microsoft is reading everything you write

Fernando Gont fernando en gont.com.ar
Wed May 15 01:18:39 BRT 2013

FYI. Source:

---- cut here ----
Skype with care – Microsoft is reading everything you write

Anyone who uses Skype has consented to the company reading everything
they write. The H's associates in Germany at heise Security have now
discovered that the Microsoft subsidiary does in fact make use of this
privilege in practice. Shortly after sending HTTPS URLs over the instant
messaging service, those URLs receive an unannounced visit from
Microsoft HQ in Redmond.

A reader informed heise Security that he had observed some unusual
network traffic following a Skype instant messaging conversation. The
server indicated a potential replay attack. It turned out that an IP
address which traced back to Microsoft had accessed the HTTPS URLs
previously transmitted over Skype. Heise Security then reproduced the
events by sending two test HTTPS URLs, one containing login information
and one pointing to a private cloud-based file-sharing service. A few
hours after their Skype messages, they observed the following in the
server log:

 - - [30/Apr/2013:19:28:32 +0200] "HEAD /.../login.html?user=tbtest&password=geheim HTTP/1.1"

They too had received visits to each of the HTTPS URLs transmitted over
Skype from an IP address registered to Microsoft in Redmond. URLs
pointing to encrypted web pages frequently contain unique session data
or other confidential information. HTTP URLs, by contrast, were not
accessed. In visiting these pages, Microsoft made use of both the login
information and the specially created URL for a private cloud-based
file-sharing service.

In response to an enquiry from heise Security, Skype referred them to a
passage from its data protection policy:

"Skype may use automated scanning within Instant Messages and SMS to (a)
identify suspected spam and/or (b) identify URLs that have been
previously flagged as spam, fraud, or phishing links."

A spokesman for the company confirmed that it scans messages to filter
out spam and phishing websites. This explanation does not appear to fit
the facts, however. Spam and phishing sites are not usually found on
HTTPS pages. By contrast, Skype leaves the more commonly affected HTTP
URLs, containing no information on ownership, untouched. Skype also
sends HEAD requests, which merely fetch administrative information
relating to the server. To check a site for spam or phishing, Skype
would need to examine its content.

Back in January, civil rights groups sent an open letter to Microsoft
questioning the security of Skype communication since the takeover. The
groups behind the letter, which included the Electronic Frontier
Foundation and Reporters without Borders, expressed concern that the
restructuring resulting from the takeover meant that Skype would have to
comply with US laws on eavesdropping and would therefore have to permit
government agencies and secret services to access Skype communications.

In summary, The H and heise Security believe that, having consented to
Microsoft using all data transmitted over the service pretty much
however it likes, all Skype users should assume that this will actually
happen and that the company is not going to reveal what exactly it gets
up to with this data.
---- cut here ----
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
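As an added example (not part of the forwarded article or of this mailing-list post), a small log scanner that applies the article's own criterion to a web server log: a HEAD request against a URL that still carries credentials or session material is the signature of the probe described above. The log lines, parameter names and IP addresses (TEST-NET ranges) below are constructed, not taken from the article.

```python
import re
from dataclasses import dataclass
from typing import List
from urllib.parse import parse_qs, urlsplit

# Apache common-log request line: client ip, identity, user, [timestamp], "METHOD target HTTP/x", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Query-string parameter names that should never travel inside a URL pasted into a chat client.
SENSITIVE_PARAMS = {"user", "username", "password", "passwd", "token", "key", "session", "sid"}


@dataclass
class Finding:
    ip: str
    timestamp: str
    method: str
    path: str
    leaked_params: List[str]


def scan_log(lines, methods=("HEAD",)) -> List[Finding]:
    """Return one Finding per request that uses one of `methods` and whose
    query string names a sensitive parameter: the pattern the article
    describes, a bare HEAD probe against a URL still holding credentials."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or truncated line: skip rather than guess
        if m["method"] not in methods:
            continue
        parts = urlsplit(m["target"])
        params = parse_qs(parts.query, keep_blank_values=True)
        present = sorted(k for k in params if k.lower() in SENSITIVE_PARAMS)
        if present:
            findings.append(Finding(m["ip"], m["ts"], m["method"], parts.path, present))
    return findings


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Apr/2013:19:28:32 +0200] "HEAD /private/login.html?user=tbtest&password=geheim HTTP/1.1" 200 -',
    '198.51.100.7 - - [30/Apr/2013:19:30:01 +0200] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [30/Apr/2013:19:31:15 +0200] "HEAD /share/abc123 HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.ip} {f.method} {f.path} leaked={','.join(f.leaked_params)}")
```

Widening `methods` to include GET catches link-preview fetchers that retrieve the page body as well; the real remedy is to keep credentials and session tokens out of URLs altogether.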
