[LACNIC/Seguridad] Fwd: On Skype URL eavesdropping

Fernando Gont fernando en gont.com.ar
Mon May 20 22:53:21 BRT 2013


Dear all,

FYI. -- Rumour has it that Skype has been "Microsoft'ed" :-)



-------- Original Message --------
   4. On Skype URL eavesdropping (Kirils Solovjovs)
   5. Re: On Skype URL eavesdropping (Jeffrey Walton)
   6. Re: On Skype URL eavesdropping (Bruce Ediger)
   7. Re: On Skype URL eavesdropping (Alex)


----------------------------------------------------------------------

Message: 4
Date: Fri, 17 May 2013 00:41:09 +0300
From: Kirils Solovjovs <kirils.solovjovs en kirils.com>
To: full-disclosure en lists.grok.org.uk
Subject: [Full-disclosure] On Skype URL eavesdropping
Message-ID: <51955275.5090106 en kirils.com>
Content-Type: text/plain; charset=UTF-8; format=flowed

You may have read about this in another list.
http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
http://financialcryptography.com/mt/archives/001430.html


I'd like to give out some observations and point out some not so obvious
risks (as if Microsoft Skypying? on your conversations is not enough).

Requests always come from the same IP 65.52.100.214.
They have referrer and user agent set to a dash "-".
They are always HEAD requests which immediately follow 302 redirects.
They access both http and https links despite some speculations saying
that they do it one way or the other.
This is a relatively new phenomenon that by my accounts has been happening
since the end of April 2013.


Sidenote: A couple of years ago, before the acquisition by Microsoft, Skype
expressed an unhealthy level of interest in my work, so I decided to run a
privacy test trying to catch them red-handed. I set up some trap links,
but to this day no one has triggered them. Maybe it had to do with me
using a Linux version of their client at that time...


Back to the point. Now that it's clear that [at least] links from users'
private chats somehow magically end up at Redmond, it's obviously a
privacy issue of having some usernames/password/sessions/whatever
embedded in the URL.

But this also allows the sysad/webmaster to see when a link is shared on
Skype. And with a little magic logic, to see the IP address(es) of
people receiving that link.
To give you an example, I was able to learn that just around midnight of
May 7 the paper
http://kirils.org/skype/stuff/pdf/2011/ms_thesis_analysis.pdf was shared
between a student of Chalmers University and a student of Comenius
University via Skype (oh, the irony).

Who shared what when? Skype knows.



Now how about some trolling... er, I mean security implications for
Microsoft themselves....

RewriteEngine On
# match on the raw client address; REMOTE_HOST only carries a name when
# HostnameLookups is on, REMOTE_ADDR is always the IP
RewriteCond %{REMOTE_ADDR}    ^65\.52\.100\.214$
RewriteCond %{REQUEST_METHOD} ^HEAD$
RewriteRule .* http://123 [R=302,L]

where 123 can be any one of:
1) an offensive url, e.g. goatse
2) a redirect loop
3) a CSRF to a local device, see
http://nakedsecurity.sophos.com/2013/04/11/anatomy-of-an-exploit-linksys-router-remote-password-change-hole/


Kirils Solovjovs
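
An added example that is not part of the post above: a scanner for Apache
"combined" access logs that flags the pattern described there (HEAD from
65.52.100.214 with Referer and User-Agent both "-"), lists query parameters
in the fetched URL that look like credentials or session material, and pairs
each hit with later GETs of the same path from other addresses, which is the
"who received the link" inference. The combined log format, the sample log
lines, every address other than 65.52.100.214, the parameter-name list and the
ten-minute pairing window are assumptions made for the example.

```python
"""Detect the HEAD-only link checker in Apache "combined" logs, flag URLs that
carry secrets in their query string, and pair each hit with the later GETs of
the same path from other addresses.  Added example, not from the thread.
The sample log lines below are constructed, not real server logs."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qsl

CHECKER_IP = "65.52.100.214"        # source address reported in the thread

# Apache LogFormat "combined" (assumed):
#   %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# query-string names that usually mean the URL itself is a credential (assumed list)
SECRET_KEYS = ("token", "session", "sid", "key", "pass", "auth", "secret")


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_checker_hit(rec):
    """The pattern reported in the thread: HEAD from the fixed IP, Referer and UA both '-'."""
    return (rec["ip"] == CHECKER_IP and rec["method"] == "HEAD"
            and rec["referer"] == "-" and rec["ua"] == "-")


def secret_params(path):
    """Names of query parameters that look like credentials or session material."""
    keys = {k for k, _ in parse_qsl(urlsplit(path).query, keep_blank_values=True)}
    return sorted(k for k in keys if any(s in k.lower() for s in SECRET_KEYS))


def scan(lines, window=timedelta(minutes=10)):
    """One report per checker hit, with later GETs of the same path by other IPs."""
    recs = [r for r in map(parse_line, lines) if r]
    reports = []
    for hit in (r for r in recs if is_checker_hit(r)):
        readers = sorted({r["ip"] for r in recs
                          if r["method"] == "GET" and r["path"] == hit["path"]
                          and r["ip"] != CHECKER_IP
                          and hit["ts"] <= r["ts"] <= hit["ts"] + window})
        reports.append({"when": hit["time"], "path": hit["path"],
                        "leaked": secret_params(hit["path"]), "readers": readers})
    return reports


# Constructed sample: two checker hits, one follow-up GET inside the window,
# one GET two hours later (outside it), and one non-matching request from the same IP.
SAMPLE_LOG = [
    '65.52.100.214 - - [02/May/2013:10:00:00 +0000] "HEAD /paper.pdf HTTP/1.1" 200 - "-" "-"',
    '65.52.100.214 - - [02/May/2013:10:01:00 +0000] "HEAD /reset?user=alice&token=d3adb33f HTTP/1.1" 200 - "-" "-"',
    '203.0.113.7 - - [02/May/2013:10:03:30 +0000] "GET /reset?user=alice&token=d3adb33f HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [02/May/2013:12:00:00 +0000] "GET /reset?user=alice&token=d3adb33f HTTP/1.1" 200 4012 "-" "Mozilla/5.0"',
    '65.52.100.214 - - [02/May/2013:10:05:00 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.29"',
]

if __name__ == "__main__":
    for rep in scan(SAMPLE_LOG):
        print(rep)
```

The pairing is only a hint: anyone who fetches the same path inside the window
shows up as a "reader", so on a popular page it is noise, while on a one-off
link (a thesis PDF, a password-reset URL) it is exactly the inference the post
describes.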



------------------------------

Message: 5
Date: Thu, 16 May 2013 19:17:55 -0400
From: Jeffrey Walton <noloader en gmail.com>
To: Kirils Solovjovs <kirils.solovjovs en kirils.com>
Cc: full-disclosure en lists.grok.org.uk
Subject: Re: [Full-disclosure] On Skype URL eavesdropping
Message-ID:
	<CAH8yC8=4CukKVT_s9iie=FBxGJq-+z=RFMAfVCx-5T8KbkqwTg en mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

On Thu, May 16, 2013 at 5:41 PM, Kirils Solovjovs
<kirils.solovjovs en kirils.com> wrote:
> You may have read about this in another list.
> http://lists.randombit.net/pipermail/cryptography/2013-May/004224.html
> http://financialcryptography.com/mt/archives/001430.html
>
>
> I'd like to give out some observations and point out some not so
> obvious risks (as if Microsoft Skypying? on your conversations is
> not enough).
> 
> Requests always come from the same IP 65.52.100.214. They have
> referrer and user agent set to a dash "-". They are always HEAD
> requests which immediately follow 302 redirects. They access both
> http and https links despite some speculations saying that they do
> it one way or the other. This is a relatively new phenomena that by
> my accounts is happening since the end of April 2013.
...
> Back to the point. Now that it's clear that [at least] links from
> users' private chats somehow magically end up at Redmond, it's
> obviously a privacy issue of having some
> usernames/password/sessions/whatever embedded in the URL.
There could be legal concerns here too (if a prosecutor takes an interest
in folks besides the Swartzes of the world).

I can't wait to see the first CFAA violation brought against
interception services like these. Consider: the owner of the remote
server surely did not authorize the interception service to access the
site with a user's username and password. That's a clear violation of
exceeding one's authority under the CFAA since the interception
service had no authority from the server's owners.

Jeff



------------------------------

Message: 6
Date: Thu, 16 May 2013 19:53:43 -0600 (MDT)
From: Bruce Ediger <bediger en stratigery.com>
To: full-disclosure en lists.grok.org.uk
Subject: Re: [Full-disclosure] On Skype URL eavesdropping
Message-ID: <alpine.LNX.2.00.1305161937090.14566 en dagoo.intranet>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed

On Fri, 17 May 2013, Kirils Solovjovs wrote:

> Requests always come from the same IP 65.52.100.214.

Oddly, I have an HTTP request from 65.52.100.214 in my apache log files.
It asked for http://stratigery.com/scripting.ftp.html, by far the most
popular page on my web site.  It used a HEAD.  Referer and user agent
both '-'.

That much is the same as everyone else.  I have a little more to add.
I have p0f version 2 running at the same time.  I can match up the
65.52.100.214 with this from p0f:

UNKNOWN [8192:56:1:48:M1460,N,N,S:.:?:?]

p0f also claims an "ethernet/modem" link.

I find 1 other hit in my p0f log file with that OS guess, from
1.23.166.134, which was also asking for
http://stratigery.com/scripting.ftp.html, but with a GET.

1.23.166.134 had a referer of http://www.google.co.in
1.23.166.134 had a user agent of " Mozilla/4.0 (compatible; MSIE 7.0;
Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR
1.1.4322; .NET CLR 3.5.30729; InfoPath.1; .NET4.0C; .NET4.0E)"


65.52.100.214 hit my web server at 2013-04-30 07:26:26-06
1.23.166.134  hit my web server at 2012-04-09 11:26:00-06

Note that I do not use Skype at all.
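
An added example, not part of the post above and not p0f's own code: a
decoder for p0f v2 SYN signatures in the layout
window:ttl:df:syn_size:options:quirks:genre:details, run over the signature
quoted there. The option and quirk letters follow the p0f v2 fingerprint
file format; the initial-TTL guess (round the observed TTL up to the nearest
of 32/64/128/255) and the check that the option bytes account for the SYN
size are ordinary sanity rules added here, not something p0f printed. For
the quoted line the guess comes out as an initial TTL of 64 eight hops away,
which is the usual Linux/BSD default rather than the 128 Windows uses, a
point worth weighing against the nmap "Vista" guess reported later in the
thread (the host may of course be behind a proxy or load balancer).

```python
"""Decode a p0f v2 SYN signature such as the one quoted above.
Added example: not from the thread and not p0f's own code.  The field layout
(window:ttl:df:syn_size:options:quirks:genre:details) and the option and quirk
letters follow the p0f v2 fingerprint file format; the initial-TTL guess and
the option-length check are sanity rules added here."""
import re

OPTION_NAMES = {"N": "NOP", "E": "EOL", "S": "SACK_OK", "T": "TIMESTAMP",
                "T0": "TIMESTAMP_ZERO", "M": "MSS", "W": "WSCALE", "?": "UNKNOWN"}
# on-the-wire length in bytes of each TCP option kind
OPTION_BYTES = {"NOP": 1, "EOL": 1, "SACK_OK": 2, "TIMESTAMP": 10,
                "TIMESTAMP_ZERO": 10, "MSS": 4, "WSCALE": 3}
QUIRK_NAMES = {"P": "options past EOL", "Z": "zero IP ID", "I": "IP options present",
               "U": "urgent pointer set", "X": "unused (x2) field non-zero",
               "A": "ACK number non-zero on SYN", "T": "non-zero second timestamp",
               "F": "unusual flags (PUSH/URG)", "D": "data payload in SYN",
               "!": "broken options"}
COMMON_INITIAL_TTLS = (32, 64, 128, 255)


def decode_option(tok):
    """'M1460' -> ('MSS', 1460); 'N' -> ('NOP', None); a '*' value comes back as None."""
    m = re.fullmatch(r"(M|W|\?)(\d+|\*)", tok)
    if m:
        letter, val = m.groups()
        return OPTION_NAMES[letter], (None if val == "*" else int(val))
    if tok in OPTION_NAMES:
        return OPTION_NAMES[tok], None
    raise ValueError("unknown p0f option token: %r" % tok)


def guess_initial_ttl(ttl):
    """Round the observed TTL up to the nearest common initial value; returns (initial, hops)."""
    for init in COMMON_INITIAL_TTLS:
        if ttl <= init:
            return init, init - ttl
    raise ValueError("TTL %d is not a valid IPv4 TTL" % ttl)


def parse_signature(sig):
    parts = sig.strip().strip("[]").split(":", 7)   # the details field may itself contain ':'
    if len(parts) != 8:
        raise ValueError("expected 8 colon-separated fields, got %d" % len(parts))
    window, ttl, df, size, opts, quirks, genre, details = parts
    options = [] if opts == "." else [decode_option(t) for t in opts.split(",")]
    # 20-byte IP header + 20-byte TCP header + options; an unknown option (?n) has
    # no fixed length, so the size check is skipped when one is present
    known = all(name != "UNKNOWN" for name, _ in options)
    expected = 40 + sum(OPTION_BYTES[name] for name, _ in options) if known else None
    return {
        "window": int(window) if window.isdigit() else window,   # may be S4, T4, *, %n
        "ttl": int(ttl),
        "df": df == "1",
        "syn_size": int(size),
        "options": options,
        "quirks": [QUIRK_NAMES.get(q, "unknown quirk %r" % q) for q in quirks if q != "."],
        "genre": genre,
        "details": details,
        "initial_ttl_guess": guess_initial_ttl(int(ttl)),
        "size_matches_options": None if expected is None else expected == int(size),
    }


def parse_p0f_line(line):
    """Pull the [signature] out of a p0f log line such as 'UNKNOWN [8192:56:...]'."""
    m = re.search(r"\[([^\]]+)\]", line)
    if not m:
        raise ValueError("no [signature] found in: %r" % line)
    return parse_signature(m.group(1))


SAMPLE = "UNKNOWN [8192:56:1:48:M1460,N,N,S:.:?:?]"   # the line quoted in the post

if __name__ == "__main__":
    for k, v in parse_p0f_line(SAMPLE).items():
        print("%-22s %s" % (k, v))
```

For the quoted line the options decode to MSS 1460, NOP, NOP, SACK permitted
(4 + 1 + 1 + 2 = 8 bytes), which together with the 40 bytes of headers gives
exactly the 48-byte SYN size p0f recorded, so the signature is internally
consistent even though p0f had no matching OS entry for it.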



------------------------------

Message: 7
Date: Fri, 17 May 2013 11:53:54 +0200
From: Alex <fd en daloo.de>
To: full-disclosure en lists.grok.org.uk
Subject: Re: [Full-disclosure] On Skype URL eavesdropping
Message-ID: <c8743373e1c6cb63706da31f49279b28 en daloo.de>
Content-Type: text/plain; charset=UTF-8; format=flowed

It's funny to see Microsoft using SSH ;)

22/tcp  open   ssh     VanDyke VShell sshd 3.8.6.476 (protocol 2.0)

Btw, nmap thinks it is Vista

Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista

Have 2 log entries:
[29/Apr/2013:15:09:36 +0200]
[18/Apr/2013:14:46:29 +0200]

HEAD, no user agent and so on. Don't use Skype.





On 2013-05-17 03:53, Bruce Ediger wrote:

> On Fri, 17 May 2013, Kirils Solovjovs wrote:
>
> > Requests always come from the same IP 65.52.100.214.
>
> Oddly, I have an HTTP request from 65.52.100.214 in my apache log
> files. It asked for http://stratigery.com/scripting.ftp.html by
> far the most popular page on my web site. It used a HEAD. Referer
> and user agent both '-'
> [...]



------------------------------


-- 
Fernando Gont
e-mail: fernando en gont.com.ar || fgont en si6networks.com
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1






More information about the Seguridad mailing list