Category Archives: Skype

Are your Skype username and password completely exposed if you use iSkoot?

UPDATE #1: Ironically, email to “security@iskoot.com” bounced. I did send it to several other addresses, though.

UPDATE #2: The iSkoot FAQ indicates that passwords are encrypted using SSL. So either the FAQ is now wrong or Dameon’s capture is wrong.

UPDATE #3: Dameon has now posted a packet trace clearly showing a Skype user name (“insecure-user”) and a password (“insecure-password”).

UPDATE #4: iSkoot CEO Mark Jacobstein has commented on this post stating unequivocally that they always encrypt with SSL.

UPDATE #5, April 27, 2008: As Jim Courtney notes in a comment to this post, iSkoot CEO Mark Jacobstein sent messages to several of us indicating that after further research on their end, there IS an issue with the Symbian version of the iSkoot software and that will be addressed quickly.

UPDATE #6, April 28, 2008: For those interested, I’ve published a chronology of the communication that occurred around this issue.

UPDATE #7, April 28, 2008: As noted here, iSkoot now has issued a formal statement and plan for a fix.


——–

iskootlogo.jpgIf you use iSkoot to put Skype on your mobile phone, could it be that your Skype credentials (username, password) are transmitted in the clear? Based on some disturbing news from Dameon Welch-Abernathy, a.k.a. “PhoneBoy”, it certainly looks that way. In his post late last night, “iSkoot Transmits Your Data In The Clear“, he discusses his tests of capturing network traffic from both the new Skype for Mobile client and also from iSkoot. The difference is disturbing:

First of all, Skype appeared to use a TCP connection on a non-standard port. Fine with me. I looked at the raw packets generated by Skype Mobile and saw an opaque blob–exactly what I expected to see.

iSkoot uses TCP port 80–the same port used by HTTP, the lingua franca of downloading web pages. It sends various things as a series of HTTP GET calls. The scary part of this that your text chat messages–and lots of other interesting information, including your Skype credentials–is being transmitted in the clear. That’s right, iSkoot takes all that perfectly good encryption that Skype employs and throws it out the window. For no good reason.

If true (and I have no reason to doubt Dameon), this is obviously of great concern. Someone using iSkoot from their mobile over WiFi is effectively allowing their Skype credentials to be seen by anyone who can intercept their traffic (i.e. is either on the local WiFi network or is between them and iSkoot’s servers). Yes, Skype chats can also be intercepted (but that’s been a known issue with iSkoot) and while that is of concern, especially because users may assume the chats are encrypted as they are with Skype, the larger concern is interception of credentials… if someone gets your Skype username and password they can obviously login to Skype.

I am a bit surprised by the exposure of credentials (and did email Dameon back to confirm he could definitely see them) because when I raised my concerns about iSkoot last July, Jacqueline Van Meter from iSkoot Product Management responded to my concerns in a comment (left, actually, to a subsequent post I made about iSkoot) and stated this:

Of course, we take the issue of password security very seriously. Login and password information are always encrypted. The information is stored on the handset only—never the server—and only in cases where the user selects the auto sign-in option. The communication from the client to our server is also encrypted and secured, using https.

Jim CourtneyPhil Wolff, in his excellent review of iSkoot last October when it was announced that it would be used in the 3 Skypephone also says this about Skype chats over iSkoot:

Downside 5: Because Skype hasn’t shared their encryption algorithms with iSkoot, your Skype chats aren’t encrypted, although your login is.

If Skype credentials are now exposed, this is indeed a serious matter that iSkoot needs to address, especially given the millions of users of the 3 Skypephone which uses the iSkoot client. Did something change during one of the releases and the protection referenced above was inadvertantly removed? If HTTPS was used for encryption why didn’t Dameon see that? (Or did Dameon see the unencrypted chats but miss that the login was encrypted?)

Before we jump to conclusions, though, it strikes me that we need to do a couple of things:

  1. Verify again with a packet trace that the Skype username and password are visible during the iSkoot login (or subsequent message exchange). This is what I’ve asked of Dameon but with time differences, he is asleep right now. If anyone else has the capacity to test this, it would be good to have that confirmation. Unfortunately, I can’t personally as I don’t have any WiFi devices on which to run iSkoot.
  2. Understand how often the Skype credentials are sent by the iSkoot client. Is it only at the very first login? Or are they sent with every transaction?
  3. Contact iSkoot to see what they say. (I’ve just sent an email.)

After all of that, we can understand what risk is here right now.

Regardless of the outcome (and I hope that the credentials are not in the clear), this whole experience does show a stark difference between Skype’s new Mobile version and the iSkoot client. Skype, obviously, can secure all of the chats and communication in general. iSkoot, being a third-party app, can’t. Will that matter in the market place? Or does iSkoot have a friendlier model for carriers?

Meanwhile, let’s do some testing… I’ll update this post with more info as we can get it.


Technorati Tags:
, , , , ,

Blue Box Podcast #76 now available – Cisco, Skype and BT vulnerabilities, when SIP looks like SPIT, VoIP security threat predictions and the FBI forgets to pay their bills

MD_bluebox157-2.jpgBlue Box Podcast #76 is now available discussing Cisco, Skype and BT
vulnerabilities, when SIP looks like SPIT, VoIP security threat
predictions and the FBI forgets to pay their bills, plus listener
comments and more…

Jonathan and I recorded the show on January 22nd and I’m now *almost*
caught up with 1 main show still in the production queue (and about
10 special editions!)

Technorati Tags:
, , , ,

Oops… Skype failed to mention this wee minor security update…

B9C2EAA9-B78E-4378-9433-6D6EC2DEC3B4.jpgSkype today announced that there is a serious security vulnerability in Skype for Windows versions older than 3.6.x.216. As noted:

An exploitable memory corruption may occur during the parsing of URIs which can result in arbitrary code execution under the user rights of the current Windows account.

It turns out that this was fixed in the release back on November 15th, but Skype had an “unintentional communication oversight”:

At Skype, we strive to inform the public of vulnerabilities and malware that may affect Skype software. While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public’s attention. All we can do now is to apologize.

Oops!

Thanks for the apology, Skype… and now would be a really good time for any Windows Skype users out there to look at upgrading!

P.S. Tip of the hat to Ryan Naraine’s Zero Day blog where we noticed the item this morning.

Technorati Tags:
, , ,

Malware tries to entice Skype users with chat msg about lost girl…

Last week I meant to write about this, but Skype is advising people about some malware that is floating around that tries to entice Skype users to click a link that will then infect your computer. The rather despicable fashion the malware uses is to send a chat message that says “Please help me find this girl” referring to Madeleine McCann. Facetime Security Labs has a lengthy writeup that goes into all sorts of details about the particular worm variant. It propagates via IM, so it’s not anything particularly tied into VoIP, but obviously just something people should be concerned about.

Technorati Tags:

Skype’s Chat Worm

Skype is certainly taking some punishment recently. Today the news broke that someone has let loose a worm that uses the Skype API to send a chat message to your Skype contacts. The chat message includes a link which (if the user clicks on it) will download the w32/Ramex.A virus, which in turn infects their PC, and will visit their Skype friends. Obviously, this is a big concern for anyone with a user base as large as Skype’s, since even a small percentage of users that click on the link can cause wide distribution.

More: Skype Blog

It’s official – Skype blames the outage on Microsoft (indirectly)

Well, the official word is out from Skype and it can be summarized: the reboots from Microsoft patches triggered a previously-undetected condition and crashed out network

Skype PR staffer Villu Arak writes in “What happened on August 16“:

On Thursday, 16th August 2007, the Skype peer-to-peer network became unstable and suffered a critical disruption. The disruption was triggered by a massive restart of our users’ computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update.

The high number of restarts affected Skype’s network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact.

Okay… I can buy that this type of thing could trigger some kind of chain reaction, but I don’t understand why this month was different than any other month.  For.. what? two or three years now (more?) Microsoft patches have been coming out like clockwork on the second Tuesday of each month.  Each second Tuesday or Wednesday, the millions of computers set to auto-update do so.  All those zillions of computers restart automatically.  Each and every month.  What was so special about this August that was different from every other month?  Was the number or restarts in a short period of time really that much different from other months? Why? Is the issue that there are so many more Windows Skype users than in previous months and years? Was this just the so-called “tipping point” when there were enough Windows Skype users that the normal restarts triggered this chain reaction?

The issue has now been identified explicitly within Skype. We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk.

In other words, it was not a DDoS by Russian hackers, as one rumor had it (which had actually already been dismissed by every security researcher who looked at the alleged exploit code).

This disruption was unprecedented in terms of its impact and scope. We would like to point out that very few technologies or communications networks today are guaranteed to operate without interruptions.

Fair enough statement – if you are looking at data or web technologies… but the PSTN, to which Skype would seem to like to be compared, is designed to operate without interruptions (or with as minimal as possible).  You know, there is this wee little market for “carrier-grade” equipment/software/etc. that is designed to be highly available without downtime.  If a carrier’s network were down for over 48 hours, there would be a zillion lawsuits, intense government inquiries and more.  The carriers that make up what we call the “PSTN” put an incredible effort into ensuring availability.  If Skype wants to play in that game, they have to be ready to play at the same level.

Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring.

Good. We would expect that.

I appreciate that Skype has been as communicative as they have through their blog and heartbeat site.  Thank you, Skype, for communicating – and leaving the comments open.  However, to me the information provided today is still lacking one key piece:

Why were the mass restarts associated with the August 2007 Microsoft updates different from the mass restarts associated with any other month’s Microsoft updates

(Cross-posted from my Disruptive Telephony blog where I’ve been tracking the Skype outage.)

Technorati tags: , ,

Skype Journal: "Security, Skype and the Blackberry"

With the rise of new Skype clients for the Blackberry, such as iSkoot and IM+, one of the obvious questions raised by bloggers (including myself) was “what about the security?” Particularly since you have to give the Blackberry client your Skype username and password, essentially giving the client (and its developers) full access to your Skype account. Well, Jim Courtney over at Skype Journal also writes a good bit about Blackberries as well as Skype download, and posted his response to the issue on Friday: “Security, Skype and the Blackberry“.

I still suffer a lingering uncertainty, but I’ll admit that Jim’s digging does seem rather persuasive.

Technorati tags: , , , ,

Security: A Question of Balance

According to Silicon.com, Ivan Krstić, Director of Security Architecture for the One Laptop Per Child project, used a keynote speech at AusCERT 2007 to criticize the architecture of modern operating systems, which allow every application to run with maximum access rights to the machine.

This is of course a topic that exercises many security managers these days, since there are so many things that a multimedia PC can do today, including playing, recording and editing music & video; creating and editing images and text; phoning, instant messaging and video calling. What is more there are vast numbers of applications that can be rapidly bought and downloaded from the Internet, giving near instant on-demand installation of nearly any type of application. For convenience, most users run in administrator mode all the time, as it avoids answering pesky questions when we want to install and gratify our need for new software.

Many VoIP users run softphones on their PCs. Softphones are cheap, and can be extremely convenient to use. They also create new possibilities, like being able to record calls or teleconferences without spending a lot of money on recording hardware and software. From a security point-of-view, of course, this is a risk, since the softphone can control all the facilities of your PC, has access to the disk drive, and could potentially record audio, or perhaps even all LAN traffic, without you knowing. From a LAN architectural point of view, some experts say that you should use VLANs, so that VoIP phone handsets and PCs cannot interact with each others’ traffic. This would avoid a PC being able to initiate SIP calls (if, say, a malicious user wanted to run some SIP scanning software on a machine), but if you want the convenience of running softphones, then the PCs must be able to make SIP calls, so really VLANs are out.

So once again it really comes down to security versus convenience. We can lock down PCs completely and make them “safe”, but then you could argue that users will be less productive, if the IS department must get involved whenever any new thing will be installed. At the other end of the scale, letting users install everything they want, from wherever, whenever they feel like it, is a recipe for a security disaster. It’s a balance, and that is one of the reasons that security is a difficult area.

To talk about the One Laptop Per Child project for a moment, this is an effort to build a $100 laptop (the XO) that can be made in the millions to provide to school children everywhere. If you haven’t heard of this before, I strongly recommend that you watch the video from TED 2006 where Nicholas Negroponte explains what they are trying to do. A very worthwhile project and this video is 18 minutes of gold dust. Describing one of their pilot projects in a remote village Cambodia, Negroponte says of the children with their laptops: “They only know Skype, they’ve never heard of telephony.”

Skype with a ‘Z’

IP Softphone specialists CounterPath recently announced that they will license Phil Zimmermann’s ZRTP (Zfone) technology for use in their client products, namely eyeBeam and X-Lite, joining other publicly announced licencees Borderware, PGP Corp, Ripcord and TiVi.

As you may know, ZRTP has done very well in terms of acceptance in the last few months. Zimmermann has many friends in the security community, but also has great credentials in the open source world. ZRTP is an openly published protocol, but also is available as source code, thereby making it possible to test in all kinds of ways, not only closed-box (black box) testing but also in terms of working through the algorithm and even unit testing the code.

At the recent IETF meeting, methods of key exchange were discussed, as subscribers to the Voipsec list (from the VOIPSA site) cannot have failed to miss. The IETF have gone from a list of thirteen proposals down to a final two, and ZRTP is one of those, despite being considered by some as a latecomer.  Many organizations and people that I have come across trust in Zimmermann and believe that ZRTP is the answer.

If we go to the opposite end of the trust scale, we find Skype.  Poor old Skype are still getting weekly batterings from press critics on the security front.  A lot of the same criticisms are brought up time and time again, and in fairness Skype have countered a lot of the concerns, by allowing features to be switched off, changes to the package and so on.  We don’t need to rehearse all those issues here once again.

However, the issues that keep coming up, and which Skype have not argued away are those of security by obscurity and the secrecy of the protocols they use for encryption and key exchange. Famously, Skype hired security expert Tom Berson to write a report based on a long evaluation of Skype’s security provisions, but most academics still desire transparency, and the ability to evaluate the algorithms for themselves.

Academics and commercial security experts both say that simply using a secret algorithm is no guarantee of safety. Furthermore, the fact that it is secret merely means that when someone does compromise Skype, the detection and mitigation of the problem will be slowed down or prevented. Skype at that point becomes a dangerous ‘bot’ sitting behind thousands of firewalls.

What better time, then, for Skype to embrace ZRTP? Licensing ZRTP can hardly be a problem for Skype and its Ebay parent, and there is so much to gain from this. A large community of security and VoIP specialists already believe in ZRTP; the IETF likes it; commercial acceptance exists in licencees in the Softphone and Session Border Controller market. IT Managers, I’m sure, would be happier with Skype usage in the workplace if they were allowed to detect and control it, and (who knows with key escrow) in some way to log and record from it.

Come on, Skype, grab the nettle. The tools are in your hands to silence your critics.