So when I saw this article:
I was disappointed that the rumoured Skype backdoor is claimed to be real, and that they have evidence. The method by which they confirmed it is kind of odd: not only is Skype eavesdropping, but it's doing HEAD requests on SSL sites that have URLs pasted in the Skype chat!
Now I've worked with a few of the German security outfits before, though not Heise, and they are usually top-notch, so if they say it's confirmed, you generally are advised to believe them. And the date on the article is a couple of days old, but I tried it anyway. Set up a non-indexed /dev/urandom-generated long filename, and saved it as PHP with a meta-refresh to a known malware site in case that's a trigger, and a passive HTML with no refresh and no args. Passed a username and password via ?user=foo&password=bar to the PHP one and sent the links to Ian Grigg, who I saw was online over Skype, with strict instructions not to click.
To my surprise I see these two entries in the Apache SSL log:
220.127.116.11 - - [16/May/2013:13:14:03 -0400] "HEAD /CuArhuk2veg1owOtiTofAryib7CajVisBeb8.html HTTP/1.1" 200 -
18.104.22.168 - - [16/May/2013:14:08:52 -0400] "HEAD /CuArhuk2veg1owOtiTofAyarrUg5blettOlyurc7.php?user=foo&pass=yeahright HTTP/1.1" 200 -
Here are the IP details:
I was using Skype on Ubuntu, Ian on the other end was using Mac OS X. It took about 45 mins until the hit came, so they must be batched. (The gap between the two requests is because I did some work on the web server as the SSL cert was expired and I didn't want that to prevent it working, nor something more script-like with CGI arguments as in the article.)
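The log check described above can be automated. The following is an added example, not code from the original post: it scans Apache access-log lines for requests to unguessable canary paths and reports the method, the delay since the link was pasted, and any credential-like query parameters that travelled with it. The canary paths, paste times, parameter list and sample log lines are all constructed for illustration.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Canary paths (constructed) mapped to the time each link was pasted into chat.
CANARIES = {
    "/canary-Zk3vQe9xLm2.html": datetime.fromisoformat("2013-05-16T12:30:00-04:00"),
    "/canary-Pq8rTt1yWb7.php": datetime.fromisoformat("2013-05-16T12:30:00-04:00"),
}
# Query parameter names treated as credential-like (assumed list).
SENSITIVE = {"user", "username", "pass", "password", "token"}
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def canary_hits(lines):
    """Return one dict per logged request that touched a canary path."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a request line in the expected layout
        url = urlsplit(m["target"])
        sent = CANARIES.get(url.path)
        if sent is None:
            continue  # ordinary traffic, not a canary
        seen = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        params = parse_qs(url.query, keep_blank_values=True)
        hits.append({
            "ip": m["ip"], "method": m["method"], "path": url.path,
            "delay_min": round((seen - sent).total_seconds() / 60),
            "leaked_params": sorted(SENSITIVE & set(params)),
        })
    return hits

# Constructed sample log (documentation IPs), same field layout as the post's entries.
SAMPLE = [
    '192.0.2.10 - - [16/May/2013:13:14:03 -0400] "HEAD /canary-Zk3vQe9xLm2.html HTTP/1.1" 200 -',
    '198.51.100.7 - - [16/May/2013:13:20:00 -0400] "GET /index.html HTTP/1.1" 200 512',
    '192.0.2.11 - - [16/May/2013:14:08:52 -0400] "HEAD /canary-Pq8rTt1yWb7.php?user=foo&pass=x HTTP/1.1" 200 -',
]

if __name__ == "__main__":
    for hit in canary_hits(SAMPLE):
        print(hit)
```

Because nothing links to a canary path and nobody is asked to click it, any hit at all means the URL left the conversation; the `leaked_params` field shows whether secrets embedded in the link went with it.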
Now are they just hoovering up the Skype IMs via the new Microsoft central server architecture, having backdoored the Skype client to no longer have end-to-end encryption (and feeding them through Echelon or whatever), or is this the client that is reading your IMs and sending selected things to the mothership?
BTW their HEAD request was completely ineffective per the weak excuse Microsoft offered in the article at top: my PHP contained a meta-refresh, which the HEAD won't see as it's in the HTML body. (Yes, I confirmed via my own localhost HTTP GET, as web dev environments are automatic in various ways.)
So there is adium4skype, which allows you to use OTR with your Skype contacts, using Skype as the transport. Or one might be more inclined to drop Skype in protest.
I think the spooks have been watching "Person of Interest" too much to think such things are cricket. How far does this go? Do people need to worry about Microsoft IIS web servers with SSL, Exchange servers?
You do have to wonder if Apple backdoored their IM client, below the OTR, or Silent Circle, or the OS. I mean, how far does this go? Jon Callas said not Apple, that wouldn't be cool, and Apple aims for coolness for users; maybe he should dig a little more. It seems to be getting to the point that you can't trust anything without compiling it from source, and having a good PGP WoT network with developers. A distro binary possibly isn't enough in such an environment.