RSS

Monthly Archives: March 2010

Skype now available on Verizon with 3G (AT&T) coming soon. But is it worth the risk?

24 Mar

Benefits of Skype Mobile on Verizon – PCWorld Business Center

There is a lot of excitement about having a mobile Skype application that can now take advantage of the cellular network you are on.  It had been recently only available for use over a broadband or other fixed wireless connection.

Given the excitement about this upcoming release, there are bound to be quite a few new users to the Skype community.  

Will users gain the benefit of being able to make reduced price phone calls?  Very likely.

Will they risk giving up some additional privacy in doing so?  Also very likely.

Will most people care?  Probably not.

I will disclose that I am not wearing my tin foil hat as I type this, but, as I see it, the limited benefits of Skype just don’t warrant the risk of its use.

My Skype issues short list:

  1. Skype communicates more like your computer than your traditional phone
  2. A basic Peer to Peer connection is made between you and whomever you call (the Peer).  However some peers are “SuperNodes” and they are bad, bad, bad, bad, bad.

Let me break down my concerns with each of these:

1. Skype communicates more like your computer than your traditional phone

This happens to be part of my biggest concern with Skype from it’s inception.  The Skype API is specifically written to “trick” firewalls to make it easier to use the application in environments with typical security controls in place.

For example, most businesses will have rules that only allow certain application to access the Internet.  In most cases, a end user PC will not have direct access to the internet and will go through a proxy device.  The trick used by VoIP software consists of persuading the firewall that a connection has been established, to which it should allocate subsequent incoming data packets. The fact that audio data for VoIP is sent using the connectionless UDP protocol acts to Skype’s advantage. In contrast to TCP, which includes additional connection information in each packet, with UDP, a firewall sees only the addresses and ports of the source and destination systems. If, for an incoming UDP packet, these match an NAT table entry, it will pass the packet on to an internal computer with a clear conscience.  (full explanation by Jurgen Schmidt)

In my world, this is called a trojan or worm.  However since the software is installed by the end user and (presumably) the terms are agreed to upon installation, then this is an infection that people are consciously welcoming to their PCs.

2. A basic Peer to Peer connection is made between you and whomever you call (the Peer).  However some peers are “SuperNodes” and they are bad, bad, bad, bad, bad.

In simplest terms, a Peer to Peer connection is not as direct as most would initially believe.  There are many devices in the path of your connection that intercept at least parts of your transmission.   What makes this particularly alarming are two fold:

  1. Some Skype “peers” are actually “super-nodes.” When Skype is run on a computer that has a public IP address and is not otherwise behind a firewall, it can become a “super-node.” These computers are used as rendezvous points so that computers behind firewalls can receive connections from other Skype users. Although Skype refuses to explain the details of their protocol, it is likely that computers behind firewalls scan the Internet looking for super-nodes, then form and maintain long-term connections with these other computers. The super-nodes then proxy connections to the encumbered connections behind the firewalls.
  2. There are (supposedly) countries who are actively working with Skype (or parent company eBay) regarding the interception of their encrypted communications.  For example:
  • 2008 NYT Article – Canadian privacy group uncovers snooping of Skype and other forms of Internet communication in China.  Not really surprised are we?
  • SlashDot reveals German Govt Docs - Last year alot was made of comments from Germany’s Ministry of Justice.  Documents were found that detailed costs regarding interception boxes, key forwarding trojans and anonymous proxies to hide police communications.
  • In 2005 the New York Times ran articles on how post 9-11 security measures had also given the US Government powers to intercept IP communications.

While Skype clearly states that all communications are encrypted end to end, they seem to be playing a game of semantics there.  Yes it is encrypted, but it is also decrypted in the middle and very likely made available to parties with enough governing power, influence, or money to influence it’s use.

But wait, there’s more…

Even if you don’t have the money or power of a large government to request/buy the proprietary encryption algorithms from Skype, there is new opportunity.  Recent university papers sponsored by the National Sciences Foundation have found that the patterns of spoken words make breaking the encrypted traffic easier that traditional data encryption techniques.  See Wright, Ballard, Coull, Monrose, and Mason of John Hopkins paper on ‘Spot me if you can: Uncovering spoken phrases in encrypted VoIP conversations’

So, will most people care?  I still say probably not.  However I expect that most corporations and government agencies will, especially their security departments.  I would not want an executive of a company speaking to an oversees bank about work they are doing for a large acquisition over this technology.  There are too many parties that could have competing interests that would want to overhear parts of those conversations.

My recommendations:

  • If you really want to use Skype on your cell phone, do so with the understanding that you conversation “could” easily be monitoring anywhere in the world.
  • Do not use your Skype connection to conduct any business transactions
  • Do not discuss any work related items over your Skype connection
  • If you are an IT or Security professional, educate your users on the issues with utilizing the technology.

Of course I expect someone to email me about cell phone encryption and mobile tower surveillance that occurs quite often in the US.  That will have to be another post when I’ve sufficiently stocked up on tin foil.

 
1 Comment

Posted by on March 24, 2010 in mobile, Security, Skype, Technology

 

Tags: , , ,

Faux Facebook emails use password reset ploy

19 Mar

Faux Facebook emails use password reset ploy – SC Magazine US.

Nothing terribly new here, but it is a good opportunity to connect some dots and reiterate a point.  Your best defense against most malicious SPAM is being able to identify it as not a legitimate source.  So that requires using the mail headers, mousing over links, looking at the general “presentation” of the email.

What if you could deliver the messages and hide all of the factors that allow you to discern that it is really SPAM?

In my previous post regarding the use of the Facebook application on your Blackberry it was noted that a well crafted email would show up in your Facebook application as a Facebook notification.  Using the malware email above, a modification to meet the requirements of the Blackberry app bypass and you have a quite convincing backdoor to get passwords or deliver malware.

 
Leave a comment

Posted by on March 19, 2010 in BlackBerry, malware, mobile, Security

 

Tags: , , ,

Hacker Disables More Than 100 Cars Remotely

18 Mar

Hacker Disables More Than 100 Cars Remotely

I would like to say this surprises me.  But unfortunately I’ve heard rumblings for more than a year now about incidents like this.

onstar
Is it safe?

There are various sites about hacking your onstar system so you can utilize the GPS unit.  But that’s a local hack that is truly just a sophisticated modification to your own vehicle (regardless of how much GM dislikes it).  However the hacking (or any abuse) of the onstar service would have far broader ramifications.

The fabled ultimate attack on theses systems is a supposed penetration into the onstar service network.  Understanding that the system has the ability to track and perform fuctions in your car like stopping the engine (in the case of a stolen vehicle) or locking/unlocking doors (if the owner is locked out), imagine the widespread panic if all onstar vehicles were to have their engines disabled and all doors locked.  If this happened on a massive scale all at once, you would strike terror across the country and completely tank confidence.

We know the highest government agencies are under constant attack.  We know that some attacks are successful and they have a tremendous number of resources available to help prevent these attacks.  We also are quite aware of attacks on private corporations every day.  With GM being somewhere between these two entities (and onstar likely somewhere inbetween t00), what is the probability?  We already acknowledge it’s possible.

In the case of the WebTech Plus service, they users were informed to remove the device from their vehicles until the issue was resolved with the network. I’m not proposing that you do it, but should one consider disabling their onstar unit in their vehicle?  Yes I understand it’s there also for a rare safety incident, but does that imply that all those without onstar service are at a higher risk driving their vehicles?  Perhaps this is a case where an once of prevention well outweighs the cure.

If you need me… I’ll be in the garage.

 
Leave a comment

Posted by on March 18, 2010 in crimeware, malware, Security, Technology

 

Tags: , , , ,

Older posts