Wednesday, 23 May 2012

Skype's fault may lead to crucial attacks

An imperfection in Skype apparently permits consumers to learn the Internet protocol addresses of other consumers. Finding out that someone's snooped your IP address may not sound as alarming as finding out your Social Security number's been exposed, but the data could be consumed by a determined and talented hacker to build up more sophisticated attacks.

Skype is investigating a tool published just now on Pastebin that captures the final-known IP address of the VoIP service's consumers . This particular flaw was discussed in a paper presented by an international team of researchers in November at the Internet Measurement Conference 2011 in Berlin.

The fault could lead to crucial attacks, warned Randy Abrams, a security consultant. "There's a lot more at risk than just IP disclosure," Abrams. "The ability to restraight to other Web page implies the ability to frame someone for accessing child pornography, among other non-trivial attacks, for example."  The tool exploits a patched version of Skype 5.5. Skype's flaw permits anyone see other person's vCard and get that person's real consumer IP address and the IP address of the internal network card on that person's PC.  A vCard is a file structure standard for electronic business cards.

More data about the target, such as the city and country where he or she is located, and the Internet service provider the target is using, can be obtained by going to a Whois service. Whois is consumed to get data on registered consumers or assignees of domain names and IP address blocks, among other things. The researchers stated that the flaw could permit Voice over IP phone systems, including Skype, be exploited by third parties to asparticular consumers' identities, locations and digital files. The flaw can be exploited by a sophisticated hacker of high school age, they spoke.

Tracking Skype accounts and combining this with commercial geo-location services permit the researchers construct a detailed account of a consumer's daily activities even if the consumer had not accessed Skype for 72 hours. By repeatedly calling targets over Skype and terminating the calls regularly, perhaps hourly, attackers could realize the locations and movements of any Skype consumer over weeks or months without the targets' knowledge, the researchers spoke. They could discover which digital files targets downloaded by combining this attack with tracking targets' activities on popular peer-to-peer file sharing systems such as BitTorrent.

Linking data obtained from VoIP systems through the flaw to personal data from social media sites would permit marketers create profiles on large numbers of people, the researchers spoke. They estimate it will price a marketer only about US$500 a week to track 10,000 consumers.

The researchers notified both Skype and Microsoft , which purchased Skype final year, of their findings.

Skype service is now available on the Windows Phone and the PlayStation Vita, and this may open up fresh areas of attack. "The potential of abconsume on these platforms wants to be carefully reviewed," Abrams warned. "The problem itself may well exist in other undiscovered areas, as programming logic errors are commonly repeated." The researchers recommended various tactics VoIP service providers can consume to protect consumers.

One approach is for the designer of the VoIP signaling protocol to ensure that a consumer's IP address is not showed to callers unless the consumer accepts the call. If a consumer blocks all calls from people not on their contact list then anyone not on that list won't be able to determine the consumer's IP address. The researchers recommend this solution for all VoIP applications. Think of this as Caller ID in reverse.

Users may also need to block people on their contact list from getting their IP address. To do this, the researchers recommended VoIP service providers pass all calls through relays. This will attach the IP address of the relay to the data. However, this solution increases VoIP traffic and slows P2P communication.

No comments:

Post a Comment