Along with keyloggers that track what you type, now we have to worry about malicious software that listens in on our voice over Internet Protocol conversations.
Gerry Egan
(Credit: Joris Evers/CNET)A Symantec security blog on Thursday disclosed a new Trojan horse, Tojan.Peskyspy "that records VoIP communications, specifically targeting Skype." The posting, based on analysis from Symantec's Karthik Selvaraj, pointed out that "its existence isn't due to any problems with Skype itself" but that Skype may have been targeted "simply because it has such a large install base."
Gerry Egan, Symantec's director of security response, says the Trojan is capable of "hooking...through some Windows APIs into some audio streams" that "can be intercepted, turned into MP3 files, and then sent over a remote channel to a remote electronic eavesdropper."
A PC can be infected through the usual channels for malware, including an executable file in an e-mail you click on and a "drive by download" that's automatically triggered when you visit an infected Web site. The most recent trend, Egan said, "is a shift toward socially engineered attacks like a fake video site."
The code has been published on the Web by a Swiss researcher, Egan said, adding that "we've not seen any indications of it being used maliciously, but the published code opens up endless possibilities in the mind of a hacker."
The code would affect Skype or any other VoIP software on a Windows PC that uses an audio stream, Egan said.
Unlike most malware, Symantec does not anticipate the code being used to launch widespread attacks.
"To do this en masse really isn't practical," Egan said. Even if a "piece of malware gets on the machine of someone who is using (VoIP), and they are talking about interesting things, finding those interesting things among the many hundreds of thousands of hours of phone calls would be like trying to find a needle in a haystack." He said it might be more valuable in a targeted attack against a specific individual.
Eavesdropping is a risk, when it comes to industrial espionage, prying spouses or significant others, and political campaigns, as well as political dissidents. U.S. law requires a court order before a phone or a computer can be legally tapped by government or law enforcement officials.
The best way to avoid being infected with this or any other malware is to use good up-to-date security software and to be sure that your operating system and browser are updated. It's also a good idea to avoid clicking on e-mail attachments and consider using security software that warns you when you're about to visit a potentially malicious Web site.
You can listen to my interview with Gerry Egan here:
Listen now: Download today's podcast
An investigation into the possibility of tapping Internet telephony conversations has been launched by the European Union's Judicial Cooperation Unit, also known as Eurojust.
Italy is leading the Europe-wide feasibility study, announced on Friday. The Italian government has cited concerns that organized criminals and arms and drug traffickers are using VoIP services such as Skype to avoid traditional, more easily tapped phone networks.
"The possibility of intercepting Internet telephony will be an essential tool in the fight against international organized crime within Europe and beyond," said Carmen Manfredda, Eurojust's acting national member for Italy, in a statement. "Our aim is not to stop users from taking advantage of Internet telephony, but to prevent criminals from using Skype and other systems to plan and organize their unlawful actions. Eurojust will make all possible efforts to coordinate and assist in the cooperation between Member States."
Manfredda and Eurojust's Italian desk are coordinating the VoIP-tapping investigations, at the request of Italy's national anti-Mafia directorate. According to Eurojust's statement, the investigation will try to "overcome the technical and judicial obstacles to the interception of Internet telephony systems, taking into account the various data protection rules and civil rights."
Skype told ZDNet UK on Friday that it has given an extensive explanation of its law enforcement program and capabilities to Eurojust. It rejected press reports that it had refused cooperate with the authorities, and said that it works with law enforcement agencies where legally and technically possible.
"Skype remains interested in working with Eurojust despite the fact that they chose not to contact us before issuing this inaccurate report," a spokesperson for the eBay-owned Internet telephony company said.
David Meyer of ZDNet UK reported from London.
Skype's president said that the company was largely unaware of a major security breach affecting Skype users in China.
In a blog published Thursday, Josh Silverman, Skype's president, explained he did not realize that TOM-Skype, Skype's partner in China, was logging and storing users' instant messages that were deemed offensive by the Chinese government.
He said the company knew that instant-messaging chats were monitored by the government, as all communications in China are. And he explained that Skype disclosed this to users in 2006, explaining that a text filter was being used to block certain words in chat messages. But he added that his understanding was that messages deemed unsuitable were "simply discarded and not displayed or transmitted anywhere."
"It was our understanding that it was not TOM's protocol to upload and store chat messages with certain keywords," he writes in the blog. "And we are now inquiring with TOM to find out why the protocol changed."
Earlier this week, Canadian researchers at the Citizen Lab at the University of Toronto published a report in which they said that "TOM-Skype was censoring and logging text chats that contain specific, sensitive keywords and may be engaged in more targeted surveillance."
The report also said the service was logging and capturing millions of records that include personal information and contact details for any text chat and voice calls placed to TOM-Skype users, including calls from Skype users. In addition, TOM was storing this information in a way that was inadequate in protecting the privacy of TOM-Skype users, the report said.
Silverman said that once Skype became aware of the problem it contacted executives at TOM, and the security issue regarding stored personal information has been resolved. But he also noted the company's concern that TOM has been storing this information.
"We were very concerned to learn about both issues and after we urgently addressed this situation with TOM, they fixed the security breach," he said. "In addition, we are currently addressing the wider issue of the uploading and storage of certain messages with TOM."
Silverman pointed out in his blog that TOM, like all other ISPs in China, is required by the Chinese government to monitor all communication. And he said it is "common knowledge that censorship does exist in China." Keywords that triggered action included words related to Taiwanese independence, the banned religious group Falun Gong, and political opposition to the Chinese Communist Party.
But he tried to reassure Skype users that Skype's computer-to-computer voice calls are completely secure.
"(The security breach) does not affect communications where all parties are using standard Skype software," he said. "Skype-to-Skype communications are, and always have been, completely secure and private."
TOM-Skype, eBay's joint venture in China, is recording customer text chats and censoring them if they contain certain keywords related to topics the government deems objectionable, according to a report released on Wednesday (PDF) by researchers in Canada.
"TOM-Skype is censoring and logging text chat messages that contain specific, sensitive keywords and may be engaged in more targeted surveillance," the report concludes. "What is clear is that TOM-Skype is engaging in extensive surveillance with seemingly little regard for the security and privacy of Skype users. This is in direct contradiction of Skype's public statements regarding their policies in China."
The keywords that trigger action include words related to Taiwanese independence, the banned religious group Falun Gong, and political opposition to the Chinese Communist Party, says the report from the Citizen Lab at the University of Toronto.
The service also routinely logs and captures millions of records that include personal information and contact details for any text chat and voice calls placed to TOM-Skype users, including calls from Skype users, the researchers found.
Not only is the data collection suspect, but there are inadequate safeguards to protect the privacy of the TOM-Skype users, according to the report. The records and information needed to decrypt the log files are kept on servers that are accessible by the public.
"This is the worst nightmares of the conspiracy theorists around surveillance coming true," Ronald J. Deibert, an associate professor of political science at the University of Toronto, told The New York Times. "It's X-Files without the aliens."
Representatives from eBay did not immediately respond to e-mails seeking comment on the report.
Jason Ostrom of VoIP Hopper on Saturday plans to release his next-generation VoIP sniffer at Toorcon in San Diego to help raise awareness of the type of vulnerabilities businesses face as they adopt unified communications (UC) technology.
He told CNET News that the tool, UCSniff, has two settings. One is a learning mode, sniffing all the IP traffic then mapping telephone extensions to specific addresses. By default, it is capturing all the calls and saving them to wave files.
The other setting is a bit more creepy: targeting conversations. After learning the IP addresses of the phone system, someone using UCSniff can listen to all the VoIP, or voice over Internet Protocol, conversations made by a specific user, say the CEO. That's user mode. A second mode, conversation mode, allows someone to monitor calls made exclusively between two extensions, say only when the CEO calls the CFO.
"So it's like dynamic ARP poisoning," Ostrom explained, referring to Address Resolution Protocol spoofing. "The tool, on the fly, figures out how to do the ARP poisoning for you so you're not intercepting the traffic of phones that you do not want to intercept."
Ostrom, who now works for Sipera Systems, said the flaw, if any, is within the structure of the system and not specific to any platform, such as that of Cisco Systems. Two other, related tools are also set to be released by Ostrom on Saturday. Combined, the tools can allow one to create a man-in-the-middle attack on VoIP networks in an enterprise.
Some of the pieces are already available on the Internet, he said. However, UCSniff "brings together what is lacking, what is needed to be the most effective and secure VoIP security assessment tool available."
Ostrom's talk will be followed with a discussion of best practices for enterprises. "You can apply security controls to mitigate this vulnerability within your infrastructure and in how you design your network," he said.
- prev
- 1
- next
