The Dark Side Of The Internet Revolution

Skype has been attacked because of its apparent lack of security. Eric Doyle thinks there are legal dark forces that are far more threatening.

Skype has come under attack from privacy advocates for making it easy to find the true identities hidden behind users’ screen names.

Skype’s interface uses the full name of a subscriber on its contact list instead of a (sometimes) cryptic username, making it easy for people to impersonate them, said Privacy International. It also criticises Skype for not using encrypted HTTPS for downloads of its system. The privacy organisation claims this could allow an attacker to slip in a Trojanised version of Skype.

The issue has come to the fore because of the unrest around the world where people battling against repressive regimes are using the Internet and mobile phone systems to co-ordinate acts of civil disobedience. Skype makes it easier for the authorities to identify these people by name and take action against them.

Documentary Evidence

Despite the warning flares from Privacy International, it may not matter what action Skype might take in the future to address these complaints. Anti-malware company F-Secure has been sent copies of documents found among the shredded portfolios at the former Egyptian State Security Service headquarters – or at least that is what the informant claimed.

The official-looking document from UK firm Gamma International offers to sell and support software that would allow the Egyptian government to monitor the Internet. Within the documents are texts of communications between the security service and Gamma discussing whether and how Skype, Google, Yahoo and Hotmail accounts could be monitored.

Included in the documents is a quote or, perhaps, a pro-forma invoice for two software packages from a suite called FinFisher, produced by German software house Elaman. Elaman styles itself as a “German based company with more than 15 years of experience in communication and security requirements for law enforcement agencies”.

In the Egyptian documentation, Gamma claims that FinFisher can place monitoring software on any system on the Internet. It is all legitimate business, as solicitors acting for Gamma said, but it is all part of the international arms race of the cyber war.

The fact that such offers are made is therefore not surprising, but Mikko Hypponen, chief research officer for F-Secure, wrote in a blog on the subject: “The obvious question here is: do we detect FinFisher? And the answer is: we don’t know, as we don’t have a sample at hand we could use to confirm this.”

Zero Day Has No Time Limit

What he means is that zero day, the gap between when an exploit is launched and when someone finds it and discovers a way to block it, can last forever – if the anti-malware professionals remain oblivious to its existence. It is a problem for all security specialists, not just F-Secure.

Hypponen softens his stark comment with a comforting assurance: “The obvious follow-up question is: if somebody gets us a known copy of FinFisher, would we knowingly add detection for it? And the answer is: yes we would.”

In an email to eWEEK Europe, he wrote: “Lawful interception has been around forever. Originally it meant just tapping landline phone calls, by the operator. Eventually it expanded to mobile calls and text messages. And then it expanded to tapping emails and web surfing information.

“However, if the website uses SSL (like, say, Gmail), the operator can’t tap it. This created a need to use malware and backdoors and infect the target’s computer with those. Then it would be possible to gain access to any information on the computer.”

Once in control of a computer, the attacker would find it easy to monitor passwords that would allow access to any network the user can log onto.

Hypponen added, “There’s nothing wrong in lawful interception. When it’s done by the police. In a democratic nation. With a court order. And where the suspect is actually guilty. In all other cases, it is problematic.”

No Security Guarantees

Privacy International is badgering Skype to make things secure for the individual, to keep them safe from fairly random attacks through Skype. But there is a bigger concern for politically active users. You can never be sure that your “secure” connection is secure.

Despite complex routines hidden in most anti-malware packages to detect anomalous behaviour in systems, they are not 100 percent reliable. With governments, professional hackers and talented amateurs looking for ways to infect systems with Trojans, the Internet world is still like the Wild West.

Malware is only detectable when it reaches sufficient volume to become obvious or when it triggers an action that makes someone question what is going on in their computer. The real malware out there leaves no fingerprints and, if a security company like EMC’s RSA Security can fall prey to these slick hackers, everyone is vulnerable and should be wary of what they do during their next browsing session or when signing up to download their next package.