Feeds

Skype Trojan wiretap plan leaks onto the net

We have ways of hearing you talk

Secure remote control for conventional and virtual desktops

German cops are pushing ahead with controversial plans, yet to be legally approved, to develop "remote forensic software" - in other words, a law enforcement Trojan.

Leaked documents outline proposals by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions. A second leaked document from the Bavarian Ministry of Justice outlines costing and licensing proposals for the software. Both scanned documents (in German, natch) have found their way onto the net after being submitted to Wikileaks.

As previously reported, the German government is looking to recruit coders to develop "white hat" malware capable of covertly hacking into the PCs of suspects in investigations of terrorism or other serious crimes.

Proposals to give explicit permission for law enforcement officials to plant malware stem from a Federal Court ruling last year declaring clandestine searches of suspects' computers to be inadmissible as evidence, pending a law regulating the practice. Germany's Federal Court of Justice said the practice was not covered by existing surveillance legislation.

Joerg Ziercke, president of Germany's Federal Police Office (BKA), expressed frustration about their inability to decipher the encryption used by Skype in order to tap into the VoIP calls of suspected terrorists. Digitask, if the leaked documents are to be believed, has stepped into the breach.

Skype is widely used by consumers to make VoIP calls. The firm has commissioned security experts to audit the encryption and security of its software.

However, other experts have contested the security of Skype's software. Skype uses widely trusted encryption techniques, such as Advanced Encryption Standard, to encrypt conversations and RSA for key negotiation. But unlike Zfone, its source code has not been publicly released.

In a presentation (pdf) at Black Hat Europe 2006 Philippe Biondi and Fabrice Desclaux argued that without access to the source code we can't be sure if Skype is secure. The researchers also expressed concerns that Skype has the keys to decrypt calls or sessions, a claim the firm itself denies.

Often law enforcement agencies are just as interested in who someone is talking to and for how long. Skype offers confidentiality, but not anonymity.

In 2006 a fugitive chief exec was tracked down to Sri Lanka after a Skype call. Quite how he was tracked down remains unclear, beyond the availability of papers on tracking anonymous peer-to-peer VoIP traffic.

El Reg has been seeking to speak to someone from Skype about security and VoIP systems for over a week since news of flaws involving the interaction between Skype and video-sharing sites such as DailyMotion broke in mid-January. Skype blocked this particular exploit as a workaround pending the arrival of a more complete fix.

Petko Petkov, a UK-based penetration tester and one of those most vocal about warning of the poison movie peril also expressed concerns about Skype's security architecture more generally. He suggested that unencrypted data within Skype's ads created a means for hackers to taint ad traffic with malware by using packet injection tools such as Airpwn in environments such as public wireless hotspots.

Skype has since declined to set up an interview about VoIP security, saying no one was available. It offered to respond to email questions but is yet to respond to a question on Petkov's concerns either.

Even alerting it that we were planning to write about the wikileaks story on Monday failed to elicit a response from the ostrich-like eBay subsidiary. ®

Intelligent flash storage arrays

More from The Register

next story
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Go beyond APM with real-time IT operations analytics
How IT operations teams can harness the wealth of wire data already flowing through their environment for real-time operational intelligence.
The total economic impact of Druva inSync
Examining the ROI enterprises may realize by implementing inSync, as they look to improve backup and recovery of endpoint data in a cost-effective manner.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.