German Govt. Skype Interception Trojans Revealed

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."

Germany

Germany still seems to have a lot of it's old attitudes lying around. Installing trojans on the computers of it's citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still c

Re:

Germany still seems to have a lot of it's old attitudes lying around. Installing trojans on the computers of it's citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure you're computer isn't compromised when making phone calls?

1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables t

Re:Germany

The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road. They aren't allowed to walk into your house and watch you all day. Once they start installing trojans on computers for listening to skype calls, it's not a far stretch from them installing trojans to record every action you do on your computer.

Re:Germany

The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.

No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?

Re:Germany

So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them. Also, with this information out in the open now, anyone with a lick of sense will be even more wary of such rogue email attachments.

tl;dr - No one has to convince you to pick up a tapped phone.

Re:

So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them.

Here in the USA, the police will break into your house to install keyloggers and such. Hardware keyloggers, usually. They will only send something through email if they don't know who you are (such as virus writers) and they do it to find out who, and wh

Re:Germany

I always wondered what that weird looking dongle was hanging out of the USB port....

Your privacy, Your liberty, Your freedom

1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them). Once so implicated, they can legally break down the door to your house, pull you from your bed, take you to a detention center, refuse to give you a phone call, hold you for as long as they like, torture you and so forth. If they decide to release you, they are not legally obligated to in any way compensate you for your life that they just demolished.

I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?

No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?

When is it enough, people??

Re:

An to do the same without public announcement is better? Or what "old attitudes" have CIA and NSA? Are they Nazis too? Or worse?

Re:

How long before the gestapo packages up a Linux live CD with Skype preinstalled and distrubutes it as secure?

Fixed

Re:Germany

Germany still seems to have a lot of it's old attitudes lying around.

Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

Re:

Skype pretty much admits allowing wire-taps by refusing to answer whether they do or not, and given the law that makes them do it, and the current administration's love of secret Internet monitoring, you pretty much have to assume your Skype calls are abou

Naive people.....

> talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

That is exactly why all the uproar. Too many stupid people looked at the magic encryption pixie dust eBay was splashing around Skype and thought it was safe.

Re:Germany

As someone else has pointed out, it is legal in Germany for police to monitor phone calls, when they get appropriate authorization from a judge. Contrast this with the United States, where the administration is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

Re:Germany

My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telco's, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the otherhand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.

The difference in public reaction is likely due to the histories of our respective nations. The Germans populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the otherhand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.

Re:Germany

This is not about Germany's past, this is a global issue of today.

According to a 2007 International Privacy Ranking [privacyinternational.org], there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".

Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that Citizen's rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.

so what?

They already have the ability to spy on you for normal phone calls. This just does the same thing for skype. In fact it's less bad since they can't do it on a mass scale; they have to come to the house of the person they want to install on or risk no kn

Re:

The key thing is that they need a court to approve monitoring and have due legal process. This is what sets Germany apart from totalitarian societies like Saudi Arabia, China, the USA and Sudan.

In reality, however, one only has to claim that something you

Why should we be surprised?

If Germany can do it, do we really think it hasn't already been done in the states? Skype, is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

Re:Why should we be surprised?

If Germany can do it, do we really think it hasn't already been done in the states?
Skype, is very popular and would be a logical means for governments to monitor
conversations---especially when said program touts itself as being encrypted and
secure. So the German revelations are likely a national security goof.

More than that, while the Germans have to install this aftermarket snooping program, it wouldn't surprise me if Ebay provided a convenient backdoor in the code so that the U.S. government can do the same thing without going to all the trouble and expense (both of third-party software, and warrants).

How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.

For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.

da

Da, zis ceetezens arse iz goodentite.

Skype and firewalls.

If the German authorities know how to use Skype as a trojan, then I'll bet that others do too.
I'm not too familiar with skype and its relation to firewalls but wasn't there an article or two(and this [cyberciti.biz]) about Skype's ability to use voodoo to penetrate firewa

Man-in-the-middle against SSL?

Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

The only possibility that I can see is to modify the browser itself, so that when the user tries to get a secure connection to www. criminals.com, the browser contacts www. police.de instead, gets a valid certificate from the police, while the police's computer then makes a secure connection to www. criminals.com.

Re:

mac spoofing, arp poisoning, dns spoofing, and a fake certificate

Re:Man-in-the-middle against SSL?

mac spoofing, arp poisoning, dns spoofing, and a fake certificate

Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.

With a minute of thinking: The first method would be much better, because they don't need to know ahead who I am going to contact.

With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?

With a further minute of thinking: My computer has about 100 root certificates installed that came with Leopard, and similar things happen for Windows users. I have no idea where these certificates come from; I just have to trust Microsoft and Apple. If the police could convince Microsoft and Apple to put a root certificate owned by the police into their installers, then the police could read anyone's SSL connections without breaking into their homes (but breaking into their connection a bit further down the line)?

Re:Man-in-the-middle against SSL?

You are completely correct. When you tell your browser to trust a root certificate - that means exactly what it sounds like it means. Whoever has the signing keys to that root cert can make your browser think that any site is legit for any domain name.

Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browers.

Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.

Re:

To redirect the user from www.criminals.com to www.police.de, they only have to intercept DNS calls (unless the criminals have edited their /etc/hosts or Windows equivalent, but if they get a trojan in, that shouldn't be too hard to change as well). The on

Re:

Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

Probably in the same way that governments perform any other interception methods, full cooperation from corporations.

Look at who Narus, the manufa

It's NOT the german gov,...

it's the bavarian government, a federal state of germany.

http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102375/;words=Skype [heise.de]
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102485/;words=Skype [heise.de]

Re:It's NOT the german gov,...

For Americans, just think of Texas with lederhosen instead of cowboy garb.

How does this affect admissibility?

Germany has/had some wonderful privacy legislation, but in the last year or so they're heading in the other direction...

What's interesting here is the collection of evidence by installing spyware: if forensic analysis of a disk means absolutely nothing may

"how are they allowed to install their own..."

"....software?"

Good question. The best answer is, the bavarian minister has exactly no idea of software and how it works. He shares his unknowledge with his federal counterpart Wolfgang Schäuble, the guy responsible for the so called "Federal Trojan

Re:

I don't think the common 15-$-earphones match the price to contain the logic for encryption between computer an earphone/mic. But a hardware solution is not the question here, because the ministry said explicitely that they want to use software. hides much

Re:

Maybe it was may fault and my English isn't good enough ;-D But somewhere between Skype and the earphone's driver (you probably need one) the data must be "clear speak" to handle it over to Skype, and at this point the trojan could hook into. Or there mus

Skype is not securely encrypted.

Skype is not securely encrypted. The only client is closed source, and the protocol is not open, nor peer-reviewed. The developers themselves have said that security analysts would probably quickly find holes if they opened the source.

It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.

http://en.wikipedia.org/wiki/Skype [wikipedia.org]

Re:

I would have to take issue with your statement.

According to this: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf [ossir.org]

Skype seems to use AES for the VOIP payload, and RC4 for signaling packets.

Naturally, although AES is an exce

Re:

It's nice that Skype is at least smart enough not to use DES, or ROT-13. AES is good encryption.

Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling. I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

I couldn't agree with you more.

However, there was an "independent" review of Skype, which I understand was able to review the source code.

You put "independent" in quotes. After reading the pdf you linked to, I could see why. From the pdf:

You may imagine my delight when, in April 2005, Skype contacted me and invited me to compete for the job of performing an independent evaluation of Skype information security

Skype thinks they ar

Re:

Yes, I did quote "independent", because of the conditions under which the inspection was made.

However, before everyone rushes to judgment -- the guy who did the evaluation appears to have impressive credentials for assessing the effectiveness of implementa

Source Audit

I don't believe for 1 minute that the "encryption" included with Skype is secure or should we say "escrow key free", do you?

The classic /. question.....

Yeah, but does it run on Linux ? Anyone know if said software will end up on your linux box ?

Re:

According to http://www.esrockt.com/bayerntrojaner-hoert-skype-gespraeche-ab/ [esrockt.com] (German language), it only works on Windows.

Skype on linux is a bad idea

It's closed, proprietary crap after all.

I for one

am glad i live in a country where these abuses of privacy are outlawed by the constitution and the government would never even think to monitor our voice and data transmissions.

That is why I am proud to be an American. They what, Oh damn.

What about China?

As pointed out in a comment above, if Germany does it, why not the USA? (Especially with all the secrecy and propensity to spy on citizens that the USA feds have these days)

I'm wondering now about China. I remember that Skype was, for a short time, on sli

anybody who believes skype to be safe, ....

is an idiot. Do you think that the USA, England France, Germany, China, and Russia would allow its citizen to communicate without their knowing? ALL of them have the ability to listen in on the calls. Heck the fact that the calls exist in China tells you

To paraphrase Carlin

We should prick a hole in the stiff trojan front erected to cover these pricks.

End to End Only

The only encryption worth trusting is end-to-end, where at least one end is verified secure by you (because inevitably you'll have to trust the person at the other end, no matter how secure their tech is). Why would I trust Skype to be the middleman? Eithe

Maybe, but...

...they were never hired by the CIA/NSA. They were all hired by the German Government to found the Bundesnachrichtendienst (Germany's Federal Secret Service) and the MAD (Military Counter Intelligence Service) in 1956 ;-)

Fascism

Anyone who thinks fascism in Germany ended with the fall of Nazism is severely mistaken.

Re:

an the public

Schiesse. Maybe next they'll show us how to proofread. :(