PLUG Security Team/HackFest: Skype

Author: Lisa Kachold
Date:  
To: Main PLUG discussion list
Subject: PLUG Security Team/HackFest: Skype
How to Download and Call out for Free:
http://www.youtube.com/watch?v=rdyuqhht1Mg

How to Hack Skype, MSN, Yahoo Apreve 1.1
http://www.youtube.com/watch?v=cLum8STUHDw

Obtaining Password Recovery of Skype:
http://www.youtube.com/watch?v=bg0Z0ixjpjc&feature=fvw

Free Calls from Skype:
http://www.youtube.com/watch?v=wzHeDvcuOBI&feature=related

Password Skype:
http://www.youtube.com/watch?v=-aRW30zzZ1o

Full Skype Security Bulletins:
http://www.skype.com/intl/en/security/

Password Stealer Article:
http://share.skype.com/sites/security/2007/12/password_stealer.html

How to tell if your account is being "shared":
You will see a great deal of connection attempts to other systems when
logging on and off; these are on non-standard Skype ports - random.
Skype also will attempt to use 80/443 if the "regular port" (in
Preferences) is "busy" or unavailable.

They look like this (from my ipfw logs):

Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63526 98.161.42.149:443 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63527 114.43.40.111:443 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63528 98.200.69.177:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63529 99.246.145.62:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63530 208.66.89.74:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63531 118.233.196.104:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63532 98.242.11.173:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63533 98.161.42.149:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63534 114.43.40.111:80 out via en1
Jul 16 03:51:34 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63535 128.146.83.124:443 out via en1
Jul 16 03:51:37: --- last message repeated 1 time ---
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63536 71.239.210.232:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63537 94.113.162.66:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63538 173.93.246.158:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63539 77.235.110.66:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63540 216.8.195.134:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63541 96.232.29.224:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63542 128.146.83.124:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63543 71.239.210.232:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63544 94.113.162.66:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63545 173.93.246.158:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63546 77.235.110.66:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63547 216.8.195.134:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63548 96.232.29.224:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63549 96.30.170.131:443 out via en1
Jul 16 03:52:07: --- last message repeated 6 times ---

We also see these:

Jul 14 16:53:18 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:60732 from 74.125.19.101:80
Jul 14 16:53:18 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:60733 from 74.125.19.101:80
Jul 14 16:53:18 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:60734 from 74.125.19.101:80
Jul 15 06:23:02 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61299 from 74.125.19.113:80
Jul 15 06:23:02 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61299 from 74.125.19.113:80
Jul 15 06:23:32: --- last message repeated 4 times ---
Jul 15 14:48:00 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61847 from 74.125.19.103:443
Jul 15 14:48:30: --- last message repeated 5 times ---
Jul 15 14:53:48 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61863 from 74.125.53.138:80

sh-3.2# nslookup 98.242.11.173
Server:        204.13.248.75
Address:    204.13.248.75#53


Non-authoritative answer:
173.11.242.98.in-addr.arpa    name = c-98-242-11-173.hsd1.ca.comcast.net.



Verify your profile has not been overwritten with binary special.

Note: These logs are directly after logging in, with no active calls,
no chats and no one logged on in my contact list who owns these
addresses. They are private NAT addresses, not servers or non-RFC
1918 P2P Skype systems.

Skype's security team is very responsive in tracking issues when logs
are sent. Evidently they prosecute swiftly and with federal database
cross reference as part of the giant eBay.

A full explanation of the ports and security issues:
http://www.securityfocus.com/columnists/357

Other Skype Security:
http://share.skype.com/sites/security/

In summary, there are quite a lot of Skype P2P exploits; however,
Skype is worth it.

Change your password regularly, and like with any phone, be very aware
that none of your communications are really truly private.

Keep your Skype version updated, and/or regularly reinstall as needed.

Turn off your file sharing!
--
(623)239-3392 Skype: obn0sis
(503)754-4452 www.obnosis.com
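
Added example, not part of the original message: one way to automate the check described above, flagging a burst of denied outbound connections from one local host to many different remote hosts on ports 80/443 in the ipfw log format quoted in the post. The sample lines are constructed (documentation address ranges), and the year, window and host-count threshold are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the ipfw "Deny TCP ... out via" entries; \s+ also spans mail-wrapped lines.
DENY_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s+\S+\s+Firewall\[\d+\]:\s+\d+\s+Deny\s+TCP\s+"
    r"(?P<src>[\d.]+):\d+\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+out\s+via\s+\S+")

# Constructed sample (documentation address ranges), not the poster's log.
SAMPLE = """\
Jul 16 03:51:33 mac-mini Firewall[39]: 15400 Deny TCP
10.0.0.5:63526 203.0.113.10:443 out via en1
Jul 16 03:51:33 mac-mini Firewall[39]: 15400 Deny TCP 10.0.0.5:63527 203.0.113.11:443 out via en1
Jul 16 03:51:33 mac-mini Firewall[39]: 15400 Deny TCP 10.0.0.5:63528 198.51.100.7:80 out via en1
Jul 16 03:51:34 mac-mini Firewall[39]: 15400 Deny TCP 10.0.0.5:63529 198.51.100.8:80 out via en1
Jul 16 03:51:37 mac-mini Firewall[39]: 15400 Deny TCP 10.0.0.5:63530 192.0.2.44:443 out via en1
Jul 16 03:51:37 mac-mini Firewall[39]: 15400 Deny TCP 10.0.0.5:63531 203.0.113.10:80 out via en1
Jul 16 04:20:00 mac-mini Firewall[39]: 15400 Deny TCP 10.0.0.5:63600 192.0.2.99:443 out via en1
"""

def parse_denies(text, year=2000):
    """Return sorted (time, src_ip, dst_ip, dst_port); syslog has no year, so `year` is assumed."""
    events = []
    for m in DENY_RE.finditer(text):
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["dst"], int(m["dport"])))
    return sorted(events)

def find_bursts(events, window=timedelta(seconds=10), min_hosts=5, ports=(80, 443)):
    """Report (src, first, last, n_hosts) where src was denied to >= min_hosts remote IPs in `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport in ports:
            by_src[src].append((ts, dst))
    bursts = []
    for src, rows in by_src.items():
        start = 0
        while start < len(rows):
            end = start
            while end < len(rows) and rows[end][0] - rows[start][0] <= window:
                end += 1
            hosts = {dst for _, dst in rows[start:end]}
            if len(hosts) >= min_hosts:
                bursts.append((src, rows[start][0], rows[end - 1][0], len(hosts)))
                start = end          # continue after the reported burst
            else:
                start += 1
    return bursts

if __name__ == "__main__":
    for src, first, last, n in find_bursts(parse_denies(SAMPLE)):
        print(f"{src}: {n} remote hosts denied on 80/443, {first:%H:%M:%S} to {last:%H:%M:%S}")
```

Counting distinct remote hosts rather than raw denies keeps a single retried connection from tripping the threshold.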