PLUG Security Team/HackFest: Skype
Lisa Kachold
lisakachold at obnosis.com
Thu Jul 16 05:03:35 MST 2009
How to Download and Call out for Free:
http://www.youtube.com/watch?v=rdyuqhht1Mg
How to Hack Skype, MSN, Yahoo Apreve 1.1
http://www.youtube.com/watch?v=cLum8STUHDw
Obtaining Password Recovery of Skype:
http://www.youtube.com/watch?v=bg0Z0ixjpjc&feature=fvw
Free Calls from Skype:
http://www.youtube.com/watch?v=wzHeDvcuOBI&feature=related
Password Skype:
http://www.youtube.com/watch?v=-aRW30zzZ1o
Full Skype Security Bulletins:
http://www.skype.com/intl/en/security/
Password Stealer Article:
http://share.skype.com/sites/security/2007/12/password_stealer.html
How to tell if your account is being "shared":
You will see a great deal of connection attempts to other systems when
logging on and off; these are on non-standard Skype ports - random.
Skype also will attempt to use 80/443 if the "regular port" (in
Preferences) is "busy" or unavailable.
They look like this (from my ipfw logs):
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63526 98.161.42.149:443 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63527 114.43.40.111:443 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63528 98.200.69.177:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63529 99.246.145.62:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63530 208.66.89.74:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63531 118.233.196.104:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63532 98.242.11.173:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63533 98.161.42.149:80 out via en1
Jul 16 03:51:33 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63534 114.43.40.111:80 out via en1
Jul 16 03:51:34 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63535 128.146.83.124:443 out via en1
Jul 16 03:51:37: --- last message repeated 1 time ---
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63536 71.239.210.232:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63537 94.113.162.66:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63538 173.93.246.158:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63539 77.235.110.66:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63540 216.8.195.134:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63541 96.232.29.224:443 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63542 128.146.83.124:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63543 71.239.210.232:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63544 94.113.162.66:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63545 173.93.246.158:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63546 77.235.110.66:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63547 216.8.195.134:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63548 96.232.29.224:80 out via en1
Jul 16 03:51:37 lisa-kacholds-mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63549 96.30.170.131:443 out via en1
Jul 16 03:52:07: --- last message repeated 6 times ---
We also see these:
Jul 14 16:53:18 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:60732 from 74.125.19.101:80
Jul 14 16:53:18 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:60733 from 74.125.19.101:80
Jul 14 16:53:18 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:60734 from 74.125.19.101:80
Jul 15 06:23:02 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61299 from 74.125.19.113:80
Jul 15 06:23:02 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61299 from 74.125.19.113:80
Jul 15 06:23:32: --- last message repeated 4 times ---
Jul 15 14:48:00 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61847 from 74.125.19.103:443
Jul 15 14:48:30: --- last message repeated 5 times ---
Jul 15 14:53:48 lisa-kacholds-mac-mini Firewall[39]: Stealth Mode connection attempt to TCP 192.168.9.66:61863 from 74.125.53.138:80
sh-3.2# nslookup 98.242.11.173
Server: 204.13.248.75
Address: 204.13.248.75#53
Non-authoritative answer:
173.11.242.98.in-addr.arpa name = c-98-242-11-173.hsd1.ca.comcast.net.
Verify your profile has not been overwritten with binary special.
Note: These logs are directly after logging in, with no active calls,
no chats and no one logged on in my contact list who owns these
addresses. They are private NAT addresses, not servers or non-RFC
1918 P2P Skype systems.
Skype's security team is very responsive in tracking issues, when logs
are sent. Evidently they prosecute swiftly and with federal database
cross reference as part of the giant eBay.
A full explanation of the ports and security issues:
http://www.securityfocus.com/columnists/357
Other Skype Security:
http://share.skype.com/sites/security/
In summary, there are quite a lot of Skype P2P exploits; however,
Skype is worth it.
Change your password regularly, and like with any phone, be very aware
that none of your communications are really truly private.
Keep your Skype version updated, and/or regularly reinstall as needed.
Turn off your file sharing!
--
(623)239-3392 Skype: obn0sis
(503)754-4452 www.obnosis.com
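
Added example, not part of the original post: a small Python parser for the ipfw "Deny TCP ... out via" log format quoted above that flags a local host contacting many distinct peers on ports 80/443 within a few seconds, the pattern the post describes seeing at login. The sample lines, the thresholds and the `year` default are assumptions; the destination addresses are constructed from documentation ranges.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the format of the ipfw log lines quoted in the post
# (documentation-range destination addresses, not real peers).
SAMPLE = """\
Jul 16 03:51:33 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63526 198.51.100.10:443 out via en1
Jul 16 03:51:33 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63527 198.51.100.11:443 out via en1
Jul 16 03:51:33 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63528 203.0.113.20:80 out via en1
Jul 16 03:51:34 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63529 203.0.113.21:80 out via en1
Jul 16 03:51:37: --- last message repeated 1 time ---
Jul 16 03:51:37 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63530 198.51.100.10:80 out via en1
Jul 16 03:51:37 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63531 203.0.113.22:443 out via en1
Jul 16 03:51:37 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.66:63532 192.0.2.30:443 out via en1
Jul 16 03:55:00 mac-mini Firewall[39]: 15400 Deny TCP 192.168.9.70:50000 192.0.2.40:443 out via en1
"""

DENY = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ Firewall\[\d+\]: \d+ Deny TCP "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+) out via \S+$")

def parse(text, year=2009):
    """Yield (timestamp, src_ip, dst_ip, dst_port) for outbound Deny entries."""
    for line in text.splitlines():
        m = DENY.match(line.strip())
        if m:  # "last message repeated" and unrelated lines are skipped
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(4), int(m.group(5))

def fanout_bursts(text, window=10, min_peers=5, ports=(80, 443)):
    """Return (src, window_start, distinct_peers) for sources fanning out on `ports`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in parse(text):
        if dport in ports:
            by_src[src].append((ts, dst))
    bursts = []
    for src, events in by_src.items():
        events.sort()
        best, start = (0, None), 0
        for end in range(len(events)):
            # Slide the window start forward until it spans <= `window` seconds.
            while events[end][0] - events[start][0] > timedelta(seconds=window):
                start += 1
            peers = len({dst for _, dst in events[start:end + 1]})
            if peers > best[0]:
                best = (peers, events[start][0])
        if best[0] >= min_peers:
            bursts.append((src, best[1], best[0]))
    return bursts
```

Running `fanout_bursts` over a saved firewall log gives one row per local host with its busiest window, which can then be compared against what the client is expected to be doing at that time.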