Memex 1.1

Answer: probably yes. I’ve long suspected that anyway. Now comes this interesting report from an Austrian online news site…

According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.

This has been confirmed to heise online by a number of the parties present at the meeting. Skype declined to give a detailed response to specific enquiries from heise online as to whether Skype contains a back door and whether specific clients allowing access to a system or a specific key for decrypting data streams exist. The response from the eBay subsidiary’s press spokesman was brief, “Skype does not comment on media speculation. Skype has no further comment at this time.” There have been rumours of the existence of a special listening device which Skype is reported to offer for sale to interested states.

There has long been speculation that Skype may contain a back door. Because the vendor has not revealed details of its proprietary Skype protocol or of how the client works, questions as to what else Skype is capable of and what risks are involved in deploying it in an enterprise environment remain open.

Last week, Austrian broadcaster ORF, citing minutes from the meeting, reported that the Austrian police are able to listen in on Skype connections. Interior ministry spokesman Rudolf Gollia declined to provide heise online with a comment on the matter. He did, however, offer general comments on the meeting, which were, however, contradicted by other attendees…

I use Skype quite a lot and find it very useful for family stuff etc. But I wouldn’t use it for anything that was commercially sensitive.

Skype would be able to charge quite a hefty fee to governments for this, er, feature.

Also, I wonder how this latest speculation squares with an earlier report that I logged claiming the German police were unable to crack Skype encryption. Perhaps the Germans weren’t willing to pay Skype the required fee for entry to the back door?

From the Register…

Selling “installs” is a common practice in the cyber-underworld, the most notable example being in 2005 when Jeanson Ancheta was arrested for building a 400,000-strong botnet and installing adware from 180 solutions for a fee of $60,000. Cybercriminals have since moved on to installing spyware onto compromised machines.

Zombie machines infected with Trojan horse malware can be used to relay spam or launch denial of service attacks. Compromised machines can be also be pointed to websites from which additional items of malware can be downloaded. The practice is normally used to update Trojan code, but it also creates a means for cybercrooks to make a “nice little earner”.

The income that can be earned grows with the numbers of installs, and varies based on the geographical location of an installation. For example, installing spyware on 1,000 machines in Australia earns $100 but only $50 in the US, and a measly $3 in Asia. A sample price list obtained by net security services firm sheds fresh light on the phenomenon.

MeesageLabs culled its figures from a malware distribution site in Russia, the existence of which we’ve verified. The site is loaded with malware and for that reason we’ll refer to it by a shortened version of its name, installscash.org.

Good piece in Slate by Cyrus Farivar…

The Estonia case also shows how easy it is to cause massive panic on a shoestring budget. All you need to deploy a cyberattack is some malicious software, a bunch of zombie computers distributed around the world, and an Internet connection. Sure, you may need to pay for a “professional-grade” botnet—a network of computers that have been surreptitiously infected to run nefarious software. But surely that costs orders of magnitude less than the price of heavy artillery, battleships, and nuclear submarines.

Perhaps the most telling lesson here is how difficult it is to catch the perpetrators of online terrorism. Covering one’s fingerprints and footprints online is relatively simple, compared with getting rid of physical evidence. IP addresses can be spoofed, and an attack that appears to come from one place may actually originate somewhere else. As such, the Kremlin (or anyone else) can plausibly deny that they had anything to do with the attacks, even if the Estonians’ server logs show that the attacks first originated from Moscow. If the Russians don’t want to hand over data or documents—or even pick up the phone, for that matter—there’s not much that Estonia, or anyone else, can do to figure out the real story…