RE: Skype & IPS vendor claims



These sigs were triggered from installation all the way through the test
call that Skype provides. The user-agent detections are triggered when
opening the client and closing the client; it calls back to a home server.
As far as I can tell this server is semi-random; it probably goes to some
round robin DNS. Bleeding-snort will take a look at the capture from this
session and see if we can improve the signatures at all.


May 17 13:48:58 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2450 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy Skype VOIP Checking Version (Startup) [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY Skype User-Agent detected [Classification: Potential Corporate Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80

William B.
CWIE Security
williamb@xxxxxxxx
CWIE LLC

------------------------------------------
If you spend more on coffee than on IT security, you will be hacked.
What's more, you deserve to be hacked.
-- former White House cybersecurity czar Richard Clarke

Vladimir Parkhaev <vladimir@xxxxxxxxxx> >>>
Quoting Matt Jonkman (mjonkman@xxxxxxxxxxx):
What these vendors may be doing is trying to block access to centralized
login or directory servers by known IP ranges... I don't know if that'll
be completely effective.


If I understand the protocol correctly, central servers are contacted only
on a first run (after install). I(D|P)S systems can have sigs with IP
addresses of those servers, but if user X installs Skype client on his corp.
laptop at home... it doesn't help much.

--
.signature: No such file or directory
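
An added example, not part of the original thread: a Python triage script that rejoins hard-wrapped Snort syslog alerts in the layout quoted above and tallies, per SID, the hit count and the destination IPs seen, which is the data needed to judge whether an IP-based signature would cover what the User-Agent signature catches. The third sample alert and its 203.0.113.7 destination are constructed for illustration; the function names are this example's own.

```python
import re
from collections import defaultdict

# Field layout of the Snort syslog alerts quoted in the message above.
ALERT_RE = re.compile(
    r"snort\[\d+\]: \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) "
    r"\[Classification: (?P<cls>[^\]]+)\] \[Priority: (?P<prio>\d+)\]: "
    r"\{(?P<proto>\w+)\} (?P<src>[\w.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)")
TIMESTAMP_RE = re.compile(r"[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d ")

# First two alerts are from the message, wrapped as mailed; the third
# (203.0.113.7, a documentation address) is constructed for illustration.
SAMPLE = """\
May 17 13:48:58 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY
Skype User-Agent detected [Classification: Potential Corporate Privacy
Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2450 -> 212.72.49.131:80
May 17 13:49:37 10.20.XX.XX snort[20246]: [1:2001595:6] BLEEDING-EDGE Policy
Skype VOIP Checking Version (Startup) [Classification: Potential Corporate
Privacy Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2466 -> 212.72.49.131:80
May 17 13:52:10 10.20.XX.XX snort[20246]: [1:2002157:1] BLEEDING-EDGE POLICY
Skype User-Agent detected [Classification: Potential Corporate Privacy
Violation] [Priority: 1]: {TCP} 10.20.XX.XX:2471 -> 203.0.113.7:80
"""

def unwrap(text):
    """Rejoin hard-wrapped alerts; a syslog timestamp starts a new record."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if TIMESTAMP_RE.match(line):
            records.append(line)
        elif line and records:
            records[-1] += " " + line
    return records

def summarize(text):
    """Map SID -> message, hit count and the set of destination IPs seen."""
    summary = defaultdict(lambda: {"msg": "", "count": 0, "dsts": set()})
    for record in unwrap(text):
        m = ALERT_RE.search(record)
        if m is None:
            continue  # not a Snort alert in this layout
        entry = summary[m["sid"]]
        entry["msg"] = m["msg"]
        entry["count"] += 1
        entry["dsts"].add(m["dst"])
    return dict(summary)
```

Calling `summarize(SAMPLE)` shows SID 2002157 firing toward two different destinations, the case where a rule pinned to one server address would have missed a hit that the User-Agent content match caught.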
