
Skype

Skype is becoming more and more popular and the number of users is rapidly increasing, mainly because it is the first VoIP software that works well and lets people make free phone calls over the Internet. Video conferencing is also available on Windows and Mac OS X, and was recently added to the Linux port.

Skype is not only gaining popularity among private users. Companies also use the software to hold meetings via video conference and as a company-wide communication platform. That is reason enough to look at the security of Skype.

Skype uses ports 80 and 443 (HTTP and HTTPS) for signalling and voice traffic. Even if those ports are blocked, Skype has no trouble working behind NAT routers or drilling holes through the corporate firewall. This is done with the STUN protocol and tricky procedures that let UDP packets pass stateful firewalls.
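To give a firewall administrator visibility into the NAT-traversal traffic just described, here is an added example (not from the original post and not Skype's code) that parses STUN binding messages found in captured UDP payloads and flags the internal hosts sending binding requests. The sample flows and addresses are constructed.

```python
import struct

# STUN header (RFC 5389): 2-byte type, 2-byte attribute length, 4-byte magic
# cookie, 12-byte transaction ID. Classic STUN (RFC 3489) has no cookie; its
# transaction ID is 16 bytes, so the cookie field is the only way to tell them apart.
STUN_MAGIC_COOKIE = 0x2112A442
# Binding method (0x001) in its four message classes.
BINDING_TYPES = {
    0x0001: "binding-request",
    0x0101: "binding-success",
    0x0111: "binding-error",
    0x0011: "binding-indication",
}

def parse_stun(payload: bytes):
    """Return a dict describing a STUN binding message, or None if the UDP payload is not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # The two most significant bits of the type field are always zero in STUN.
    if msg_type & 0xC000:
        return None
    # The length field counts attributes only and must match the remaining bytes;
    # attributes are padded to 4-byte boundaries.
    if length != len(payload) - 20 or length % 4:
        return None
    if msg_type not in BINDING_TYPES:
        return None
    return {
        "type": BINDING_TYPES[msg_type],
        "rfc5389": cookie == STUN_MAGIC_COOKIE,  # False for classic STUN (more false positives)
        "attr_len": length,
    }

def flag_hole_punching(flows):
    """flows: (src, dst_ip, dst_port, udp_payload) tuples. Report outbound binding
    requests, i.e. hosts discovering their external NAT mapping."""
    hits = []
    for src, dst_ip, dst_port, payload in flows:
        m = parse_stun(payload)
        if m and m["type"] == "binding-request":
            hits.append(f"{src} -> {dst_ip}:{dst_port} STUN {m['type']} (rfc5389={m['rfc5389']})")
    return hits

# Constructed sample payloads: an RFC 5389 request, a classic STUN request and a DNS-like packet.
REQ = struct.pack("!HHI", 0x0001, 0, STUN_MAGIC_COOKIE) + bytes(range(12))
CLASSIC = struct.pack("!HH", 0x0001, 0) + b"\x00" * 16
DNS_LIKE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x00" * 8
SAMPLE_FLOWS = [
    ("10.0.0.5:40001", "203.0.113.7", 3478, REQ),
    ("10.0.0.5:40001", "203.0.113.7", 33033, CLASSIC),
    ("10.0.0.9:53001", "198.51.100.2", 53, DNS_LIKE),
]
```

Feeding real UDP payloads (for example from a packet capture on the firewall's inside interface) into flag_hole_punching lists which workstations are mapping their NAT, regardless of the destination port used.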

In general Skype works as a peer-to-peer network. Data is not only transferred directly to the communication partner, but also relayed over other Skype nodes. And it is not only call data: the Skype contact list is also distributed to many computers of other Skype users.

If a user has a fast Internet connection (more than 256 kbit/s upload) and stays connected for a long time, he automatically becomes a Supernode. Then not only is other users' contact data stored on his computer, but telephone calls are also routed through these Supernodes. So far this behaviour can be disabled.

To protect the privacy of its users, Skype encrypts with AES-256. However, the only material that can be found about Skype's security implementation is a study paid for by Skype itself! That document states that the AES implementation is standards-compliant and well done.

Skype, however, is closed source and nobody can inspect the source code. Skype even employs techniques to hinder debugging and reverse engineering.

That this implementation is not as sound as claimed is suggested by a document that appeared in the German press: in it, the German company DigiTask offers the German government a product to sniff and decode Skype VoIP traffic.

In general, one should consider alternatives such as Wengo or Gizmo, which provide the same functionality (video conferencing and AES encryption); the main difference is that they are open source, so anyone can verify the claimed security.


Clemens Kurtenbach
S21sec Labs





TrueCrypt 5.0 is out

After a long nine-month wait, TrueCrypt 5.0 was released yesterday. This major version upgrade (from 4.3a) is mainly justified by a new feature that allows an entire system drive or partition holding a Windows OS (XP/2003/Vista) to be encrypted, with a pre-boot authentication interface, as most commercial full disk encryption (FDE) products do. But there are other important improvements in this version, such as the new GNU/Linux GUI (older versions only had a command line interface and third-party front-ends) and the Mac OS X port. How many multi-OS FDE tools are out there? Not many, I guess.

I would like to introduce this open source software to anyone who does not know it yet. TrueCrypt is a tool that can easily encrypt hard drives, flash media (USB sticks, memory cards...) and other storage media. It was designed with Windows in mind, and it does not try to compete with commercial FDE software. Those products shine on their own thanks to their centralized administration consoles for controlling many computers, and their data rescue tools for recovering encrypted files whose password was lost, or data from an employee who left the company.

There are two main operational modes: file container based and partition/drive based. There is no recommended mode, as it depends on the storage media where the encrypted data is kept. File-based containers are ideal if mobility is the main concern (it is just a simple file that can be copied, moved...), whereas drive/partition containers have an important speed edge. The final decision has to be made with the main use of the encrypted data in mind.

This storage space can be encrypted with three different symmetric key algorithms (AES, Serpent or Twofish) or a cascade combining two or three of them. These algorithms are patent free, so they should not be suspected of containing extra backdoor code (paranoid people can read through the TrueCrypt source code and compile it themselves instead of using precompiled binaries). TrueCrypt maps the decrypted data to a drive letter or a mountable mapper device (depending on the OS).

There are other interesting features I would like to share with you. Hidden volumes protect data within an inner container that is decrypted with a different password than the outer container, which is useful in a coercion scenario. Last but not least, you can complement the encryption password with a second authentication factor, a keyfile. The keyfile gives the owner of the encrypted data an additional security layer (something you have in addition to something you know), making keyloggers useless to intruders. If you decide to use keyfiles, it is extremely important to store them properly on a removable memory device and keep it away from the computer holding the data when not in use.
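To show why a keyfile turns the password into a second factor, here is an added example (not from the original post and not TrueCrypt's own code) that folds a keyfile into a 64-byte pool, mixes it into the password and derives the volume key from the result, so that neither factor alone unlocks the volume. The pool mixing is loosely modelled on TrueCrypt's documented keyfile processing but is an assumption of this example, and the salt, keyfile and password are constructed.

```python
import hashlib
import zlib

POOL_SIZE = 64                   # bytes of keyfile material mixed into the password
MAX_KEYFILE_BYTES = 1024 * 1024  # only the first 1 MiB of each keyfile is used

def keyfile_pool(keyfiles) -> bytearray:
    """Fold keyfiles into one 64-byte pool: run a CRC-32 over each file byte by
    byte and add the running CRC's four bytes into the pool cyclically.
    Assumed mixing scheme for this example, not the project's own code."""
    pool = bytearray(POOL_SIZE)
    pos = 0
    for kf in keyfiles:
        crc = 0
        for b in kf[:MAX_KEYFILE_BYTES]:
            crc = zlib.crc32(bytes([b]), crc)
            reg = crc ^ 0xFFFFFFFF  # raw CRC register; zlib reports the inverted value
            for shift in (24, 16, 8, 0):
                pool[pos] = (pool[pos] + ((reg >> shift) & 0xFF)) & 0xFF
                pos = (pos + 1) % POOL_SIZE
    return pool

def combined_secret(password: str, keyfiles) -> bytes:
    """XOR the keyfile pool into the zero-padded password. Without keyfiles the
    password alone is the secret, which is exactly what a keylogger captures."""
    secret = bytearray(password.encode()[:POOL_SIZE].ljust(POOL_SIZE, b"\0"))
    if keyfiles:
        pool = keyfile_pool(keyfiles)
        for i in range(POOL_SIZE):
            secret[i] ^= pool[i]
    return bytes(secret)

def derive_key(password: str, keyfiles, salt: bytes, iterations: int = 2000) -> bytes:
    """Stretch the combined secret into a 256-bit volume key (PBKDF2-HMAC-SHA512)."""
    return hashlib.pbkdf2_hmac("sha512", combined_secret(password, keyfiles), salt, iterations, 32)

# Constructed demo volume: its key was derived from password AND keyfile.
SALT = b"\x01" * 64                      # constructed; a real volume header stores a random salt
KEYFILE = b"constructed keyfile content " * 40
PASSWORD = "correct horse"
VOLUME_KEY = derive_key(PASSWORD, [KEYFILE], SALT)

def unlock(password: str, keyfiles) -> bool:
    """True only when both factors reproduce the volume key."""
    return derive_key(password, keyfiles, SALT) == VOLUME_KEY
```

Note the 1 MiB cap: bytes past it never influence the pool, so a keyfile larger than that can be tampered with at the end without any effect, and only its first megabyte needs to stay secret.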

I highly recommend that our readers have a look at this fine software, which will protect our most sensitive data from prying eyes. It can be intimidating at first because of the large number of advanced options, but it is not necessary to learn them all. The most important features are quickly learnt thanks to its complete tutorial and documentation.

Álvaro Ramón
S21sec labs









© Copyright S21sec 2012 - All rights reserved

