
Torrents, skype and security
Disclaimer: everything below is my personal opinion and is not intended to discredit the systems mentioned or their makers.
About myself: I have worked in network security for 8 years. I specialize in Cisco (CCIE Security).
I am wary of both systems (torrents and Skype) myself, but until now I could not put into words exactly what I disliked about them. So I will try to explain, as objectively as I can, what worries me.
But first let me remind dear Habr readers what a botnet is, what it is eaten with, and why it is so dangerous.
A botnet is a collection of scattered computers under a single malicious control. Botnets are divided into active and passive: in an active botnet the computers know that they are remotely controlled, in a passive one they do not.
How do computers end up in a botnet? As a rule, via Trojans (you install one program and get another, unasked-for one thrown in with it) sent by e-mail, worms (malicious code that spreads across the network on its own), programs auto-started from flash drives, and so on. The main task is to install a program on the computer that will "knock" (try to connect) from behind the firewall out to the control hosts (call home). As soon as the infected computer reaches its management server, it can be controlled over the established session.
Connection attempts are usually made by name(s), and the addresses behind those names are changed dynamically in DNS, every day.
And the ports these programs use (the rascals!) are chosen differently, at random, in the hope that they are open on the firewall.
But why are they dangerous?
A good botnet in capable hands is a powerful weapon for distributed denial-of-service (DDoS) attacks, spamming, and other attacks. There is still no effective weapon against DDoS: once the channel is "plugged" up on the provider's side, the customer cannot "dig through" it by any means of their own. Do you want to be part of a botnet?
And now a few facts about torrents:
1. Torrent clients (and there are many of them) can connect to many different ports.
2. Torrents use many addresses with which they register.
3. You install the client yourself and initiate the connection from behind the firewall.
4. Transfer activity (traffic being pulled from the client by other peers) can easily mask any other activity on that client.
and about Skype:
1. When Skype is installed, every user is issued a certificate signed by the Skype server.
2. When a new contact is added, their certificate is added as well.
3. When connecting to the server, all traffic is encrypted with the server certificate (public key). I tried to filter it with a Cisco IPS a week ago and was put to shame :( The old (unencrypted) version I used to filter with IPS signatures.
4. Skype can attach itself to various servers (at unknown addresses and on unknown ports).
5. Neither the Skype service (signalling) session nor the voice session can be inspected, because both are encrypted...
What is my conclusion from all this?
That, from the network's point of view, both services look painfully like botnet activity...
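To make that resemblance concrete, here is an added example (my own code written for this post, not code from Skype, from any torrent client, or from the original text). It scores a few constructed connection-log lines per source host against the four botnet traits described above: many destination ports, many destination addresses, a destination name whose address keeps changing, and a regular call-home cadence. The hostnames, addresses, log format, and the thresholds of three ports and three addresses are all assumptions chosen for the illustration.

```python
"""Heuristic triage of outbound connection logs for botnet-like behaviour.

Traits scored per source host (see the text above):
  * many distinct destination ports (random ports "in the hope they are open")
  * many distinct destination addresses
  * a destination name whose address keeps changing (DNS re-pointed daily)
  * a regular call-home cadence (periodic beacons to the control host)
"""
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, NOT a real firewall export. One connection per line:
# <ISO timestamp> <src_host> <dst_ip> <dst_port> <dst_name or "-">
SAMPLE_LOG = """\
2009-03-01T10:00:00 pc-bot     198.51.100.7   6112  c1.example-cc.net
2009-03-01T10:10:00 pc-bot     198.51.100.9   443   c1.example-cc.net
2009-03-01T10:20:00 pc-bot     203.0.113.4    8080  c1.example-cc.net
2009-03-01T10:30:00 pc-bot     203.0.113.21   31337 c2.example-cc.net
2009-03-01T10:00:03 pc-torrent 192.0.2.10     6881  -
2009-03-01T10:00:07 pc-torrent 192.0.2.11     51413 -
2009-03-01T10:00:12 pc-torrent 192.0.2.12     6889  -
2009-03-01T10:00:13 pc-torrent 192.0.2.13     7000  -
2009-03-01T10:00:19 pc-torrent 198.51.100.50  80    tracker.example.org
2009-03-01T10:01:00 pc-skype   192.0.2.200    443   -
2009-03-01T10:01:02 pc-skype   192.0.2.201    12350 -
2009-03-01T10:01:05 pc-skype   198.51.100.60  33033 -
2009-03-01T10:01:09 pc-skype   203.0.113.77   80    -
2009-03-01T10:02:00 pc-office  203.0.113.100  443   mail.example.com
2009-03-01T10:07:00 pc-office  203.0.113.100  443   mail.example.com
2009-03-01T10:12:00 pc-office  203.0.113.101  80    www.example.com
"""


def parse_log(text):
    """Parse log lines into (timestamp, src_host, dst_ip, dst_port, dst_name)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst_ip, dst_port, dst_name = line.split()
        records.append((datetime.fromisoformat(ts), src, dst_ip, int(dst_port), dst_name))
    return records


def profile_host(recs):
    """Summarise one host's outbound connections."""
    recs = sorted(recs, key=lambda r: r[0])
    name_to_ips = defaultdict(set)
    for _, _, dst_ip, _, dst_name in recs:
        if dst_name != "-":
            name_to_ips[dst_name].add(dst_ip)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
    # A beacon is "regular" when there are at least three gaps and they vary by under 10% of the mean.
    periodic = len(gaps) >= 3 and statistics.pstdev(gaps) <= 0.1 * statistics.mean(gaps)
    return {
        "ports": {r[3] for r in recs},
        "ips": {r[2] for r in recs},
        "churned_names": {n for n, ips in name_to_ips.items() if len(ips) > 1},
        "periodic": periodic,
    }


def score_profile(profile, port_threshold=3, ip_threshold=3):
    """Return the botnet-like traits a host exhibits (thresholds are assumed values)."""
    reasons = []
    if len(profile["ports"]) >= port_threshold:
        reasons.append("many destination ports")
    if len(profile["ips"]) >= ip_threshold:
        reasons.append("many destination addresses")
    if profile["churned_names"]:
        reasons.append("destination name re-pointed to new addresses")
    if profile["periodic"]:
        reasons.append("regular call-home cadence")
    return reasons


def analyze(text):
    """Map each source host in the log to its list of botnet-like traits."""
    by_host = defaultdict(list)
    for rec in parse_log(text):
        by_host[rec[1]].append(rec)
    return {host: score_profile(profile_host(recs)) for host, recs in by_host.items()}


def is_suspicious(reasons):
    """Two traits are enough for the port/address heuristic alone to fire."""
    return len(reasons) >= 2


if __name__ == "__main__":
    for host, reasons in analyze(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if is_suspicious(reasons) else "ok"
        print(f"{host:<11} {flag:<11} {', '.join(reasons)}")
```

Run on the constructed log, the port and address counts flag pc-bot, pc-torrent and pc-skype alike, which is exactly the author's complaint: on those two traits a firewall log cannot tell them apart. Only the two remaining traits, a name re-pointed to fresh addresses and an evenly spaced call-home rhythm, single out pc-bot, so in practice those are the signals worth alerting on rather than "many ports, many peers" by itself.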
I am not trying to talk anyone out of anything. Moreover, I admit that Skype is a simple and ingenious thing, combining several simple and clever ideas (encryption, certificates for automatic trust, a "paranoid" brute-force approach to getting connected, opening two sessions from two clients from inside their firewalls). And it is user-friendly. But it is a headache for the security people whenever they need to control it.
And torrents, I think, are useful to many (although IMHO their influence and popularity are greatly inflated, and I do not entirely understand it)...
Just one "but": I am not at all sure that at some fine moment the millions of computers belonging to users of these popular services will not turn into one giant botnet from which there is no escape... All it takes is an "update to the new version".
I would be very glad to be mistaken. Refute my words. And you may call me paranoid and alarmist :)
Sincerely, Sergey Fedorov