DBSA:2013-0003

From Digibase Knowledge Base
Revision as of 16:52, 21 May 2013 by Kradorex Xeron

DBSA ID: 2013-0003

Regarding: Microsoft Probing Sites Linked in Skype Chats

Related to: DBSA:2013-0002

Writeup: Kradorex Xeron (talk) 16:52, 21 May 2013 (EDT)

Date: 2013 05 21

Last Modified: 20130521165200 by Kradorex Xeron

Who should take note: Web Server Operators, Web Hosts, System Administrators, Webmasters

Classification

Priority: MEDIUM

Rationale: Operators should be at minimum aware that Microsoft may probe potentially confidential sections of sites.

Severity: LOW

Rationale: There has been no observed impact to operations of webservers.

Spread of Issue: CROSS-PLATFORM HIGH

Rationale: Millions of users use Skype across multiple platforms.

Description

Microsoft, the vendor of Skype, has been observed probing websites linked in Skype chats. These probes may target potentially confidential or otherwise normally "off-limits" sections of websites. Microsoft does not provide an "opt out" mechanism to disable the probes, and the automated probes do not respect robots.txt bot control.

Technical Details

Digibase has directly observed that the vendor of Skype has been probing websites that are posted as links in Skype chats. The probes are HEAD requests (as per RFC 2616) sent to the webserver for an unknown reason. The request is typically transmitted from the IP address 65.52.100.214.

An example of such a request, as recorded in Apache HTTPD logs, is as follows:

<domain> 65.52.100.214 - - [20/May/2013:02:57:49 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"
 

The WHOIS record for that address is:

NetRange:       65.52.0.0 - 65.55.255.255
CIDR:           65.52.0.0/14
OriginAS:       
NetName:        MICROSOFT-1BLK
NetHandle:      NET-65-52-0-0-1
Parent:         NET-65-0-0-0-0
NetType:        Direct Assignment
RegDate:        2001-02-14
Updated:        2012-03-20
Ref:            http://whois.arin.net/rest/net/NET-65-52-0-0-1


OrgName:        Microsoft Corp
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2011-04-26
Ref:            http://whois.arin.net/rest/org/MSFT

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@msn.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/MSNAB-ARIN

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080 
OrgNOCEmail:  noc@microsoft.com
OrgNOCRef:    http://whois.arin.net/rest/poc/ZM23-ARIN

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080 
OrgTechEmail:  iprrms@microsoft.com
OrgTechRef:    http://whois.arin.net/rest/poc/MSFTP-ARIN

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@hotmail.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/HOTMA-ARIN

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@msn.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE231-ARIN

RTechHandle: ZM23-ARIN
RTechName:   Microsoft Corporation
RTechPhone:  +1-425-882-8080 
RTechEmail:  noc@microsoft.com
RTechRef:    http://whois.arin.net/rest/poc/ZM23-ARIN
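
The request pattern and address range above can be checked against existing access logs. The following is an added example, not part of the original advisory: it assumes the vhost-prefixed log format of the sample line, takes the 65.52.0.0/14 range from the WHOIS output, and runs over constructed log lines in which example.org stands in for the redacted domain.

```python
import ipaddress
import re
from collections import defaultdict

# CIDR from the WHOIS output in this advisory (NetName MICROSOFT-1BLK).
PROBE_NET = ipaddress.ip_network("65.52.0.0/14")

# Vhost-prefixed combined log format, matching the advisory's sample line.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def find_probes(lines):
    """Return {vhost: [(timestamp, path, status), ...]} for probe-like requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed line or a different log format
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # client field holds a hostname, not an address
        # Signature from the advisory: HEAD, empty referer, empty user agent.
        if (ip in PROBE_NET and m["method"] == "HEAD"
                and m["referer"] == "-" and m["agent"] == "-"):
            hits[m["vhost"]].append((m["ts"], m["path"], int(m["status"])))
    return dict(hits)

# Constructed sample log lines (not taken from a real server).
SAMPLE = [
    'example.org 65.52.100.214 - - [20/May/2013:02:57:49 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"',
    'example.org 65.52.100.214 - - [20/May/2013:03:10:02 -0400] "HEAD /private/report.pdf?token=abc HTTP/1.1" 200 - "-" "-"',
    'example.org 65.55.1.9 - - [20/May/2013:03:11:00 -0400] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    'example.org 203.0.113.7 - - [20/May/2013:03:12:00 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"',
    'example.org 65.56.0.1 - - [20/May/2013:03:13:00 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"',
]

if __name__ == "__main__":
    for vhost, probes in find_probes(SAMPLE).items():
        for ts, path, status in probes:
            print(f"{vhost} {ts} HEAD {path} -> {status}")
```

A 200 status on a path that was meant to be private shows that possession of the link alone was enough to reach it, which is the exposure the advisory warns about.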
 

Mitigation/Solution

Operators may wish to set up firewall rules, .htaccess rules or other Access Control List (ACL) provisions, or otherwise filter traffic originating from the IP address noted, and/or advise their clients and users not to link confidential information in Skype chats.
