DBSA:2013-0003

From Digibase Knowledge Base
Revision as of 17:06, 21 May 2013 by Kradorex Xeron (talk | contribs)

DBSA ID: 2013-0003

Regarding: Microsoft Probing Sites Linked in Skype Chats

Related to: DBSA:2013-0002

Writeup: Kradorex Xeron (talk) 16:52, 21 May 2013 (EDT)

Date: 2013 05 21

Last Modified: 20130521170611 by Kradorex Xeron

Who should take note: Web Server Operators, Web Hosts, System Administrators, Webmasters

Classification

Priority: MEDIUM

Rationale: Operators should be at minimum aware that Microsoft may probe potentially confidential sections of sites.

Severity: LOW

Rationale: There has been no observed impact to operations of webservers.

Spread of Issue: CROSS-PLATFORM HIGH

Rationale: Millions of users use Skype across multiple platforms, and any and all webservers accessible on the routable Internet are potential recipients of probing.

Description

Microsoft, the vendor of Skype, has been observed probing websites linked in Skype chats. Such probes may be made against potentially confidential or otherwise normally "off-limits" sections of websites. Microsoft does not provide an "opt out" mechanism to disable these probes, and robots.txt bot control is not respected by Microsoft in these automated probes.

Technical Details

Digibase has directly observed that the vendor of Skype has been probing websites that are posted as links in Skype chats. The probes are performed as HEAD requests (as per RFC 2616) transmitted against the webserver for an unknown reason. The request is typically transmitted from the IP address 65.52.100.214.

An example of such a request, as recorded in Apache HTTPD logs:

<domain> 65.52.100.214 - - [20/May/2013:02:57:49 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"
 

No notable robots.txt requests have been attempted, and the user-agent field does not contain any relevant information as to why the HEAD request is being performed or what tool or bot is performing it.
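The following Python example is added here and is not part of the original advisory: it scans vhost-prefixed Apache log lines for the pattern described above (HEAD requests with empty referer and user agent from the 65.52.0.0/14 range) and reports which paths were probed and whether the same client ever requested robots.txt. The vhost `example.org`, the 203.0.113.7 and 65.52.100.9 clients, the user-agent strings and every log line after the first are constructed for illustration.

```python
import ipaddress
import re

# Vhost-prefixed Apache combined log format, matching the advisory's sample line.
LINE_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Range taken from the whois record quoted in the advisory.
PROBE_NET = ipaddress.ip_network("65.52.0.0/14")

# Constructed sample lines (the first follows the advisory's example, vhost filled in).
SAMPLE_LOG = """\
example.org 65.52.100.214 - - [20/May/2013:02:57:49 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"
example.org 65.52.100.214 - - [20/May/2013:03:10:02 -0400] "HEAD /private/report.pdf HTTP/1.1" 200 - "-" "-"
example.org 203.0.113.7 - - [20/May/2013:03:11:15 -0400] "GET /robots.txt HTTP/1.1" 200 64 "-" "ExampleBot/1.0"
example.org 203.0.113.7 - - [20/May/2013:03:11:16 -0400] "HEAD / HTTP/1.1" 200 - "-" "-"
example.org 65.52.100.9 - - [20/May/2013:03:12:40 -0400] "HEAD / HTTP/1.1" 200 - "-" "ExampleAgent/2.0"
""".splitlines()


def find_probes(lines, network=PROBE_NET):
    """Map each client in `network` that sent HEAD requests with empty referer
    and user agent to the paths it probed and whether it ever asked for robots.txt."""
    probes, robots_seen = {}, set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # different log format: skip rather than guess
        try:
            if ipaddress.ip_address(m["ip"]) not in network:
                continue
        except ValueError:
            continue  # hostname instead of an address (HostnameLookups on)
        if m["path"].split("?", 1)[0] == "/robots.txt":
            robots_seen.add(m["ip"])
        blank = ("", "-")
        if m["method"] == "HEAD" and m["referer"] in blank and m["agent"] in blank:
            entry = probes.setdefault(m["ip"], {"paths": [], "fetched_robots": False})
            entry["paths"].append((m["vhost"], m["path"], int(m["status"])))
    for ip, entry in probes.items():
        entry["fetched_robots"] = ip in robots_seen
    return probes


if __name__ == "__main__":
    for ip, entry in find_probes(SAMPLE_LOG).items():
        print(ip, "robots.txt fetched:", entry["fetched_robots"])
        for vhost, path, status in entry["paths"]:
            print(f"  {vhost} HEAD {path} -> {status}")
```

A 200 status on a path that should require authentication is the result worth following up, since a HEAD response still confirms that the resource exists and is reachable without credentials.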

The address 65.52.100.214 has the following whois record:

NetRange:       65.52.0.0 - 65.55.255.255
CIDR:           65.52.0.0/14
OriginAS:       
NetName:        MICROSOFT-1BLK
NetHandle:      NET-65-52-0-0-1
Parent:         NET-65-0-0-0-0
NetType:        Direct Assignment
RegDate:        2001-02-14
Updated:        2012-03-20
Ref:            http://whois.arin.net/rest/net/NET-65-52-0-0-1


OrgName:        Microsoft Corp
OrgId:          MSFT
Address:        One Microsoft Way
City:           Redmond
StateProv:      WA
PostalCode:     98052
Country:        US
RegDate:        1998-07-10
Updated:        2011-04-26
Ref:            http://whois.arin.net/rest/org/MSFT

OrgAbuseHandle: MSNAB-ARIN
OrgAbuseName:   MSN ABUSE
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@msn.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/MSNAB-ARIN

OrgNOCHandle: ZM23-ARIN
OrgNOCName:   Microsoft Corporation
OrgNOCPhone:  +1-425-882-8080 
OrgNOCEmail:  noc@microsoft.com
OrgNOCRef:    http://whois.arin.net/rest/poc/ZM23-ARIN

OrgTechHandle: MSFTP-ARIN
OrgTechName:   MSFT-POC
OrgTechPhone:  +1-425-882-8080 
OrgTechEmail:  iprrms@microsoft.com
OrgTechRef:    http://whois.arin.net/rest/poc/MSFTP-ARIN

OrgAbuseHandle: HOTMA-ARIN
OrgAbuseName:   Hotmail Abuse
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@hotmail.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/HOTMA-ARIN

OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName:   Abuse
OrgAbusePhone:  +1-425-882-8080 
OrgAbuseEmail:  abuse@msn.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/ABUSE231-ARIN

RTechHandle: ZM23-ARIN
RTechName:   Microsoft Corporation
RTechPhone:  +1-425-882-8080 
RTechEmail:  noc@microsoft.com
RTechRef:    http://whois.arin.net/rest/poc/ZM23-ARIN
 

Mitigation/Solution

Operators may wish to set up firewall rules, .htaccess rules or other Access Control List (ACL) provisions, or otherwise filter traffic originating from the IP address noted, and/or advise their clients and users not to link confidential information in Skype chats.
