Tuesday, 21 May 2013 14:48

Microsoft Lync, Um We Mean Skype Is Not As Private or Secure As You Might Think

Written by

Reading time is around minutes.
MS-Myth

About a month ago a memo was “leaked’ by the DEA to CNET that started a storm of articles about how secure some online messaging systems were. The memo appeared to indicate the Apple’s iMessage service was so secure that it could not be broken by government agents. They claimed that they were not able to get message details or information. Sadly, the memo ended up making the DEA look incompetent and showed that it was just an attempt to sway public opinion on the need for more surveillance powers for law enforcement.

Apple’s iMessage is not a form of end to end encryption; it still requires intermediate servers to send messages and connect users. Now there is something of a storm as we are finding out that Microsoft also keeps information about your chats and verifies links you send. Why this is shocking to anyone we are not sure, just because Microsoft is using a UI that looks and acts like Skype does not mean that is what you are getting. Link blocking, scanning message arbitration, and worse, are all parts of Microsoft’s own internal messaging system Lync.

Lync 2013 is the current generation of Microsoft’s enterprise class messaging server. It has some great features inside that allow a corporate network to maintain communication between employees and even others outside the network. As with most corporate applications there is a need for security; data and malware. You need to ensure that your employees are not saying anything improper, giving away corporate secrets, or downloading malware. Microsoft incorporated features in the back end servers that allow for link blocking/checking as well as conversation capture where all conversations are captured and stored on the server. These are not new features though, even going back to Microsoft Office Communications Server 2007 you had these options and MOCS 2007 was SIP based just like Skype is. Going further back Microsoft was caught browsing and blocking links to suspected pirated material in their live messenger client. They were also caught storing conversation information on their servers even if the local client was not setup to do so. MOCS and Windows Live Messenger were the same platform.

Microsoft knew that their Messenger/Communication Server network was not efficient. In large environments it could bog down and it was also not secure from outside penetration. It was also overly complex to keep running (you had to have three different external IPs to use all of the features). They needed something new and more powerful; they bought their biggest competitor, Skype. Buying Skype was not just about taking out a competitor, it was also because Microsoft was looking to take their own messaging system in the direction that Skype had already been.

Once they had the technology, they moved all of the SuperNodes into Microsoft’s data centers and these SuperNodes became the back bone for their cloud Lync server as well as servicing regular Messenger and Skype Clients. Doing this was critical for Microsoft’s future plans for cloud based services (Lync is part of Office 365). They knew they needed something that would allow them to offer a cloud based corporate messaging system that included federation (the ability to connect the corporate network to other messaging services). Skype was ready made and fit well with their Lync project. All they needed to do was to include the message arbitration (message logging), link blocking/scanning and a few other nice security features in the mix. They knew they had to offer them to corporate clients who might want to use their cloud services, so there was no reason not to use them on everyone.

So the next time you fire up your Skype client just remember that you are only using a different front end client for Microsoft’s public Lync network. You can see this integration by simply looking at the new integration with “Microsoft” accounts in the 2012 Windows Serve System. You can now log into corporate networks with a Microsoft Account if your network admin is dumb enough to let you. Of course, Microsoft is not the only one doing this, Apple has been doing this type of message cataloging for a while as has Facebook and many others. You do not have any right to private conversations when you use their services. The fact that they do not come out and specifically state this is concerning, but we are guessing they had a team of lawyers make sure they did not have to before they wrote their terms and conditions.

On the downside: when companies catalog user information like this, those servers become a target for attack. We have already had a few exploits for Skype that allow for accounts to be easily compromised with images or links. How hard would it be to get into the servers that maintain conversation logs? They also becomes a target for data collection and surveillance freaks who want to sift through everything you do. Message history could have been shared by Microsoft in the name of “cyber security” if bills like CISPA (Cyber Intelligence Sharing and Protection Act) were passed. The chats that you thought were private have never actually been private, they are and have always been stored somewhere. We are just becoming more aware of these issues as consumers grow more informed on the technology they use.

Although these revelations are not likely to stop people from using Skype or any other cloud service they do show us how little real privacy we have when using them. What many people would have thought was a secure point-to-point service is nothing of the kind. The fact that Microsoft and others have never clarified this is just par for the course.

Tell us what you think about this in our Forum

Read 8304 times Last modified on Tuesday, 21 May 2013 15:11

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.