Saturday, May 04, 2013

Recent Skype hijacks -- a lesson in security vulnerabilities (especially through "social engineering")

In today's online world, everything is under attack by hackers -- which first and foremost means that we should think twice before putting personal details about ourselves or anyone else online, or in emails, text chats and the like.

So, it is in a sense unsurprising to learn of vulnerabilities with Skype, the popular 'net calling/chatting software. 

(Before I go on, let me note that I think it is wise to host something like that in a second operating system on your computer, i.e. I OFFICIALLY RECOMMEND DUAL BOOT [--> Try Jolicloud, an easy-to-use version of Linux], or on your smart phone, or the like, so that you control when it is on and off, and what it is connected to. This is worth noting, as there is a report that Christians in danger zones use Skype for communications because the actual calls are encrypted, sufficiently so that it seems hard for intelligence services to intercept them.

(BTW, a shower running hard in the background is a good masking noise source against eavesdropping. Bear in mind too that the vibrations of window panes or louvres can in principle be captured with a laser bounced off the glass, the vibration modulating the reflected beam; heavy drawn curtains reduce this high-end eavesdropping possibility. Beyond that level you are talking about nonlinear junction detectors and spectrum-analyser sweeps to find bugs, including passive devices that are "lit up" by a microwave beam. [At one point the new US Embassy building in Moscow was reportedly bugged by embedding diodes in the concrete mix, to be lit up in just that way.])

But if your password is easily guessed, or the like, none of that helps. If you have any reason whatsoever to be concerned about security, follow Microsoft's advice and log in to Skype through a Microsoft account. And use a monster of a password for that: long, mixing letters, numbers and special symbols, and unconnected to guessable or personal information that police or hackers, depending on the threat, could get at. Cf. here. If things are really serious, go with Diceware word lists, and yes, do the whole deal: drawn curtains, silently memorise the result, and burn, crumble and flush the paper used in the meanwhile.

A Diceware passphrase is not a one time pad (the one time pad is the only provably unbreakable cipher, and it encrypts messages rather than protecting logins); what Diceware gives you is a passphrase whose strength you can actually count. Each word is chosen by five dice rolls from a list of 7776 (that is, 6 to the power 5) words, so each word contributes about 12.9 bits of unpredictability and seven words give about 90 bits. Go long: at least seven words, and note that it is the number of randomly chosen words, not the character count, that carries the strength; seven words will in any case be far longer than 14 characters. In a crunch you can make dice out of a bit of wood -- or solid food (a raw potato or the like) -- cut into cubes and marked with dots. If dice are not something you usually have around, get rid of them afterwards: soak them in 5.25% bleach first, to destroy DNA and fingerprints, and handle them with similarly sterilised materials. Remember, if you forget your phrase, you are locked out. If you are not looking secret police in the eye, keep the passphrase in a really, really safe place, in some odd corner of your home. NOT a bank vault: if things get serious, you are not going to be able to get to a bank vault. This is one case where a dose of paranoia is helpful. And to get rid of storage media, use a sledge hammer and scatter the finely ground results of some vigorous swings. Older reports claimed that overwritten data could be recovered several layers deep from residual magnetisation; a single full overwrite is generally considered enough on modern high-density drives, but physical destruction removes the doubt.)
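Since the passphrase advice above turns on counting randomly chosen words rather than characters, here is an added example (my own illustration, not code from Skype, Microsoft or the Diceware project) that rolls five dice per word with the operating system's random source, maps each set of rolls onto a list index, and reports the resulting strength in bits. The word list is a constructed placeholder of 7776 entries standing in for the real Diceware list; the 90-bit threshold is an assumption chosen to match seven words.

```python
import math
import secrets

DICE_SIDES = 6
ROLLS_PER_WORD = 5
LIST_SIZE = DICE_SIDES ** ROLLS_PER_WORD  # 7776, the size of a real Diceware list

# Constructed placeholder list: the real Diceware list has 7776 short words keyed
# "11111" .. "66666". Here entry i is just "w<i>", which keeps the example
# self-contained; the strength calculation depends only on the list size.
PLACEHOLDER_WORDLIST = ["w%04d" % i for i in range(LIST_SIZE)]


def roll_key(rng=secrets.randbelow):
    """Roll five dice and return the Diceware key, e.g. '31452'.

    rng(n) must return an integer in [0, n); secrets.randbelow is a CSPRNG.
    A deterministic rng can be passed in for testing.
    """
    return "".join(str(rng(DICE_SIDES) + 1) for _ in range(ROLLS_PER_WORD))


def key_to_index(key):
    """Map a five-digit key of dice values (1-6) onto a list index 0..7775."""
    if len(key) != ROLLS_PER_WORD or any(c not in "123456" for c in key):
        raise ValueError("key must be exactly five digits in the range 1-6: %r" % key)
    index = 0
    for digit in key:
        index = index * DICE_SIDES + (int(digit) - 1)  # base-6, digits are 1-based
    return index


def generate_passphrase(n_words=7, wordlist=PLACEHOLDER_WORDLIST, rng=secrets.randbelow):
    """Pick n_words words, each by an independent set of five rolls."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("a Diceware list must have exactly %d entries" % LIST_SIZE)
    return [wordlist[key_to_index(roll_key(rng))] for _ in range(n_words)]


def word_entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(list_size)


def char_entropy_bits(n_chars, alphabet_size):
    """Entropy of n uniformly chosen characters from an alphabet of the given size."""
    return n_chars * math.log2(alphabet_size)


def passphrase_report(words, list_size=LIST_SIZE, min_words=7, min_bits=90.0):
    """Summarise strength; min_bits=90 is an assumed threshold matching seven words."""
    phrase = " ".join(words)
    bits = word_entropy_bits(len(words), list_size)
    return {
        "words": len(words),
        "characters": len(phrase),
        "bits": bits,
        "strong_enough": len(words) >= min_words and bits >= min_bits,
    }


if __name__ == "__main__":
    words = generate_passphrase()
    print(" ".join(words))
    print(passphrase_report(words))
    # For comparison: 14 random lowercase letters vs 14 random printable ASCII characters
    print("14 lowercase letters: %.1f bits" % char_entropy_bits(14, 26))
    print("14 printable ASCII chars: %.1f bits" % char_entropy_bits(14, 95))
```

Run as a script it prints a seven-word phrase from the placeholder list; drop in the real list keyed the same way and nothing else changes. The comparison lines show why a bare "14 characters" rule is weak: 14 uniformly random lowercase letters carry about 66 bits, well short of the roughly 90 bits in seven Diceware words, and a human-chosen 14-character string carries far less than either.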

A couple of days ago, the following story was making the rounds; here I pick up from Violet Blue -- sounds like a pseudonym to me, a good idea especially if you are of the female persuasion -- of ZDNet:
According to security researcher @TibitXimer (A.K.A. Dylan), his Skype account was stolen six times [in one and the same day!], and he now claims all Skype user accounts are vulnerable to the same fate due to Skype's flimsy account recovery practices - which are especially thin, as he discovered the hard way, when contacting customer service.

When he contacted Skype support, reps didn't appear to acknowledge that the issue was immediate... and repeating.
Perhaps that is because his account had been hijacked through basic social engineering techniques and not hacked - as then he learned that the problem was with contacting customer service itself.
Yup, the "I've forgotten, help" desk was the vector for the attack: the attacker persuaded the support staff that a fraudulent account-recovery request was legitimate, and no password cracking was needed. In response, Microsoft now encourages logging into Skype through a Microsoft account. And yes, guess who now owns Skype: Microsoft, which bought it in 2011.

This points to a much wider problem, one so important that I will use the linked infographic from Ms Blue's article:

[Infographic: "Hacking the Mind with Social Engineering", by Veracode Application Security]

Let us learn and let us beware. END