Disruptive Telephony

Today, Skype issued a new Skype 5.1 for Mac "hotfix" for more "security issues". The problem?

We don't know what those "security issues" are?

We don't know, for instance:

• Are they related to the remote exploit that was publicly disclosed on Friday? Or to related attacks on the same theme? (as discussed on SecNiche today)
  
  
• What is the severity of these "security issues"? Remote compromise? Denial of service? What?
  
  
• What is the priority that we should place on getting this update in place? Is it a "UPDATE NOW!" kind of priority? or a "Update when you can"?
  
  
• What kind of mitigating circumstances are there for these security fixes?
  
  
• Are there any workarounds that could be put in place at a network layer (or any other layer) to prevent attacks on individual systems? (i.e. as a safety measure until the individual clients are all updated?)

We need to know this kind of information.

Particularly as Skype looks to try to move more into the "business" or "enterprise" market space, this level of NON-disclosure is unacceptable.

In comparison, take a look at any of the recent Microsoft security bulletins, like, oh, this one, and you can see the kind of information that a security professional is looking for. Now, sure, Skype doesn't necessarily need to go to the level of detail that Microsoft has... but something more than just "Security issues" is necessary.

Letting Us Know?

Additionally, why again is Skype issuing a "hotfix for security issues" without telling anyone about it? Just like they did back in April?

Once again the hotfix is mentioned only on Skype's Garage blog. Nothing on Twitter on either @skype or @skypesecurity. Nothing on the Mac blog (although they finally updated that blog about the issue on Friday). Nothing on the Security blog.

And once again, the "Check for Updates..." feature in Skype 5.1 does not show a new update available:

So apparently the only way we can get this hotfix for unknown "security issues" is to go to Skype's main download site and download it!

C'mon Skype! You can do better than this!

Recommendations for Skype

So rather than just rant, let me offer these suggestions to Skype for what they should do when they have a "security hotfix":

1. Provide More Info - Saying it is simply "security issues" doesn't cut it. We need to know things like:

• what is the severity of the security issue? if an attacker could compromise the Skype client, what could he or she do?
• how easy is it for an attacker to execute an attack? can the attacker be remote? do they have to be a contact?
• are there mitigating circumstances that would make an attack less likely?
• are there workarounds that could be put in place at a larger level than just the client?
• what is the potential exposure of NOT upgrading?

Skype should look seriously at tools like the Common Vulnerability Scoring System (CVSS) used by many software/hardware providers (see also the CVSS FAQ). And while perhaps the full CVSS process may be too heavy for a smaller organization like Skype, the document at least gives insight into the type of questions security professionals want.

Similarly, the Cisco Security Vulnerability Policy and associated links is worth a read. Again, it may be too heavy a system for a smaller company like Skype... but then again perhaps in all of the new hires Skype is looking to do they could hire some folks specifically to work on this process.

2. Let People Know About The Security Hotfix - Skype has a "security" blog and specific @skypesecurity Twitter account. They should be used to communicate the availability of security hotfixes. Security professionals associated with companies using Skype could then know that they need to subscribe/follow those sites to know when there are new issues needing attention.

3. Make The Security Hotfix EASY To Obtain - Make the "Check for Updates..." process work from the beginning. The blog post or other update should be able to state that Skype users can simply go up to "Check for Update..." to download/install the new version. Perhaps this means that the blog post has to be delayed until the new version is uploaded to whatever update servers Skype has... but so what? Wait a bit - or improve the internal process so that these uploads happen faster. The end result will be that MORE people will update sooner, which, I would think, should be the goal.

Those three steps would help people feel a whole lot better about Skype's concern for security - and would also make sure that Skype users are better protected. It would also help Skype's reputation, brand, etc.

And it would stop people like me from writing blog posts like this. ;-)

Seriously, Skype... security matters... and even more, communication about security matters. We all know that with any system there are security issues... no system is perfect and attackers will always try to compromise systems. We get that. It is how you react and communicate about those security issues that is so incredibly critical.

What is the point in issuing a hotfix that addresses a security vulnerability... if you don't tell anyone that the hotfix is available?

Tonight Skype published a blog post saying that back on April 14th they released a "hotfix" for this problem in Skype for Mac version 5.1.0.922. That's great... it's good that the fix is out there, but...

how were we Mac users supposed to know about it?

Hmmm... let's see... Could we find out about the Skype for Mac hotfix...

• ... using the "Check for Updates" feature? Nope, doesn't work for me. Maybe it works for others out there, but not for me.
  
  
• ... from the Skype for Mac Release Notes page? Nope, that page STILL hasn't been updated, three weeks later, to indicate that a new version is out. Nothing on there at all about 5.1.0.922.
  
  
• ... from Skype's Twitter account? Nope, no mention of a hotfix back on April 15th, although they did talk about the fact that Skype was mentioned twice on 30 Rock and that there was Skype call on the Rachael Ray show.
  
  
• ... from Skype's skypesecurity Twitter account? Nope, no mention.
  
  
• ... on Skype's Mac blog? Nope. Last post there was April 14th, the day before this hotfix came out.

No mention of a "hotfix" for Skype 5.1 for Mac OS X on any of those communication vehicles.

In The Garage?

Ah, but wait... Skype did mention the hotfix, over on the Skype Garage blog, which is all about "Experiments and pre-releases". Here's a screen capture of the notice:

So they posted news of this important "hotfix" on a blog for "experiments and pre-releases", didn't tweet it out, and didn't update release notes or put it anywhere regular Mac users would find it.

And a curious thing...

THERE IS NO MENTION OF A SECURITY ISSUE!

Nothing whatsoever.

I am guessing that "Minor bug fixes" must include this security issue. And maybe the fix was simply a "minor bug fix". Maybe someone forgot to do bounds checking on some part of the chat system and as a result a buffer overflow occurred. Maybe it was some simple little fix.

But labeling it in this way gives absolutely no incentive for anyone to upgrade. Even had I seen this notice, I probably wouldn't have bothered to upgrade (unless the Check for Updates had worked). There is no urgency on this.

And... call me crazy, perhaps, but I guess I don't consider a security issue where someone could send me a chat message and gain complete control of my Mac to be a "minor bug"!

Did Skype not think that at some point the security researcher would publish his findings?

And why in the world didn't Skype communicate with this security researcher to tell him that they had fixed the bug he found and would be issuing (in fact had issued a fix)? Now maybe they thought they did... but whatever the situation was, he didn't know and out of frustration published his post today.

It Didn't Have To Be This Way

In other words...

... everything that happened today was COMPLETELY PREVENTABLE had Skype only communicated more.

Skype would not have had the negative coverage in ZDNet, CNet, ComputerWorld, Mashable, TheNextWeb, my own blog ... and many other sites, let alone all the tweeting and retweeting.

Instead of having all this negative activity, they could have jointly come out with a statement with the security researcher or at least crediting the researcher. It would have shown that Skype was serious about security and protecting us - and also serious about working with the security community.

And even after the story broke early today, Skype could have tweeted out a response... or posted the blog post earlier... they could have cut off all the discussions and concerns simply by being more transparent and providing some information - or even just communicating that they were in the process of getting an answer.

Instead, there is only one word to summarize Skype's communications:

FAIL!

The thing that kills me is that Skype employs a ton of truly brilliant engineers. They have on their payroll a couple of the leading SIP/VoIP security researchers that are out there. And these guys know how the security community works.

Knowing some of those folks personally, I have to think that the process broke down somewhere in the external communications side of the house. Because of the IPO and the "silent period", I know that people at Skype are ultra-cautious about saying anything. And maybe that's part of it, but in this case, it truly failed them.

Too bad... because none of all this communication today had to happen.

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

According to Skype's Security Blog post right now, I'm supposed to just do an "auto-update" that will give me the latest version 5.1.0.922 of the Skype for Mac client. When I check what version I have, it is 5.1.0.914:

So I go up to the Skype menu and choose "Check for Updates..."

And this is what I get...

So if, as Skype indicates, this security issue was fixed a month ago, how was I supposed to get it?

Sure... it now seems that I can go to the main page and download the software directly, but why would I ever think of doing that?

C'mon, Skype... if you are going to send out security updates as optional updates, please make sure your "Check for Updates" feature works!

P.S. When I first heard of the security issue, after checking the Skype blogs and Twitter streams, the first thing I did was to go into my Skype 5.1 client and do this "Check For Updates". The next thing I did was check the Skype for Mac Release Notes, which still do not list this update that was apparently fixed in April. After that I did some more poking around and then wrote the blog post...

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

---

From the Can-We-Please-Communicate-Better Department... there is apparently an open vulnerability in the Skype for Mac client that lets an attacker send a message to a Skype user and gain remote access. As reported today by Gordon Maddern on the PureHacking blog:

The long and the short of it is that an attacker needs only to send a victim a message and they can gain remote control of the victims Mac. It is extremely wormable and dangerous.

Given that I basically live inside of Skype for Mac and use it extensively every day, this is obviously extremely concerning. Particularly because I do let anyone on Skype send me messages... and my Skype ID is easily found on my websites and many other locations (and since is rather obvious - "danyork"). I also tend to leave Skype running on a Mac in my home office that is online all the time. Mostly this provides a way to quickly catch up on chats as I have all the messages already there on that system (rather than waiting for Skype to sync up after it is launched).

Maddern indicates that he contacted Skype over a month ago about this and no fix has come out yet. In his post, he says:

Pure Hacking wont give specifics on how to perform this attack untill a patch from skype is released. However we will give a full disclosure after skype takes action or a resonable responsible disclosure time.

Which is great... except that now attackers will be out there trying to figure out what kind of "payload" he sent that created this condition. There is always the chance that someone may discover the attack.

Where is Skype's Statement?

ZDNet UK covered the story today and received this update from Skype:

Skype has just sent ZDNet UK a statement promising a fix next week. The statement reads: "We are aware of this and will release a fix early next week to resolve the issue. We take our users privacy very seriously and are working quickly to protect Skype users from this vulnerability."

What is concerning, though, is that there is no other public comment on this from Skype...

• ... nothing on Skype's blogs, particularly their Security blog
• ... nothing on Skype's Twitter account
• ... nothing on Skype's SECURITY Twitter account

It's Friday afternoon here in the US... people are about to leave their offices and some % of those who use Macs may in fact leave their computers on and leave Skype running. Are those machines vulnerable? Can someone really just send someone a message and gain control of their Mac?

Which version of Skype for Mac is vulnerable? Is this only in the newer 5.x client? Or does this impact the older 2.8 client?

We need answers, Skype! I can understand that a fix may take some time, but in the meantime we need to understand what the risk is. Are there mitigating circumstances? Or actions we can take in the meantime?

How To (Maybe) Protect Yourself

So what are we to do until there is either a fix or a helpful statement?

1. QUIT OUT OF SKYPE - Obviously this is one option (and one I might pursue on that computer in my office). But that may not be practical for folks... and isn't for me in my work context.

2. CHANGE PRIVACY SETTINGS - It seems to be the biggest change we can make is to only allow chat messages from people in our contact list. This would mean that a random attacker out on the Internet couldn't just send you a message and take over your Mac. You will only get chat messages from your contacts, not random people.

In Skype 5.x for the Mac, you go to the Skype menu and then Preferences and then make sure that the settings are that only Contacts can contact you:

On the Skype 2.8 for Mac client, the layout is a bit different but the choices are similar:

Now, in these images I'm only suggesting you restrict chat messages. In the blog post about the attack, it is very clear that the attack vector is a chat message, so in theory you should only need to change the one privacy option for chat messages. Whether or not you also want to restrict calls to be from your contacts is up to you. Absent a clear statement about the vulnerability from Skype, we have very limited information to go on... but again the blog post was very clear that the attack was through a chat message with a particular payload.

Will that protect your system? I don't know... I'm guessing along with you all.

Now, depending upon how paranoid your mind operates, there is, of course, the case that an attacker could take over a Mac operated by one of your contacts, and then potentially use the Skype client on that machine to then contact you. Maybe that's possible, maybe that's not.

3. RUN AN OLDER SKYPE VERSION - Does this only affect the newer Skype 5.x for MacOS X? Could we be protected by reverting to the older 2.8 client? (which I'm still running on one of my systems)

I don't know... and I wouldn't use this as my only protection mechanism.

Give us a clue, Skype!

We don't know... and that's not a good space to be in.

What can you tell us who are Mac users, Skype?

---

UPDATE #1 - The Register also covered the story and pointed out that perhaps the attacking chat message could cause other chat messages to be sent out. Again... possible... but we just don't know.

Also, someone pointed out that Skype did have a "public statement", so my title is not accurate. Sure... they gave a statement to ZDNet UK and perhaps other media outlets... but where is that on Skype's public presence? Why not on one of their blogs or on Twitter?

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

Where did I travel with my iPhone? Given all the recent kerfuffle over the logging of location data on an iPhone, I naturally had to try it out. First stop was getting the Mac OS X app at:

http://petewarden.github.com/iPhoneTracker/

The app itself is super simple... simply launch the app and it goes off and finds your iPhone backups, extracts the location data and shows you a map.

In my case, the Mac I ran the app on only had data from my iPhone 3G and only for the period of time from when I updated it to iOS 4 in July 2010 through when I stopped using it in September 2010 (because I replaced it with an iPhone 4). Still, the data is kind of fun to see. Here's what it looked like overall:

During that time period, I traveled down to Voxeo's corporate office in Orlando, went to a SIPit test event over on the New Hampshire seacoast, and spent a chunk of time in New York City attending SpeechTEK 2010.

Diving into the data a bit more, here's a close-up of the northeast. It's amusing to see the train trip I took down to NYC (for SpeechTEK) as well as the corridor of travel I take from Keene over to Manchester, NH, to fly out of the airport there:

It's curious to see that it shows me wandering around Vermont. We did make a number of day trips around that area and I do carry my iPhone with me (even though I often don't have coverage in some of those areas). No clue what those icons are out on Long Island as I never traveled out there. Obviously the phone must have picked up some signal from towers out there or something like that.

Zooming in on New York is also interesting because you can see, I guess, where AT&T towers must be:

Zooming in on Orlando also shows where I traveled in that region:

Now, it would be great if Apple would get around to telling us WHY they are collecting all this data... but in the meantime it's also quite fascinating to take a look at it and see where my phone thinks I've been. :-)

Another day, I'll have to run this app on my laptop where I sync my iPhone 4. Should have lots more interesting data.

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

Next week in the DC area (Herndon, VA) there will be a unique event taking place - SIPNOC: The SIP Network Operators Conference. This event is organized by the SIP Forum and will bring together a great collection of service providers and carriers to share and learn from each other about the realities behind providing SIP-based services today. It will be a great place for those providing real-time communications over IP networks to look at how we can continue to expand and improve the services.

There's a packed agenda at the event that includes many great sessions I'm looking forward to attending. I'll be there speaking about SIP interoperability and some of the lessons we've learned at Voxeo as we've interconnected our SIP cloud to that of so many carriers. I'll also be donning my VOIP Security Alliance (VOIPSA) hat to participate on a panel about security.

And naturally given my intense interest in IPv6 these days (and all my writing about IPv6, I'll of course be joining in to the "IPv6 Readiness" BOF planned for Tuesday, April 26.

I'm very much looking forward to this first SIPNOC event... if you are already planning to be there please do say hello, and if you are interested in attending, you can still register to attend.

We need events like these to help improve the overall IP infrastructure and help move us faster to the time when we can have even more of our connectivity all happen over IP. Great to see!

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

If any of you will be in South Beach, Miami, next week I'll be there speaking as part of the Cloud Communications Summit and SIP Trunking Workshops. I've got a page up on Voxeo's site that shows my schedule at:

http://blogs.voxeo.com/events/itexpo-east-2011/

I know a good number of other folks from the VoIP/UC/Cloud Telecom/Voice Mashups/SIP/etc. world are all going to be down there, so I'm looking forward to catching up with some folks there.

If you are down in Miami for ITEXPO, the Cloud Communications Summit, Digium/Asterisk World or any of the other events, please do stop by and say hello... or find me down at one of the sessions I'm in (my schedule is online). You can always email me or ping me on Twitter.

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

<shameless self-promotion>

With Christmas fast approaching, are you looking for a last-minute gift for someone you know working with telecommunications or security?

If so, may I suggest a book written by a certain someone called, oh, Seven Deadliest Unified Communications Attacks? You can order it from sites like Amazon.com and have the book delivered this week before Christmas!

The book will help whomever you give it to understand what the real threats to communications networks are today - and also what the real solutions are. Here's a video I made to explain why I wrote the book:

</shameless self-promotion> :-)

---

If you found this post interesting or useful, please consider either:

• subscribing to my email newsletter;
• following me on Twitter; or
• subscribing to the RSS feed

---

If any of you will be at the Voice Biometrics Conference next week (May 4-5) in the New York area (Jersey City, actually), I'll be there speaking on Wednesday about 'Seeding the Cloud - Authentication as a Service'. I'm arriving Monday evening and will be there through early Thursday morning.

"Voice Bio Con", as it is called, is a rather comprehensive gathering of the major players in the voice biometrics / voice authentication / voice verification space. Great agenda with some excellent speakers (and yeah, I'm on that list, too). I wrote over on the VOIPSA blog about the number of case studies and real world deployments that will be discussed.

It should be a great event... I'm on that panel and will also be talking about Voxeo's voice biometric partner program where you can try out voice biometric solutions for free using our hosted platform and the hosted services from four of the major voice biometric vendors. I'm looking forward to meeting up with some friends there and undoubtedly having some great conversations and learning a good bit.

If you are at the event, please do say hello! If you want to go and haven't registered yet, there's a discount code you can use to save $200.

See (some of) you in the Big Apple...

P.S. And yes, you can safely assume that I'll be tweeting (probably both @danyork and @voxeo) and blogging from the event...

---

If you found this post interesting or useful, please consider either subscribing to the RSS feed, following me on Twitter or subscribing to my email newsletter.

---

As I mentioned on a Voxeo blog yesterday, the good folks at TMC recently posted a video interview I did with them at ITEXPO back in January in Florida. In the interview, I discussed:

• the Cloud Communications Summit and pushing communications out into "the cloud"
• security issues related to cloud communications
• what's next in communications, including multi-channel communications (a component of what we refer to at Voxeo as Unified Self-Service)

Anyway, for folks who wonder what it is I do, part of it is telling stories in forms like this...

---

If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or identi.ca.

---