Archive for the 'Skype' Category

Oops… Skype failed to mention this wee minor security update…

Tuesday, December 11th, 2007 by Dan York

Skype today announced that there is a serious security vulnerability in Skype for Windows versions older than 3.6.x.216. As noted:

An exploitable memory corruption may occur during the parsing of URIs which can result in arbitrary code execution under the user rights of the current Windows account.

It turns out that this was fixed in the release back on November 15th, but Skype had an “unintentional communication oversight”:

At Skype, we strive to inform the public of vulnerabilities and malware that may affect Skype software. While this particular vulnerability was fixed, there was an unintentional communication oversight and we failed to bring the case to the public’s attention. All we can do now is to apologize.

Oops!

Thanks for the apology, Skype… and now would be a really good time for any Windows Skype users out there to look at upgrading!

P.S. Tip of the hat to Ryan Naraine’s Zero Day blog where we noticed the item this morning.


Malware tries to entice Skype users with chat msg about lost girl…

Monday, November 12th, 2007 by Dan York

Last week I meant to write about this, but Skype is advising people about some malware that is floating around that tries to entice Skype users to click a link that will then infect your computer. The rather despicable fashion the malware uses is to send a chat message that says “Please help me find this girl” referring to Madeleine McCann. Facetime Security Labs has a lengthy writeup that goes into all sorts of details about the particular worm variant. It propagates via IM, so it’s not anything particularly tied into VoIP, but obviously just something people should be concerned about.

Skype’s Chat Worm

Monday, September 10th, 2007 by Martyn Davies

Skype is certainly taking some punishment recently. Today the news broke that someone has let loose a worm that uses the Skype API to send a chat message to your Skype contacts. The chat message includes a link which (if the user clicks on it) will download the w32/Ramex.A virus, which in turn infects their PC, and will visit their Skype friends. Obviously, this is a big concern for anyone with a user base as large as Skype’s, since even a small percentage of users that click on the link can cause wide distribution.

More: Skype Blog

It’s official – Skype blames the outage on Microsoft (indirectly)

Monday, August 20th, 2007 by Dan York

Well, the official word is out from Skype and it can be summarized: the reboots from Microsoft patches triggered a previously-undetected condition and crashed our network.

Skype PR staffer Villu Arak writes in “What happened on August 16”:

On Thursday, 16th August 2007, the Skype peer-to-peer network became unstable and suffered a critical disruption. The disruption was triggered by a massive restart of our users’ computers across the globe within a very short timeframe as they re-booted after receiving a routine set of patches through Windows Update.

The high number of restarts affected Skype’s network resources. This caused a flood of log-in requests, which, combined with the lack of peer-to-peer network resources, prompted a chain reaction that had a critical impact.

Okay… I can buy that this type of thing could trigger some kind of chain reaction, but I don’t understand why this month was different than any other month. For… what? two or three years now (more?) Microsoft patches have been coming out like clockwork on the second Tuesday of each month. Each second Tuesday or Wednesday, the millions of computers set to auto-update do so. All those zillions of computers restart automatically. Each and every month. What was so special about this August that was different from every other month? Was the number of restarts in a short period of time really that much different from other months? Why? Is the issue that there are so many more Windows Skype users than in previous months and years? Was this just the so-called “tipping point” when there were enough Windows Skype users that the normal restarts triggered this chain reaction?
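The mechanism Skype describes above, synchronised reboots turning into a flood of login requests, is the classic thundering-herd problem, and the standard client-side defences are a randomised start-up delay before the first login and jittered (randomised) retry backoff so that rejected clients do not come back in lockstep. The simulation below is an added example written for this page, not Skype’s code or Skype’s real figures: the client count, restart window, server capacity and backoff scheme are all constructed assumptions. It shows how much a short restart window concentrates login load, and how spreading the start and jittering the retries flattens the peak.

```python
import random
from collections import defaultdict

# Constructed scenario (not Skype's real numbers): 20,000 clients finish
# rebooting within a 10-second window and a login service that can complete
# 500 logins per second.
N_CLIENTS = 20_000
RESTART_WINDOW = 10
LOGIN_CAPACITY = 500


def simulate_login_storm(n_clients=N_CLIENTS, restart_window=RESTART_WINDOW,
                         capacity=LOGIN_CAPACITY, startup_spread=0, jitter=False,
                         base_delay=2, max_delay=300, max_time=86_400, seed=7):
    """Discrete one-second simulation of clients logging in after a mass reboot.

    startup_spread: extra uniform random delay (seconds) a client waits after
                    rebooting before its first login attempt (0 = attempt at once).
    jitter:         True  -> a rejected client retries after uniform(0, backoff)
                             ("full jitter");
                    False -> every rejected client retries after exactly the same
                             backoff, so whole waves stay in lockstep.
    Returns the peak number of login attempts seen in any one second, the second
    at which the last client got in, and whether everyone got in by max_time.
    """
    rng = random.Random(seed)
    schedule = defaultdict(list)      # second -> ids of clients attempting then
    attempts = [0] * n_clients        # failed login attempts so far, per client
    for client in range(n_clients):
        reboot_done = rng.randrange(restart_window)
        schedule[reboot_done + rng.randrange(startup_spread + 1)].append(client)

    remaining, peak, t = n_clients, 0, 0
    while remaining and t < max_time:
        due = schedule.pop(t, [])
        peak = max(peak, len(due))
        accepted = min(capacity, len(due))     # server serves at most `capacity`
        remaining -= accepted
        for client in due[accepted:]:          # the rest are rejected: back off
            attempts[client] += 1
            backoff = min(max_delay, base_delay * 2 ** attempts[client])
            if jitter:
                backoff = rng.uniform(0, backoff)
            schedule[t + 1 + int(backoff)].append(client)
        t += 1
    return {"peak_attempts_per_second": peak,
            "seconds_to_drain": t,
            "all_logged_in": remaining == 0}


if __name__ == "__main__":
    naive = simulate_login_storm()
    spread = simulate_login_storm(startup_spread=290, jitter=True)
    print("immediate login, lockstep retries:   ", naive)
    print("randomised start + jittered backoff: ", spread)
```

With the constructed numbers the naive run sees roughly 2,000 login attempts per second (four times the assumed capacity) and the rejected waves re-collide on later seconds; spreading the first attempt over a few minutes and jittering the backoff keeps the per-second load well under capacity, so nobody is rejected at all. The same pattern applies to any client that reconnects automatically after a reboot.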

The issue has now been identified explicitly within Skype. We can confirm categorically that no malicious activities were attributed or that our users’ security was not, at any point, at risk.

In other words, it was not a DDoS by Russian hackers, as one rumor had it (which had actually already been dismissed by every security researcher who looked at the alleged exploit code).

This disruption was unprecedented in terms of its impact and scope. We would like to point out that very few technologies or communications networks today are guaranteed to operate without interruptions.

Fair enough statement – if you are looking at data or web technologies… but the PSTN, to which Skype would seem to like to be compared, is designed to operate without interruptions (or with as few as possible). You know, there is this wee little market for “carrier-grade” equipment/software/etc. that is designed to be highly available without downtime. If a carrier’s network were down for over 48 hours, there would be a zillion lawsuits, intense government inquiries and more. The carriers that make up what we call the “PSTN” put an incredible effort into ensuring availability. If Skype wants to play in that game, they have to be ready to play at the same level.

Skype has now identified and already introduced a number of improvements to its software to ensure that our users will not be similarly affected in the unlikely possibility of this combination of events recurring.

Good. We would expect that.

I appreciate that Skype has been as communicative as they have through their blog and heartbeat site. Thank you, Skype, for communicating – and leaving the comments open. However, to me the information provided today is still lacking one key piece:

Why were the mass restarts associated with the August 2007 Microsoft updates different from the mass restarts associated with any other month’s Microsoft updates?

(Cross-posted from my Disruptive Telephony blog where I’ve been tracking the Skype outage.)


Skype Journal: "Security, Skype and the Blackberry"

Monday, August 6th, 2007 by Dan York

With the rise of new Skype clients for the Blackberry, such as iSkoot and IM+, one of the obvious questions raised by bloggers (including myself) was “what about the security?” Particularly since you have to give the Blackberry client your Skype username and password, essentially giving the client (and its developers) full access to your Skype account. Well, Jim Courtney over at Skype Journal also writes a good bit about Blackberries as well as Skype download, and posted his response to the issue on Friday: “Security, Skype and the Blackberry”.

I still suffer a lingering uncertainty, but I’ll admit that Jim’s digging does seem rather persuasive.


Security: A Question of Balance

Monday, May 21st, 2007 by Martyn Davies

According to Silicon.com, Ivan Krstić, Director of Security Architecture for the One Laptop Per Child project, used a keynote speech at AusCERT 2007 to criticize the architecture of modern operating systems, which allow every application to run with maximum access rights to the machine.

This is of course a topic that exercises many security managers these days, since there are so many things that a multimedia PC can do today, including playing, recording and editing music & video; creating and editing images and text; phoning, instant messaging and video calling. What is more there are vast numbers of applications that can be rapidly bought and downloaded from the Internet, giving near instant on-demand installation of nearly any type of application. For convenience, most users run in administrator mode all the time, as it avoids answering pesky questions when we want to install and gratify our need for new software.

Many VoIP users run softphones on their PCs. Softphones are cheap, and can be extremely convenient to use. They also create new possibilities, like being able to record calls or teleconferences without spending a lot of money on recording hardware and software. From a security point of view, of course, this is a risk, since the softphone can control all the facilities of your PC, has access to the disk drive, and could potentially record audio, or perhaps even all LAN traffic, without you knowing. From a LAN architectural point of view, some experts say that you should use VLANs, so that VoIP phone handsets and PCs cannot interact with each other’s traffic. This would avoid a PC being able to initiate SIP calls (if, say, a malicious user wanted to run some SIP scanning software on a machine), but if you want the convenience of running softphones, then the PCs must be able to make SIP calls, so really VLANs are out.

So once again it really comes down to security versus convenience. We can lock down PCs completely and make them “safe”, but then you could argue that users will be less productive, if the IS department must get involved whenever any new thing will be installed. At the other end of the scale, letting users install everything they want, from wherever, whenever they feel like it, is a recipe for a security disaster. It’s a balance, and that is one of the reasons that security is a difficult area.

To talk about the One Laptop Per Child project for a moment, this is an effort to build a $100 laptop (the XO) that can be made in the millions to provide to school children everywhere. If you haven’t heard of this before, I strongly recommend that you watch the video from TED 2006 where Nicholas Negroponte explains what they are trying to do. A very worthwhile project, and this video is 18 minutes of gold dust. Describing one of their pilot projects in a remote village in Cambodia, Negroponte says of the children with their laptops: “They only know Skype, they’ve never heard of telephony.”

Skype with a ‘Z’

Tuesday, April 10th, 2007 by Martyn Davies

IP Softphone specialists CounterPath recently announced that they will license Phil Zimmermann’s ZRTP (Zfone) technology for use in their client products, namely eyeBeam and X-Lite, joining other publicly announced licencees Borderware, PGP Corp, Ripcord and TiVi.

As you may know, ZRTP has done very well in terms of acceptance in the last few months. Zimmermann has many friends in the security community, but also has great credentials in the open source world. ZRTP is an openly published protocol, but also is available as source code, thereby making it possible to test in all kinds of ways, not only closed-box (black box) testing but also in terms of working through the algorithm and even unit testing the code.

At the recent IETF meeting, methods of key exchange were discussed, as subscribers to the Voipsec list (from the VOIPSA site) cannot have failed to miss. The IETF have gone from a list of thirteen proposals down to a final two, and ZRTP is one of those, despite being considered by some as a latecomer. Many organizations and people that I have come across trust in Zimmermann and believe that ZRTP is the answer.

If we go to the opposite end of the trust scale, we find Skype. Poor old Skype are still getting weekly batterings from press critics on the security front. A lot of the same criticisms are brought up time and time again, and in fairness Skype have countered a lot of the concerns, by allowing features to be switched off, changes to the package and so on. We don’t need to rehearse all those issues here once again.

However, the issues that keep coming up, and which Skype have not argued away are those of security by obscurity and the secrecy of the protocols they use for encryption and key exchange. Famously, Skype hired security expert Tom Berson to write a report based on a long evaluation of Skype’s security provisions, but most academics still desire transparency, and the ability to evaluate the algorithms for themselves.

Academics and commercial security experts both say that simply using a secret algorithm is no guarantee of safety. Furthermore, the fact that it is secret merely means that when someone does compromise Skype, the detection and mitigation of the problem will be slowed down or prevented. Skype at that point becomes a dangerous ‘bot’ sitting behind thousands of firewalls.

What better time, then, for Skype to embrace ZRTP? Licensing ZRTP can hardly be a problem for Skype and its eBay parent, and there is so much to gain from this. A large community of security and VoIP specialists already believe in ZRTP; the IETF likes it; commercial acceptance exists in licencees in the Softphone and Session Border Controller market. IT Managers, I’m sure, would be happier with Skype usage in the workplace if they were allowed to detect and control it, and (who knows, with key escrow) in some way to log and record from it.

Come on, Skype, grab the nettle. The tools are in your hands to silence your critics.

Blue Box podcast #53 – Skype security, OpenID vs OSP, Cisco IP phone advisories, EU privacy legislation… and smokers a threat to VoIP security?

Tuesday, March 13th, 2007 by Dan York

Blue Box podcast #53 is now available covering a range of topics, including a listener’s suggestion for the Skype multiple login issue, Cisco’s IP phone security advisories, network neutrality, EU privacy legislation and, yes, we covered that wacky story about smokers being a threat to VoIP because we just had to… plus the usual listener comments, VOIPSEC review and other VoIP security news. Detailed show notes, links and more over at the Blue Box site.

How to avoid Skype 3.0 reading the BIOS of your system

Monday, February 12th, 2007 by Dan York

Last week, in a post entitled “Skype Reads Your BIOS and Motherboard Serial Number” a developer named myria outlined how Skype was calling a file called “1.com” to read your PC’s BIOS. Predictably, this set off a Slashdot firestorm when posted there as well as numerous other mentions throughout the blogosphere and wider web. Ultimately, Skype CSO Kurt Sauer posted an explanation that this was part of the DRM component of the EasyBits framework Skype uses in their Extras Plugin Manager.

If you look at what Skype is doing with their Extras Gallery, they are very clearly making the play to be an application delivery platform – for commercial apps as well as free apps. Leaving the DRM religious war aside, the reality is that the moment you start talking commercial apps typically most vendors also start talking about some form of DRM to ensure that people aren’t just copying the commercial apps and giving them to their friends. Skype’s answer is this “EasyBits framework” and it appears that this framework was reading the BIOS to obtain a unique identifier for the PC. You can read the slashdot trail or the responses to the initial post to see various views on the intelligence of doing this, but suffice it to say that Skype owned up to the fact that this was what was going on.

Kurt Sauer also provided the simple solution – upgrade to the latest Skype 3.0 version, 3.0.0.216, where they now use a version of this framework that no longer reads the BIOS. Kudos to Skype for the quick response and to everyone who is worried about it… you can upgrade now. (Or for those really worried about Skype, just continue to not use it.)

MercuryNews.com: Will US wiretapping regulations kill peer-to-peer VoIP (like Skype)?

Monday, February 5th, 2007 by Dan York

That’s the question Dean Takahashi asks in a column in today’s San Jose Mercury News titled: Wiretapping could stifle VOIP technology. It is not entirely clear to me why Takahashi is writing this today given that there does not seem to be any real “new” news… but with a headline like that and in the Mercury News, it is bound to get some attention over the next few days. Takahashi points out that US VoIP service providers that connect to the PSTN must comply with the FCC regulation by May 14, 2007 but that pure Internet peer-to-peer/p2p services like Skype are currently exempt. He does provide this teaser:

But it appears from its legal maneuvers that the FBI may also want to find a way to tap peer-to-peer calls, the ones that bypass the telephone system. And the FCC’s analysis of the FBI request suggests it might go along with a move to require wiretapping on any new Internet communications system.

Which leads to the obvious question of how a p2p system would actually do this… which leads to the opinion that some centralization would be required… which leads to the conclusion that this could therefore kill p2p VoIP systems in their true p2p form. The article refers people over to the Center for Democracy and Technology CALEA page where the CDT has copious amounts of info about CALEA (obviously from their point-of-view). Takahashi concludes with:

We have to balance the need to enforce laws with the need to move technology forward and at the same time protect our privacy. If we hobble technology to help law enforcement, we make ourselves vulnerable, not safer.

We faced this kind of issue in the early 1990s, when the debate was about whether to allow encryption technologies strong enough to hide data from the government. The government later decided to allow strong encryption to be used unencumbered, particularly as the technology was allowed overseas. The outcome here may be the same.

Given that VOIPSA is a global organization that encompasses a wide range of companies, people and geographic regions, it’s not really our place as an organization to wade into the debate of legislation in one particular country. But it is definitely a matter that does merit discussion and attention. There are very legitimate needs by law enforcement. There are also very legitimate privacy concerns – and security concerns. Where do we as nations, companies and individuals strike the balance?