
security

Here are articles on security

Skype is better, but still problematic

My article on Skype exposing address books to the world has gone mini-viral. Written in 2017, it’s gotten dozens of citations in early 2019. A reporter approached me, asking if the problem still exists. After doing some research, here’s what I’ve found.

Microsoft’s article is incorrect (probably by accident)

Microsoft explains how People You May Know suggestions are generated in this article. At the time of this writing (February 14, 2019), the article is incomplete. The article claims you and the contact must both take action to be visible to each other through People You May Know. For example, you must add each other in your address books. Or you must exchange an invite and acceptance.

Microsoft doesn’t mention the problem case: mutual connections

The problem case exists, but is not listed here: if you have a mutual connection, then you’ll show up in each other’s People You May Know list. The mutual connection is someone who fits the you-both-take-action criteria.

So if Sam is connected to Ash, and Ash is connected to Stacy, then Sam and Stacy will show up in each other’s People You May Know list even though they’ve never taken any action with respect to each other.

Sam and Stacy will see each other without a direct connection

Deleting Still Doesn’t Solve The Problem

I deleted all my contacts. Skype is still suggesting dozens of people. I don’t know any of them. As mentioned on Microsoft’s list above, Skype remembered my past connections and is still suggesting their people to me. I don’t know any of these suggested people, but now I know one of my prior contacts knows them.

This no longer works for strangers, thank goodness

When I first found this issue (Dec 2017), I created a new test account. Browsing a stranger’s profile was enough to get suggestions of people with the same last name who looked the same (presumably family members). As of today (Feb 2019), it seems like Microsoft has reined this in a bit … from my very brief testing, it seems you need a common contact to start the suggestion engine.

I still consider this a security problem, though not as bad as it was before.

You can only figure out the contacts of someone you are or have been connected with. You can’t do it to a complete stranger; you need to have one contact—invite, connection, or chat—with them first. This isn’t as big a hurdle as you might think.

Journalists still shouldn’t use Skype

Journalists beware! If you’re a journalist, using Skype can compromise your sources. JournalistChris interviews source LittleSnitch on Skype. If JournalistChris later interviews source MafiaDon, MafiaDon will have LittleSnitch suggested as a contact. After all, they both have you as a mutual contact. If MafiaDon knows about this bug, then MafiaDon may agree to Skype with you precisely to see if LittleSnitch then shows up on MafiaDon’s People You May Know list. You really don’t want MafiaDon knowing you’ve been talking with LittleSnitch.

Even with strangers, you can get some information. When you browse random profiles, Skype will tell you how many mutual contacts you have. If you only have a few contacts in Skype, you can guess with some certainty who the mutual contact is.

If MafiaDon did your interview and then immediately looked up LittleSnitch’s profile, MafiaDon would see that they have one mutual connection—you. That might be enough to tip off MafiaDon that LittleSnitch has been talking to the press.
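To check your own exposure, the behaviour described above can be modelled as a friend-of-friend query on a contact graph. This is an added example, not code from the original article or from Skype: the suggestion rule is the one the article describes, and the `Associate` account, the sample edges and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data using the names from the article, plus one
# hypothetical extra contact ("Associate") for MafiaDon.
SAMPLE_EDGES = [
    ("Sam", "Ash"), ("Ash", "Stacy"),
    ("JournalistChris", "LittleSnitch"),
    ("JournalistChris", "MafiaDon"),
    ("MafiaDon", "Associate"),
]

def build_graph(edges):
    """Undirected contact graph: account -> set of direct contacts."""
    graph = defaultdict(set)
    for a, b in edges:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def suggestions(graph, user):
    """Assumed rule: suggest every non-contact who shares a mutual contact.
    Returns {suggested account: set of mutual contacts}."""
    found = defaultdict(set)
    for contact in graph[user]:
        for other in graph[contact]:
            if other != user and other not in graph[user]:
                found[other].add(contact)
    return dict(found)

def exposure_via(graph, me):
    """Pairs of my contacts who are not connected to each other and whose
    only mutual contact is me. Each would see the other suggested and, with
    a mutual count of one, could attribute the link to me."""
    contacts = sorted(graph[me])
    exposed = []
    for i, a in enumerate(contacts):
        for b in contacts[i + 1:]:
            if b not in graph[a] and graph[a] & graph[b] == {me}:
                exposed.append((a, b))
    return exposed

if __name__ == "__main__":
    g = build_graph(SAMPLE_EDGES)
    print("Sam is shown:", suggestions(g, "Sam"))
    print("MafiaDon is shown:", suggestions(g, "MafiaDon"))
    print("Exposed via JournalistChris:", exposure_via(g, "JournalistChris"))
```

Running `exposure_via` over an export of your own contacts lists the pairs you would want on separate accounts or a different channel.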

Lawyers and Consultants, you beware too

The problem I outline for consultants and lawyers in my article remains. If you’re BankruptcyLawyer and you chat with MicrosoftCEO, then later chat with LogitechCEO, LogitechCEO will start seeing MicrosoftCEO as a suggested contact. LogitechCEO might even Skype with you deliberately to see who else gets suggested after the chat.

Indeed, you can imagine someone doing this very deliberately. If EvilBoy seriously wants to do research they could do this:

  1. EvilBoy creates a new Skype account, live:innocent_journalist2
  2. EvilBoy approaches BankruptcyLawyer and says “I’m a journalist. I wish to interview you for an article. Connect to me on Skype as live:innocent_journalist2”
  3. EvilBoy interviews BankruptcyLawyer
  4. Because BankruptcyLawyer is now the only contact in the live:innocent_journalist2 account, the People You May Know will suggest BankruptcyLawyer’s contacts to EvilBoy
  5. Furthermore, EvilBoy can now look up anyone’s profile on Skype and see if they have a mutual contact. If so, they know that person is in BankruptcyLawyer’s address book

This requires a concerted effort on the part of EvilBoy, and it also requires that BankruptcyLawyer add EvilBoy as a contact, accept a connection request from EvilBoy, or chat with EvilBoy at least once.

This Can Still Be Awkward Personally

This is still a problem. Let’s say Ashley uses Skype to meet people for online dating. Ashley might answer personal ads and chat with Syd and Alex. Ashley probably doesn’t want Syd and Alex to start showing up in each other’s contact lists. That could be awkward, especially if one (or both) of the relationships goes farther than a Skype chat. It seems like the privacy problems here are pretty evident.

In summary: the hurdle has risen since I wrote that article. Instead of being able to reverse engineer a stranger’s address book, you can only reverse engineer someone you’re connected to or have chatted with. Once. EvilBoy can still use Skype to work mischief, but now it takes a bit more work. For some people, this may still be too much of a privacy breach from a product that was founded on the premise of confidentiality.


Sign in using…

I just went to ScreenR to try out this download-less screencasting site. It requires me to log in using my Google, Twitter, LinkedIn, etc. account. Creating a separate account on ScreenR.com isn’t possible.

Am I the only one who is vaguely disturbed by this? This puts Google, Yahoo, etc. in the position of having an accumulated list of all the sites I use and the login credentials I use to access them. I simply don’t know if I want every site I use, every email I receive, and every person I contact conveniently located in a single database. While I’m not particularly worried about Google or Yahoo, history is full of cases of databases being hacked, stolen, or subpoena’d by people and groups that have political or social agendas.

For those who think such things just don’t happen in America, as recently as 2004 administration, congressional aides hacked into the opposing party’s computer files and leaked them to the press. Never mind the “outing” of CIA agent Valerie Plame as a political maneuver designed to put pressure on her husband.

So I’m cautious. We’re putting more and more of our personal, private information into the hands of fewer and fewer companies. Do I want to log in using my Google account? No. I want to log in using credentials that connect only to that web site. Sadly, that’s becoming a rarer option.

“Challenge questions” on websites reduce security.

I just got finished answering nine security questions for my payroll processing login. You know the kind, “What was the first name of the person you first kissed on the lips (pets don’t count)?”

Supposedly, these questions make us all more secure. I think they make us less secure.

They used to say, “Choose a really hard-to-guess password. Don’t use your mother’s maiden name, or anything that would be easy for someone to guess.” In those days, if a thief wanted to break into your account, they had to figure out two things: 1) what easy-to-remember password you chose—for example, your mother’s maiden name—and 2) what it actually was, for example, Judy Dench.

Now, banks and other “secure” institutions happily take half of the effort out of that equation. By virtue of the challenge question, they already tell a would-be hacker which piece of information they need. All the hacker needs to do is find that piece of information. It shouldn’t be hard, given that 99% of the sites that use these challenge questions ask for the same paltry, easily-obtained pieces of information.

I make up random answers to these “secure” questions, so they’re really pretty much impossible to guess. But since I had to do nine of them for my payroll service, I had to write all nine down. I’ll never remember them otherwise.

And now the universe collapses on itself: The ridiculously convoluted, insecure challenge question system is silly and insecure. To make it secure, I had to choose hard-to-guess answers. But I can’t commit nine to memory, so I had to write them down, making them insecure again.

It shouldn’t surprise me, though. My payroll company’s HTTPS security certificate had the wrong hostname on it, and their system only worked on Internet Explorer. With technical prowess like that, I can imagine that deep down inside, they haven’t the foggiest clue what constitutes security.

Sadly at this point, neither do I.