Biggest Microsoft Security Lapse in Recent History – Skype’s Achilles heel


Yet again I come to you with a rant, but this time it seems the reason is Microsoft’s huge lapse in basic Skype account security. Probably like most of you, I created my Skype account many years ago.

About a week ago a message popped up on my phone (where Skype is also installed) saying that my account is now suspended. Surprised, I followed their instructions to fill out the Microsoft support “Un-suspend form”. That only prompted an email 24 hours later requesting an even Bigger un-suspend form for me to fill out.

I of course suspected a potential Skype account compromise from the beginning, but checking the access history in my Microsoft account showed no unusual activity. I switched to using my Microsoft account the moment Microsoft started the migration from Skype to Microsoft accounts.

This ridiculous cycle has now repeated 3 or 4 times at least. I fill out the same Un-suspend form that Skype support emails me, and they email me the same form link again 24 hours later, asking me to fill it out. Worse yet, it is clear that they aren’t even trying to read anything I write, as every time they say “be sure to request password reset”, which is not at all what I need! I fully know my password and confirmed that it’s fully secure!

So I took a step back and analyzed things further, and the only logical conclusion is that Microsoft is STILL allowing login to Skype using 10 year old credentials that existed before Microsoft accounts! Worse yet, even for users who already migrated away from using the Skype login, the old Insecure password still works!

I am pretty sure that by now, with so many industry compromises, the old insecure passwords some of us used 10+ years back are “Floating” out there for sale or otherwise. For Microsoft to allow that old login to still be active is borderline Criminal! There are no indications in one’s Skype account that old Skype credentials stay active, nor Ever any requests to update/replace that old password yearly. To confirm my theory I in fact tried to login with those old insecure credentials, only to find that I still get through and face the evil “Account Suspended” message!!!

Skype provides no customer service phone number to contact, not even Chat support. Their email/forms to fill out only return after 24 hours or so, and as mentioned, no-one even tries to read what I put on that form. Truth is, there isn’t much for me to fill out in that form. It asks what month and year I opened my account – would any of us remember? It also asks about any financial transactions I made with Skype, which I never did (since other VoIP services were always cheaper and more convenient, working from real phones). It asks for date of birth, which I never submitted to Skype, as even back in the day when I registered I was already concerned with online security. It asks for a billing address, which they obviously don’t have because again – I never paid for anything. So that form is fully useless, of course, as seems to be their whole customer service. Sadly, Microsoft is probably paying good money for that “offshore support” (responses always come at night), but obviously they don’t have an iota of understanding of how to actually provide it, or even when to escalate to someone who can help.

I will update this post if something develops, but meanwhile – here’s something you should do Right Now. If, like me, you registered Many Years Ago, go to Skype.com and see if there is any way to change/disable any old credentials you may have used before switching to a secure Microsoft account. If there isn’t any way to disable that old insecure login, at least see if you can change that old password to some jumble of letters and digits that won’t be as easy to crack as our 1999 passwords used to be…

UPDATE: I was finally able to restore my Skype access. It is as I suspected: the old Skype account is still active “underneath the Microsoft account”, even if you never use it. Please ensure it has a complex or even “random jumble” style password. Furthermore, it looks like Skype’s own password policy has been greatly improved over the years, and my old password was Not Even Nearly secure enough to meet their current policies. However, there was never an alert to change it, not a single email reminding me that my old password is too short or too old. Nor did any notice ever come out when a new device in Africa logged into my account – not a single email on that. So Skype seriously needs to update their security practices, and so should we all.

My Sandbox! (aka: Liability Fiasco)


It is that time again – time to decide how much credit we should allot to our users, versus how much we should “protect the user from him/herself”. Ah, the eternal dilemma – but wait, Apple to the rescue? Didn’t they pioneer the “we know what you want better than you do” model?

Actually, today’s post is a bit more technical than that simple discussion, but stick around and join the discussion; you’re sure to learn something (and contribute!).

The latest news from our (recently) beloved Apple is that (amazing) Sandbox technology is on the horizon, which will run App Store apps inside their own Sandboxes. Here are a few words about sandboxing – it is basically a mechanism for a computer to protect itself (and the user) from a (potentially) malicious or misbehaving application that the user wants to use. As security experts will tell you, there are plenty of supposedly useful applications which are just a (shameless) wrapper around a virus delivery mechanism, or an even simpler system that quietly watches what you are browsing to, captures the user/pass you put into your (financial) website and silently sends it via the Internet to the perpetrator. After reading some interesting discussion on the subject, I decided to weigh in here.

Granted – I am as paranoid as the next guy, and you should ALWAYS know the source of Any Application you download and (even try to) run. And the issue is complex, as so far all I have seen is that users mostly become victims of increased security – how often did you call your bank because you forgot your password?! In fact, I once left a financial institution because their login procedure became 5 screens long, with pictures, symbols, pins, sentences, etc…

The punch line: if Apple Approves an App and grants it Sandbox Permissions, but we later discover that the App still had a Malicious Password stealer hidden deep inside? I say – We Sue Them! They performed a Paid service – developers Pay to get into the App Store and share a cut of the profit. Given that the aforementioned paid service had the Primary purpose of Vetting an app for our (naive) users’ consumption, I see the door wide open for a Class Action. Seriously, given the size of the Fiasco (millions of accounts stolen?), no 100 page License agreements we all carelessly click through will protect them.

So, Apple – for your own good – let the users free! Or better yet – Respect that they (sometimes) know what they’re doing!

Cyber Terrorists have Won


It is becoming increasingly clear to me that Cyber Terrorism has won. It has all of us running scared, increasingly not trusting our own PCs; we are afraid to visit even secure bank web sites, and overall don’t trust the Internet.

Today I was trying to get ToonTown going on an old laptop. Actually, it was the second PC where I had to struggle with the same fiasco. The Internet Explorer 7 upgrade made ActiveX controls, even approved and signed ones, unusable! I knew enough to move the toontown.com domain to trusted status, but that did not suffice! Apparently, even in the Trusted domain, signed ActiveX controls aren’t simply ‘allowed’ any longer. I had to manually reconfigure IE security settings for the trusted site to make ToonTown work.
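Before changing the Trusted sites zone by hand, it helps to see what it already allows. The following is an added example, not code from the original post: a read-only PowerShell audit of the Internet Explorer Trusted sites zone (zone 2) that reports its four ActiveX URL actions and the domains mapped into it (toontown.com in the post's case); the registry paths and URL-action identifiers are assumed from Internet Explorer's documented zone settings.

```powershell
# Added example, not code from the original post: read-only audit of the
# Internet Explorer "Trusted sites" zone (zone 2). Registry paths and
# URL-action identifiers are assumed from IE's documented zone settings.
# Nothing here changes a setting.

$zonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$domainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# URL actions that govern ActiveX (assumed identifiers).
# Stored data: 0 = Enable, 1 = Prompt, 3 = Disable.
$activeXActions = [ordered]@{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe for scripting'
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

Write-Output 'ActiveX settings for the Trusted sites zone:'
$trusted = Get-ItemProperty -Path (Join-Path $zonesKey '2')
foreach ($id in $activeXActions.Keys) {
    $data  = $trusted.$id
    $state = if ($null -eq $data) { 'not set (zone default)' }
             elseif ($meaning.ContainsKey([int]$data)) { $meaning[[int]$data] }
             else { "unrecognised value $data" }
    Write-Output ('  {0,-72} {1}' -f $activeXActions[$id], $state)
}

# Domains explicitly mapped to zone 2. Subdomains are stored as child keys,
# so the key path relative to "Domains" is printed (e.g. toontown.com\www).
Write-Output 'Domains mapped to Trusted sites:'
Get-ChildItem -Path $domainsKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    $props    = Get-ItemProperty -Path $_.PSPath
    $relative = $_.Name.Substring($_.Name.IndexOf('\Domains\') + 9)
    foreach ($scheme in 'http', 'https', '*') {
        if ($props.PSObject.Properties[$scheme] -and [int]$props.$scheme -eq 2) {
            Write-Output ('  {0} ({1})' -f $relative, $scheme)
        }
    }
}
```

Run it in a normal (non-elevated) session, since the zone settings it reads live under the current user's hive; a "Prompt" or "Disable" on action 1200 is what produces the behaviour described above for signed controls.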

How is your average Joe user, trying to set up ToonTown for his impatient child, supposed to figure this out?!? The usual end result would be a very annoyed parent and a traumatized child, left without a game and with an agitated screaming/cursing parent.

Is this a technology issue? I don’t believe so; the same technology worked just fine when I first installed ToonTown for my kids a year or so ago. And this isn’t just Microsoft and IE crazy security. The most popular Linux distribution today, Ubuntu, also uses similar UAC features.

And you think it’s just the Internet that has us running for the hills? Endless productive corporate hours are lost waiting for the PC to respond while it’s too busy trying to scan for "viruses" and "trojans" and other such pests. The Antivirus that is probably installed on your computer as you read this isn’t keeping you safe as much as it’s there to cut the speed of your computer in half, and sometimes more!!

Is there any good news?

I say we stop running and take charge. It is clear that security software is a necessity in these turbulent times, but let’s be smart about it! As companies, don’t release Antivirus software to all your desktops that endlessly scans all file accesses. Scan once a week, or only overnight, and NEVER in real-time!

As home users, let’s be smart about the web sites we visit, the software we and our kids download, and what antivirus programs we use on our PCs. Turn off your real-time protection; most often it’s just there to kill your whole PC experience. If you are going to click on that urgent email from "PayPal" and give out your username/password to a phishing site, No Amount Of Real-Time Protection can help you!!! Configure your antivirus software Not to run all the time, and only scan on a schedule; overnight or once a week is usually plenty! Really, the only thing you need in real-time is that built-in Windows Firewall, just make sure to REVIEW any prompts asking you to open it ;-).

To summarize, I want to pimp Windows Vista a little. Even with its quirks, it is a more secure alternative to XP today. Furthermore, if you insist on running that Antivirus, Windows Vista introduces background priority scheduling for disk access. This feature should make your computer much more responsive, even as the Antivirus is chopping away at its resources trying to "protect" you in real-time.

Let us prepare for round 2 of the cyber-wars, and let’s make sure we, the good guys, Win this time!