Security Watch
Skype Security Hype?
Findings show that the popular VoIP service is full of security problems -- some of which are intentional.
Hacking
IT Warned Against Skype Hype: A recently published report claims to debunk
the hype about Skype. However, it's hard to see how the report debunks anything,
considering it both recommends for and against Skype's deployment, depending
on whether an adopter can accept the risks that Skype poses.
Cybertrust has written its own report on Skype that clearly outlines
Skype's numerous security issues. These include its tenacity in defying
perimeter restrictions by adapting the protocol it uses to traverse firewalls;
its proprietary encryption mechanisms, which make monitoring the content virtually
impossible; and its peer-to-peer trust model, which would permit a compromised
Skype installation to compromise other Skype installations. In fact, Skype has
so many security issues in an enterprise environment that eBay, its
recent purchaser, has acknowledged it doesn't intend to market an enterprise-ready
version. Many other solutions offer better and more effective
enterprise features, making Skype something enterprises should definitely avoid.
Coverity, Stanford University and Symantec recently released
the results of a study they conducted to look for software bugs in open source
code. The study used bug-finding techniques defined by Stanford and searched
the code of 40 popular software packages, including Linux and Apache. The average
result was 0.43 flaws per thousand lines of code, and none of the 40 packages
had zero bugs.
Yeah, OK, so what? It took $1.2 million of taxpayer money to figure this out?
Besides, what does anyone learn from such a study, other than that
all software has bugs and the more lines of code you have, the more of them there
will be? All this study does is allow me, as the resident Windows bigot, to say,
"See, millions of potential code reviewers and open source software still
has bugs!"
Symantec recently decided that its product L0phtcrack "no
longer fits into [the company's] future product strategy."
Interesting! Does Symantec think password auditing is no longer needed?
Human Factors
A group of MIT engineers founded the company SiteAdvisor in 2005,
intent on protecting consumers from malware, spam and adware. The result of
their work is now available as a free browser plug-in. The SiteAdvisor
toolbar overlays the results of the company's site scans on search results from
popular search engines like Google or MSN. A green checkmark means the site has been
checked fully and nothing was found awry; a red "X" warns of
potential problems. More details about a scan can be had simply by clicking
on the icon next to the search result. The company says it has scanned the sites
accounting for 95 percent of all Web traffic.
Anything that gives us a heads up is a good thing, no doubt about it.
One could argue the pros and cons of SiteAdvisor's methods and the results it
displays, and we'll certainly see some company complain about its rating
in the future, the way some adware vendors have complained about AV program
ratings. Regardless, it's hard to deny the power of a page full of red
Xs.
IBM and Novell have announced their support for the Higgins
Trust Framework, an open source project under Eclipse whose stated
design goal is a set of APIs allowing the exchange of identity,
profile and relationship information across disparate environments.
Some stories suggest that Higgins will interoperate with Microsoft's
InfoCard effort, an identity management system evolving out of Microsoft
Live, which is a replacement for Microsoft Passport and is currently in use in
the Xbox environment.
The stated goals of Higgins are lofty indeed, but the project still lacks significant
support, software development and even well-defined use cases. IBM has stated
it hopes to change that and "kickstart" the project, as well as bring
more vendors into the fold.
IBM hopes to leverage Higgins for its Tivoli product, and Novell obviously
wants to extend its Directory services into a realm that can compete
with Microsoft's InfoCard proposals.
With the backing of supporters like IBM and Novell, Higgins may well turn into
something, but it still looks to be a long way off.
A U.S. Department of Education auditor in Virginia has admitted to installing
surveillance software on his boss's computer without permission. Prosecutors
say they believe the man did so for his own amusement, not for profit. He
faces up to five years in prison and fines of up to $250,000.
Of most interest to me in this case was the fact that prosecutors believed
the defendant was acting "for simple amusement" and not for profit.
The reason someone hacks someone else shouldn't, in my opinion,
be part of their prosecution. Motive has, however, often seemed to play
a mitigating role in sentencing in the past. As this case falls under federal
sentencing guidelines, there's a strong chance he'll still get a stiff sentence,
serving as a strong warning to others who think their "fooling around"
won't yield tough sentences.
Physical Security
A Finnish military security researcher has announced that he can steal
fingerprints from the Microsoft Fingerprint Reader. The new Microsoft
device is actually licensed from Digital Persona, and Microsoft states
that it should not be considered a security device, nor should it be
used to protect sensitive information.
This column was originally published in our weekly Security Watch newsletter.
This is another one of those situations where a researcher has performed research
that appears more intended to garner media attention than to expand anyone's
knowledge. For example, the device in question, when sold by its original manufacturer
Digital Persona, includes an option to encrypt all scanned images. Microsoft's
implementation doesn't include this option. In my opinion, either Microsoft was
not permitted to OEM the encrypted version because Digital Persona hopes
to up-sell users of the Microsoft version, or Microsoft purposely wanted to
avoid complaints about the device's ability to secure what it scanned.
Either way, such a device and its operation are never likely to be 100 percent
securable, given that the entire transaction (i.e., scan through authentication) is
likely to happen within the PC itself, meaning replay of a captured image is likely
impossible to prevent. Encryption certainly can add security to the equation, but
it would also require liveness detection (proof that a live finger was on the
sensor when the scan was taken) and a certificate chain ensuring that the image of
that finger wasn't altered or substituted anywhere between the sensor and the verifier.
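To make the replay problem concrete, here is an added example (it is not code from this column, from Microsoft or from Digital Persona) in which an image captured once on the host is replayed against a naive reader, and then against a reader that binds every scan to a host-issued, single-use nonce with a MAC keyed by a secret held in the sensor. The sensor, its key, the matcher and the sample images are all simulated and constructed for the example; the shared HMAC key stands in for the device certificate chain the column describes, and liveness detection is a hardware property that software alone cannot show.

```python
"""Replaying a fingerprint scan inside the host, and a challenge-response fix.

Added example for this column; not Microsoft's or Digital Persona's code.
The sensor, its key, the matcher and the 'images' are all simulated.
"""
import hashlib
import hmac
import os

# Constructed sample data: tiny stand-ins for fingerprint images, not real scans.
ENROLLED_FINGER = bytes.fromhex("deadbeef00112233445566778899aabb")
INTRUDER_FINGER = bytes.fromhex("0badf00d0badf00d0badf00d0badf00d")

# Assumption: a key provisioned into the sensor at manufacture. A shared HMAC key
# stands in for the device certificate plus signature chain the column calls for.
DEVICE_KEY = os.urandom(32)


def matcher(image, enrolled):
    """Stand-in for a real minutiae matcher: exact equality on the sample bytes."""
    return hmac.compare_digest(image, enrolled)


class NaiveReader:
    """Unprotected pipeline: the sensor hands raw image bytes to host software, so
    anything that captured an earlier image (driver hook, bus sniffer) can feed it
    back in, and the verifier cannot tell a replay from a fresh scan."""

    def __init__(self, enrolled):
        self.enrolled = enrolled

    def authenticate(self, image):
        return matcher(image, self.enrolled)


class AttestedSensor:
    """Simulated sensor: binds each scan to a host-supplied nonce with a MAC keyed
    by a secret that (by assumption) never leaves the device."""

    def __init__(self, key, finger_on_sensor):
        self._key = key
        self._finger = finger_on_sensor  # what the hardware physically sees

    def scan(self, nonce):
        image = self._finger
        tag = hmac.new(self._key, nonce + image, hashlib.sha256).digest()
        return image, tag


class AttestedVerifier:
    """Host side: issues single-use nonces and checks the sensor's MAC before matching."""

    def __init__(self, key, enrolled):
        self._key = key
        self.enrolled = enrolled
        self._outstanding = set()

    def challenge(self):
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce, image, tag):
        if nonce not in self._outstanding:
            return False  # unknown or already-used challenge: a replay
        self._outstanding.discard(nonce)  # every challenge is single-use
        expected = hmac.new(self._key, nonce + image, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False  # image altered in transit, or not produced for this challenge
        return matcher(image, self.enrolled)


def naive_replay_succeeds():
    """Attacker captured the legitimate user's image once; the naive reader accepts it."""
    reader = NaiveReader(ENROLLED_FINGER)
    captured = ENROLLED_FINGER  # the bytes that crossed the host's driver earlier
    return reader.authenticate(captured)


def attested_replay_fails():
    """Same capture against the attested design: both replay strategies are rejected."""
    verifier = AttestedVerifier(DEVICE_KEY, ENROLLED_FINGER)
    sensor = AttestedSensor(DEVICE_KEY, ENROLLED_FINGER)
    n1 = verifier.challenge()            # legitimate session, recorded by the attacker
    image, tag = sensor.scan(n1)
    assert verifier.authenticate(n1, image, tag)
    replay_whole = verifier.authenticate(n1, image, tag)   # nonce already consumed
    n2 = verifier.challenge()
    replay_image = verifier.authenticate(n2, image, tag)   # MAC was over n1, not n2
    return not replay_whole and not replay_image


def attested_tamper_fails():
    """Intruder's finger on the sensor, image swapped on the host: MAC check rejects it."""
    verifier = AttestedVerifier(DEVICE_KEY, ENROLLED_FINGER)
    sensor = AttestedSensor(DEVICE_KEY, INTRUDER_FINGER)
    nonce = verifier.challenge()
    image, tag = sensor.scan(nonce)
    return not verifier.authenticate(nonce, ENROLLED_FINGER, tag)


def attested_genuine_succeeds():
    """The enrolled finger on the attested sensor still authenticates normally."""
    verifier = AttestedVerifier(DEVICE_KEY, ENROLLED_FINGER)
    sensor = AttestedSensor(DEVICE_KEY, ENROLLED_FINGER)
    nonce = verifier.challenge()
    image, tag = sensor.scan(nonce)
    return verifier.authenticate(nonce, image, tag)
```

Because the HMAC key is symmetric, the host in this toy holds the same secret as the sensor, so a fully compromised host could forge tags; a real design would give the sensor an asymmetric key with a manufacturer certificate so the host only ever needs the public half. And nothing here proves a live finger was present, which is exactly why the column says liveness checking must come from the device itself.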
I think Microsoft's position on the device's security role is accurate,
namely that it shouldn't be thought of as having one.
About the Author
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.