Did you know that a recently discovered security flaw in Skype makes your location and file-downloading activity accessible to parties unknown? This flaw has brought home the point that no Web-accessible software or service can be truly secure. The very nature of software relies on a seemingly countless number of variables to be in perfect alignment for all expectations to be met. Security is one of the biggest concerns for software engineers, and also one of their biggest challenges.
Not only does Skype’s internal system need to be secure, but so do the connection between the server and the client, the client itself, and the operating system that the client depends on to run. A change to any one of these factors can throw off security measures and expose new exploitable flaws that may (or may not) be discovered by people with malicious intent.
In the case of this flaw discovered by a team from New York University, the risk is to a user’s location and peer-to-peer file sharing activity. From there, a clever investigator can build a profile that expands to the user’s Facebook account and other public information. All they really need to know is your IP address, and this flaw allows them to grab it without even alerting you.
When you configure your Skype client, you can direct it to automatically block calls from anyone not currently on your contacts list. Unfortunately, this block is implemented at the client, which means that the caller’s machine has to successfully shake hands with your client and receive the denial in order to block the flow of packets. By calling another user, blocking certain packets from being received, and hanging up quickly, the exploiter receives your IP information, and you are none the wiser because your blocked call never even gives you a pop-up.
I have yet to see an announcement from Microsoft or Skype indicating that this particular flaw has been fixed.
This isn’t the first time this year Skype has been under fire for having exploitable security flaws. Earlier this year, it was discovered that a Windows user’s password could be reset through a cross-scripting bug. In this case, the issue was resolved, an update was sent to the community through the Skype Security Blog, and a new version of the Windows client was made available to users.
Skype, like any cloud-based service, depends a great deal on user habits and precautions to remain secure. There is a point at which the responsibility of Skype to maintain your privacy and system security stops, and your habits begin.
Here are some tips to help you use Skype more safely.
Set a Strong Password
No matter what cloud-based (public cloud) service you’re using, your password should always be as complex and hard to guess as possible. A strong password is a great first defense against script-running hackers that will run through the dictionary on your account in seconds. If you have an easy-to-guess password, someone can crack it.
Ideally, your password should include both lower and upper-case characters, special characters (!@#$%^&*), and numbers. Each variation on your character set exponentially reduces the chances of someone guessing your password. If it’s long and complex enough, it could stretch the time needed to guess it from seconds to decades.
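The effect of character set and length on guessing time can be estimated directly. The following is an added example, not part of the original article; the guess rate, the tiny word list, the variants-per-word figure and the sample passwords are all constructed assumptions.

```python
import string

# Assumption: an offline attacker testing 10 billion guesses per second.
GUESSES_PER_SECOND = 1e10
# Constructed stand-in for a real cracking wordlist.
COMMON_WORDS = {"password", "skype", "letmein", "qwerty", "dragon"}
# Assumption: simple manglings (capitalisation, digit/symbol suffixes) per word.
VARIANTS_PER_WORD = 10_000

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def pool_size(password):
    """Alphabet size an attacker must cover, given the character classes used."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four ASCII classes: count each distinct one once.
    extras = {ch for ch in password if not any(ch in c for c in CLASSES)}
    return size + len(extras)


def keyspace(password):
    """Number of candidates of this length over this alphabet."""
    return pool_size(password) ** len(password)


def is_dictionary_based(password):
    """True if trimming digits/symbols from both ends leaves a common word."""
    core = password.strip(string.digits + string.punctuation).lower()
    return core in COMMON_WORDS


def worst_case_seconds(password):
    """Time to exhaust the search; dictionary-based passwords fall first."""
    if is_dictionary_based(password):
        return len(COMMON_WORDS) * VARIANTS_PER_WORD / GUESSES_PER_SECOND
    return keyspace(password) / GUESSES_PER_SECOND


if __name__ == "__main__":
    # Constructed sample passwords.
    for pw in ("Password1!", "qzxvjkwp", "qzxvjkwpmrtnhgdc", "gT7#qLz9!mWx2&Rb"):
        secs = worst_case_seconds(pw)
        print(f"{pw!r:22} pool={pool_size(pw):3} "
              f"{secs:.3g} s ({secs / SECONDS_PER_YEAR:.3g} years)")
```

Note that "Password1!" uses all four character classes yet still falls almost instantly, because it is a dictionary word with predictable decoration; length and unpredictability matter more than ticking every class.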
Update Skype Often
Skype, as mentioned before, has exploits that crop up from time to time. This doesn’t mean the service itself is inherently less secure than any other. It does, however, mean that you should pay attention to updates as they become available. Update often, and check at least once per week in addition to any automatic checking that’s done within the program.
Users of older versions of Skype may be opening themselves up to exploits without even knowing it. For that reason, never use Skype on someone else’s computer until you’ve checked the version number.
Make Your Computer Secure
Your Skype client is only as secure as your computer. If viruses, other malicious software, and intruders can access your computer, no password or extra precaution in the world will keep your privacy safe. Your computer itself should be updated regularly and protected by a hardware or software firewall whenever possible. Antivirus programs may not be entirely necessary on all platforms, but they are an added safety net that only increases the security of your system. Never trust any one point of security to keep you safe. The antivirus program may be tricked (and consequently compromised), the firewall may fail, and the network in your favorite coffee shop might be inhabited by a less than friendly individual with an appetite for personal information.
Configure Skype Correctly
The Skype client has a variety of security configuration options available. In the Preferences menu, you can access an array of settings to customize and secure your personal data. In addition, you may want to check out the Advanced tab and turn off Wi-Fi if you are visiting any public or otherwise insecure locations.
The Skype Client protects your privacy in most cases, and shouldn’t be ignored in light of any exploits that may be in the wild. It’s still important to keep the client locked down.
Never answer a call that comes from someone you don’t know, unless you’re expecting it. Phishing scams are being pulled on Skype all the time, including a recent attempt by scammers to get money from unsuspecting victims to fend off an imaginary hacking attack. These scammers posed as Microsoft employees, promising a quick resolution in exchange for a fee.
Close Skype when you’re not using it. Your Skype connection may be encrypted, but that doesn’t mean you should leave the window open more than it needs to be. Skype relies on peer-to-peer connections to maintain speed and reliability. Because of this, an idle Skype account may be used as a supernode by the service. An exploit on this feature would put you at risk even when you’re not actively on a call. Not to mention, it can gobble up your bandwidth.
Don’t give too much information about yourself on your profile. Like any social site, you should expect that anything and everything you post publicly on Skype is there for the world to see. Don’t be surprised when your embarrassing drunken profile photo or taboo list of hobbies comes back to bite you during a job interview.
Skype is a large and widely-used VoIP service that can be quite useful if you follow a set of simple precautions. The UI itself is constantly being worked on, and that can create exploits as hackers continue to chip away at the service with each new update.
Skype itself is inherently secure. Despite its flaws, phone calls and other communications are encrypted and harder to tap into than you might think. Millions of businesses and private individuals continue to use the service without any issues, but there is no substitute for good habits on the part of the user.