Category: Security
Skype Issues 2nd Mac 5.1 Hotfix for “Security Issues” – But What Are Those Issues?
Today, Skype issued a new Skype 5.1 for Mac “hotfix” for more “security issues”. The problem? We don’t know what those “security issues” are.
We don’t know, for instance:
- Are they related to the remote exploit that was publicly disclosed on Friday? Or to related attacks on the same theme? (as discussed on SecNiche today)
- What is the severity of these “security issues”? Remote compromise? Denial of service? What?
- What is the priority that we should place on getting this update in place? Is it an “UPDATE NOW!” kind of priority? Or an “Update when you can”?
- What kind of mitigating circumstances are there for these security fixes?
- Are there any workarounds that could be put in place at a network layer (or any other layer) to prevent attacks on individual systems? (i.e. as a safety measure until the individual clients are all updated?)
We need to know this kind of information.
Particularly as Skype looks to try to move more into the “business” or “enterprise” market space, this level of NON-disclosure is unacceptable.
In comparison, take a look at any of the recent Microsoft security bulletins, like, oh, this one, and you can see the kind of information that…
Skype’s Security Communication FAIL – Why Issue a HotFix If You Don’t Tell Anyone?
What is the point in issuing a hotfix that addresses a security vulnerability… if you don’t tell anyone that the hotfix is available?
Tonight Skype published a blog post saying that back on April 14th they released a “hotfix” for this problem in Skype for Mac version 5.1.0.922. That’s great… it’s good that the fix is out there, but…
how were we Mac users supposed to know about it?
Hmmm… let’s see… Could we find out about the Skype for Mac hotfix…
- … using the “Check for Updates” feature? Nope, doesn’t work for me. Maybe it works for others out there, but not for me.
- … from the Skype for Mac Release Notes page? Nope, that page STILL hasn’t been updated, three weeks later, to indicate that a new version is out. Nothing on there at all about 5.1.0.922.
- … from Skype’s Twitter account? Nope, no mention of a hotfix back on April 15th, although they did talk about the fact that Skype was mentioned twice on 30 Rock and that there was a Skype call on the Rachael Ray show.
- … from Skype’s skypesecurity Twitter account? Nope, no mention.
- … on Skype’s Mac blog? Nope. Last post there was April…
Sorry, Skype, But Your Auto-Update Feature Is A Fail!
According to Skype’s Security Blog post right now, I’m supposed to just do an “auto-update” that will give me the latest version 5.1.0.922 of the Skype for Mac client. When I check what version I have, it is 5.1.0.914:
So I go up to the Skype menu and choose “Check for Updates…”
And this is what I get…
So if, as Skype indicates, this security issue was fixed a month ago, how was I supposed to get it?
Sure… it now seems that I can go to the main page and download the software directly, but why would I ever think of doing that?
C’mon, Skype… if you are going to send out security updates as optional updates, please make sure your “Check for Updates” feature works!
P.S. When I first heard of the security issue, after checking the Skype blogs and Twitter streams, the first thing I did was to go into my Skype 5.1 client and do this “Check For Updates”. The next thing I did was check the Skype for Mac Release Notes, which still do not list this update that was apparently fixed in April. After that I did some more poking around and then wrote…
UPDATED: Skype for Mac Has Dangerous Security Vulnerability… and There’s No Public Word From Skype
UPDATE: Skype has now published a blog post indicating that a Skype 5.1 update is available for download. As I noted separately, the auto-update process is NOT working for me. It appears that I will need to download the new version directly from Skype’s website.
Separately, Skype PR indicated to me that version 2.8 is not vulnerable – although I note that this information is not in Skype’s security blog post. (Skype has now confirmed in a tweet that Skype 2.x is not vulnerable.)
It’s great that Skype claims they fixed this in mid-April… but if they didn’t tell anyone – including, apparently, the security researcher who reported the issue – what value is it that they fixed the issue?
I have a longer piece that I need to write on this… but I’ll leave that for another post.
Meanwhile, we finally do have some information and a fix – many hours after it would have been helpful to have had it.
The original post remains below… From the Can-We-Please-Communicate-Better Department… there is apparently an open vulnerability in the Skype for Mac client that lets an attacker send a message to a Skype user and gain remote access. As reported…
Where Was I in the Summer of 2010? My iPhone Tells Me! (Courtesy of iPhoneTracker)
Where did I travel with my iPhone? Given all the recent kerfuffle over the logging of location data on an iPhone, I naturally had to try it out. First stop was getting the Mac OS X app at: http://petewarden.github.com/iPhoneTracker/
The app itself is super simple… simply launch the app and it goes off and finds your iPhone backups, extracts the location data and shows you a map.
In my case, the Mac I ran the app on only had data from my iPhone 3G and only for the period of time from when I updated it to iOS 4 in July 2010 through when I stopped using it in September 2010 (because I replaced it with an iPhone 4). Still, the data is kind of fun to see. Here’s what it looked like overall:
During that time period, I traveled down to Voxeo’s corporate office in Orlando, went to a SIPit test event over on the New Hampshire seacoast, and spent a chunk of time in New York City attending SpeechTEK 2010.
Diving into the data a bit more, here’s a close-up of the northeast. It’s amusing to see the train trip I took down to NYC (for SpeechTEK) as…
Speaking at SIPNOC Next Week on SIP Interoperability and Security (and Joining an IPv6 BOF)
Next week in the DC area (Herndon, VA) there will be a unique event taking place – SIPNOC: The SIP Network Operators Conference. This event is organized by the SIP Forum and will bring together a great collection of service providers and carriers to share and learn from each other about the realities behind providing SIP-based services today. It will be a great place for those providing real-time communications over IP networks to look at how we can continue to expand and improve the services.
There’s a packed agenda at the event that includes many great sessions I’m looking forward to attending. I’ll be there speaking about SIP interoperability and some of the lessons we’ve learned at Voxeo as we’ve interconnected our SIP cloud to that of so many carriers. I’ll also be donning my VOIP Security Alliance (VOIPSA) hat to participate on a panel about security.
And naturally, given my intense interest in IPv6 these days (and all my writing about IPv6), I’ll of course be joining in to the “IPv6 Readiness” BOF planned for Tuesday, April 26.
I’m very much looking forward to this first SIPNOC event… if you are already planning to be there please do say…
I’ll be in Miami next week speaking at ITEXPO, Cloud Communications Summit, etc.
If any of you will be in South Beach, Miami, next week I’ll be there speaking as part of the Cloud Communications Summit and SIP Trunking Workshops. I’ve got a page up on Voxeo’s site that shows my schedule at: http://blogs.voxeo.com/events/itexpo-east-2011/
I know a good number of other folks from the VoIP/UC/Cloud Telecom/Voice Mashups/SIP/etc. world are all going to be down there, so I’m looking forward to catching up with some folks there.
If you are down in Miami for ITEXPO, the Cloud Communications Summit, Digium/Asterisk World or any of the other events, please do stop by and say hello… or find me down at one of the sessions I’m in (my schedule is online). You can always email me or ping me on Twitter.
Looking for a Last Minute Gift for A Telecom or Security Person?
<shameless self-promotion>
With Christmas fast approaching, are you looking for a last-minute gift for someone you know working with telecommunications or security?
If so, may I suggest a book written by a certain someone called, oh, Seven Deadliest Unified Communications Attacks? You can order it from sites like Amazon.com and have the book delivered this week before Christmas!
The book will help whomever you give it to understand what the real threats to communications networks are today – and also what the real solutions are. Here’s a video I made to explain why I wrote the book:
</shameless self-promotion> 🙂
Speaking at Voice Biometrics Conf next Tues, Weds, May 4-5, in NY
If any of you will be at the Voice Biometrics Conference next week (May 4-5) in the New York area (Jersey City, actually), I’ll be there speaking on Wednesday about ‘Seeding the Cloud – Authentication as a Service’. I’m arriving Monday evening and will be there through early Thursday morning.
“Voice Bio Con”, as it is called, is a rather comprehensive gathering of the major players in the voice biometrics / voice authentication / voice verification space. Great agenda with some excellent speakers (and yeah, I’m on that list, too). I wrote over on the VOIPSA blog about the number of case studies and real world deployments that will be discussed.
It should be a great event… I’m on that panel and will also be talking about Voxeo’s voice biometric partner program where you can try out voice biometric solutions for free using our hosted platform and the hosted services from four of the major voice biometric vendors. I’m looking forward to meeting up with some friends there and undoubtedly having some great conversations and learning a good bit.
If you are at the event, please do say hello! If you want to go and haven’t registered yet, there’s a…
Video interview from ITEXPO about Voxeo, cloud, security…
As I mentioned on a Voxeo blog yesterday, the good folks at TMC recently posted a video interview I did with them at ITEXPO back in January in Florida. In the interview, I discussed:
- the Cloud Communications Summit and pushing communications out into “the cloud”
- security issues related to cloud communications
- what’s next in communications, including multi-channel communications (a component of what we refer to at Voxeo as Unified Self-Service)
Anyway, for folks who wonder what it is I do, part of it is telling stories in forms like this…
If you found this post interesting or useful, please consider either subscribing to the RSS feed or following me on Twitter or identi.ca.
