Updates

A compilation of the latest information about viruses and worms, security issues and patches to rectify the same

Skype warns its Windows users

PC based communications come with some security pitfalls. To prove that, eBay’s Skype sent out warnings to users of a fast-spreading worm affecting users of Skype for Windows.

According to Skype, the worm spreads through the peer-to-peer phone service’s instant chat application and is activated when users clicks on a link in an instant message that they receive. Those messages may appear to be from the Skype user’s contact list or from an unknown person. The messages are in the form of an attachment that appears to be a JPEG file but in reality is executable code.

The worm is dubbed as ‘0W32/Ramex.A’ and uses code within Skype’s application programming interface to access files on the PC. According to Skype, only users who download the link and run the malicious code have their PCs infected. The chat message is cleverly written and it may appear to be a legitimate chat message that may fool some users into clicking on the link.

Skype is working with major PC security vendors to ensure that patches are issued to shield users against the worm and several major firms had updated their anti-virus engines to stop the worm within hours of it being confirmed.

Skype encourages users to ensure that they are running anti-virus software on their computers and to download the latest anti-virus updates in order to provide the best protection against attacks of this nature.

The worm attempts to replicate itself and send out more instant messages to the contact lists of the infected machines and may be able to stop users from visiting some Web sites or using some programs. Still, most security watchers were describing the worm as a modest threat. This latest attack comes at a difficult time for Skype because just last month it endured an outage that lasted for almost two days, the longest widespread outage in its four-year history.

Skype confirmed the worm after users began posting about problems with their PCs to various online security forums. The security issue comes just days after Skype marked the fourth anniversary of its public beta launch late last month.

Some Skype users have been quick to come to the service’s defense in the wake of that two-day problem. Still, the outage and the security issues underscore the fact that VoIP (Voice over Internet Protocol) services remain less secure and reliable than traditional phone lines.

With many users originally employing Skype as a service to use alongside their land lines, occasional outages were not as much of a problem. Now that many have given up their phone services to enjoy the cost-savings of VoIP, reliability has become more of an issue.

The Skype outage was seen as something of a surprise because the nature of the distributed peer-to-peer network relies not on a single centralized server but on millions of individuals PCs, with software used to link them together.

Skype was quick to acknowledge the worm’s presence and to move to correct the situation. Similarly, it was upfront with users about the outage, regularly posting updates to the Skype Blog about progress toward correcting it.

Skype has been growing rapidly since it was founded in 2002 by Zennstrom and Janus Friis, Skype gained instant legitimacy in 2005 when eBay bought it for $2.5 billion.

Peer-to- Peer theft on the rise

Recently, federal grand jury indicted a man who purportedly used peer-to-peer file-sharing networks to obtain individuals’ tax returns, credit reports and bank statements in order to commit identity theft and fraud.

Gregory Kopiloff, 35, of Seattle allegedly used file-sharing software including LimeWire to steal a variety of sensitive information, which was then used to create bogus credit card and bank accounts and illegally purchasing thousands of dollars’ worth of products. He allegedly even filed for a victim’s 2007 tax refund, which he used to fund online credit accounts.

Kopiloff was indicted by a federal grand jury in the Western District of Washington for mail fraud, two counts of aggravated identity theft, and accessing a protected computer without authorization to further fraud. Law enforcement has so far linked Kopiloff’s efforts to about 80 victims and more than $70,000 in fraud.

According to a U.S. attorney, law enforcement knew for some time that criminals were exploiting peer-to-peer file-sharing to secretly gain remote access to victims’ computers to search for personal information. This case highlights the diligent work of Computer Hacking and Intellectual Property (CHIP) unit to identify and prosecute those who use technology against innocent consumers.

Mail fraud is punishable with up to 20 years in prison and a $250,000 fine. Accessing a protected computer without authorization to further fraud is punishable by up to five years in prison and a $250,000 fine. A conviction for aggravated identity theft mandates a two-year prison sentence to run consecutive to the prison time imposed on the underlying conviction.

The Electronic Crimes Task Forces of the US Secret Service, the US Postal Inspection Service, the Seattle Police Department and Poulsbo, and Washington Police Department investigated the case and Assistant US Attorney Kathryn Warma of the CHIP unit are prosecuting this case.

The use of file-sharing networks for identity theft and fraud is an emerging class of crime that has only recently been recognized. According to some of the security experts, this arrest is just the tip of the iceberg. Millions of consumers, while using P2P file-sharing networks, expose their sensitive information and thousands of potential criminals a day search and find this information and misuse it to commit ID theft and fraud.

Most individual consumers unknowingly expose their sensitive personal, financial and health information. This arrest demonstrates what a ring of focused ID thieves could do if they obtain your information.

Makers of file-sharing software recognize the seriousness of the problem and plan to step up their efforts to make file-sharing safer. The industry has done a bit in terms of taking steps to help protect users from inadvertent sharing of personal data which includes providing consumers with disclosures and recommendations for using the technology in a safe manner.

One of the simplest solutions concerned file-sharing that users can employ is to simply keep sensitive data on a separate computer from the one that the file-sharing software is running upon.

To reduce the problem of identity theft in general, the necessary step should be for businesses and other groups to stop relying solely on Social Security Numbers for identification.

Even a password-protected Social Security number system would go a long way toward protecting consumers better, if consumers contact credit agencies such as TransUnion and tell them they are concerned about identity theft. The companies will generally provide a password for their credit records.

Those same agencies also allow consumers to opt out of credit preapproval offers, which can help if a consumer’s mail is stolen. While some packages are safer than others, using file-sharing software has always been risky.