Just after I published my last post, I got a Google alert on another blog post “HIPAA & Hijacked SKYPE Passwords: Another Security Violation that Brings Viability of Online Counseling via SKYPE into Yet More Questioning” at Telehealth.net in which the author talks about Skype password hijacking. Password hijacking means that someone else basically breaks into your Skype account after finding out your password and then goes on to do nefarious things like masquerading as you or charging things to a credit card number that you might have on file with Skype.
I think the blog post’s author is rightfully worried about some of the clinical implications of things like this. With Skype, it’s not just the security of my password that’s important, but of the patient’s as well. If the patient uses an insecure password, then their privacy may be impaired. The post’s author also brings up the idea that mental health professionals who use Skype should probably say something about this in their informed consent form, and I agree.
I discussed bad passwords in a previous post, so I won’t go over that again. In a future post, I’ll talk about ways for people to generate passwords that aren’t so easy to hack, but can be remembered.
However, on one point, I think that the author of the post on telehealth.net is probably off the mark. At least one of the examples she describes in which a person’s Skype password was hijacked is an instance of what hackers call “social engineering.” Social engineering is basically manipulating people into divulging confidential information. In that case, the victim clicked on a file attachment from an untrustworthy source. In the other case, the victim was apparently using a chat room, and I wonder how good the security was in that room.
Somehow though, her concerns about these cases then segue into a concern about unencrypted wireless networks as a Skype security risk. The scenario is that you go, laptop in tow, to your local coffee place, make a Skype call there, and the bad guys use something like a packet sniffer to capture your Skype password as it goes across the unencrypted wireless network.
This scenario assumes that Skype doesn’t encrypt the password you type in when it transmits it over the network. That’s probably not true. According to this post, Skype uses a public key encryption technique to set up the channel over which users communicate. If that’s true, then whether or not the wireless network is encrypted should make no difference, at least in terms of Skype security. Skype gets a lot of attention from hackers and from security people because so many people use it. If Skype were sending passwords in the clear, I think there would be numerous articles on this on the Internet, and I wasn’t able to find one. This kind of hacking is at the level of the script kiddies, and I’ll bet hundreds of them have tried (and failed) to use the exploit that the author at telehealth.net is worried about.
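As an added illustration (not from the original post, and not Skype’s own code or protocol), here is a toy model of the coffee-shop scenario: a passive sniffer records every frame on the open wireless link, and the password is readable only when the application itself sends it in the clear. The Diffie-Hellman group, the keystream construction and the frame format are constructed stand-ins for illustration only.

```python
"""Toy model: what a passive eavesdropper on an open Wi-Fi link sees when a
login credential crosses it, with and without the application encrypting
its own channel. The key agreement below is deliberately small and
unauthenticated; it stands in for "the app sets up an encrypted channel",
not for Skype's real protocol."""
import hashlib
import secrets

# Constructed DH parameters: far too small for real use, fine for a demo.
P = 2**127 - 1   # a Mersenne prime
G = 5


def wire_capture() -> list:
    """A fresh list modelling everything the sniffer records on the link."""
    return []


def plaintext_login(wire: list, password: bytes) -> None:
    """The app sends the credential as-is; the open link adds no protection."""
    wire.append(b"LOGIN " + password)


def _keystream(shared: int, n: int) -> bytes:
    """Derive n keystream bytes from the agreed secret (SHA-256 in counter mode)."""
    key = hashlib.sha256(str(shared).encode()).digest()
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def encrypted_login(wire: list, password: bytes) -> bytes:
    """The app agrees a session key first, then sends the credential encrypted.
    Returns what the legitimate server recovers, to show only the endpoints can read it.
    Caveat: with no authentication of the public values this only models a
    passive sniffer, which is the threat the post discusses."""
    a, b = secrets.randbelow(P - 2) + 2, secrets.randbelow(P - 2) + 2
    A, B = pow(G, a, P), pow(G, b, P)
    wire.append(b"DH " + str(A).encode())     # public values are visible...
    wire.append(b"DH " + str(B).encode())     # ...but useless on their own
    client_key, server_key = pow(B, a, P), pow(A, b, P)
    cipher = bytes(x ^ y for x, y in zip(password, _keystream(client_key, len(password))))
    wire.append(b"LOGIN " + cipher)
    return bytes(x ^ y for x, y in zip(cipher, _keystream(server_key, len(cipher))))


def sniffer_sees_password(wire: list, password: bytes) -> bool:
    """A passive sniffer's only move: search the captured frames for the credential."""
    return any(password in frame for frame in wire)
```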
So, I suspect worries about Skype on an unencrypted wireless network are off base, but I’m glad someone brought it up.

2 Comments
Thanks for your post. I thought the flow of the information on that telehealth.net post seemed off base so thanks for taking us through it.
Doug,
You’re welcome. I thought the telehealth.net post brought up a good question though. Just the wrong conclusion.