FWIW, midnightblue@gmail.com is my email address

There are apparently many like it, but this one is mine -> midnightblue@gmail.com

Apparently some nonce is using it for their porn postings on Usenet.
Looks accidental, but certainly explains some of the spam I've gotten
of late.

/I realise that posting the above is going to invite more spam, but l
don't see how I can get any more than I already recieve on that addy.

//Not the first time this issue has annoyed me lately - This is not your email address.



So.... Paypal

New Paypal emails - Well of the two payments Skype yanked out of my account via Paypal, if I read between the lines it looks like Skype refunded one of them, but Paypal cancelled my claim on the second.  Paypal's autoresponder says I cancelled the claim on it, actually, so I guess their autoresponder robots are still a bit confused.
It's tricky unless you can pull together some facts from all the disparate threads from the autoresponder emails. If this was to in any way to make sense, its because the first set of credits purchased by the attacker isn't going to be refunded by Skype (sucks to be you, remember?) after all those calls were made to whereever.  

I'm too sick to deal with this today, I'll try to make some sense of this tomorrow.   



I just recieved the standard Skype level 1 canned response (fraud's not our problem, we're not refunding your money, sucks to be you, see this link  ) so while I get that sorted, I've installed the Mac password safe desktop client 1Password . I was using it on iPhone, but the desktop version of course provides a nice user interface. If you want all of your passwords to be random line noise, this is a great way to manage it.
I don't think my password was lame enough to be guessed, but my paranoia is up a few clicks this week. 
The iPhone client can be used solo, and it has a nice feature besides password sync - the ability to run a little web server over wifi from which you can download and upload encrypted backups of your safe - see http://agilewebsolutions.com/products/iphone/user_guide  . Obviously, this works great for Windows too.  Apple doesn't give you any granular way to restore data from apps, so this is necessary and appreciated.


Skype/Paypal fraud, update

Paypal have responded that the charges were not unauthorized, so I'm not sure where to go from here other than to chargeback via my card issuer. I'll be interested to see if Skype ever respond.

Its worth mentioning that Paypal are not a signatory to the EFT Code Of Conduct so I don't know what protection is in place for consumers, if any.

Black clouds, or my sobering experience with a Skype account hijack

My Skype account was broken into a few days back. The password wasn't changed, but after a flurry of email notifications from Paypal telling me that my account had been debited twice for Skype credit purchases, I logged into my Skype account and found that my email address had been changed to a nonsense Gmail address. My call history now showed a long list of numbers I'd never seen before, places like Afghanistan, Ethiopia and the States.

Later I put one of the numbers from the US into Google. It came back with the name of a man in Maryland.

At the time, my blood ran cold. I'm not what you'd call a naive user. My password wasn't quite random and could have been changed more often, admittedly. I'd never given it out.

The last time I used Skype, in fact the last time I'd used it in months, was about four days before it had been used to steal funds from my Paypal account.I'd used the iPhone app to check my voicemail. Previously, I'd used it from my Mac. While both these platforms have vulnerabilities, it makes a Skype password stealing trojan much more unlikely.

I wasn't logged into a public wifi network, and there's a few layers of security controls on my WLAN. In any event, my own analysis of the packets exchanged when a user logs on to Skype indicates that the usernames and passwords are not sent in cleartext.

I hastily changed the email address and then the password. I then logged into Paypal, changed *that* password (though the account looked okay) and disputed the transactions. Paypal hasn't gotten back to me on those yet, according to the status they're waiting for Skype to get back to them. I also cancelled the billing agreement with Skype from Paypal.

There's several worrying aspects to Skype's service, from the perspective of a paying user. For one thing, Skype don't seem to provide any notification when the contact email address is changed.

I changed my password a couple of times, after I noticed the hijack, and again after I installed and logged in to Skype from my netbook to see if there were any obvious clues as to how the account got hijacked. I recieved no notifications from Skype that my password was changed.

Skype *do* notify you when they change the billing currency on your account, and add credit to your account from Paypal. By the time you get these notifications though, the fraud has already taken place and you're left submitting a trouble ticket via their website.

Skype don't seem to send you any notification when you submit a trouble ticket. From other forums, it seems the average response time is about four days. Its strange that there's no number for a company that sells a phone service.

Skype don't support two-factor authentication that eBay and sister company Paypal, frequent fraud targets themselves, do support.

Paypal and eBay aren't perfect, but any account change generates an email.
When I hurriedly installed the VeriSign OTP app for iPhone over 3G to use with these services, my iPhone deleted the app and the token details when synced back to iTunes (my advice, install your apps from iTunes). Paypal required a good bit of personal data and access to my email address to log in and activate a new token. eBay sent me a one-time security code to get back into my account via autodialling my *phone number* on file.

Interesting points -

My account got compromised a few days after running the iPhone app. I'm not alone in having this happen to me (see http://gigaom.com/2009/03/30/review-skype-for-iphone-verdict-awesome/#comment-935445 , among others ) . Is the vector the iPhone app itself, or is there another method of compromise, an exploit that is triggered only when the user goes online?

A key exchange takes place when a user logs on, between the client and a Skype supernode (see http://www.blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf). Is the iPhone implementation using a weaker implementation of the password hashes or keys?

Would a brute-force attack work on Skype via their API? Do they permit a large amount of password retries?

For the short amount of time before I got my Skype account locked out, there were an incredible number of calls made to a variety of different numbers, all of them apparently real. Who was calling, who was being called, and why? Are cracked Skype accounts a business model for some crooks selling international call credit? Are they being used by call centers?

While many users in a similar situation had their password reset, I hadn't. Perhaps the thieves didn't change it to avoid tipping me off that the account had been hacked, when I found myself unable to log in.

Security tips -

Here's a couple of security pointers that I learned the hard way -

If you refill your Skype account infrequently, and you're not on a regular plan, and you're using Paypal, don't leave them with access to Paypal. If a billing agreement exists at Paypal for your Skype account, CANCEL IT NOW. Read the Paypal help on how to view your billing agreements and how to cancel them. This limits your exposure to only the funds in your Skype account. Attackers immediately turn auto-renew on, and Skype will happily start draining your Paypal account via this existing agreement. Although this is a change to the way you are billed, and there are financial transactions taking place, SKYPE WILL NOT ASK FOR VERIFICATION VIA EMAIL.

If your account is hijacked, the most useful thing you can do is dispute the charges, either at your credit card issuer or at Paypal. Paypal immediately started a chargeback from Skype once I disputed the charges. I'm still awaiting the results of their investigation, so I don't know if I'll get the funds back. Disputing the charges though results in Skype cancelling the credit in your account, and locking out all pay services. You want this, especially if you're not especially confident your account won't get broken into again.

I'll update my blog to let readers know how this all shakes out, Skype are silent so far.

I'm continuing to research Skype and the way it actually works, and other cases like my own, to try to answer my own questions. I can say, though, that given the choice, I wouldn't let Skype anywhere near a network I manage. It's a closed source vendor with support that's not quite up to Open Source, and there are security issues even as a free product.


Bluetooth Tethering your Ubuntu Jaunty netbook to iPhone running 3.0

Having access to an iPhone running the latest firmware, I was anxious
to get my netbook running Ubuntu 9.04 (Jaunty Jackalope).

It's easy once you install blueman from Synaptic package manager. For
whatever reason, the default Gnome bluetooth manager won't get the job

Open up Bluetooth Manager from "System Preferences". Set your iPhone's
bluetooth to be discoverable.
The iPhone will show up in the list (if not, hit the 'Search' button).
Once it does, click on 'Bond'. 'Bond' will cause your iPhone to tell
you your netbook is trying to pair with it (It actually says 'Netbook
would like to pair with your iPhone', charmingly anthropomorphic).
You want that, so click 'Pair'.
Your iPhone will tell you to confirm that the same passkey is being
displayed in Blueman on your netbook. Confirm this on your netbook
Once this is done, right click on the iPhone in Blueman. Under
'Network access', select 'Network access point'.
That's it, you're tethered. Your connection will show up in Network
Manager as 'bnep0'.


Netbook kernel redux (Virtualbox)

Right after you upgrade your kernel, Virtualbox is going to complain
that it can't load its corresponding kernel module.
Make sure you *also* install the corresponding Linux kernel headers
package and then reinstall Virtualbox.

Netbook kernel

This might seem a bit obvious, but until I installed the updates on
the husbinator's EeePC, I didn't know a netbook specific version of
the Linux kernel was available.
To get it on to your netbook, follow this link - http://array.org/ubuntu/setup.html

I installed it on the Lenovo S10. Haven't seen a *massive* jump in
performance like the Dothan-based Eee, but its a bit snappier.


Hold off on the latest Lenovo S10 BIOS update

Liliputing says hold off on S10 BIOS update v90.. may cause bricks,
ulcers http://is.gd/B2x9

It's not worth rushing into this one to clear up a little fan noise.

When all else fails ... (Unison)

Blow away *all* of the archive-files. Including those on the remote
end. I'd forgotten that Unison leaves files in ~/.unison on the remote
side as well. I couldn't get past the 'inconsistent state' error until
I read the article below.

See http://blog.philippheckel.com/2008/10/25/unison-and-multiple-hosts-warning-inconsistent-state/