Skype Security and Spam Updates

With news of eBay's Skype sale out of the way, Skype employees are apparently free to start disseminating information once again. As such, Skype reacted today in blog posts to a pair of security concerns that I've written about recently.

One post outlined a new hotfix for Skype 4.1 that, among other things, takes the first baby step toward helping users deal with incoming invite spam. The hotfix purports to make unclickable any links presented within an invite request. While I'd rather see Skype work to change the way invite requests are currently commingled with real contacts within a user's contact list, or actually block the incoming spam, it's a start.

I'm actually waiting to apply the hotfix until I get my next spam invite so I can see the differences in action. I'll add a screen or video as soon as I have something to show.

In the second note, Skype finally responded to the recent news circulating about the Trojan PeskySpy, which aims to steal the audio of a Skype call and send the conversation to parts unknown. In the post, the author links to the Symantec post about the threat, rather than the less detailed post about the Trojan by Sophos that first captured my attention.

The post clarifies that the Trojan does not attack Skype code directly. Instead, it hooks into Windows APIs and uses those hooks to collect Skype output: the Trojan sits between the audio hardware and Skype, intercepting the data payload after Skype decrypts it (or before Skype encrypts a transmission) on a Windows-based host.

As a side note, the second Skype post mentioned above is the first addition to the Skype Security blog since April.

Welcome back, fellas.