Dawn of the Zero Day

It was 7:45am. I’d woken up fifteen minutes before my alarm sounded. This was a rare occurrence considering how often I’ve slept through it these days, and since I’d gone to bed sometime after 2am. Having slept uncomfortably, I checked my phone for social updates for some motivation to get up. Be careful what you wish for.

I was tagged in a post by a friend. He often posts computer science gems to keep us in the loop. This was a simple post on tumblr. And after absorbing the gravity of its message, I could stay in bed no more.

It was a description of a zero day exploit that can allow anyone to gain access to anyone else’s Skype account. Various thoughts rushed through my head. The people must be told about this. I need to protect myself against it. Where do I go from here?

Needless to say, I’d got out of bed with haste only to deadlock standing still thinking about my options. Why did I care? This was big news, and very new. The post was made a few hours before, and it was only a matter of time before it went mainstream. At that point, if I didn’t have the correct defences up, it would be endgame.

I fired up my laptop and thought about the problems Skype themselves would be having in dealing with this. Coming up with a rapid fix to such a broken feature isn’t too hard, but ensuring it doesn’t break something else is. I logged in to Skype, relieved that my account wasn’t yet hijacked in the few hours the post was up. The nature of the flaw meant I had to make some changes to my Facebook profile, closing a few doors that left me wide open. This was a case where professional paranoia was no longer paranoid.

I then spent a good 30 minutes changing details on my Skype profile. I remained dissatisfied with the process, however. There was a striking sense of instability about the whole thing, and I wasn’t convinced my data was safe.

This sparked a chain of thoughts about how I’ve been increasingly alerted to this sort of thing, and whether I would feel safe at all considering how often these things happen. The new age of zero day exploits had long since dawned, and the state of security is in such disrepair that leaks no longer effectively fix them. Is a paradigm shift in standards necessary to effect change? How can we enforce industry strength security properly? I digressed.

Deciding it wasn’t worth wasting any more time over, I figured I needed to start heading out. There wasn’t much time to enjoy my usual Starbucks breakfast, and I felt too unsettled on the tube to play Pokemon on my DS. So here I am, on the (kind of) wrong tube train, deciding what the next best courses of action are. And pondering when I’m going to feel safe enough to break the news to a wider audience against a perceived duty to inform.

UPDATE — 13:00 – As the exploit appears unusable now that Skype have disabled password resets while they find a fix, I’ve linked a source describing the methods.

Advertisements

About Alexander Karapetian

Software Engineer & Computer Scientist from Imperial College.
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s