Whether it's a casual interaction or a business meeting, people assume that the person they are speaking with is the only person who will have access to the conversation. Even in an online setting, chat logs and video conferencing connections should be encrypted or have some form of privacy control, whether consumers intend to use them or not. The issue is when these protections are activated and data protection still falls through the cracks.
These threats occur sometimes due to a user sharing credentials or otherwise being careless with passwords and other tokens, but there are other cases where software updates may be at fault. In others, the provider itself may not be taking proper precautions to safeguard information, resulting in server security issues. Regardless of the reason, recent issues with popular Voice over Internet Protocol (VoIP) and web chatting tools have resulted in serious concerns for users.
An unexpected audience
A leader in casual chatter, Skype has been using webcam and microphone technology to connect friends, families and co-workers for years. The service is available for free or through a subscription service, and users can choose the tools and settings they want to use in order to customize the entire experience. Data security procedures have always been as basic as creating a password-protected account and specifying whether a basic or encrypted connection is desired, with much of the service remaining casual in nature.
However, ZDNet reported recently that an issue with a software update from the company had resulted in buggy chat communiques. Several users reported that, thanks to what appeared to be a lack of data protection from the provider, privacy issues were sprouting up when messages intended for one audience were sent at the wrong time, re-transmitted or sent to someone not included in the original chat.
Some users pointed out that those receiving messages erroneously had no connection on the social networking site apart from themselves. There was no endpoint-user fault at play to cause these transmissions to jump from one contact to the next, sharing information unintentionally. Leonas Sendraukas of Skype explained in a blog post that the issue was most likely due to the software failing in the middle of transmission, causing the chat text to bounce from one contact to the next during the restore process.
There are times, however, that a company recognizes a server security issue in time to release updates that protect user privacy and security. These errors in programming, while somewhat annoying to consumers, can be easily exploited by hackers when the loopholes in security become apparent.
Cisco Systems, a leading vendor of online and voice networking software and equipment, recently put out a patch for several of its program suites that the company identified as having major weaknesses. ESecurity Planet reported that the company had identified 10 unique threats to data security within the framework of its VPN systems several months ago, but has taken this long to release an official statement on the issue so that patches could be issued to clients. Doing this before the public was made aware of the problem may have helped deter a zero-day incident that would have proven more harm than good for Cisco's customers.
According to Cisco's statement, the possibility for a hacker to infiltrate an IP and bypass standard security was such that it could have resulted in a complete denial of service for some clients, while others simply could have had data unknowingly harvested from these connections.
"During a malicious attack, any website that hosted a copy of the vulnerable component could masquerade as a trustworthy site and attempt to convince the user to instantiate the vulnerable component," reported a Cisco security update in an InfoWorld article.