I game, I code, I break things
Technical, constructive, fun.

Skype (in)Security September 9, 2013

It had been a long time since there was a security breach on any of my accounts, but it’s now the in-thing for cyber security and it appears to be the Russians or at least someone pretending to be that is leading the charge.

A number of months back my Electronic Arts Origin account was hijacked, I suspect this was through something on the Origin website that just allowed a bypass into the account as I received no notifications aside from when my e-mail address was changed on the account. The bot or person then changed all the details and settings into Russian and did nothing else aside from remove my friends from the friends list. At that time I had very few games on there and no associated details, so I didn’t mind.

Before that happened the only security breach I had was in the days of using ICQ regularly when I was foolish to have the same password for it as I had set for a forum. I learnt then and kept everything separate since.

So wonder be to my surprise when I’m notified that my e-mail address for my Skype account was changed.

“Here we go again”

I’ve used this account for a long time, I haven’t used it on an actual computer for years and it resides on a Skype phone, a DualPhone 3088 now a 4088. Only I use the account and I don’t login to a computer for it, why would I need to? It has an auto renewing, auto filling skype subscription. It solved itself.

This is where it goes sour of course. I had it linked with PayPal. No sooner as I discovered my password had changed on the account and that the e-mail was changed that I checked my PayPal balance and, low, the “Russian” had pulled £90+ in Skype credit, but only onto the phone. Why? I’m not sure, there was a perfectly good subscription there.

So I attempt to recover from this; Skype do not have a phone number you can contact them on. They only have a ‘live chat’ for ‘premium users’, was I a premium user? I have no idea. So I managed to get through to a person whose first language was definitely not English (was it Russian?) who then proceeded to not grasp that the e-mail address on my account had changed and so just resetting my password wasn’t going to cut it.

At this point, might I add, that Skype’s recovery process entirely relies upon the thought that you only ever have one Skype account and that you’re able to access said account to report any problems in the trouble-shooting process before you even get through to an advisor. So I wasn’t a ‘premium user’ on the Skype account I could actually log in with.

While clarifying which account I couldn’t access and trying to get over the language barrier the person in control of my account had spent a further £20 bringing the total to over £100. I’m now thinking that the Russians aren’t entirely bright.

I answer the security questions and attempt to have my account reset, but all the while the advisor can’t confirm to me the e-mail address they’ve set it to, because of “security” and they can’t escalate the request to someone else (or won’t, I’m not sure). So I’m getting pretty frustrated and my “tokens have exceeded the amount given for that e-mail address” to be able to reset my password.

I’m forced to resolve to “contact us again in 24 hours, until then the account is suspended”. My cries of “which account and which e-mail address?” cannot be confirmed, for security reasons.

So, I’m sat here quite fraught with concern and so I decide to contact PayPal. Once logged into my account I find the contact details and there’s a number I can actually call (real people ahoy!) with a verification number so I don’t have to mess about. The menu system uses voice recognition so I don’t have to mess about with the numbers and I find that ‘claims and fraud’ line is only open until 8.30pm – well by now it’s quite late. Crap. So “Okay, let’s think about this another way” I figure. My Skype account was ‘linked’ to PayPal, surely they can severe the link?

Yes. This was the key, I got through to a nice pleasant person who was actually sympathetic, said they were going to severe the link now and push forward to Skype to refund my money. Though, sadly, they stated they couldn’t do a great deal because it was “completed” already. Still, I’m satisfied that the little Russian can’t take my funds any more.

A few hours pass and I get an e-mail through, it’s the password reset token. In Russian, then, in English. The delay only confirms to me that they’re having some great struggle. I can finally get into my account and it’s pre-loaded with £100+ and nothing else appears to be touched and no apparent calls made.

So I’m not entirely sure how they managed to get into my account as it wasn’t a compromise on my computer, I’m pretty certain. Of course my e-mail account is a suspect but it shows no sign of foul access and I go between various phases of obscure methods of security with it. However, while it was nice at the time to have my Skype automatically renew the Skype Pro subscription you can’t get any longer; I’m certainly going to revise the best practices.

Computing is still in its infancy and this was one, far too easy way to access my bank funds indirectly.

Maybe I can call my family in Australia?

Comments Off on Skype (in)Security
Categories: security

Arduino IDE on Windows with Minimus32 Profile June 5, 2013

Some time ago I typed up an explanation and presented a download of a compressed file for the Arduino IDE on Windows which included libraries for the Minimus32.

The zip file was/is unnecessarily bulky and has folders in places where they don’t need to be. So I decided to create a script.

The script downloads the Arduino IDE, of a version which you specify from the Arduino Website along with PBrook’s Minimus32 and OneWire components from his GitHub page and also the pre-compiled version 4.7.0 of AVR-GCC for windows (if you want a different version then feel free to update and compile from the source code yourself but for now it’s supplied by yours truly).

It then puts it all in a folder called ‘ide’ and it should copy/rename/move everything in its correct place within a sub-folder. The drivers still have to be manually installed.

There are some thoughts on what I’ve done:

1. Alter the script so that it scrapes the Arduino site for the latest stable revision number.
2. Have the drivers self-signed so that the don’t prompt with an error message. This can’t be done as self signing only works for the system it is signed upon.
3. Use a command line tool to inject the drivers into Windows / auto install them.
4. Perform error checking in the script. I have since done this to at least check that the files exist, but nothing more.

The over-all benefit of this, I feel, is that it’s not waiting for me to do a ‘snapshot’ and anyone can now check the latest version (if they modify the script a bit), type it into the script and when it’s finished downloading it should just work nicely without having to do anything (much) extra.

So once you’ve downloaded it. Extract it to wherever you have write access to, then just double-click or run install.cmd from a command prompt.

You shouldn’t need to, but run it as Administrator if you really get into trouble.

I mainly wrote this for myself, because I’m lazy. So if it does help anyone else, great. I am also aware it could be implemented a lot better, so go ahead.

Download: Arduino IDE Download Script for Windows with AVR-GCC 4.7.0 + Paul’s Minimus32 Profile & Internal PullUp OneWire Library (2.98mB)

Comments Off on Arduino IDE on Windows with Minimus32 Profile

Arduino IDE on Windows June 3, 2013

If I have learnt anything from software development over the years, it’s that programming on Windows is a mixed bag. Even more so when it comes to the development of hardware, as I have learnt more recently since joining the Leeds Hackspace.

The Arduino, a rather nice prototyping board, does have an Integrated Development Environment (IDE) for windows, but when you try to do that little bit more with it, such as code for an unorthodox piece of hardware it can get a bit trickier. Namely, when certain chips aren’t supported.

The Arduino IDE (AIDE) is actually a mixture of smaller components. A Java GUI, the AVR-GCC compiler, source code in C++ and profiles for the various Arduino hardware. A problem mainly arises when you want to use a new device, that is perhaps acting like an Arduino but is using a newer chip on the board than is supported by the archaic AVR-GCC compiler that is bundled with the AIDE.

I’ve been working on a script which pulls down the latest AIDE and incorporates support for, in particular, the minimus32 (using the ATMega32u) but it isn’t exactly user friendly (yet). Until that appears (though if you want to try it out, get in touch), I have happened across a rebuild of the Arduino IDE which is a bit nicer and, perhaps with suggestions for including decent updates such as a recompiled AVR-GCC, it could potentially be a better solution.

Comments Off on Arduino IDE on Windows