Educause Security Discussion mailing list archives

Re: Skype risk assessment


From: David Gillett <gillettdavid () FHDA EDU>
Date: Fri, 14 May 2010 14:27:55 -0700

  I'm somewhat annoyed that the designers of Skype decided up front that
network policy and security were their enemy.  It's an awkward place from
which to start a conversation.

  On the other hand, it was discovered sometime last year that all Skype
calls into and out of China are archived in case their government gets
curious.  As usual, notions of risk depend very much on what you consider to
be the asset, and what the threat.

  As far as I can see, Skype's peer-to-peer mode amounts to users
subsidizing their bandwidth.  Since we get public funds, that's probably
illegal on our campus (but I am not a lawyer and so far as I know our
counsel has not advised us on this).

  In general, if the campus phone system isn't meeting someone's needs, we'd
prefer that they talk to our tech group than that they just try to implement
VOIP themselves piecemeal. We *do* have Skype sanctioned and supported to
provide "video phone" service for deaf students.

  Oh yes -- it has a file-delivery function too, which since it's encrypted
may serve as a stealth vector for malware.

David Gillett, CISSP CCNP
Sr Security Engineer
Foothill-De Anza Community College District

-----Original Message-----
From: Alex Keller [mailto:alkeller () sfsu edu]
Sent: Friday, May 14, 2010 13:51
To: SECURITY () listserv educause edu
Subject: Re: [SECURITY] Skype risk assessment

This BlackHat presentation may be of interest. It would seem that Skype
employs some fairly sophisticated obfuscation techniques. Looks like there
is plenty to be concerned about.

http://blackhat.com/presentations/bh-europe-06/bh-eu-06-biondi/bh-eu-06-biondi-up.pdf



--
Alex Keller
Systems Administrator
Academic Technology, San Francisco State University
Office: Burk Hall 153 Phone: (415)338-6117 Email: alkeller () sfsu edu
