Penetration Testing mailing list archives
Re: Skype use obligation - Security x Productivity
From: "Justin Ferguson" <jnferguson () gmail com>
Date: Wed, 18 Jul 2007 10:55:15 -0700
Everyone knows that all of the concerning behavior can be disabled correct, or does no one read the documentation? Consulting the network admins guide on their site, specifically in reference to the following registry keys: HKLM\Software\Policies\Skype\Phone\DisableApi HKLM\Software\Policies\Skype\Phone\DisableFileTransfer HKLM\Software\Policies\Skype\Phone\DisableSupernode Furthermore, you can set Skype to disable listening for inbound TCP connections, restrict the ports it uses/et cetera. All of this reduces the problem to a previous one, which is administrative access to the machine. On 7/16/07, Roland Dobbins <rdobbins () cisco com> wrote:
On Jul 16, 2007, at 2:56 PM, M.B.Jr. wrote: > Guess we need to hear some other professionals. I disagree with this characterization - I don't think Skype's network behavior risks any certifications at all (for example, the Skype could be profiled using a NetFlow-based behavioral anomaly-detection system, for example, irrespective of its port/protocol selection), there's nothing in any of those standards which would seem to imply that, AFAICT. The bigger risk with Skype, IMHO, is the 'supernode' functionality which can result in one's conversations being relayed by random nodes beyond one's control and/or one's own Skype nodes acting as a supernode relay for the calls of others. It also uses a closed-source encryption scheme which hasn't been subjected to peer review. There are some ways to restrict Skype functionality either using Skype and/or Skype partner add-ons as well as third-party solutions which can restrict host application behavior. The supernode functionality, AFAIK, is hardcoded. Another option would be something along the lines of a Skype-to-SIP gateway (I think there's at least one commercially available) which would allow your customer to use SIP handsets or softphones to communicate with the gateway, which would then proxy the calls to/ from Skype. But making the assumption that the mere presence of Skype on the network would somehow result in loss of certification is a bit of a stretch, IMHO. ----------------------------------------------------------------------- Roland Dobbins <rdobbins () cisco com> // 408.527.6376 voice Culture eats strategy for breakfast. -- Ford Motor Company ------------------------------------------------------------------------ This List Sponsored by: Cenzic Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer http://www.cenzic.com/c/wf-spi ------------------------------------------------------------------------
------------------------------------------------------------------------ This List Sponsored by: Cenzic Swap Out your SPI or Watchfire app sec solution for Cenzic's robust, accurate risk assessment and management solution FREE - limited Time Offer http://www.cenzic.com/c/wf-spi ------------------------------------------------------------------------
Current thread:
- RE: Skype use obligation - Security x Productivity, (continued)
- RE: Skype use obligation - Security x Productivity Pretorius, Wynand (ZA - Johannesburg) (Jul 18)
- Re: Skype use obligation - Security x Productivity M . B . Jr . (Jul 18)
- Re: Skype use obligation - Security x Productivity Roland Dobbins (Jul 20)
- Re: Skype use obligation - Security x Productivity M . B . Jr . (Jul 20)
- Re: Skype use obligation - Security x Productivity Mister Dookie (Jul 20)
- RE: Skype use obligation - Security x Productivity Pretorius, Wynand (ZA - Johannesburg) (Jul 18)
- RE: Skype use obligation - Security x Productivity Pradeep-Kumar . Karavadi (Jul 17)
- Re: Skype use obligation - Security x Productivity Cedric Blancher (Jul 17)
- Re: Skype use obligation - Security x Productivity Roland Dobbins (Jul 17)
- Re: Skype use obligation - Security x Productivity Justin Ferguson (Jul 20)
- Re: Skype use obligation - Security x Productivity Roland Dobbins (Jul 20)