Security Basics mailing list archives
Re: using Skype, hosted voip, etc. in SMB
From: Daniel DeLeo <danielsdeleo () comcast net>
Date: Fri, 21 Jul 2006 15:10:52 -0600
If you have the resources, the best thing to do would be to set up a VPN protected VoIP system. Barring that, you should have a look at Phil Zimmermann's Zfone. The code is available for review, so you're not just trusting Skype's claims. Zfone works with any SIP softphone; I personally use it with Gizmo, which is a free Skype-like service (based on SIP, of course). You should also be able to use Zfone with hosted VoIP services, if you go that route.
I remember reading a powerpoint produced by a French group that used some pretty advanced reverse engineering techniques to get into Skype's guts. If I remember correctly, they concluded that the way the Skype network is managed provided a few possible avenues of attack. Unfortunately, I can't quite remember the link.
Daniel DeLeo On Jul 21, 2006, at 10:33 AM, Andrew Stewart wrote:
I work for a SMB automotive manufacturer based in the US. In the process of planning for a new project for which we will have a number of people traveling international, there was a proposal to use Skype to save on long distance phone charges when they travel to Europe and Mexico. Skype kind of concerns me as an unknown quantity. They do have some security information, including one security evaluation report, listed on their site <http://www.skype.com/security/>. They claim to use 256-bit AES "in order to actively encrypt the data in each Skype call or instant message." Has thisclaim been substantiated by any neutral third-parties?I see that a Chinese company claims to have "cracked" the Skype protocol <http://www.voipwiki.com/blog/?p=16> <http://www.voipwiki.com/blog/?p=31>. Does anyone see any security risks coming out of this?What about hosted VOIP services like NewCross Technologies <http:// www.newxt.com/> and Pandora Networks <http://www.pandoranetworks.com/> that use open protocols (ie. SIP)? Has anyone used any of these? What securityfeatures should I look for in choosing one? ------------------- Andrew Stewart astewart () notre1 com (205) 585-2980 - cell---------------------------------------------------------------------- -----This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree,without disrupting your career or home life. http://www.msia.norwich.edu/secfocus---------------------------------------------------------------------- -----
--------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- using Skype, hosted voip, etc. in SMB Andrew Stewart (Jul 21)
- Re: using Skype, hosted voip, etc. in SMB Daniel DeLeo (Jul 24)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 25)
- Re: using Skype, hosted voip, etc. in SMB Dragos Ruiu (Jul 26)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 27)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 25)
- Re: using Skype, hosted voip, etc. in SMB Daniel DeLeo (Jul 24)
- Re: using Skype, hosted voip, etc. in SMB Michael Krymson (Jul 25)