Re: using Skype, hosted voip, etc. in SMB

[Daniel DeLeo <danielsdeleo () comcast net>]

If you have the resources, the best thing to do would be to set up a  
VPN protected VoIP system.  Barring that, you should have a look at  
Phil Zimmermann's Zfone.  The code is available for review, so you're  
not just trusting Skype's claims.  Zfone works with any SIP  
softphone; I personally use it with Gizmo, which is a free Skype-like  
service (based on SIP, of course).  You should also be able to use  
Zfone with hosted VoIP services, if you go that route.

I remember reading a powerpoint produced by a French group that used  
some pretty advanced reverse engineering techniques to get into  
Skype's guts.  If I remember correctly, they concluded that the way  
the Skype network is managed provided a few possible avenues of  
attack.  Unfortunately, I can't quite remember the link.

Daniel DeLeo

On Jul 21, 2006, at 10:33 AM, Andrew Stewart wrote:

> I work for a SMB automotive manufacturer based in the US.  In the  
> process of planning for a new project for which we
> will have a number of people traveling international, there was a  
> proposal to use Skype to save on long distance phone
> charges when they travel to Europe and Mexico.  Skype kind of  
> concerns me as an unknown quantity.  They do have some
> security information, including one security evaluation report,  
> listed on their site <http://www.skype.com/security/>.
> They claim to use 256-bit AES "in order to actively encrypt the  
> data in each Skype call or instant message."  Has this
> claim been substantiated by any neutral third-parties?
>
> I see that a Chinese company claims to have "cracked" the Skype  
> protocol <http://www.voipwiki.com/blog/?p=16>
> <http://www.voipwiki.com/blog/?p=31>.  Does anyone see any security  
> risks coming out of this?
>
> What about hosted VOIP services like NewCross Technologies <http:// 
> www.newxt.com/> and Pandora Networks
> <http://www.pandoranetworks.com/> that use open protocols (ie.  
> SIP)?  Has anyone used any of these?  What security
> features should I look for in choosing one?
>
> -------------------
> Andrew Stewart
> astewart () notre1 com
> (205) 585-2980 - cell
>
> ---------------------------------------------------------------------- 
> -----
> This list is sponsored by: Norwich University
>
> EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
> The NSA has designated Norwich University a center of Academic  
> Excellence
> in Information Security. Our program offers unparalleled Infosec  
> management
> education and the case study affords you unmatched consulting  
> experience.
> Using interactive e-Learning technology, you can earn this esteemed  
> degree,
> without disrupting your career or home life.
>
> http://www.msia.norwich.edu/secfocus
> ---------------------------------------------------------------------- 
> -----


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------