Re: using Skype, hosted voip, etc. in SMB

[Michael Krymson <krymson () gmail com>]

Skype is an interesting entity, especially in the workplace. Keep in
mind there is no consensus on whether Skype has any place in a corporate
environment or not. The debate rages on, although the longer it rages
on, the more weight regulations will get and force Skype out of the
corporate landscape or into new practices to match regs.

Skype has its place in consumer computers, no doubt. It's an amazing
tool and very popular. This popularity means the question will always
come up in the corporate place, "why don't we use Skype, it's free?"

Here is a hopefully quick list of things wrong with Skype in the workplace:

- It can use your bandwidth whether you want it to or not. Skype can
promote itself to a supernode if you have a publicly routable internet
address on the computer hosting the app. Being a supernode means it
passed other people's traffic through you and uses you as a node. This
can also consume system resources. If you are behind any type of NAT
device, this behavior won't happen.

- Skype is encrypted with a proprietary 256-bit system. I don't believe
this has been accredited or checked by any third parties. This
proprietary encryption and protocol is their crown jewels. Without this
secret, their service is worse than regular plaintext IMs.

- Because of the encryption, you can't determine whether someone is
telling someone else a trade secret or not, nor can you capture the text
parts either. This breaks regulations like SOX where you need to know if
information is leaving your control.

- Pardon the expression, but watching any traffic that includes users
with Skype is a bitch. On your firewall you will see random, sustained
connections to Japan, Taiwan, China, Finland, Germany, US DSL users,
etc. Normally odd connections like that indicate spyware, virus
activity, unwanted activity, or even P2P app presence. Skype destroys
that pattern.

- Skype can update itself, and do whatever it wants to you, whether you
like it or not. The user is promtped with "would you like Skype to make
automatic updates to itself?" and that answer stays forever. Granted, it
is not likely eBay/Skype will turn rogue, but people once said that
about Sony...

- So, you have your traffic routed all over the place...and a
proprietary encrypted protocol. If that protocol is cracked and made
public, those Japan, Taiwan, Finland, and DSL users that get promoted to
supernodes could decrypt your messages and conversations. You'd have to
treat t like any IM application and weigh the benefits against the costs
of possibly failing security regulations.


With all of that being said, if you're not under many regulations, don't
monitor your egress (both data and IP traffic), and trade secrets won't
be given out over Skype calls, you can get away with using Skype in the
corporate place just fine, especially for those traveling people. If
they need it, find some solution, otherwise they'll just use it anyway.
:-) It may sound like I've got something against Skype, but that's not
the case at all. I've simply fought this fight in the recent past at my
last job is all. :-)


Andrew Stewart wrote:
> I work for a SMB automotive manufacturer based in the US.  In the process of planning for a new project for which we
> will have a number of people traveling international, there was a proposal to use Skype to save on long distance phone
> charges when they travel to Europe and Mexico.  Skype kind of concerns me as an unknown quantity.  They do have some
> security information, including one security evaluation report, listed on their site <http://www.skype.com/security/>.
> They claim to use 256-bit AES "in order to actively encrypt the data in each Skype call or instant message."  Has this
> claim been substantiated by any neutral third-parties?
>
> I see that a Chinese company claims to have "cracked" the Skype protocol <http://www.voipwiki.com/blog/?p=16>
> <http://www.voipwiki.com/blog/?p=31>.  Does anyone see any security risks coming out of this?
>
> What about hosted VOIP services like NewCross Technologies <http://www.newxt.com/> and Pandora Networks
> <http://www.pandoranetworks.com/> that use open protocols (ie. SIP)?  Has anyone used any of these?  What security
> features should I look for in choosing one?
>
> -------------------
> Andrew Stewart
> astewart () notre1 com
> (205) 585-2980 - cell
>
>
>   


---------------------------------------------------------------------------
This list is sponsored by: Norwich University

EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The NSA has designated Norwich University a center of Academic Excellence 
in Information Security. Our program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Using interactive e-Learning technology, you can earn this esteemed degree, 
without disrupting your career or home life.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------