Security Basics mailing list archives
Re: using Skype, hosted voip, etc. in SMB
From: Michael Krymson <krymson () gmail com>
Date: Mon, 24 Jul 2006 18:02:23 -0500
Skype is an interesting entity, especially in the workplace. Keep in mind there is no consensus on whether Skype has any place in a corporate environment or not. The debate rages on, although the longer it rages on, the more weight regulations will get and force Skype out of the corporate landscape or into new practices to match regs. Skype has its place in consumer computers, no doubt. It's an amazing tool and very popular. This popularity means the question will always come up in the corporate place, "why don't we use Skype, it's free?" Here is a hopefully quick list of things wrong with Skype in the workplace: - It can use your bandwidth whether you want it to or not. Skype can promote itself to a supernode if you have a publicly routable internet address on the computer hosting the app. Being a supernode means it passed other people's traffic through you and uses you as a node. This can also consume system resources. If you are behind any type of NAT device, this behavior won't happen. - Skype is encrypted with a proprietary 256-bit system. I don't believe this has been accredited or checked by any third parties. This proprietary encryption and protocol is their crown jewels. Without this secret, their service is worse than regular plaintext IMs. - Because of the encryption, you can't determine whether someone is telling someone else a trade secret or not, nor can you capture the text parts either. This breaks regulations like SOX where you need to know if information is leaving your control. - Pardon the expression, but watching any traffic that includes users with Skype is a bitch. On your firewall you will see random, sustained connections to Japan, Taiwan, China, Finland, Germany, US DSL users, etc. Normally odd connections like that indicate spyware, virus activity, unwanted activity, or even P2P app presence. Skype destroys that pattern. - Skype can update itself, and do whatever it wants to you, whether you like it or not. The user is promtped with "would you like Skype to make automatic updates to itself?" and that answer stays forever. Granted, it is not likely eBay/Skype will turn rogue, but people once said that about Sony... - So, you have your traffic routed all over the place...and a proprietary encrypted protocol. If that protocol is cracked and made public, those Japan, Taiwan, Finland, and DSL users that get promoted to supernodes could decrypt your messages and conversations. You'd have to treat t like any IM application and weigh the benefits against the costs of possibly failing security regulations. With all of that being said, if you're not under many regulations, don't monitor your egress (both data and IP traffic), and trade secrets won't be given out over Skype calls, you can get away with using Skype in the corporate place just fine, especially for those traveling people. If they need it, find some solution, otherwise they'll just use it anyway. :-) It may sound like I've got something against Skype, but that's not the case at all. I've simply fought this fight in the recent past at my last job is all. :-) Andrew Stewart wrote:
I work for a SMB automotive manufacturer based in the US. In the process of planning for a new project for which we will have a number of people traveling international, there was a proposal to use Skype to save on long distance phone charges when they travel to Europe and Mexico. Skype kind of concerns me as an unknown quantity. They do have some security information, including one security evaluation report, listed on their site <http://www.skype.com/security/>. They claim to use 256-bit AES "in order to actively encrypt the data in each Skype call or instant message." Has this claim been substantiated by any neutral third-parties? I see that a Chinese company claims to have "cracked" the Skype protocol <http://www.voipwiki.com/blog/?p=16> <http://www.voipwiki.com/blog/?p=31>. Does anyone see any security risks coming out of this? What about hosted VOIP services like NewCross Technologies <http://www.newxt.com/> and Pandora Networks <http://www.pandoranetworks.com/> that use open protocols (ie. SIP)? Has anyone used any of these? What security features should I look for in choosing one? ------------------- Andrew Stewart astewart () notre1 com (205) 585-2980 - cell
--------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- using Skype, hosted voip, etc. in SMB Andrew Stewart (Jul 21)
- Re: using Skype, hosted voip, etc. in SMB Daniel DeLeo (Jul 24)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 25)
- Re: using Skype, hosted voip, etc. in SMB Dragos Ruiu (Jul 26)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 27)
- Re: using Skype, hosted voip, etc. in SMB Morgan Reed (Jul 25)
- Re: using Skype, hosted voip, etc. in SMB Daniel DeLeo (Jul 24)
- Re: using Skype, hosted voip, etc. in SMB Michael Krymson (Jul 25)