Educause Security Discussion mailing list archives

Re: SKYPE - What's the latest in terms of Risk...


From: Scott Koger <skoger () EMAIL WCU EDU>
Date: Thu, 20 Dec 2007 08:50:27 -0500

As long as the application continues to use encryption for the traffic, there is no way to inspect the traffic (huge 
hole for unintended data leakage) and as with all consumer software you've really got to scrutinize the fine print of 
the EULA - most have verbiage which allows them to push additional software on your system at some future date. While 
it may be fine for Timmy to call his buddies in Europe on the cheap, I would strongly advise against its use in the 
enterprise - if for no other reason than the potential for injection of malware onto your systems. I have yet to see a 
favorable review in any mainstream security trade rag.

M. Scott Koger, CISSP
Security Analyst
Information Technology
Western Carolina University
Cullowhee, NC 28723
Office 828.227.2489
Fax    828.227.7700 

-----Original Message-----
From: Sadler, Connie [mailto:Connie_Sadler () BROWN EDU] 
Sent: Thursday, December 20, 2007 12:47 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] SKYPE - What's the latest in terms of Risk...

We haven't looked closely at Skype for a couple of years. Does anyone know what the current assessment is with regard 
to risk? Does it still completely bypass the firewall and facilitate a channel for the propagation of malware?

Any opinions based on experience or analysis will be much appreciated!

Thanks...

Connie

Connie J. Sadler, CM, CISSP, CISM, GIAC GSLC
IT Security Officer, Brown University 
Campus Box 1885, Providence, RI 02912
Connie_Sadler () Brown edu,  Office: 401-863-7266 
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x91E38EFB
PGP Fingerprint: DA5F ED84 06D7 1635 4BC7 560D 9A07 80BA 91E3 8EFB 
