Educause Security Discussion mailing list archives
Re: Skype?
From: "Basgen, Brian" <bbasgen () PIMA EDU>
Date: Tue, 3 Feb 2009 09:47:47 -0700
We have historically blocked Skype through our IPS. However, we recently re-evaluated and found many of the early problems with Skype have been addressed. Here are our findings:

1. Resource Use:
   a. Supernode: Information on hundreds of other Skype users could be routed through the PCC network. A PCC computer would act as a "communications" hub for these users, with all call setups going through the PCC computer. This "functionality" is on by default, but can be disabled by altering the Windows Registry.
   b. Relay Host: PCC computers can be used to relay portions of voice, file, or video conversations between other users. This can be prevented by a network re-architecture that would use NAT or by disabling a Windows Registry setting that would prevent incoming connections.
   c. Overall: This is a low risk for the college. Skype created the ability to disable these two functions with their release of version 3. Skype also now states that relay hosts will typically experience less than 80kbit of network utilization, and supernodes less than 40kbit. Previously, no limit or expectation was set regarding actual network utilization.

2. Monitoring & Privacy:
   a. Skype is apparently able to decrypt communications and monitor them since it possesses the encryption keys.
   b. Overall: This is a low risk for the college. PCC should not assume, however, complete security when using Skype for confidential data communication.

3. Conventional Risks:
   a. Spyware, viruses, phishing: Like any other file sharing and communication program, Skype can be afflicted with viruses, worms, etc. Since Skype does not integrate with the IT security infrastructure, no preventative scanning occurs.
   b. Spam, etc: Like any other communications program, unwanted individuals can use this as a means of unsolicited contact. Unlike other PCC communications such as e-mail, PCC does not protect Skype communications, for example, with a Skype spam filter.
   c. Overall: This is a medium risk for the college. Skype increases exposure to spam, spyware, viruses and phishing schemes without mitigating infrastructure controls. Instead, Skype operates at the "last line of defense" - the end-user computer, which means reliance only on desktop defenses (anti-virus and anti-spyware software). While this represents a vulnerability, there are not many known exploits of Skype currently, creating a low threat and thus acceptable overall risk.

~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Clark, Sean
Sent: Tuesday, February 03, 2009 9:30 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Skype?

We are trying to gather info on how our peer institutions are handling Skype on their networks. The two biggest concerns that we have are the security risks associated with Skype and how universities are handling funding for the increased Internet bandwidth associated with Skype, since Skype is essentially transferring costs from long distance carrier expenditures to expenses associated with Internet bandwidth usage.

Since we are a large university that includes a health sciences center (with all of the security concerns that come with handling private data such as PHI) I'm open to feedback from all universities, but particularly interested in those institutions that have health sciences centers.

Specific questions:

- Do you work for a university?
- If you work for a university, does that university have a health sciences center?
- Are you blocking Skype?
- If you are not blocking Skype, how are you handling the security concerns associated with Skype?
- If you are not blocking Skype, have you addressed the increased network bandwidth costs, or are you just eating the extra bandwidth?

Other discussion, thoughts and responses are, of course, encouraged, but the above information would be particularly useful for me in preparation for the questions that I foresee coming from our upper management in the near future.

Thank you.

Sean Clark
Manager, IT Security/Email/UNIX Systems
UCDenver IT Services
Sean.Clark () UCDenver edu