Re: Skype?

["Basgen, Brian" <bbasgen () PIMA EDU>]

 We have historically blocked Skype through our IPS. However, we recently re-evaluated and found many of the early 
problems with Skype have been addressed. Here are our findings:

1.      Resource Use:
a.      Supernode: Information on hundreds of other Skype users could be routed through the PCC network. A PCC computer 
would act as a "communications" hub for these users, with all call setups going through the PCC computer. This 
"functionality" is on by default, but can be disabled by altering the Windows Registry.
b.      Relay Host: PCC computers can be used to relay portions of voice, file, or video conversations between other 
users. This can be prevented by a network re-architecture that would use NAT or by disabling a Windows Registry setting 
that would prevent incoming connections.
c.      Overall: This is a low risk for the college. Skype created the ability to disable these two functions with 
their release of version 3. Skype also now states that relay hosts will typically experience less that 80kbit of 
network utilization, and supernodes less than 40kbit. Previously, no limit or expectation was set regarding actual 
network utilization.
2.      Monitoring & Privacy:
a.      Skype is apparently able to decrypt communications and monitor them since it possess the encryption keys.
b.      Overall: This is a low risk for the college. PCC should not assume, however, complete security when using Skype 
for confidential data communication.
3.      Conventional Risks:
a.      Spyware, viruses, phishing: Like any other file sharing and communication program, Skype can be afflicted with 
viruses, worms, etc. Since Skype does not integrate with the IT security infrastructure, no preventative scanning 
occurs.
b.      Spam, etc: Like any other communications program, unwanted individuals can use this as a means of unsolicited 
contact. Unlike other PCC communications such as e-mail, PCC does not protect Skype communications, for example, with a 
Skype spam filter.
c.      Overall: This is a medium risk for the college. Skype increases exposure to spam, spyware, viruses and phishing 
schemes without mitigating infrastructure controls. Instead, Skype operates at the "last line of defense" - the 
end-user computer, which means reliance only on desktop defenses (anti-virus and anti-spyware software). While this 
represents a vulnerability, there are not many known exploits of Skype currently, creating a low threat and thus 
acceptable overall risk.


~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College



> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Clark, Sean
> Sent: Tuesday, February 03, 2009 9:30 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Skype?
>
> We are trying to gather info on how our peer institutions are handling
> Skype on their networks.  The two biggest concerns that we have are the
> security risks associated with Skype and how universities are handling
> funding for the increased Internet bandwidth associated with Skype,
> since Skype is essentially transferring costs from long distance
> carrier expenditures to expenses associated with Internet bandwidth
> usage.
>
> Since we are a large university that includes a health sciences center
> (with all of the security concerns that come with handling private data
> such as PHI) I'm open to feedback from all universities, but
> particularly interested in those institutions that have health sciences
> centers.
>
> Specific questions
>
> Do you work for a university?
>
> If you work for a university, does that university have a health
> sciences center?
>
> Are you blocking Skype?
>
> If you are not blocking Skype, how are you handling the security
> concerns associates with Skype?
>
> If you are not blocking Skype, have you addressed the increased network
> bandwidth costs, or are you just eating the extra bandwidth?
>
> Other discussion, thoughts and responses are, of course, encouraged,
> but the above information would be particularly useful for me in
> preparation for the questions that I foresee coming from our upper
> management in the near future.
>
> Thank you.
>
> Sean Clark
> Manager, IT Security/Email/UNIX Systems
> UCDenver IT Services
> Sean.Clark () UCDenver edu