[ISN] Newsmaker: What threats does Skype face?

From: InfoSec News (alerts@private)
Date: Tue Jan 02 2007 - 22:16:40 PST


By Joris Evers
Staff Writer, CNET News.com
January 2, 2007

newsmaker - In late December, a security firm sent out an alert that a 
worm was spreading via Skype. It turned out to be a false alarm.

No worm has spread on Skype, and while security experts have painted a 
target on the popular Internet telephony application, its defenses have 
been pretty solid, according to the company's chief security officer, 
Kurt Sauer.

That's not to say there is no work to be done on security at Skype, part 
of eBay. The company is looking at integrating payment features, which 
obviously need securing, Sauer said. Also, Skype is in talks with 
security companies to provide add-ons to its software to secure 
text-based communications, he said.

Skype is often described as a boon for security because all calls are 
encrypted and there is no central server that could be targeted in a 
cyberattack. However, the application has also caused headaches for many 
IT administrators because it can find ways to make a Net connection 
despite strong firewall controls on corporate networks.

Sauer took a break from Skype security for an interview with CNET 
News.com, accompanied by Chief Operating Officer Michael Jackson.

Q: What do you do as chief security officer for Skype?

Sauer: I came to Skype three years ago. I came from Sun Microsystems, 
where I was doing work on peer-to-peer authentication. I came to audit 
the cryptography work that had been done in the Skype client as it 
existed. Since then, I've taken on the role of overseeing the security 
architecture of the Skype product family. That's grown into also dealing 
with incident response for security vulnerabilities. Since the 
acquisition by eBay, I also look at things like Sarbanes-Oxley 
compliance for security.

How significant a part of your job is dealing with security 
vulnerabilities in the Skype client?

Sauer: There are teams of people who are responsible for dealing with a 
lot of the nuts and bolts. Security of the architecture and where we're 
driving the product probably takes up about half my time. The other half 
is spent on compliance-related issues.

Do you see any exploitation of any security flaws in the Skype client? 
Have Skype users been under attack?

Sauer: We have not had any known exploitation of Skype vulnerabilities. 
Vulnerabilities divide themselves into different categories and we have 
not seen attack vectors in Skype's products that allow worms or viruses 
to replicate. Instead, they have tended to be one-off problems that can 
cause Skype to fail.

There have been several bugs related to the Skype URL, where clicking on 
a malicious link could cause a PC to be compromised. Were these issues 
all reported to you privately?

Sauer: Yes. I had experience with security vulnerability response work 
when I was at Sun. What I wanted to bring to Skype from that experience 
was transparent communication with vulnerability reporters.

One of the ways that you can really piss off the security researcher 
community is to be completely opaque, not say anything back. Some 
researchers don't want to talk to you, but to the extent they want to 
engage in a dialogue, we try to do that.

If you look at the robustness of the Skype code, would you say it has 
become much better over the years you have been with the company?

Sauer: Close to three years ago we had problems in our quality assurance 
process. We were working on building code tests and unit testing to 
improve the quality of the code. Things that happened between a year and 
two years ago turned into a need for better organization of the actual 
code development. So now I've introduced a lot more peer review over 
software before it gets to the final release.

Processes to make sure the software gets out is as flawless as it can, 
you feel those have all been established now?

Sauer: I don't think there's any organization that can't learn. I don't 
think we are the perfect software engineering organization. With each 
level of additional control, there is a certain amount of cost and time. 
You have to make rational decisions about how much overhead you're 
willing to place in the product development cycle. I don't think that 
we're ever going to be able to say that we're done tinkering with how we 
ensure the quality of our software. But having peer review is actually 
one of the best defenses to bad code that you can have because people 
don't ever want to show crappy code to a co-worker.

Flawed code isn't the only way users could get hit. We've seen worms hit 
all the popular instant-message tools. Is that a threat for Skype, too?

Sauer: I haven't seen any. You can't send executable code through a 
chat. A lot of what IM clients are going through is figuring out how to 
properly protect users against things like attacks against browsers that 
are launched through links. To that extent, we're looking at how we can 
partner with companies like antivirus vendors.

Symantec and, I think, McAfee have products that do things like doing 
risk scoring for links. It would be a really interesting thing for us to 
allow for a third-party specialist application to be able to make risk 
assessments of things like link content to help users make informed 
choices. We're certainly in active discussions about how we could do 

Some security experts have predicted that Skype could be used as a way 
for hackers to remotely control networks of compromised computers, 
botnets. Have you seen that happen?

Sauer: I haven't, but you can certainly use Skype for 
application-to-application messaging. I'm not going to say you can't do 
that, but we have not seen instances of that happening. We do think that 
the Skype client has sufficient controls to prevent things like auto 
spreading because of the current authorization model. For example, I 
can't send you a file unless you've authorized it.

Have you seen any proof-of-concepts of malicious software that targets 

Sauer: We've had some security researchers share concepts of things in 
the past. They were just simple ideas that we agreed not to disclose.

Some folks see Skype itself as a security threat, especially in 
businesses with controlled environments. Skype can find its way outside 
of the corporate firewalls even if IT people try to hammer it shut. Is 
Skype a security threat?

Sauer: That's what the most recent copy of our network administrator 
guide and Skype 3.0 is all about. It's trying to provide controls that 
let IT administrators run their networks the way that they want to.

A lot of administrators have objected to users coming in and installing 
Skype on a desktop. One place like that is eBay, it was amusing when we 
had the acquisition. I came out and popped in to talk to the IT people 
who where all stunned because they were trying to keep Skype out. eBay 
has been a really good learning opportunity for us about how a business 
that is not Skype would use Skype in their business. One of the things 
that eBay expressed was a strong desire to be able to push out policies 
and allow those policies to be.

You touched upon encryption, which people and even certain countries are 
concerned about because they want to control what kind of communication 
goes on. How do you deal with that, have you ever caved and given 
anybody the encryption keys to Skype?

Sauer: Since we don't have the encryption keys, therefore we can't give 
them to somebody.

So even you can't listen on my Skype calls?

Sauer: The way that Skype works is that the people who are communicating 
communicate on a secure channel between themselves with keys that are 
generated by them and not generated by Skype.

So the answer to the question--if even you can't listen on somebody's 
Skype calls--is...?

Sauer: What we say to that is that we provide a safe communications 
experience. I'm not going to tell you that we can or can't listen in to 

And you don't provide government, or any agency or any company, a way 
that they could listen in on Skype conversations.

Sauer: We don't.

Skype is offering more paid services, such as SkypeOut for calls to 
regular phones. Recently I've heard complaints from Skype users who had 
their credit card payments declined, even though their card was good. 
Are you experiencing a fraud increase?

Sauer: Anybody who sells nontangible goods with value is a target for 
fraudsters. I've had friends of mine contact me about this very sort of 
thing. We don't publish how we do it, but it is our protection 
mechanism. I'm not going to tell you what our precise method of 
protecting credit cards is, but I will say that if you're going to use 
the same credit card on a bunch of accounts, it's probably not going to 

Is there an increase in fraud? Is it a major concern for you?

Jackson: It's a concern because it's a pain in the ass. We have an 
antifraud algorithm to trap the people who are cheating us, but it traps 
a lot of good users as well. It is a very fine balance that does affect 
the business itself because we're declining a lot of good transactions 
and pissing regular users off.

Rounding out Skype and security, what is your major concern, what keeps 
you up at night?

Sauer: The thing that keeps me up at night is our future development 
activity. We have a lot of new initiatives. We talked about things like 
adding the ability to send money to Skype. These are new areas that 
bring with them new consumer risks, so we have to work closely within 
our engineering teams to make sure we have total buy-in on how we're 
going to do something so that we don't mis-engineer anything.

Subscribe to InfoSec News

This archive was generated by hypermail 2.1.3 : Tue Jan 02 2007 - 22:27:57 PST