http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9012239

By Michael Gough
March 06, 2007
Computerworld

There's been a lot of information -- and misinformation -- available about whether Skype is dangerous to corporate networks and individual users. How dangerous is it? In this article, I'll separate the truth from the myths when it comes to Skype vulnerabilities.

Understanding Skype's basic architecture

Skype is a peer-to-peer (P2P) application, meaning that users connect to one another directly and not through a central server for communication. Skype initially uses Internet-based servers to authenticate users when they log in and to track their status, but when a "chat" or instant message, "voice call" or "file transfer" is initiated, the parties involved communicate over a direct P2P connection.

If one or both of the users are behind a typical corporate Network Address Translation (NAT) firewall, the communication can be relayed through a Supernode because a direct P2P connection can't be established behind a NAT. In the case of a file transfer, you will see a message indicating your transfer is being relayed.

One of security professionals' primary concerns about Skype is that it's so easy for a Skype client to find a way around a secure corporate firewall configuration. Skype does this by using ports 80 and 443, which are open in most firewalls to allow Web browsing. In addition, Skype may reroute traffic if the initial port assigned during the Skype installation isn't available. This makes blocking Skype at a firewall more difficult since the ports Skype uses can change as needed.

Skype also encrypts each communication with a unique AES 256-bit encryption key, meaning each communication will use a different key each time you communicate, making eavesdropping on communications almost impossible.

One more thing to keep in mind about Skype security is its Supernodes, which route Skype traffic.
A Supernode is a computer with a specific configuration: it must have a direct connection to the Internet, it can't be behind a firewall using NAT, and it must have a "real" public routable IP address. Beyond those restrictions, a Supernode can be any Skype user's computer that meets the minimum hardware and configuration requirements.

There's a lot more you can learn about Skype's security architecture. For details, visit the Skype Security Resource Center.

Skype FUD

Now that you have an understanding of how Skype works, we can look at whether it's dangerous. There are a lot of misconceptions floating around about Skype. Here are the five most common:

1. Skype uses a lot of bandwidth on a network.
2. Any computer can be a Supernode.
3. Skype is like any other IM application and susceptible to IM worms and viruses.
4. Skype is hard to stop on my network.
5. Skype is encrypted so I cannot archive IM messages.

Let's take a look at each of them in turn:

Myth No. 1: Skype uses a lot of bandwidth on my network

Skype actually uses very little bandwidth, approximately 30Kbit/sec. per voice call. If a user's computer becomes a Supernode, then yes, it will consume a tremendous amount of bandwidth. But remember that a system must be directly connected to the Internet in order to become a Supernode, and in most corporate configurations PCs aren't directly connected to the Internet, so this is normally not an issue.

Myth No. 2: Any computer can be a Supernode

We've already learned that a system must have a routable IP address and sit directly on the Internet to become a Supernode. If a computer resides in a typical company network protected by a firewall that provides NAT, using a 192.168.x.x or 10.x.x.x private IP address scheme, then it's impossible for it to become a Supernode. NAT firewalls and even home routers prevent many systems from becoming Supernodes.

Myth No. 3: Skype is susceptible to IM worms and viruses

Last year, there were 1,355 viruses or worms that affected IM clients through early December, according to Akonix Systems Inc., and not one of those affected Skype. Though Skype did have two security alerts in 2006, four in 2005 and one in 2004, none of these has been exploited.

The main vulnerability of IM applications is their file transfer feature, which can be exploited to allow anyone to send a file that contains possible malware. To protect against this, Skype file transfers can be scanned with any antivirus application that is up to date and running in "auto-protect" mode. In addition, many antivirus applications have specific IM-scanning options. So if you have a current, up-to-date antivirus application that runs in "auto-protect" mode, you have little to worry about. You can also disable Skype's file transfer feature.

Myth No. 4: Skype is hard to stop on my network

Skype is only hard to block if you don't know what is on your network or if you don't have good configuration management of your clients. There are many ways you can block Skype, ranging from scripts to using network management software, to blocking Skype at the network layer. For details, see this article.

Myth No. 5: Skype is encrypted, so I can't archive IM messages

This one's not really a myth. Skype sessions are encrypted, so yes, you can't capture or archive Skype communications. The same is true of many IM applications, though, so it's not less secure than other IM programs that can use encryption.

Conclusion

So far, Skype hasn't suffered from the ills that bedevil most of the IM applications regarding viruses and worms. But it's most likely only a matter of time before a vulnerability is discovered and exploited. Any application that allows file transfers, IM or voice that can't be monitored, archived or recorded, has some level of risk.
However, Skype's architecture is more difficult to crack than other IM applications open to the Internet, and so it's the safest of those, but there are non-Internet applications like Jabber that are even safer for internal-only IM communication. But if asked if Skype is safer than MSN Messenger, Yahoo Messenger, AIM or ICQ, the answer is "yes" for now.

For more information:

Skype Slips into business
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=112575

Skype aims to meet more business needs
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9006678

Skype Security Blog
http://share.skype.com/sites/security

Skype - Wikipedia, the free encyclopedia
http://en.wikipedia.org/wiki/Skype

SkypeTips.com
http://skypetips.internetvisitation.org/

-=-

Michael Gough is host and webmaster of SkypeTips.com and VideoCallTips.com.
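
The Supernode conditions discussed under Myth No. 2 can be checked against a host inventory. The following is an added example, not part of the original article: the inventory, its field names and the function names are hypothetical, and the non-routable list goes beyond the two ranges the article names by including the rest of RFC 1918 and carrier-grade NAT space.

```python
import ipaddress

# IPv4 ranges that are not publicly routable. The article names 10.x.x.x and
# 192.168.x.x; 172.16.0.0/12, 100.64.0.0/10 (carrier-grade NAT), loopback and
# link-local are added here on the same reasoning.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
)]

def is_publicly_routable(addr):
    """True for an IPv4 address outside every range above (IPv6 is not assessed)."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and not any(ip in net for net in NON_ROUTABLE)

# Constructed inventory with hypothetical field names. 203.0.113.0/24 is a
# documentation range standing in for real public addresses.
INVENTORY = [
    {"host": "desk-014", "addresses": ["10.20.1.14"], "behind_nat_firewall": True},
    {"host": "lab-dmz-2", "addresses": ["192.168.5.2", "203.0.113.10"],
     "behind_nat_firewall": False},
    {"host": "kiosk-7", "addresses": ["203.0.113.44"], "behind_nat_firewall": True},
    {"host": "vpn-gw", "addresses": ["172.20.0.1", "100.64.3.9"],
     "behind_nat_firewall": False},
]

def supernode_candidates(inventory):
    """Return (host, address) pairs that meet both conditions the article gives:
    a public routable address and no NAT firewall in front of the host."""
    hits = []
    for entry in inventory:
        if entry["behind_nat_firewall"]:
            continue  # NAT in front of the host rules it out
        for addr in entry["addresses"]:
            if is_publicly_routable(addr):
                hits.append((entry["host"], addr))
    return hits

if __name__ == "__main__":
    for host, addr in supernode_candidates(INVENTORY):
        print(f"{host}: {addr} is directly reachable; review Skype use on this host")
```

Hosts reported here are the ones where the Supernode bandwidth concern from Myth No. 1 applies.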