This story was printed from silicon.com, located at http://www.silicon.com/
Story URL: http://www.silicon.com/research/specialreports/voipsecurity/0,3800013656,39166609,00.htm
Is Skype secure enough for businesses?
Analysis: Experts say 'no'
By Stewart Baines
Published: Monday 02 April 2007
Though Skype touts security features, is it safe enough to be a serious option for businesses? Stewart Baines hears from the sceptics and explains how to secure the popular VoIP software if you decide to use it.
Skype is wildly popular. The eBay subsidiary says it has 171 million registered users, 30 per cent of whom are using the VoIP software in businesses. It's anyone's guess how many registered business users are using it with their company's blessing but there is a good chance it is present in a significant proportion of the UK's small businesses.
The question that small businesses need to address is whether to bring Skype into the fold and condone its use or continue to turn a blind eye.
With so many business users, it's hardly surprising the VoIP software company is turning to the establishment for its future prosperity. It has been developing a number of business features and a security policy it believes will appease enterprise concerns.
Firstly, the voice and chat bit-streams have very strong encryption which Skype claims fully protects against unauthorised eavesdropping. Secondly, file transfers can be scanned by major antivirus products. Thirdly, firewalls do not need to be compromised as Skype doesn't require any additional inbound ports to operate, and the privacy settings allow people to block all incoming calls from anyone not in their contact lists.
In the business version of Skype, there are some additional features aimed at enterprise users including downloading and updating via Windows Installer, and a Skype for Business Control Panel that lets administrators set rights and privileges. This gives them some control over how Skype performs on the enterprise network.
While Skype is addressing the vulnerabilities in its software, several potential threats remain and, according to industry experts, they pose too much of a risk for businesses to condone its use.
Question of encryption
According to security experts, Skype remains vulnerable. Lawrence Orans, a research director at Gartner who wrote a research note on Skype security, says: "While Skype's 3.0 release clearly offers some enterprise-class features, an underlying issue still remains: Skype uses a proprietary signalling protocol. Skype's protocols cannot be secured by standard firewall products.
"Also, Skype has had several vulnerabilities discovered in its code and has not shown enterprise-level capabilities in timely development and distribution of patches, workarounds and guidance."
An independent test in 2005 by Tom Berson, a cryptographer and security expert, can be found on the Skype website. Berson confirms the Skype protocol is hard to break.
But that does not reassure the many IT directors who do not want systems in their enterprise that use undisclosed proprietary encryption (or for that matter governments who want to wire-tap calls). They are concerned about how Skype is being used.
Unlike major instant messaging applications, which do support logging and filtering, the closed nature of Skype means it is impossible for third-party applications to interface with Skype. This makes it very difficult to know exactly what information is entering or leaving the organisation.
Vishing, spoofing and spit
While Skype's strong encryption prevents interception and eavesdropping, the software is still vulnerable to the vishing (phishing scams over VoIP) and social engineering threats that email and telephony also suffer from.
Mark Osborne, chief information security officer at carrier Interoute, says: "The biggest risk that Skype presents is not the breaking in to steal corporate assets, it's the threat from viruses and keyword loggers in malware."
One of the recent Skype threats centres around the Warezov worm. This entails users receiving a chat message that encourages them to click a link which downloads the malware, according to antivirus company F-Secure.
Another threat is spoofing: a voice message or even live call encouraging you to go to a website or call a number to confirm your bank details or Skype password. If a fraudster can solicit your login details, they can run up a substantial bill on SkypeOut, the service that allows Skype users to call standard telephone numbers.
Fears over the theft of Skype passwords are not unfounded. According to the Symantec Internet Security Report published in March 2007, a survey of stolen information used in identity theft found Skype passwords were being advertised on 'underground economy' servers. They sell for $12 each, alongside stolen credit card details with card verification values ($1 to $6) and a full identity including US bank account, credit card, date of birth and government-issued identification number ($14 to $18).
Spam on softphones and IP handsets - often called spit - has been widely reported as a future threat. If unsolicited voice communications (or recorded messages) become a problem in their volume and potentially illicit enticements, content filters will be of little use as they will not be able to break the encryption. Even unencrypted VoIP is difficult to content filter, although not impossible. Plus, spoofing can hide the real source of the messages.
But according to Chris Linsay, general manager for broadband voice & software at BT Business: "There are a lot of theoretical threats but not that many real incidences yet. It's a bit too nascent."
Better practice
There are some basic tips for protecting Skype users from hackers, fraudsters and spammers.
According to Gartner's Orans, blocking Skype is no simple affair. "Many network equipment and security vendors claim the ability to block Skype traffic," he says. "However Skype has also been known to modify its protocol from release to release, potentially rendering blocking mechanisms ineffective until the vendors can catch up and make the appropriate modifications."
Use at your peril
'Use it at your own risk' appears to be the motto among security experts for using Skype within a business.
If the majority of use is internal, then alternatives exist such as the voice components of Microsoft Office Communicator or Lotus Sametime. Alternatively, telcos such as BT (the BT Broadband Softphone) and Interoute (iSip) now offer softphone clients that can be used freely between clients, with an obvious charge for breaking out to the PSTN.
The view from the security professional is that Skype's risks outweigh its benefits.
Interoute's Osborne says: "Skype may be freely downloaded but it must be stopped from entering the corporate environment where it is simply not acceptable. Consumers do drive applications into the corporate world (e.g. IM) but increasing conflict between corporate regulations and compliancy and the activities of individual users who want to download their own software, can only have one winner. The company must win."
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.