[Dshield] Question on Skype
dshield at oitc.com
Sun Feb 19 00:42:06 GMT 2006
At 3:25 PM -0500 2/17/06, Kenton Smith wrote:
>OK, teminology aside, I new I had read something
>recently that had an excellent summary of the
>implications of using Skype, including security. P2P
>is an issue he lists in there.
>"Like KaZaA, Skype is based on peer-to-peer
>technology: instead transmitting all voice calls
>through a central server, as Vonage does, Skype
>clients seek out and find other Skype clients, then
>build from these connections a network that can be
>used to search for other users and send them
>"Third, because Skype is mostly a peer-to-peer system,
>the overall security can be affected by third parties
>that are in the network (but that are unknown to
>those in a particular phone conversation)."
>Entire paper is here:
>It addresses a number of issues surrounding Skype
OK, I agree that there are numbers of security related issues
specific with skype, especially if you become a node. However, if
you are behind a NAT/firewall the potential legal problems of having
other peoples traffic transit your equipment is basically nonexistant
and the security issues behind the router/firewall are no different
than with AIM, and other IMs and equivalent apps.
However, I find the paper hyping issues that are not Skype specific
issues just normal security issues and it muddles everything together
making me (all colleagues who also read the paper) believe that the
author flet that all were Skype problems.
For example, statements such as
"Finally, it must be remembered that the security of the Skype system
also depends entirely on the good will of Skype's programmers and the
organization running Skype's back-end servers. It is possible that
there are back doors Skype conversations."
So how is this any different than software from Oracle, Microsoft,
IBM, or even preconfigured "open sources" such as SuSE or RedHat or
mySQL? All of these could have been configured by a programmer with
evil intentions to steal information
"Skype enables history recording by default, meaning that all IM
conversations are recorded unless users take other action. These
files could be retrieved through the use of spyware, other
remote-control applications, or by an
adversary who gains physical possession of a computer system."
So this is a "Skype" vulnerability? If your client is so infected for
this to happen, all your private documents have by now been copied to
an adversary and they have to be more valuable that some IM chats.
This is not a Skype issue.
"If a Skype user accesses the Skype network through a malicious
Internet Service Provider, it may be possible for the ISP to direct
that user's Skype communications to the malicious Skype node. Thus,
it may be possible for a malicious ISP to learn any of their user 's
If the messages are encrypted and authenticated (as Skype states and
the article's author begrudgingly infers) then it is difficult to
understand how the "evil ISP" can create a " malicious Skype node"
unless they stole source code and cryto keys from Skype. If not, I
don't see that this is any different risk that any other remote
Now remembering that the article was about NGOs....
If I was an NGO employee in the middle of nowhere but with access to
the net on a laptop, I just might want to use Skype (or iChat audio,
etc) to call home...
Now, on my corporate network, I don't think so yet as there are too
many unknowns! Here, we're implementing our own private iChat server
that will support private, secure (https) jabber text/voice/video
communications between our own users.
More information about the list