[Dshield] Question on Skype

Tom dshield at oitc.com
Sun Feb 19 00:42:06 GMT 2006


At 3:25 PM -0500 2/17/06, Kenton Smith wrote:
>OK, teminology aside, I new I had read something
>recently that had an excellent summary of the
>implications of using Skype, including security. P2P
>is an issue he lists in there.
>"Like KaZaA, Skype is based on peer-to-peer
>technology: instead transmitting all voice calls
>through a central server, as Vonage does, Skype
>clients seek out and find other Skype clients, then
>build from these connections a network that can be
>used to search for other users and send them
>messages."
>and
>"Third, because Skype is mostly a peer-to-peer system,
>the overall security can be affected by third parties
>that are in the network (but that  are unknown to
>those in a particular phone conversation)."
>Entire paper is here:
>http://www.tacticaltech.org/files/Skype_Security.pdf
>
>It addresses a number of issues surrounding Skype
>security.

OK, I agree that there are numbers of security related issues 
specific with skype, especially if you become a node.  However, if 
you are behind a NAT/firewall the potential legal problems of having 
other peoples traffic transit your equipment is basically nonexistant 
and the security issues behind the router/firewall are no different 
than with AIM, and other IMs and equivalent apps.

However, I find the paper hyping issues that are not Skype specific 
issues just normal security issues and it muddles everything together 
making me (all colleagues who also read the paper) believe that the 
author flet that all were Skype problems.

For example, statements such as

"Finally, it must be remembered that the security of the Skype system 
also depends entirely on the good will of Skype's programmers and the 
organization running Skype's back-end servers. It is possible that 
there are back doors Skype conversations."

So how is this any different than software from Oracle, Microsoft, 
IBM, or even preconfigured "open sources" such as SuSE or RedHat or 
mySQL?  All of these could have been configured by a programmer with 
evil intentions to steal information

"Skype enables history recording by default, meaning that all IM 
conversations are recorded unless users take other action. These 
files could be retrieved through the use of spyware, other 
remote-control applications, or by an
adversary who gains physical possession of a computer system."

So this is a "Skype" vulnerability? If your client is so infected for 
this to happen, all your private documents have by now been copied to 
an adversary and they have to be more valuable that some IM chats. 
This is not a Skype issue.

"If a Skype user accesses the Skype network through a malicious 
Internet Service Provider, it may be possible for the ISP to direct 
that user's Skype communications to the malicious Skype node. Thus, 
it may be possible for a malicious ISP to learn any of their user 's 
Skype passwords."

If the messages are encrypted and authenticated (as Skype states and 
the article's author begrudgingly infers) then it is difficult to 
understand how the "evil ISP" can create a " malicious Skype node" 
unless they stole source code and cryto keys from Skype. If not, I 
don't see that this is any different risk that any other remote 
access scenario.

Now remembering that the article was about NGOs....

If I was an NGO employee in the middle of nowhere but with access to 
the net on a laptop, I just might want to use Skype (or iChat audio, 
etc) to call home...

Now, on my corporate network, I don't think so yet as there are too 
many unknowns!  Here, we're implementing our own private iChat server 
that will support private, secure (https) jabber text/voice/video 
communications between our own users.

Tom


More information about the list mailing list