http://www.csoonline.com/read/030105/machine.html
By Simson Garfinkel March 2005 CSO Magazine Skype is a high-quality encrypted Internet telephony system that allows for the exchange of files, interconnects with the public switched telephone system and easily tunnels through firewalls. You may not have heard of Skype, but there are 9 million Skype users, so chances are some of your employees have. Skype provides a cheap way to communicate, but CSOs should know that the system's security is impossible to audit, and the vendor refuses to disclose details on security features. If secure communications are important to your business, read on. Depending on your organization, Skype is either a wonderful tool for communication or a problem technology that must be policed, controlled and, if possible, eliminated from your systems. Skype was released last year by the creators of Kazaa, the popular file-trading system. Like Kazaa, Skype is based on fire- wall-busting peer-to-peer technology. When you first start running Skype, it scans the Internet looking for a Skype "supernode." Supernodes are other people running the Skype program who aren't screened by firewalls. These users can consequently both receive and initiate connections across the Net. An unknown number of supernodes link to other supernodes; eventually, the chain reaches back to the Skype servers, wherever they happen to be. Supernodes also facilitate connections back to Skype users who are behind firewalls and Network Address Translation boxes. But despite their similarities, Skype does not come with Kazaa's baggage. Unlike Kazaa, Skype is not advertiser-supported and does not come with adware or spyware. Instead, Skype's creators make money by operating the bridge between the Skype network and the other telephone networks. With the SkypeOut service, a Skype user can place calls to ordinary landlines or cell phones throughout the world for just a few pennies per minute from their computers. SkypeIn, a corresponding service that will be released this summer, will allow Skype users to receive phone calls from the telephone network. Every Skype user has a unique Skype user name and password. You provide the user name and password when you log in; the network then verifies that your password matches the password that you provided when you signed up. Once you've logged in, you can initiate a call through your desktop to any other Skype user. You don't need to know where he is; he just has to be logged in to Skype somewhere on the Internet. Unlike AOL Instant Messenger, there's no problem with being logged in to Skype in more than one location. Each location will ring if someone tries to call you. Thus, Skype is a lot friendlier to people like me who work from multiple computers. And while it's primarily designed for voice communications, Skype will also let you send instant text messages and files. Most people I know who use Skype keep a very short contact list of other Skype users and block incoming voice and text messages from everyone else. Unlike Vonage and other voice-over-IP systems, Skype is not based on session-initiated protocol or any other Internet standard. Skype uses a protocol that's both proprietary and secret. The company claims that all Skype communications are encrypted with a 256-bit advanced encryption standard and that keys are exchanged using the RSA encryption algorithm. I've looked at Skype's packets, and I can verify that they are in fact encrypted, but there's really no way to know how secure it is without considerable documentation and cooperation from the company. These facts combine to make Skype an emerging problem for many CSOs. For organizations—such as investment companies—that are required by law to monitor communications between their employees and their customers, Skype is an untappable voice gateway. It's also largely unstoppable, because Skype can tunnel through, over or around most kinds of firewalls. And for organizations—such as hospitals—that are required by law to provide for secure communications between employees and customers, Skype gives the appearance of a secure communications channel, but it might not provide any security at all. On the other hand, if neither monitoring nor secrecy of voice communications is a legal requirement for your organization, another perfectly reasonable approach is to embrace Skype and its peer-to-peer voice technology. Skype is certainly more secure than most cell phones, which have their encryption disabled, or landlines that don't have any encryption at all. Sure, there is a chance that your Skype conversation is going through another person's computer, and there's a chance that they've managed to crack Skype's algorithm and are listening in on everything you say. Even though there is certainly the potential for abuse, in most cases the actual chance of abuse is small. Another important aspect of security is availability—that is, making sure that systems and backup systems are always available to serve your users' needs. And availability is where Skype really shines. No matter where you are, if you have some kind of connectivity to the Internet, you can use Skype to communicate with others. This is a huge benefit to the mobile worker, because you can just sit down in some cybercafé anywhere in the world, take out your laptop, and—wham!—you are in direct communication. (On the other hand, if Skype's creators decide to pull the plug on the company's servers, every Skype user on the planet will be suddenly dead in the water—unless, of course, an enterprising hacker can figure out how to patch the Skype executable so that it uses a different set of servers on the Internet.) Because it's peer-to-peer, you can use Skype to exchange large files without worrying about any server-based restrictions. Although the protocol doesn't seem to recover gracefully from interrupted transmissions (it restarts the transfer in the middle of the file), it's completely reasonable to use Skype to send 100MB files from one end of the planet to the other. Skype's servers will do the user name/ password authentication, but the data packets will go directly from one user's computer to the other's—possibly passing through a Skype user or two. The fact that Skype's user name/password combinations are validated by central servers gives Skype another big advantage over e-mail: authentication. The vast majority of e-mail on the Internet is sent without authentication. As a result, when you get a piece of e-mail, you never can be sure that the address listed on the message is where it was really sent from. But since every Skype user is validated before being allowed to join the network, you can have reasonable trust in the identities that flash through the Skype application. Such authentication helps build the business justification for Skype. Two negatives are operating against Skype. The first is the fact that the Skype client running on your computer can and will relay calls between other network users without your knowledge. That can pose a problem on networks that have only a little bit of Internet connectivity. It makes sense that Skype would detect how much bandwidth you have for this kind of third-party altruism. But alas, the algorithm that Skype uses to determine how much of this relaying it is allowed to engage in is proprietary, so we can't know for sure. The other drawback is that bad guys can, of course, use Skype to send worms and viruses. Obviously, the first thing to do is to block files transmitted by anyone you don't know. A better approach would be to integrate Skype with your computer's antivirus system so that all incoming files are automatically scanned. That's not currently a Skype feature, but it might be by the time you read this. Probably the most important thing about Skype, however, is not the program's functionality today, but something much deeper about the whole Skype process. One year after Skype launched, it had more than 9.5 million users worldwide, with more than 1.5 million connections per day and, on average, 500,000 people connected at any given time. The software is available for Windows, Mac OS X, Linux and Pocket PC. The software has the capability of automatically updating and upgrading itself, allowing it to acquire new features at any time—potentially without the permission of the user. The software uses a secret protocol; all communications are encrypted. And Skype Technologies does its engineering in Tallinn, Estonia, has some business operations in London and registers its website in Amsterdam. If I were going to write an information warfare thriller with a theme based on Invasion of the Body Snatchers, this is certainly where I would start. Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He can be reached via e-mail at [EMAIL PROTECTED] _________________________________________ Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
