Skype Security: Is It Safe for Business?

February 22, 2010 Computer Safety Tip

According to data released last month by TeleGeography, Skype accounts for 12 percent of all long-distance calls worldwide. The number of Skype users grew to over 500 million in 2009. This year the number of users will prove to be even higher.

Last year SIP (also known as Skype for Business) was launched in beta. Prior to that release, Skype was generally used only in personal or consumer settings.

Gough, the owner of the web site skypetips.com and the author of Skype Me! From Single User to Small Enterprise and Beyond, shared his thoughts on some of the challenges, both positive and negative, of Skype in the business world.

CSO: We know that Skype is making a play for business customers with Skype for SIP. But as it stands now, do you think it is used in many business organizations?

Michael Gough: “Predominantly it is still used by individuals, but a lot of small-to-medium-sized businesses utilize Skype to cut costs for things like road warriors. Another common use I’ve seen in business is in outsourcing off-shore resources like help desk or support scenarios where you have a lot of people outside your state and doing off-hour support. Often Skype is an option for some of these companies.”

Are there security concerns with Skype that are unique when compared to other VOIP solutions?

“In any corporation, if you are going to install software on an end-user's computer, you have to do your governance. You have to set the rules that govern what you are going to do or allow with any piece of software. So every enterprise has the challenge of controlling the proliferation of Skype into the environment. If you’re a local administrator, and you’re going to install the product, now, all of a sudden, you have texting and voice conversations that are potentially encrypted and something that the enterprise or company can’t monitor. That is definitely a challenge.”

The first thing an administrator should do is say ‘what are my rules about this? Do I have requirements that say I have to capture IM traffic?’ for instance. For example, if you have employees trading stocks, bonds, anything like that, you can’t use an IM solution (which Skype contains) unless it is actually auditable. It has to be recorded. Anything they chat about has to be able to be logged and printed out.

We know that a DDoS (denial of service) attack can happen at various layers with a VOIP system. How might something like a DDoS attack play out with Skype?

“Fortunately for most businesses that use Skype, they will have traffic over Port 80, or your other typical web-surfing ports. But Skype users can communicate by voice, video and instant messaging. What could potentially happen is an IM could go out to the client; a user could potentially click on that message and take down or infect that computer. But that is a long-term issue with IM that has always existed. It’s not unique to Skype. Is there something that sits on the internet with Skype that can be attacked to take it down? No, not really: Because your client doesn’t know about any infrastructure.”

What happens is when someone wants to call someone else, unlike a VOIP gateway or a telephone, you have to know who you are calling, click on it and it goes out to the Skype infrastructure and pings it. These systems are all over the world, it’s not one box that you invade. So from that perspective, it’s not a really big concern.

What about eavesdropping? Does Skype technology make this any less or more possible with conversations?

“This is the unique thing about Skype that doesn’t occur in most VOIP: Most companies do not encrypt their VOIP traffic, a major flaw. There are lots of tools, like Vomit and VOIP Pong for instance, which allow you to record unencrypted voice packets and recompile it. You just drop this thing, listen, and you can recompile conversations. Skype traffic is encrypted between point A and point B, so it’s theoretically impossible to intercept a Skype call and encrypt it.

However, you can, on each end node, compromise that machine. Much like a solution that records your actions for a PowerPoint presentation, for instance, if you make a video you can play in QuickTime or what have you. That same kind of technology has the ability to record Skype because once it gets to your computer it’s at that point decrypted and any SIM installed, or listening device that is installed, would be able to record a call. But that does require the local machine to be compromised. It’s a pretty low risk from that perspective.”

VOIP is sometimes criticized as making Phishing (phishing schemes conducted over the phone) easier to pull off. Is Phishing a security problem with Skype?

“It can happen to anyone with any phone. It’s the same exploit or concern. If someone goes and searches in the Skype registry for any user and every user in a certain city, they can call them on a Skype account or a Skype out or in number, which is a number you get for calling Skype users that then transfers it to your computer. Same scenario. I don’t think there is any decreased or increased risk.”

Is there a way to do the old phone number spoof technique using Skype?

“Skype for business does have SIP gateways. What happens is this thing is running Skype software that does the translation of Skype calls and translates it to SIP. Toll fraud is alive and well and can still happen, but for the most part you would have to break into the existing phone system in order to exploit Skype. I suppose if I logged into your account because you had a weak password then I could make and use up all of your Skype-out credits. That is a potential for people whose account is compromised. But I wouldn’t say toll fraud is all that prevalent at this point with Skype.”

Comments (2)

 

  1. Basir Streamyx says:

    Superb info, thanks a lot.

  2. Tecort says:

    OK sorry if this is slightly off topic but I thought this was a good one:

    Tech Support: “I need you to right-click on the Open Desktop.”
    Customer: “Ok.”

    Tech Support: “Did you get a pop-up menu?”
    Customer: “No.”

    Tech Support: “Ok. Right click again. Do you see a pop-up menu?”
    Customer: “No.”

    Tech Support: “Ok, sir. Can you tell me what you have done up until this point?”
    Customer: “Sure, you told me to write ‘click’ and I wrote ‘click’.”

    PLEASE POST MORE JOKES :) We can all use a little laugh
