Five Reasons NOT to block Skype

Guest Blogger on November 15, 2005 06:08 PM

By Michael Gough with Bill Campbell

Being a security consultant, I am always amazed when I read articles like the one I recently found on blocking Skype. The firm Info-Tech Research Group in Australia claims in its report "Five Reasons To Ban Skype" that the popular VoIP technology is just too insecure for business use. Blanket statements like that are grossly inaccurate: each business is different and has the responsibility to set its own policy to match its specific needs. Many Fortune 500 companies approve and use Skype for internal use.

First and foremost, a company should create a policy for any and all new technologies, and that policy should ban their use until they are specifically allowed. This should be the default for most organizations that try to manage, control and secure their IT resources. From this perspective, Info-Tech is correct: Skype should be treated like any other IM product. Many companies allow IM, but with a policy that states "not for company-sensitive business use." This means chatting about the weather is fine; discussing mergers is not. Most of us know the difference. Info-Tech estimates that roughly one-third of Skype's 53 million registered users are business users.

Among the dangers Skype poses, according to Info-Tech:

  1. It is too firewall-friendly. Skype's proprietary closed-source VoIP protocol does not employ accepted VoIP standards like H.323 and Session Initiation Protocol (SIP). Skype's protocol allows it to traverse corporate firewalls and symmetric NATs (the part of the network that gives you IP addresses for use inside the firewall and that matches yours to a public IP address). An unknown and unsanctioned VoIP protocol freely roaming the network, without IT's approval or assessment, poses an unacceptable transgression of IT's authority over the corporate network and computing resources.

  2. Skype has too many vulnerabilities. Buffer overflow vulnerabilities are known to exist in Skype. And since Skype travels the network as data packets, conversations are prone to capture. Problems also exist with Skype's encryption format: First, it doesn’t prevent a man-in-the-middle attack and secondly, if it becomes infected with a worm (which it one day will), the worm could hide in the encryption during transmission, undetected by anti-virus software. Because the encryption is closed source, there are some unanswered questions about how well the keys are managed. Finally, Skype recently announced that all of its VoIP clients, including Windows, Linux, Mac OS X, and Pocket PC, suffer from bugs that leave PCs prone to crashes and open computers to takeover by a hacker.

  3. It poses a communication barrier with other countries or institutions. Countries like China and Oman have banned Skype already, as has the United Arab Emirates. Many post-secondary institutions in North America have banned Skype as well, in addition to most other P2P and file sharing applications.

  4. It violates established legal requirements. For example, securities brokers operate under a mandatory requirement to record and track all telephone calls. Unsanctioned usage of an application like Skype would put a brokerage at severe risk of prosecution if caught using telephony that is undetectable, untraceable, and unauditable.

  5. It is one more type of communication to secure, monitor, store, and archive. Enterprises are already struggling with records retention rules imposed by HIPAA, Sarbanes-Oxley, and other laws. In addition, the question of whether VoIP calls constitute a business record or not is a legal quagmire in and of itself. Throwing Skype into the communications mix will only further cloud the issue.

On the other hand...

    #1 – Yes, Skype does not use either of the two most popular VoIP standards, H.323 or SIP. That is because Skype was not designed to interoperate with those systems, so there was no need; where there is a need, gateways can connect the two, and several vendors are now developing them. SIP has been known to have many security issues of its own, and no solution is "totally secure." To think Skype is, or should be, goes against the evidence that no application is 100% secure. H.323 and SIP have had many vulnerabilities over the years, and you do not see companies banning those devices. If you want to see how insecure your VoIP solution is, download either VOMIT or VoIPong and run it against a SIP or H.323 system (with the approval of your information security manager, of course). You will find you can record anyone's voice call without permission if you have access to the voice network the IP phones reside on, because the audio itself travels as unencrypted RTP that these tools simply reassemble into an audio file. I saw a presentation a few years ago by Ofir Arkin on VoIP security and he demonstrated how insecure SIP could be, so do not begin to think SIP or H.323 are any more or less secure than Skype – they are just different. Skype was not designed to be the corporate IP telephone infrastructure; SIP and H.323 were. Info-Tech is comparing apples to oranges.
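
What VOMIT and VoIPong do under the hood, as an added example (this is my code, not code from the original post nor from either tool): an RTP parser and G.711 mu-law decoder that turns the UDP payloads captured on a voice VLAN into 16-bit PCM samples and a WAV file. The packets are constructed inline for the example; a real capture would feed the same functions the UDP payloads from tcpdump or a pcap library. The decoder is the standard G.711 mu-law expansion, and payload type 0 (PCMU) is the static RTP mapping for it.

```python
import io
import struct
import wave


def build_rtp_packet(seq, timestamp, payload, payload_type=0, ssrc=0xDEADBEEF):
    """Build a minimal RTP packet (RFC 3550): V=2, no padding, extension or CSRCs.

    Used only to construct sample input for this example; on a real voice VLAN
    the packets come straight off the wire.
    """
    first = 0x80                          # version 2, P=0, X=0, CC=0
    second = payload_type & 0x7F          # marker bit clear
    return struct.pack("!BBHII", first, second, seq, timestamp, ssrc) + payload


def parse_rtp(packet):
    """Split an RTP packet into a header dict and its media payload.

    Handles CSRC lists, header extensions and padding; raises ValueError for
    anything that is not RTP version 2 or is truncated.
    """
    if len(packet) < 12:
        raise ValueError("too short for an RTP header")
    first, second, seq, ts, ssrc = struct.unpack("!BBHII", packet[:12])
    if first >> 6 != 2:
        raise ValueError("not RTP version 2")
    offset = 12 + 4 * (first & 0x0F)      # skip contributing-source IDs
    if first & 0x10:                      # extension header present
        if len(packet) < offset + 4:
            raise ValueError("truncated extension header")
        ext_words = struct.unpack("!H", packet[offset + 2:offset + 4])[0]
        offset += 4 + 4 * ext_words
    end = len(packet)
    if first & 0x20:                      # padding: last byte is its length
        end -= packet[-1]
    if offset > end:
        raise ValueError("malformed RTP packet")
    header = {"pt": second & 0x7F, "marker": bool(second & 0x80),
              "seq": seq, "ts": ts, "ssrc": ssrc}
    return header, packet[offset:end]


def ulaw_to_linear(u):
    """Decode one G.711 mu-law byte into a signed 16-bit PCM sample."""
    u = ~u & 0xFF                         # mu-law bytes are stored inverted
    sign = u & 0x80
    exponent = (u >> 4) & 0x07
    mantissa = u & 0x0F
    sample = (((mantissa << 3) + 0x84) << exponent) - 0x84
    return -sample if sign else sample


def decode_stream(packets, ssrc=None):
    """Decode the PCMU payloads of one RTP stream into 16-bit samples.

    Packets are reordered by sequence number (no wrap-around handling, which
    is fine for a short capture); anything that is not PCMU (payload type 0)
    or not from the selected SSRC is skipped.
    """
    parsed = []
    for pkt in packets:
        try:
            hdr, payload = parse_rtp(pkt)
        except ValueError:
            continue
        if hdr["pt"] != 0 or (ssrc is not None and hdr["ssrc"] != ssrc):
            continue
        parsed.append((hdr["seq"], payload))
    samples = []
    for _, payload in sorted(parsed, key=lambda p: p[0]):
        samples.extend(ulaw_to_linear(b) for b in payload)
    return samples


def samples_to_wav(samples, rate=8000):
    """Wrap decoded samples as a mono 16-bit WAV file and return its bytes."""
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(rate)              # G.711 is sampled at 8 kHz
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample "capture": two packets, delivered out of order.
    captured = [build_rtp_packet(2, 320, bytes([0x80, 0x7F])),
                build_rtp_packet(1, 160, bytes([0xFF, 0x00]))]
    pcm = decode_stream(captured)
    print(pcm)                            # [0, -32124, 32124, 0]
    with open("call.wav", "wb") as f:
        f.write(samples_to_wav(pcm))
```

Nothing in the stream is authenticated or encrypted, so any host that can see the voice VLAN (a mirror port, ARP spoofing, or simply a shared segment) gets the conversation; that is the whole point of the comparison with Skype's encrypted media.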

    Skype is incredibly firewall-friendly, but there are ways to block it. Commercial appliances from BlueCoat and Verso claim to do so; Chinese telcos bought Verso appliances to block Skype. You can also use your software inventory or asset management solution, or just write a script that goes out on your network, discovers any Skype clients and disables or deletes them as needed. If you do not know how, let me know, and you can hire me to show you. Info-Tech's blanket statement attempts to spread "FUD" (fear, uncertainty and doubt) about Skype in order to block it in the enterprise. That is unwarranted.

    #2 – The recently announced buffer overflow vulnerabilities are no different from those in any other application, including the Windows operating system that runs on 90% plus of the systems in enterprises worldwide. By this logic they should also ban Microsoft Windows, with all the worms, damage and financial losses companies have already suffered: clearly a much higher risk to organizations than Skype's vulnerabilities, which were identified and patched just as any application vendor does. Between the time a vulnerability is announced and the time it is patched, you can do exactly what I suggested in #1: scan your network and disable Skype until it has been updated. Simple and easy. Info-Tech also did not seem to acknowledge the "Skype Security Evaluation" white paper by Tom Berson of Anagram Laboratories, released by Skype in October 2005, which discusses most of the security aspects of Skype and answers many concerns IT security professionals would have. As in any software, bugs are inherent and unavoidable. That is why we recommend you practice "defense in depth" to contain the risks associated with any and all applications, and especially the operating system they run on. Worms do not need Skype; they do just fine on the Windows operating system alone. Info-Tech's logic applies equally to a corporate VPN used to secure a connection between home and work: worms have been seen and proven to pass through that encrypted channel, and I do not see Info-Tech warning anyone of this threat. It all comes down to "defense in depth" and protecting the asset that runs any operating system and every application on it. With a hardware Cable/DSL router and firewall in the home and anti-virus software on the mobile systems, a client is fairly secure from worms. Might I also point out that Microsoft is the leader in IM, with over 250 million users, far more than Skype, and also has voice capability. MSN is just not as flexible or as good as Skype, and I do not see Info-Tech warning anyone about this application that is used far more widely than Skype. They did say Skype "should be treated like any other IM product," and in that they are correct. Treat Skype as you would AIM, YIM, MSN or any other IM product.
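
As an added example of the inventory-driven approach from #1 and the interim "disable until updated" step above (this is my code, not code from the post): a script that reads an asset-management export, finds every Skype install, and decides per host whether it is fine, must be disabled until it is patched, or must be removed under a default-deny policy. The CSV and its column names are constructed for the example, and the minimum patched version is a placeholder to set from the vendor's bulletin; the actual disable or remove step is left to whatever endpoint tool you already push changes with.

```python
import csv
import io
import re

# Constructed software-inventory export for this example (not real data).
# The column names are an assumption about what an asset management tool
# exports; adjust them to match yours.
SAMPLE_INVENTORY = """\
hostname,ip,product,version
ws-0417,10.20.4.17,Skype,1.3.0.66
ws-0418,10.20.4.18,Skype,1.4.0.84
ws-0419,10.20.4.19,Microsoft Office,11.0.6568
lt-0102,10.20.9.2,skype,1.4.0.71
lt-0103,10.20.9.3,Skype,1.4
dmz-web1,203.0.113.50,Skype,1.4.0.84
"""


def parse_version(text):
    """'1.4.0.84' -> (1, 4, 0, 84) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def version_lt(a, b):
    """True if version tuple a is older than b; missing trailing parts count as 0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def skype_installs(inventory_csv):
    """Yield (hostname, ip, version tuple) for each row whose product is Skype."""
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["product"].strip().lower() == "skype":
            yield row["hostname"], row["ip"], parse_version(row["version"])


def plan_actions(inventory_csv, min_patched, policy="allowed"):
    """Decide, per host, what to do with the Skype client found there.

    policy="allowed": the client is sanctioned; keep installs at or above
        min_patched and mark older ones "disable-until-updated" (the interim
        step between a vulnerability announcement and the patch rollout).
    policy="banned": default-deny; every install is marked "remove".
    Returns a list of (hostname, ip, version string, action) tuples.
    """
    plan = []
    for host, ip, ver in skype_installs(inventory_csv):
        if policy == "banned":
            action = "remove"
        elif version_lt(ver, min_patched):
            action = "disable-until-updated"
        else:
            action = "ok"
        plan.append((host, ip, ".".join(map(str, ver)), action))
    return plan


def hosts_to_act_on(inventory_csv, min_patched, policy="allowed"):
    """Just the hostnames that need something done, for feeding to a deployment tool."""
    return [h for h, _, _, act in plan_actions(inventory_csv, min_patched, policy)
            if act != "ok"]


if __name__ == "__main__":
    # Placeholder: the first build that carries the fix for the announced bug.
    MIN_PATCHED = parse_version("1.4.0.84")
    for entry in plan_actions(SAMPLE_INVENTORY, MIN_PATCHED):
        print("%-10s %-14s %-10s %s" % entry)
```

Comparing versions as integer tuples matters: as strings, "1.10" sorts before "1.9", and a two-part version like "1.4" would otherwise never match a four-part minimum.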

    #3 – Yes, companies and countries have blocked Skype, some for fear of economic damage to their telco industry, as China has done. British Telecom specifically lowered its long-distance fees to match or beat Skype's because of this economic threat. Others block it to avoid file sharing that leads to lawsuits over copyrighted material. Company policy should dictate how to treat applications that can transfer files, and that includes email, web-based email and web surfing, which many companies allow. For file sharing there is nothing Skype can do that web-based email cannot also do. Both are encrypted channels, web email over HTTPS/SSL and Skype with AES, so from the network's point of view there is no difference. Company policy should dictate the use of anti-virus "auto-protect" solutions that scan files as they are saved, just as with email. Companies have the same issue with copyrighted or inappropriate material transferred over Skype or any IM product as they do over email, web-based email or web downloads. Skype does not increase this risk at all. Set a company policy on all file transfers and on how the company will look for inappropriate material on all company systems regardless of how it got there: the rules and actions are the same. Did I point out that you can disable the file transfer capability of Skype, making it less of a risk than email or web surfing?

    #4 – Yes, some companies that trade stock, for example, are required in the United States by the SEC and OCC to monitor all transactions of these individuals to avoid insider trading, as Martha Stewart is all too familiar with. These institutions also ban web-based email, scan and monitor email and approved IM solutions, and yes, can even monitor internal telephone calls. Some organizations with these requirements should ban and control any and all communication as part of their jobs, but these companies are the minority, not the norm. Also, users at these companies would just go outside and use their cell phone with text messaging to conduct this sort of risky business, and businesses are not required to monitor cell phones or text messaging. So what applies to these companies does not apply to 90% of all companies. Did I mention that there are recording solutions that can record Skype calls?

    #5 – If the regulatory people, of which Info-Tech forgot to mention CALEA, cannot decide what to do about all of these solutions, then how are companies supposed to cope? Again, a company should set a communication policy of what to use and when, so an employee uses the correct communication device for the correct communiqué. New solutions are being developed all the time, and just because something is new does not mean it should not be considered. A company should have a new-technologies policy that states "any and all technologies are banned until a policy is created on the proper use of these technologies." Then determine the proper use, allow the technology and monitor its use.

    The Butler Group raises another concern, one it says Info-Tech missed and calls a key reason for corporations not to use Skype: the hijacking of bandwidth. The issue is the supernode mechanism inside Skype, which was specifically designed to let Skype punch through network address translation (NAT) and firewalls.

    #6 – The Butler Group is incorrect in this statement. It should be of little or no concern to a business that uses an enterprise firewall such as a Cisco PIX, NetScreen, CheckPoint or other true firewall. Home users with a Cable/DSL router, and any business that uses a NAT or firewall product, cannot become supernodes. Only a system that is open on the Internet with a true routable IP address, has the Skype client loaded and has enough CPU, memory and storage can become a supernode. Most if not all corporate enterprises worldwide use these types of devices, so losing bandwidth to a supernode is a non-issue. If a company does see this behavior, then a system is misconfigured or deliberately exposed (a Skype client sitting on a public address or behind a port-forward), and it has bigger issues than Skype. This is something you should verify, by checking which Skype hosts are reachable from the Internet and which accept inbound connections from many outside peers, but in reality you should not find it.
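
One way to do that verification, as an added example (my code, not the post's): a check over perimeter firewall log lines for internal hosts that accept inbound connections from many distinct outside peers, which is how a supernode looks from the network edge, plus a helper that tells you whether a host even carries a routable address. The log lines and their format are constructed for the example; the premise that supernode behaviour shows up as inbound fan-in from unfamiliar external addresses is my assumption, and the threshold is a tuning knob.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed perimeter-firewall log lines for this example (not real data).
# The line format is an assumption: timestamp action proto src:port -> dst:port
SAMPLE_LOG = """\
2005-11-15T09:00:01 ALLOW TCP 198.51.100.7:50211 -> 203.0.113.50:33033
2005-11-15T09:00:02 ALLOW TCP 198.51.100.8:50212 -> 203.0.113.50:33033
2005-11-15T09:00:03 ALLOW UDP 198.51.100.9:50213 -> 203.0.113.50:33033
2005-11-15T09:00:04 ALLOW TCP 192.0.2.21:40000 -> 203.0.113.50:33033
2005-11-15T09:00:05 ALLOW TCP 192.0.2.22:40001 -> 203.0.113.50:33033
2005-11-15T09:00:06 ALLOW TCP 192.0.2.23:40002 -> 203.0.113.50:33033
2005-11-15T09:00:07 ALLOW TCP 10.20.4.17:51000 -> 198.51.100.200:443
2005-11-15T09:00:08 ALLOW TCP 198.51.100.9:50214 -> 10.20.4.18:33033
2005-11-15T09:00:09 DENY  TCP 198.51.100.10:50215 -> 203.0.113.51:33033
this line is not a flow record
"""

LINE_RE = re.compile(
    r"^\S+\s+(?P<action>\w+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

# RFC 1918 plus loopback and link-local: addresses that cannot be reached
# from the Internet without a NAT or port-forward in front of them.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


def has_routable_address(ip):
    """True if the host carries a publicly routable IPv4 address."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in n for n in NON_ROUTABLE)


def parse_line(line):
    """Return the flow fields as a dict, or None if the line is not a flow record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["dst"] = ipaddress.ip_address(rec["dst"])
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec


def find_supernode_candidates(log_text, our_networks, threshold):
    """Map each of our hosts that accepts inbound connections from at least
    `threshold` distinct outside peers to that peer count.

    A client that has become a supernode is contacted by many ordinary Skype
    nodes it never talked to first, so a fan-in of distinct external sources
    on one internal host is the signal; hosts that only make outbound
    connections never appear here. Denied flows are ignored: the firewall
    already did its job for those.
    """
    ours = [ipaddress.ip_network(n) for n in our_networks]

    def is_ours(addr):
        return any(addr in n for n in ours)

    peers = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        if is_ours(rec["dst"]) and not is_ours(rec["src"]):
            peers[rec["dst"]].add(rec["src"])
    return {str(h): len(s) for h, s in peers.items() if len(s) >= threshold}


if __name__ == "__main__":
    ours = ["10.0.0.0/8", "203.0.113.0/24"]
    for host, n in find_supernode_candidates(SAMPLE_LOG, ours, 5).items():
        print("%s: %d distinct external peers, routable=%s"
              % (host, n, has_routable_address(host)))
```

On the constructed data only the DMZ host with a public address trips the check; the NAT'd workstation that took a single inbound connection does not, which is the outcome the paragraph predicts for a correctly configured perimeter.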


In summary, you cannot apply the logic of a company with strong policies or regulatory requirements to control communication to every enterprise. Each company is different and should set a policy, then evaluate the advantages, support, risks and costs to decide how, if at all, to deploy a communication tool like Skype. Do not take Info-Tech's or The Butler Group's recommendation as absolute fact, because it does not apply to 90% of you out there. If you properly secure your clients and infrastructure with "defense in depth," the risk of using Skype is far less than the risk of running Microsoft Windows or laptops without encryption.

Michael is a computer security consultant who delivers security consulting services to clients of the Fortune 50 company where he works. He has been at it for 18 years. He also presents for his company at many trade shows and conferences, works with associations and groups, and advises agencies like the FBI on Skype security and the Center for Internet Security on wireless security. Michael knows Skype. He is the man behind the web sites www.SkypeTips.com and www.VideoCallTips.com and the main author of "Skype Me" from Syngress Press. The book will be available in December 2005.


Who’s afraid of Video for Skype?

Bill Campbell on August 3, 2005 09:35 AM

Linda tells me, "I would never do video." Dina says, "I feel naked!"

For many the web is a place of fear: fear of being flamed, of being "hit on" by the opposite sex, spammed, infected with a virus, or of someone hacking into your computer. To protect themselves many users hide behind NAT routers and double firewalls and strive for anonymity behind pseudonyms and avatars. Trust takes longer to build in this environment. It might take weeks or even months before you share a pic of yourself with what was, a brief time ago, a complete stranger. Given the potential intimacy of live video, this behaviour seems to suggest that video will be in low demand or its use constrained.

But other real-life examples tell a different story. Video is hot. 500,000 Skype fans downloaded Video4IM and vSkype in the first 30 days of the beta release of both products. Webcams are hot too. This ChannelTimes article (server down at time of posting) claims Skype's partner Logitech shipped its 25 millionth webcam this year (37% of the world market according to research firm IDC).

Is all this activity about moms and grandchildren? Or is sharing real-time images of you and your environment simply cool? Does video dramatically enhance voice and Skype Chat? So what is the story here? And what is your story? Is your video pic a real-time emoticon?

Robin Batt's story covers both sides, "I get more of a feeling of a connection with Kay, she's based in Italy, we speak daily, IM all the time. If she leaves her camera on, I know when she's there, I can see when she's frowning/laughing/doing something else. Although, Kay doesn't like it because it makes her self-conscious."

"There is a big opportunity in making cute little apps that let you mess with your appearance. I'd actually like to find a developer who can, and build a couple. Could be either really sophisticated photographic touch-up or could be really easy to build little cartoon cutouts like, today's Friday, I've got my real face, but my party hat on, or you could have fake backdrops so if I'm talking with a client I put a fake office backdrop on so I look like I'm in a smarter environment than I really am.

I think video will be about fun long before about doing mission-critical business, much like mobile, emoticons, ringtones etc. Mobile operators ALWAYS get it wrong; they are only just learning now that mobile data is about killing time, not saving time. That's especially important in the mobile environment: waiting for a friend in a bar, waiting for the bus, the dentist, taking the train somewhere. Even if using business apps, like stock tickers, you're doing it more to kill time than to save time. That's my philosophy anyway.

I think video is the same as mobile. It will be more about social interaction - friends goofing around...than business communications...in the beginning. Killing time and goofing around become the drivers for the mobile and video market until the deeper uses get discovered.

And until people get familiar with it...or until it becomes so popular on a social level that it starts to virally pervade businesses anyway...so they decide to harness it so they can control it...and it becomes an enterprise app (like IM did). Plus I don’t think goofing around is necessarily shallower. Nothing wrong with goofing around.

Oh, and porn of course, always an early driver of new tech. Although that's an interesting one, because the phone/online/text sex industry benefits from the fact that the buyer can't see the 'hot chick' to validate if she really is hot. That changes in the video environment, obviously."

I wonder if Robin has it right with her comment on hot chicks. I wonder whether in fact all chicks are hotter in a video call than in a voice call. Are there not more "emoticons" happening in video? Doesn't live video provide more to feed your imagination, not less?

Tell us about your experience with video. What "deeper uses" than goofing around will make Skype Video a pervasive application? Is it a killer-app for job interviews? Does Skype video enhance voice and chat messaging for you? In what ways?

Are you afraid of Skype video; are you videophobic?
