[Users] Skype could pose security problems for companies, analysts say

Jared Rimer jrimer at tagline.cc
Tue Nov 8 12:55:18 EST 2005


Thought you guys might want to see this.  Comes from ComputerWorld.
Skype could pose security problems for companies, analysts say
Two flaws in the telephony software were disclosed this week
News Story by Jaikumar Vijayan
OCTOBER 27, 2005 (COMPUTERWORLD) - The growing popularity of Skype Technologies SA's free Internet telephony software could soon pose the same kind of security challenges for companies that other peer-to-peer (P2P) software technologies have created in recent years, according to security experts.
The warning comes after the disclosure this week of two critical flaws in Skype's software, one of which could allow malicious hackers to take complete control of compromised systems.
One of the flaws is a buffer overflow error in Skype's user client for Windows that could allow attackers to execute arbitrary code on compromised systems, according to a statement from the company. The other vulnerability is a heap overflow flaw in a networking routine affecting Skype clients for all platforms. That flaw could crash the client software.
Fixes for both problems have been released.
Skype, which was recently acquired by eBay Inc. for $2.6 billion, offers downloadable software that allows PC users to make free Internet telephone calls to each other and low-cost calls to telephone users.
So far, Skype has garnered more than 61 million registered users, approximately 30% of whom use it for business purposes, according to the company. Almost all of that adoption has been in Europe and Asia, though analysts expect Skype to eventually gain wide acceptance in the U.S. as well.
According to Stamford, Conn.-based analyst firm Gartner Inc., eBay's purchase of Skype could result in a product more suited for corporate use.
In the meantime, business users should refrain from using "voice services based on proprietary protocols like Skype while on corporate networks because of network security issues," Gartner said in a Sept. 15 advisory.
There are several reasons for the concern, industry experts said.
"Skype is VoIP on steroids," capable of punching holes through many of the network defenses that companies typically deploy, said Tom Newton, product manager at SmoothWall Ltd., a Leeds, England-based vendor of firewalls and other security products.
Like other P2P technologies Skype allows users to establish direct connections with each other. It's also "port agile," meaning that if a firewall port is blocked Skype will look around for other open ports that it can use to establish a connection, Newton said. "If you put Skype behind a firewall or Network Address Translation layer, 99 times out of 100 it will work" without any special configuration, he said.
As a result, Skype could provide a backdoor entry into otherwise secure networks for Trojans, worms and viruses, Newton said. It could also provide a channel for corporate data to be freely shared between users without any of the usual security considerations.
Also, like other P2P applications such as Kazaa, the connection sharing permitted by Skype makes the host computer and the network available to others as well, said Robin Bloor, an analyst at Hurwitz & Associates in Waltham, Mass.
As a result, "Skype can use a lot of network bandwidth, which may interfere with business applications and services," said Andrea Wuchner-Bruhl, head of global IT security at Novartis Pharma AG, in Basel, Switzerland.
The fact that Skype uses a proprietary protocol instead of a standard one such as the Session Initiation Protocol (SIP) also makes it an "unknown from the point of view of the vulnerabilities that might be there," said John Pescatore, a Gartner analyst.
"Every nonstandard application can add unnecessary risks to your environment," Wuchner-Bruhl said. "In the end no one really knows what all is built into such an application."
So far at least, there have been no major attacks directed against Skype. But its growing popularity and installed base will inevitably make it a hacker target, analysts said.
Companies will need to keep a close eye on both the sanctioned and the unsanctioned use of Skype on their networks, Pescatore said.
IT administrators may also need to impose measures such as denying local administration rights on the desktop, content control and management at the network gateways. They may also need to lay out clear policies and procedures for users, Wuchner-Bruhl said.
In the end, the use of Skype needs to be resolved in the same way companies have gone about addressing other P2P applications, including instant messaging, Bloor said. "But you are probably going to have something bad happen to someone first," he said.

Jared Rimer
Business website: http://www.superior-software.com/support
Personal Website: http://www.asmodean.net/jrimer
Music Education Network for the Visually Impaired  http://menvi.org a 
service done through Superior Software level one
WBBY Internet Radio and All In Play team up.  Learn more 
http://www.menvi.org/allinplay
WBBY Internet Radio: www.wbby.us 


