[ISN] Can 9 Million Skype Users Be Wrong?

InfoSec News isn at c4i.org
Tue Mar 22 03:11:47 EST 2005


http://www.csoonline.com/read/030105/machine.html

By Simson Garfinkel 
March 2005 CSO Magazine

Skype is a high-quality encrypted Internet telephony system that
allows for the exchange of files, interconnects with the public
switched telephone system and easily tunnels through firewalls. You
may not have heard of Skype, but there are 9 million Skype users, so
chances are some of your employees have. Skype provides a cheap way to
communicate, but CSOs should know that the system's security is
impossible to audit, and the vendor refuses to disclose details on
security features. If secure communications are important to your
business, read on. Depending on your organization, Skype is either a
wonderful tool for communication or a problem technology that must be
policed, controlled and, if possible, eliminated from your systems.

Skype was released last year by the creators of Kazaa, the popular
file-trading system. Like Kazaa, Skype is based on firewall-busting
peer-to-peer technology. When you first start running Skype, it scans
the Internet looking for a Skype "supernode." Supernodes are other
people running the Skype program who aren't screened by firewalls.  
These users can consequently both receive and initiate connections
across the Net. An unknown number of supernodes link to other
supernodes; eventually, the chain reaches back to the Skype servers,
wherever they happen to be. Supernodes also facilitate connections
back to Skype users who are behind firewalls and Network Address
Translation boxes.

But despite their similarities, Skype does not come with Kazaa's
baggage. Unlike Kazaa, Skype is not advertiser-supported and does not
come with adware or spyware. Instead, Skype's creators make money by
operating the bridge between the Skype network and the other telephone
networks. With the SkypeOut service, a Skype user can place calls to
ordinary landlines or cell phones throughout the world for just a few
pennies per minute from their computers. SkypeIn, a corresponding
service that will be released this summer, will allow Skype users to
receive phone calls from the telephone network.

Every Skype user has a unique Skype user name and password. You
provide the user name and password when you log in; the network then
verifies that your password matches the password that you provided
when you signed up. Once you've logged in, you can initiate a call
through your desktop to any other Skype user. You don't need to know
where he is; he just has to be logged in to Skype somewhere on the
Internet.

Unlike AOL Instant Messenger, there's no problem with being logged in
to Skype in more than one location. Each location will ring if someone
tries to call you. Thus, Skype is a lot friendlier to people like me
who work from multiple computers. And while it's primarily designed
for voice communications, Skype will also let you send instant text
messages and files. Most people I know who use Skype keep a very short
contact list of other Skype users and block incoming voice and text
messages from everyone else.

Unlike Vonage and other voice-over-IP systems, Skype is not based on
the Session Initiation Protocol or any other Internet standard. Skype
uses a protocol that's both proprietary and secret. The company claims
that all Skype communications are encrypted with the 256-bit Advanced
Encryption Standard and that keys are exchanged using the RSA
encryption algorithm. I've looked at Skype's packets, and I can verify
that they are in fact encrypted, but there's really no way to know how
secure it is without considerable documentation and cooperation from
the company.

These facts combine to make Skype an emerging problem for many CSOs.  
For organizations—such as investment companies—that are required by
law to monitor communications between their employees and their
customers, Skype is an untappable voice gateway. It's also largely
unstoppable, because Skype can tunnel through, over or around most
kinds of firewalls. And for organizations—such as hospitals—that are
required by law to provide for secure communications between employees
and customers, Skype gives the appearance of a secure communications
channel, but it might not provide any security at all.

On the other hand, if neither monitoring nor secrecy of voice
communications is a legal requirement for your organization, another
perfectly reasonable approach is to embrace Skype and its peer-to-peer
voice technology. Skype is certainly more secure than most cell
phones, which have their encryption disabled, or landlines that don't
have any encryption at all. Sure, there is a chance that your Skype
conversation is going through another person's computer, and there's a
chance that they've managed to crack Skype's algorithm and are
listening in on everything you say. Even though there is certainly the
potential for abuse, in most cases the actual chance of abuse is
small.

Another important aspect of security is availability—that is, making
sure that systems and backup systems are always available to serve
your users' needs. And availability is where Skype really shines. No
matter where you are, if you have some kind of connectivity to the
Internet, you can use Skype to communicate with others. This is a huge
benefit to the mobile worker, because you can just sit down in some
cybercafé anywhere in the world, take out your laptop, and—wham!—you
are in direct communication. (On the other hand, if Skype's creators
decide to pull the plug on the company's servers, every Skype user on
the planet will be suddenly dead in the water—unless, of course, an
enterprising hacker can figure out how to patch the Skype executable
so that it uses a different set of servers on the Internet.)

Because it's peer-to-peer, you can use Skype to exchange large files
without worrying about any server-based restrictions. Although the
protocol doesn't seem to recover gracefully from interrupted
transmissions (it restarts the transfer in the middle of the file),
it's completely reasonable to use Skype to send 100MB files from one
end of the planet to the other. Skype's servers will do the user
name/password authentication, but the data packets will go directly from
one user's computer to the other's—possibly passing through a Skype
user or two.

The fact that Skype's user name/password combinations are validated by
central servers gives Skype another big advantage over e-mail:  
authentication. The vast majority of e-mail on the Internet is sent
without authentication. As a result, when you get a piece of e-mail,
you never can be sure that the address listed on the message is where
it was really sent from. But since every Skype user is validated
before being allowed to join the network, you can have reasonable
trust in the identities that flash through the Skype application. Such
authentication helps build the business justification for Skype.

Two negatives are operating against Skype. The first is the fact that
the Skype client running on your computer can and will relay calls
between other network users without your knowledge. That can pose a
problem on networks that have only a little bit of Internet
connectivity. It makes sense that Skype would detect how much
bandwidth you have for this kind of third-party altruism. But alas,
the algorithm that Skype uses to determine how much of this relaying
it is allowed to engage in is proprietary, so we can't know for sure.

The other drawback is that bad guys can, of course, use Skype to send
worms and viruses. Obviously, the first thing to do is to block files
transmitted by anyone you don't know. A better approach would be to
integrate Skype with your computer's antivirus system so that all
incoming files are automatically scanned. That's not currently a Skype
feature, but it might be by the time you read this.

Probably the most important thing about Skype, however, is not the
program's functionality today, but something much deeper about the
whole Skype process. One year after Skype launched, it had more than
9.5 million users worldwide, with more than 1.5 million connections
per day and, on average, 500,000 people connected at any given time.  
The software is available for Windows, Mac OS X, Linux and Pocket PC.  
The software has the capability of automatically updating and
upgrading itself, allowing it to acquire new features at any
time—potentially without the permission of the user. The software uses
a secret protocol; all communications are encrypted. And Skype
Technologies does its engineering in Tallinn, Estonia, has some
business operations in London and registers its website in Amsterdam.

If I were going to write an information warfare thriller with a theme
based on Invasion of the Body Snatchers, this is certainly where I
would start.


Simson Garfinkel, CISSP, is a technology writer based in the Boston
area. He can be reached via e-mail at machineshop at cxo.com.




