The section in ISO 27001 that covers cryptographic controls states that, when developing a cryptographic policy, consideration should be given to the use of encryption for the protection of sensitive information transported by mobile or removable media, devices or across communication lines. I know many organisations routinely use encryption to secure thumb drives, laptops, emails and instant messaging, but when it comes to discussing sensitive information over the phone, far fewer employ some form of encryption.
It's easy to understand why: encryption devices for landlines are expensive and usually require all parties to have the same kit installed in order to work. And, after all, is anybody really going to tap into your phone line?
Depending on your business, the answer may be yes. Recent stories of industrial espionage and investigative journalism show that eavesdroppers do attempt to listen in on calls regarding certain industries and types of information. So is there an easy and low-cost way to enable encrypted phone calls between colleagues or clients? While there are currently no products for encrypting landline calls that meet that description, Skype provides a free and secure way to make voice over Internet Protocol (VoIP) calls and is well worth bearing in mind as a form of communication for those organisations that want to follow their encryption policy to the letter.
When considering the pros and cons of Skype, take into account that encryption is inherent in the Skype protocol, so it can't be turned off; it is also completely transparent to the user, so there's no chance that he or she can inadvertently disable it. Other Skype features such as instant messaging, file transfer and video conferencing -- which also includes inherent encryption -- may or may not be of interest, but a big plus of using Skype is that calls to other Skype users are free, with cheap rates for calls to landlines and mobile phones.
But how secure is it? Unfortunately, this is a difficult question to answer with complete accuracy because the source code is not public. Even though Skype reportedly uses non-proprietary, widely trusted encryption techniques, RSA for key negotiation and 256-bit AES to encrypt conversations, the surrounding protocol is proprietary and closed source, so nobody outside the company can verify how keys are generated, who holds them or how they are authenticated. Skype's chief security officer Kurt Sauer has said that there are no backdoors in the software to bypass the encryption on a call, but he has also said that the company complies with all government requests, implying that it might allow governmental eavesdropping when required to by law, and Skype has never flatly denied that an attacker might be able to intercept traffic. So we've no way of knowing if there is, or if there will be, a backdoor.
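To make the "RSA for key negotiation, AES-256 for the conversation" pattern concrete, here is an added example of that hybrid scheme in Go, written for this page and not taken from Skype (whose actual protocol is not public). It assumes a fresh 2048-bit RSA key per party, RSA-OAEP to wrap a random 256-bit session key, and AES-256-GCM with a per-direction sequence number as the nonce for each media frame; the party names, the OAEP label and the "voice frame" payload are constructed for the illustration. The point worth noticing is in the negotiation step: whoever holds the callee's private key can unwrap the session key, which is why the question of who generates and holds keys matters more than the cipher names.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Party is one call endpoint holding a long-term RSA key pair. Assumption: a
// fresh 2048-bit key per party; this does not model Skype's real login or
// certificate handling, which is not public.
type Party struct {
	priv *rsa.PrivateKey
}

func NewParty() (*Party, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Party{priv: k}, nil
}

func (p *Party) Public() *rsa.PublicKey { return &p.priv.PublicKey }

// oaepLabel binds the wrapped key to its purpose; both sides must use the same label.
var oaepLabel = []byte("voice-session-key")

// NegotiateSessionKey is run by the caller: pick a random 256-bit AES key and
// wrap it with the callee's public key using RSA-OAEP. Only the holder of the
// matching private key can recover it.
func NegotiateSessionKey(callee *rsa.PublicKey) (sessionKey, wrapped []byte, err error) {
	sessionKey = make([]byte, 32) // AES-256
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, callee, sessionKey, oaepLabel)
	if err != nil {
		return nil, nil, err
	}
	return sessionKey, wrapped, nil
}

// UnwrapSessionKey is run by the callee with its private key; any other key fails.
func UnwrapSessionKey(p *Party, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, p.priv, wrapped, oaepLabel)
}

// frameNonce builds the 12-byte GCM nonce from a direction byte and the frame
// sequence number. A nonce must never repeat under one key, so each direction
// of the call gets its own byte and seq is strictly increasing per direction.
func frameNonce(dir byte, seq uint64) []byte {
	nonce := make([]byte, 12)
	nonce[0] = dir
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("session key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealFrame encrypts and authenticates one media frame with AES-256-GCM. The
// nonce is also passed as associated data, so a frame replayed under a
// different direction or sequence number fails to authenticate.
func SealFrame(key []byte, dir byte, seq uint64, frame []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := frameNonce(dir, seq)
	return gcm.Seal(nil, nonce, frame, nonce), nil
}

// OpenFrame is the receiving side; it returns an error on any tampering,
// wrong key, or wrong (direction, seq) pair.
func OpenFrame(key []byte, dir byte, seq uint64, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := frameNonce(dir, seq)
	return gcm.Open(nil, nonce, sealed, nonce)
}

func main() {
	alice, _ := NewParty()
	bob, _ := NewParty()
	key, wrapped, _ := NegotiateSessionKey(bob.Public())
	bobKey, _ := UnwrapSessionKey(bob, wrapped)
	if _, err := UnwrapSessionKey(alice, wrapped); err == nil {
		panic("a party without Bob's private key must not recover the session key")
	}
	sealed, _ := SealFrame(key, 0, 1, []byte("constructed voice frame #1"))
	pt, _ := OpenFrame(bobKey, 0, 1, sealed)
	fmt.Printf("keys match: %v, frame: %q\n", bytes.Equal(key, bobKey), pt)
	sealed[len(sealed)-1] ^= 1 // flip one ciphertext bit
	_, err := OpenFrame(bobKey, 0, 1, sealed)
	fmt.Println("tampered frame rejected:", err != nil)
}
```

Two design points carry over to any real deployment: the session key is only as private as the RSA private key that wraps it, and a GCM nonce must never repeat under one key, which is why the example derives it from a per-direction counter rather than picking it at random for every frame.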
But given that most users are unlikely to discuss information of interest to the national security services, Skype does provide strong security for most calls. An eavesdropper who captures the traffic would most likely find it impossible to decipher a conversation and, unlike a traditional call, there is no constant circuit between the parties, as the voice data travels as packets that may take many different router paths. Bear in mind, though, that an eavesdropper positioned at either endpoint's network still sees every packet of the call, so it is the encryption, not the routing, that actually protects the content. What makes Skype so appealing from an information security perspective is that the encryption cannot be turned off and is completely transparent to the user. Encryption, particularly PKI, is notoriously difficult to roll out on a large scale, yet Skype provides easy-to-use encrypted communication for everyone.
But like any software, particularly Internet-based programs, it is important to stay current with vendor updates. There have been some security problems with Skype, such as buffer-overflow and cross-site scripting vulnerabilities, as well as a wiretap Trojan, but on the whole Skype has a good record of fixing vulnerabilities quickly. Even so, any computer used for Skype should run up-to-date antivirus and antispyware to prevent keyloggers or similar malware from logging conversations. This is particularly important when considering that Skype keeps an open connection to the Internet even when it's idle -- a vector for a possible attack.
For those organisations with a mobile workforce, Skype is also available for various smartphones, providing the same built-in encryption functionality. There is even an iPhone version. However, some network operators do not allow Skype calls to be made over their 3G networks for fear of lost revenue, restricting it to paid-for Wi-Fi use only.
Encrypting mobile calls may be more important than you think given that the A5/3 encryption system, which is being phased in on many 3G cellular networks around the world, was recently reported to have been cracked in less than two hours. (The A5/1 encryption system, widely used on GSM handsets now, has already been cracked in practice.) The A5/3 result is a related-key attack on the underlying KASUMI cipher, which requires a relationship between keys that the networks do not give an attacker, so it is not a practical attack on live 3G calls; the A5/1 break, by contrast, is. Whether either becomes a real attack vector for criminals remains to be seen, but by using Skype you don't have to worry about it, because the call is encrypted end to end at the application layer regardless of what the cellular network does.
There are, of course, commercial software encryption products for mobile phones: PhoneCrypt from SecurStar and Cellcrypt, which has a version for the BlackBerry smartphone, being some of the better known.
Depending on the nature of your business, it may be appropriate for some employees to consider using devices developed for the National Security Agency's Secure Mobile Environment Portable Electronic Device (SME PED) program, such as the Sectéra Edge from General Dynamics C4 Systems. Such devices are certified to protect wireless voice communications classified as "Top Secret," as well as access email and websites classified as "Secret."
Finally, if you're not using Skype or some form of specialist device or software, never assume that voice calls are secure. As with fax and email, never discuss confidential or sensitive issues on a mobile phone. Remember also, if you use Skype to call a regular landline number, the connection remains encrypted only as far as Skype's gateway onto the public telephone network; from there it is an ordinary, unencrypted phone call. And, even with the most advanced technology, an eavesdropper can still overhear a sensitive conversation held out in the open.
About the author:
Michael Cobb, CISSP-ISSAP is the founder and managing director of Cobweb Applications Ltd., a consultancy that offers IT training and support in data security and analysis. He co-authored the book IIS Security and has written numerous technical articles for leading IT publications. Mike is the guest instructor for several SearchSecurity.com Security Schools and, as a SearchSecurity.com site expert, answers user questions on application security and platform security.