Skype again

There’s a new book out entitled “Securing IM and P2P Applications for the Enterprise” (ISBN: 978-1-59749-017-7) where it’s written: “Although Skype is well known for its voice communication, it is a very functional client for instant messaging via text and file transfers. Since it encrypts its information natively, this is a good tool to use for online communications.”

I wonder how many of you agree with that statement. There’s been quite some debate on Skype within my own organisation. Prior to my coming into the company, Skype was banned. Period. Don’t even think to argue.

More recently Skype has become a hot topic, with some individuals perceiving benefits of using it for free and easy Internet telephony: particularly those who travel a lot and spend nights away. In addition, there are plenty of documented potential business uses for Skype. One reference (Skype Me! by Michael Gough) discusses how using it could be advantageous for a help-desk:

An office in Mumbai, India, can provide the same support that someone at the corporate office in San Diego or an employee at home in Seattle receives. Company X can provide help desk Skype Me! links on the intranet homepage, and calls can be quickly routed for help tickets. The same is true for IT staff members who travel frequently from site to site. No matter where they are, as long as they have an Internet connection, these employees are able to provide reliable assistance…. Technicians can take advantage of Skype’s text-chat option to provide specific documentation or even case-sensitive shell commands to a user in dire straits.

Of course, this is dependent upon the Skype network being available….

The book goes on to mention that “Several companies are currently developing software and hardware solutions to augment Skype’s capabilities into a full-fledged business-class telecommunication medium.” I look forward to this, but what of the risks?

Some individuals cite Skype’s proprietary encryption as an issue. It’s actually only an issue if confidential matters are being discussed. In fact, having read the paper Skype Security Evaluation by Tom Berson I’m not sure that it’s an issue at all. Tom states:

Skype uses a proprietary session-establishment protocol. The cryptographic purposes of this protocol are to protect against replay, to verify peer identity, and to allow the communicating peers to agree on a secret session key. The communicating peers then use their session key to achieve confidential communication during the lifetime of the session. I analyzed this protocol, and found that it achieves its cryptographic aims. Further, I explored the strength of the protocol against a range of well-known attacks, including replay attack and man-in-the-middle attack. I determined that each of the attack scenarios is computationally infeasible…. I started as a skeptic. I thought the system would be easy to defeat. However, my confidence in the Skype grows daily. The more I find out about it, the more I like.

So, perhaps those who still argue against any corporate use can cite malware as their reason.

It’s true that there have been trojans targeted directly against Skype; however, with multi-layered network and desktop defences, together with basic user security awareness about not clicking on links in unsolicited messages, the malware should be easily defeated.

I’m not trying to be flippant. I’m as concerned about potential risks to private data and network integrity as the next man. I just think that Skype, if properly managed and if it suits a business requirement, presents a low risk. This is consistent with the message I put out on this blog back in March; however, I have softened my attitude somewhat. We need to put the right price on saying “yes” and support what the business wants.

I’ll leave you with this final “security flaw” that someone noted on a blog titled “Skype Security FUD”: “There is another loophole in it: when you talk on it they can stand in your office and hear what you’re saying. Amen!”