
Skype sounds great - but is it safe?

by
18th Jan 2006

The explosive growth of Instant Messaging (IM) and Peer to Peer (P2P) networks such as Skype has been accompanied by a 2200% increase in attacks on such networks in 2005 compared with 2004, according to Face Time Labs. With this in mind, security consultant Stewart Twynham takes a closer look at Skype, the world's most successful internet phone service.

I am often asked in my capacity as an external adviser to liaise with suppliers and development teams based in glamorous sounding places such as Johannesburg, Mumbai, and even Colchester. Skype enables me to keep on track by staying in constant communication. The combination of recorded 'chat' sessions and totally free Skype-to-Skype phone calls also saves me hundreds of pounds every month.

It's a great solution for me, but the technology on which it is based is also coming under increasing attack from malicious users. And while small businesses seem to love it, larger corporates are staying away from these types of solutions.

The aim of this article is to explain a little bit about how Skype actually works, and help potential business users make the most informed choice about whether this kind of technology is right for them.

A free service - but how?
One of the key differentiators of Skype is that the core product is free, and it doesn't try to sneak in revenue by bombarding its users with advertising or spam (although this may change now that Skype is owned by eBay). Instead, Skype has kept its operating costs very low by not requiring much in the way of a centralised infrastructure. In fact, the only things hosted centrally are your login details; everything else, from the global user directory to the setting up and handling of calls, is carried out in a completely decentralised fashion.

And therein lies the (small) catch. Skype's end-user licence agreement states: 'You hereby grant permission for the Skype Software to utilize the processor and bandwidth of your computer for the limited purpose of facilitating the communication between Skype Software users.'

This means, in effect, that every time you log in, your computer becomes a very small part of one gigantic telephone exchange. It's something they call Peer to Peer or P2P.

What does P2P networking mean in practice?
What it means depends on your own situation. If you're sat at home on a broadband modem with a personal firewall, then your copy of Skype will almost certainly become a 'supernode' - a part of the network that helps other users connect up.

To demonstrate this, I created a small 'hole' in my firewall, started up Skype, and kept an eye on the firewall logs. After logging in to the central server, my next port of call was a home broadband user somewhere on NTL's network in the UK - presumably another 'supernode'. After about an hour, I found that I'd had connections from users in Denmark, Poland, Italy, Finland, Latvia, the Czech Republic, South Africa, Israel, Japan and the US. Even more interesting, one of the users appears to be Research Machines plc, a major supplier to the UK education sector, and I guess one of a number of corporates whose CIO is unaware of Skype's popularity internally.

For corporate users, it's a little different. If you're sat in a company behind a series of firewalls and network protection, then Skype cannot normally become a supernode. Instead, you'll be dependent on a supernode to relay your connection and even your data, just as the user at Research Machines plc was using my machine. Hey, your Skype conversation could even be passing through my laptop right now!
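The firewall-log check described above, written out as an added example (this is not code from the article or from Skype). It reads constructed, simplified iptables-style log lines and separates inbound connection attempts to the Skype listening port into hosts this PC contacted first and hosts it never contacted; a steady stream of the latter is what a supernode sees. The local address 192.168.1.10, the listening port 45678 and the login-server port 33033 are assumptions, as are all the sample addresses (taken from the documentation ranges), so substitute the port your own client is configured to listen on.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed, simplified iptables-style log line; real kernel logs carry more fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2}) IN=(?P<inif>\S*) OUT=(?P<outif>\S*) "
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) "
    r"SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)(?P<flags>(?: \w+)*)$"
)


@dataclass(frozen=True)
class Conn:
    ts: str
    inbound: bool   # packet arrived on an interface (IN=...) rather than leaving (OUT=...)
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int
    syn: bool       # a bare SYN, i.e. a brand-new TCP connection attempt


def parse_line(line: str) -> Optional[Conn]:
    """Parse one log line; returns None for lines that are not in the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flags = m.group("flags").split()
    return Conn(ts=m.group("ts"), inbound=bool(m.group("inif")),
                src=m.group("src"), dst=m.group("dst"), proto=m.group("proto"),
                spt=int(m.group("spt")), dpt=int(m.group("dpt")),
                syn="SYN" in flags and "ACK" not in flags)


def analyse(lines: Iterable[str], local_ip: str, skype_port: int, threshold: int = 3) -> Dict:
    """Summarise who opened TCP connections to our Skype port.

    A host we contacted first (an outbound SYN from local_ip) is a 'known' peer; any
    other host sending a SYN to skype_port is 'unsolicited', i.e. the network pointed
    it at us.  The threshold for flagging supernode behaviour is an arbitrary choice.
    """
    contacted, unsolicited, known = set(), set(), set()
    inbound_attempts = 0
    for line in lines:
        c = parse_line(line)
        if c is None or c.proto != "TCP" or not c.syn:
            continue
        if not c.inbound and c.src == local_ip:
            contacted.add(c.dst)
        elif c.inbound and c.dst == local_ip and c.dpt == skype_port:
            inbound_attempts += 1
            (known if c.src in contacted else unsolicited).add(c.src)
    return {
        "inbound_attempts": inbound_attempts,
        "known_peers": sorted(known),
        "unsolicited_peers": sorted(unsolicited),
        "likely_supernode": len(unsolicited) >= threshold,
    }


# Constructed sample: one login, then peers the network sends our way, plus unrelated noise.
SAMPLE_LOG = """\
09:00:01 IN= OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=33033 SYN
09:00:01 IN=eth0 OUT= SRC=203.0.113.5 DST=192.168.1.10 PROTO=TCP SPT=33033 DPT=51000 SYN ACK
09:03:12 IN=eth0 OUT= SRC=198.51.100.20 DST=192.168.1.10 PROTO=TCP SPT=40211 DPT=45678 SYN
09:07:45 IN=eth0 OUT= SRC=198.51.100.21 DST=192.168.1.10 PROTO=TCP SPT=40300 DPT=45678 SYN
09:08:02 IN=eth0 OUT= SRC=198.51.100.20 DST=192.168.1.10 PROTO=TCP SPT=40212 DPT=45678 SYN
09:15:30 IN= OUT=eth0 SRC=192.168.1.10 DST=192.0.2.50 PROTO=TCP SPT=51001 DPT=45678 SYN
09:16:00 IN=eth0 OUT= SRC=192.0.2.50 DST=192.168.1.10 PROTO=TCP SPT=45678 DPT=45678 SYN
09:20:11 IN=eth0 OUT= SRC=192.0.2.77 DST=192.168.1.10 PROTO=TCP SPT=3399 DPT=45678 SYN
09:21:00 IN=eth0 OUT= SRC=192.0.2.99 DST=192.168.1.10 PROTO=TCP SPT=5555 DPT=22 SYN
09:22:40 IN=eth0 OUT= SRC=198.51.100.22 DST=192.168.1.10 PROTO=UDP SPT=40400 DPT=45678
"""

if __name__ == "__main__":
    summary = analyse(SAMPLE_LOG.splitlines(), "192.168.1.10", 45678)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Only bare SYNs count, so replies to connections this PC opened, the SSH probe on port 22 and the UDP datagram are all ignored; the repeat attempt from 198.51.100.20 is one peer, not two. Mapping the resulting addresses to countries, as the author did by eye, needs an external lookup and is left out.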

Is this really safe?
If I were MI5 - or let's face it any large corporate - I don't think I'd be rushing out to kit everyone out with a shiny new Skype phone. Yet I use it, and so do many of my clients. So is it safe? Well, I suppose there are actually three major issues here:

1. The better your firewall, the more likely your data and/or conversations have to be routed not just across the Internet but via other users' PCs, meaning your top-secret negotiations are probably being transmitted right now through a PC somewhere in Finland. Yes, it's encrypted, but it's probably best that you know about this.

2. If you use a broadband modem and don't have anything other than a personal firewall, the chances are your machine will become a supernode. This means you'll be part of that gigantic telephone exchange, helping other Skype users to connect. Aside from having to handle small amounts of extra traffic (for which your ISP may charge you), there is the security risk of having a piece of software on an open 'port'. For example, any bugs in the software could render your PC vulnerable to attack.

3. You have to have yet another piece of software installed on your machine. This means you must keep the software updated, and even when the software is not running, the settings may make your machine more prone to an infection.

Should we use it?
What suits me may not suit you, and vice versa. My own observations for business users would be:

  • Skype has proven to be a relatively safe and reliable product to date, and indeed appears (anecdotally at least) to outperform other rival products in both security and sound quality. It certainly avoids all of the advertising and spam associated with some other products.
  • The P2P technology makes the Skype network almost immune to conventional technical failures, but not necessarily a sustained malicious attack. Most observers (myself included) expect something nasty soon.
  • Any decision to use voice over IP, Instant Messaging or peer to peer products should be made at the top. Simply allowing users to do their own thing is a recipe for disaster - instead choose one solution, make it standard, then do your best to keep abreast of the strengths and weaknesses of that one product.
  • Remember that Skype was never built with the corporate network in mind. In terms of management, there are better products for high numbers of users.
  • End users should be aware that the use of P2P software without permission will almost certainly contravene their employer's usage policies, because the computer resources belong to the company, not the user.

If you do go ahead, keep in mind:

  • Keep a close eye on the product, security alerts and all software updates.
  • Religiously keep the software up to date.
  • Keep operating systems, firewalls, anti spy-ware, and anti-virus products up to date. These are just as important as the software itself.
  • Where possible, use a properly configured hardware firewall which restricts outbound as well as inbound connections. You'll still be able to use Skype, but this will prevent you from becoming a supernode, and restrict what a malicious user could do should your PC ever become compromised.
  • The vast majority of attacks on IM and P2P networks still require user intervention - typically a 'click here' link, or the classic 'enter your credit card numbers for confirmation' phishing attack. That is why educating your users on how to use the technology safely is so critical.
  • Make sure you also cover issues such as minimising SPIM (SPam over Instant Messaging) and SPIT (SPam over Internet Telephony) with your users.
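To show why the firewall advice above prevents supernode behaviour, here is an added example (not code from the article or from any firewall product) that models a first-match, stateful packet filter and runs the same constructed traffic through two policies: the weak setting, a personal firewall that lets everything out and opens Skype's port inbound, and the corrected setting, outbound limited to a few ports and nothing unsolicited allowed in. The port numbers (45678 for the client's listening port, 33033 for the login server) and the addresses are assumptions; which outbound ports your own client needs should be checked against its documentation.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (from the Internet) or "out" (from our PC)
    proto: str          # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True    # True = new connection attempt, False = reply/continuation


@dataclass(frozen=True)
class Rule:
    direction: Optional[str]            # None matches either direction
    proto: Optional[str]                # None matches any protocol
    dports: Optional[FrozenSet[int]]    # None matches any destination port
    action: str                         # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.dports is None or p.dport in self.dports))


class Firewall:
    """First-match stateful filter: replies to connections we opened are always let in."""

    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules, self.default = rules, default
        self.flows = set()   # (local_ip, local_port, remote_ip, remote_port) we initiated

    def decide(self, p: Packet) -> str:
        if p.direction == "in" and not p.syn and (p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow"                      # part of a conversation this PC started
        for r in self.rules:
            if r.matches(p):
                if r.action == "allow" and p.direction == "out" and p.syn:
                    self.flows.add((p.src, p.sport, p.dst, p.dport))
                return r.action
        return self.default


SKYPE_PORT = 45678   # assumed: the port the client listens on
LOGIN_PORT = 33033   # assumed: port used to reach the central login server

# Weak setting: everything out, and Skype's port opened inbound, so peers can be sent to us.
PERMISSIVE = [
    Rule("out", None, None, "allow"),
    Rule("in", None, frozenset({SKYPE_PORT}), "allow"),
]

# Corrected setting: outbound only to a short list of TCP ports, no unsolicited inbound at all.
RESTRICTIVE = [
    Rule("out", "TCP", frozenset({LOGIN_PORT, 443, 80}), "allow"),
    Rule("out", None, None, "deny"),
    Rule("in", None, None, "deny"),
]

# Constructed traffic trace: our login, its reply, then a peer the network points at us.
ME, LOGIN, PEER = "192.168.1.10", "203.0.113.5", "198.51.100.20"
TRACE = [
    ("login",               Packet("out", "TCP", ME, 51000, LOGIN, LOGIN_PORT)),
    ("login reply",         Packet("in",  "TCP", LOGIN, LOGIN_PORT, ME, 51000, syn=False)),
    ("peer connects to us", Packet("in",  "TCP", PEER, 40211, ME, SKYPE_PORT)),
    ("we connect to peer",  Packet("out", "TCP", ME, 51001, PEER, SKYPE_PORT)),
    ("stray UDP in",        Packet("in",  "UDP", PEER, 40400, ME, SKYPE_PORT)),
]


def simulate(rules: List[Rule]) -> Dict[str, str]:
    """Run the trace through a fresh firewall and return the decision for each packet."""
    fw = Firewall(rules)
    return {name: fw.decide(p) for name, p in TRACE}


if __name__ == "__main__":
    for label, policy in (("permissive", PERMISSIVE), ("restrictive", RESTRICTIVE)):
        print(label)
        for name, verdict in simulate(policy).items():
            print(f"  {name:<22} {verdict}")
```

Under the permissive policy every packet is allowed, including the peer's unsolicited connection, which is exactly the supernode role. Under the restrictive one the login and its reply still pass, but the inbound peer connection and the stray datagram are dropped. Note that it also blocks the direct outbound connection to the peer on an arbitrary port, so calls then depend on relays reachable over the permitted ports: the trade-off the article describes for users behind corporate firewalls.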

Stewart C. Twynham MBCS MIEE
© Bawden Quinn Associates Ltd, 2006

Replies (2)

By baseline
19th Jan 2006 12:57

Alternative
There is another solution being sold by Vonage. What they provide is a separate broadband router. The router has an inbuilt firewall, fully stealthed, and three ethernet ports plus two telephone connection points.

By plugging in your telephone you do not need to have a computer switched on to make calls. The downside is you have to pay a monthly fee, but all calls are free or at a lower cost than your telco's. The electricity used costs about 1 GBP if running both a cable modem and the router.

The ethernet ports can be connected to PCs directly or to another router. Full DHCP is provided along with other methods. The router is a LinkSys RT31P2. Battery backup is recommended for emergency 112 calls just in case the power goes off.

It's saving us tons of money and giving better use of an always-on broadband connection. The use of your PC for VoIP can cause problems. This example, 'Skype 2.0 looks like a virus', is just another.

By Diaa Atef Attia
09th Apr 2015 12:26

Opportunities

Now you can find the perfect way to practice polish conversation skype http://preply.com/en/polish-by-skype
