In Depth

Security Risks: Can 9 Million Skype Users Be Wrong?

Skype is a great way to communicate. But security professionals should know that it also brings auditing and monitoring risks.

By Simson Garfinkel

March 01, 2005 (CSO) — Skype is a high-quality encrypted Internet telephony system that allows for the exchange of files, interconnects with the public switched telephone system and easily tunnels through firewalls. You may not have heard of Skype, but there are 9 million Skype users, so chances are some of your employees have. Skype provides a cheap way to communicate, but CSOs should know that the system's security is impossible to audit, and the vendor refuses to disclose details on security features. If secure communications are important to your business, read on. Depending on your organization, Skype is either a wonderful tool for communication or a problem technology that must be policed, controlled and, if possible, eliminated from your systems.

Skype was released last year by the creators of Kazaa, the popular file-trading system. Like Kazaa, Skype is based on firewall-busting peer-to-peer technology. When you first start running Skype, it scans the Internet looking for a Skype "supernode." Supernodes are other people running the Skype program who aren't screened by firewalls. These users can consequently both receive and initiate connections across the Net. An unknown number of supernodes link to other supernodes; eventually, the chain reaches back to the Skype servers, wherever they happen to be. Supernodes also facilitate connections back to Skype users who are behind firewalls and Network Address Translation boxes.

But despite their similarities, Skype does not come with Kazaa's baggage. Unlike Kazaa, Skype is not advertiser-supported and does not come with adware or spyware. Instead, Skype's creators make money by operating the bridge between the Skype network and the other telephone networks. With the SkypeOut service, a Skype user can place calls to ordinary landlines or cell phones throughout the world for just a few pennies per minute from their computers. SkypeIn, a corresponding service that will be released this summer, will allow Skype users to receive phone calls from the telephone network.

Every Skype user has a unique Skype user name and password. You provide the user name and password when you log in; the network then verifies that your password matches the password that you provided when you signed up. Once you've logged in, you can initiate a call through your desktop to any other Skype user. You don't need to know where he is; he just has to be logged in to Skype somewhere on the Internet.

Unlike AOL Instant Messenger, there's no problem with being logged in to Skype in more than one location. Each location will ring if someone tries to call you. Thus, Skype is a lot friendlier to people like me who work from multiple computers. And while it's primarily designed for voice communications, Skype will also let you send instant text messages and files. Most people I know who use Skype keep a very short contact list of other Skype users and block incoming voice and text messages from everyone else.
