Sunday, June 04, 2006

Skype as the Attack Vector

It's often hard to actually measure the risk exposure to a threat, given how overhyped certain market segments/products' insecurities get with the time. Gartner, and the rest of the popular marketing research agencies seem to be obsessed with Skype as the major threat to enterprises, while Skype isn't really bad news, compliance is, in respect to VoIP, P2P, IM and Email communications retention or monitoring. From the article :

"The most recent bug in Skype is another clue to enterprises that they should steer clear of the VoIP service, research firm Gartner recently warned. Two weeks ago, Skype patched a critical vulnerability that could let an attacker send a file to another user without his or her consent, and potentially obtain access to the recipient's computer and data. This vulnerability follows three in 2005 (two high-risk, one low-risk) and highlights the risk of not establishing and implementing an enterprise policy for Skype," wrote Gartner research director Lawrence Orans in an online research note. "Because the Skype client is a free download, most businesses have no idea how many Skype clients are installed on their systems or how much Skype traffic passes over their networks."

There's a slight chance an enterprise isn't already blocking Skype, using both, commercial and public methods wherever applicable. Moreover, it would be much more feasible to consider the fact that, if the enterprise -- assuming a U.S one -- isn't blocking the use of Skype, it must somehow monitor/retain its use in order to comply with standard regulations. Skype poses the following problems :

- inability for the enterprise to retain the IM and VoIP sessions in accordence with regulations
- wasted bandwidth costing loss productivity and direct cash outflows, slowdown for critical network functions
- covert channels possibilities

Several months ago, Skype was also discussed as a command'n'control application for botnets, while steganography based communications and plain-simple encrypted/stripped IRCd sessions remain rather popular. Malware authors are actively looking for ways to avoid IRC given the popularity it has gained and the experience botnet hunters have these days.

Skype is the last problem to worry about, as in this very same way the recent vulnerabilities in major market leading AVs would have had a higher risk exposure factor as there's a greater chance of occurrence of malware, than a Skype vulnerability. It's the vulnerabilities in software in principle you have to learn how to deal with, and third-party applications that somehow make it on your company's network.

More resources :
Skype Security Evaluation
Silver Needle in the Skype
Skype Security and Privacy Concerns
Impact of Skype on Telecom Service Providers