» Archive for the 'VoIP' Category
Backdoor in Skype?
This has been around for a few days, but there are reports that there may be a backdoor in Skype which allows call interception by authorized parties.
According to reports, there may be a back door built into Skype, which allows connections to be bugged. The company has declined to expressly deny the allegations. At a meeting with representatives of ISPs and the Austrian regulator on lawful interception of IP based services held on 25th June, high-ranking officials at the Austrian interior ministry revealed that it is not a problem for them to listen in on Skype conversations.
This would be different from the experience of the German Bundespolizei, which, I think it was earlier this year, stated that their inability to monitor Skype was harming counter-terror efforts.
So what does this mean in the Grand Scheme of Things?
First, Skype has traditionally been known to be better-than-POTS for preventing call interception. It gives the parties to a conversation reasonable protection against attempts to eavesdrop on the traffic. That may or may not still be the case where government entities are involved, which would make it no better or worse than POTS in this respect.
Previously, there has been analysis which indicated that Skype might have some crypto flaws and a paper was published at BlueHat a year or so ago which confirmed both application and crypto issues which, when combined, could produce some interesting misbehavior.
So if you’re worried about government eavesdropping, Skype is now at the same level of confidentiality as POTS. You’ll have to find a tool that allows you to do your own key management, which you should have been doing anyway. If you’re not, then it’s still better than POTS.
This is interesting and not surprising: corporate interests follow the money, not principles. But nothing to see here.
Posted in Security and Risk Management, Risk Management, VoIP, Terrorism | 1 Comment »
Skype: All we have to fear is fear itself
NetworkWorld actually had something rational to say about Skype for a change.
We assessed the state of the encryption and security of the Skype messages and streams, looking for exposed information that could be useful to hackers and susceptible to man-in-the-middle interception and diversion tactics. We evaluated the security of Skype Instant Messaging and file transfer, along with the internetworking of Skype 1.4 and 2.0 beta. We also tracked the effect of Skype operations, in terms of CPU and memory use, on laptops.
Our testing shows that neither Skype VoIP nor Skype Instant Messaging poses any readily exploitable security threat. We also conducted a dozen private interviews with hackers, enterprise network managers and leading network-security-equipment suppliers, none of which could cite one case of Skype being exploited for insidious security assaults.
Of course, next week some vulnerability might be exploited. But as we go to press, we believe that Skype poses more worries about what isn’t known than actual security concerns.
I’ve been saying this for a long time now.
Unless SBC and other carriers succeed in screwing it up to protect their revenue streams, that is.
Posted in Security and Risk Management, Risk Management, Network Security, VoIP | No Comments »
Not voice capable
My employer has been kind enough to loan me an EVDO card with service through Verizon and on the front of the box, it says, “* Not voice capable”.
Of course, yesterday on the train downtown I was able to talk to a co-worker using Skype with no problems whatsoever (other than a few strange looks from my fellow passengers) over the EVDO connection. Pings to the edge of the Verizon network were about 200-300ms, yet the voice quality and latency were still well within tolerable limits (I thought it might be a bit laggy, but it wasn’t).
Yet another example of how Voice is just another stream of packets.
Posted in Technology, VoIP | No Comments »
Skyping themselves in the foot
While procrastinating from mapping controls to risks, I just flipped over to eWeek to kill a little time and learned that Skype just released updates to cover multiple critical security vulnerabilities.
Multiple security flaws in the popular Skype voice chat application could put millions of users at risk of computer takeover attacks, the company acknowledged Tuesday.
Skype Technologies S.A., which is being acquired by eBay Inc., warned in two separate advisories that the vulnerabilities could lead of system access or denial-of-service attacks.
The Skype program, which uses peer-to-peer technology to route phone calls over the Internet, is one of the most popular desktop applications sitting behind firewalls, making the threat vector even more serious.
So I head over to Skype’s Web site to see how they present it. And what I discovered is that they’re not presenting it. Not on the homepage, not on the download page, not on the developer page, not even on the main security page, which I found only by manually typing “http://skype.com/security” into my browser. But was the vulnerability notice there? Nope. Their bought-and-paid-for cryptography review was there, though. Finally, I found it on their vulnerability bulletins page. Whew. After all that, I was almost too tired to read the notices.
Still, I plowed on and soon discovered that the first vulnerability is a nasty one (The second is a boring ol’ DOS). An exploitable buffer overflow in Skype’s URI parser for “callto://” and “skype://”. Not good. Host the malicious link on an SSL’ed Web server and you’ll blow right past any IDS or IPS countermeasures and quickly be 0wning machines inside firewalls in no time, then potentially using Skype’s own crypto and peer-to-peer architecture as the control channel for whatever botnet or other bit of nastiness the attacker wants to install.
The Blackhat in me salivates at the prospect. It’s beautiful security judo, leveraging tools designed to protect confidentiality (crypto) and Availability (peer-to-peer) to better hide my nefarious doings. Combine it with a skype API-based payload and you’ve got a Skype worm that can leverage the implicit trust relationship of contact lists to propagate further, all potentially wrapped inside Skype’s own crypto.
Too bad the first that most of Skype’s 60 million-and-growing users will ever hear of it will be after someone who does pay attention to these sorts of things decides they want to see if it’s possible to create a 60-million node botnet or retire after making The One Big Score with SkypeOut and toll fraud.
Hey Skype, Ignoring Risk is Accepting Risk–NOT Avoiding it. Put this on your main page while upgrading is still prevention rather than incident response.
Posted in Security and Risk Management, VoIP | No Comments »
Imitation is the sincerest form of flattery
So according to SecurityFocus, there’s now a trojan which claims to be a new version of Skype.
The malware arrives in an attachment in messages posing as the latest (v1.4) release of Skype. Legitimate downloads of the software only came out last week, so the attack is timely. If users open the infected payload on a vulnerable Windows machine they will find their PCs transformed into zombie clients (theoretically at least) under the control of computer hackers.
Don’t trust patches or software distributed via email. That’s all there is to it.
Posted in Security and Risk Management, Network Security, VoIP | No Comments »
Skype and the Enterprise Redux
Gartner doesn’t much like Skype. I think we already knew this, but they released a new report last week that removes any doubt. Network Week pulled out a couple of key quotes:
“Don’t use voice services based on proprietary protocols like Skype while on corporate networks, because of network security issues,” the firm said in a research note.
While it’s possible that Skype under EBay could release a business-class product, “I don’t think that drove what (EBay) did, so I wouldn’t look for that overnight,” Gartner analyst David Smith said.
So it’s time to decide what the real question is for those of us looking at Skype with regards to our Enterprises. Is it whether or not we should get into a Cat & Mouse game with our employees who would use Skype? Or whether Skype is an Enterprise product at all?
I don’t think that Skype has ever tried to imply that they are an Enterprise solution. I’ve had several conversations with them and the feedback we have consistently received is that while their target market is consumers, they were always happy to have more users, regardless of where they came from.
To imply that something is not an “Enterprise” solution, however, solely because the vendor is not trying to sell it to Enterprises does not make sense to me. Whether the sticker on the side says “Consumer” or “Enterprise” is irrelevant. It either meets a set of requirements or it doesn’t.
Currently, though, most Enterprises lack any agreed-upon set of requirements for a softphone solution. Nature abhors a vacuum, though, so users are adopting Skype to fill the need since it meets user requirements extremely well.
From the security and network engineering perspective, it creates a number of potential risks since we can’t snoop inside its encryption. From a malware perspective, this is worrisome but assuming that the registry hooks to disable file sharing work as promised in the 1.4 version, this risk can then be largely mitigated by pushing some Group Policy Objects to enforce the official written policy.
If the risk is that we don’t trust our employees to have unaudited voice or IM, then I think the threat needs to be highlighted and discussed so we can address it through an appropriate combination of improved management, awareness training and, in the worst case, HR. Regardless, this problem will not be solved at the technological level.
At this time, there are high-level people within my Enterprise with a strong desire to utilize Skype as a toll bypass solution for their employees who travel internationally. The current costs to be avoided are significant spending on cell phone charges.
If the alternative is to provide our own solution to this problem, then it must be publicized as soon as possible and its adoption accelerated. Otherwise, we should not be surprised that our co-workers solve problems to the best of their ability with the resources available.
Either way, I’m not convinced that banning Skype without providing a viable alternative is an acceptable approach to solving the Business’ demand for some kind of softphone solution.
Posted in Security and Risk Management, VoIP | No Comments »
Skype and weeds
A friend of mine used to say, “You know how you kill a weed? You grow it to death.”
And buried down in the bowels of a Register Story about who might buy Skype, is this indicator that Skype might be learning a thing or two about growing itself to death:
In terms of technology, Skype has a real problem: it relies on “supernodes” - users who have direct Web access to a “real” IP address. The traffic in and out of normal nodes wouldn’t be capable of travelling between two subscribers; there are no inbound routes. So the software fakes a session through a supernode.
The problem seems to be: the number of potential supernodes is dropping, and the number of ordinary nodes - behind mapped addresses or firewalls, or both - is going up rapidly.
The result: quality of calls is falling. Bandwidth available is poor compared with a year ago.
This would be consistent with what we’ve seen in some informal testing I’ve been involved in. We thought it was related to quality issues in the implementation of their authenticated proxy support (and there definitely seem to be some issues there) or the overall load on our proxies, but perhaps we’ve been wrong.
If this is the case, then it looks like Skype’s free bandwidth lunch may be coming to an end. I see no reason why it wouldn’t be the case–I can now buy a Cable/DSL firewall/access point/print server/blender/kitchen sink combo at the grocery store right next to the extension cords and lightbulbs. Even the least computer-savvy people I know have bought and installed one. Okay…maybe I strongly encouraged them, especially if we were drinking, but the point is still that they all went out and did it!
But getting back to Skype… IP Bandwidth is cheap these days. I would think it would be easy for Skype to buy some IP access scattered around the country, set up some supernodes, and let the network do the rest. Unless they don’t have the cash, which seems highly unlikely considering how little this would cost since all they’re looking to do is augment the existing infrastructure.
This reminds me a little of the origins of Amazon.com. They were founded as an on-line bookseller who could beat the competition because they didn’t have to support a physical supply-chain infrastructure: they’d just order books from the publishers or dealers, then ship them along to the customer in return for some mark-up. It didn’t quite work out that way, though. These days, Amazon has massive “distribution centers” filled with inventory, workers, and fulfillment systems, none of them free.
I think that if anyone is working on a valuation for Skype, they should look long and hard at the assumptions about the viability of the pure peer-to-peer architecture and how much it’s going to cost to prop that architecture up as the supernode-to-non-supernode ratio continues to shift the wrong direction.
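To make the supernode-to-non-supernode ratio argument concrete, here is a toy model added for this page (not Skype’s code) that assumes, as the quoted story describes, that a node with a public IP can accept inbound sessions and act as a supernode, that a call between two nodes that are both behind NAT or a firewall must be relayed through a supernode, and that every pair of nodes places exactly one call:

```python
# Toy model of supernode relaying in a Skype-style peer-to-peer network.
# Added example, not Skype's code. Assumptions: a node with a public IP can
# accept inbound sessions and act as a supernode; a session between two nodes
# that are both behind NAT/firewalls must be relayed through a supernode;
# every unordered pair of nodes places exactly one call.
from dataclasses import dataclass
from itertools import combinations
from typing import List, Tuple


@dataclass(frozen=True)
class Node:
    name: str
    public_ip: bool  # True: reachable inbound, eligible to be a supernode


def make_nodes(total: int, behind_nat: int) -> List[Node]:
    """Build `total` nodes, the first `behind_nat` of them without inbound routes."""
    if not 0 <= behind_nat <= total:
        raise ValueError("behind_nat must be between 0 and total")
    return [Node(f"n{i}", public_ip=(i >= behind_nat)) for i in range(total)]


def needs_relay(a: Node, b: Node) -> bool:
    """A direct session works if either side accepts inbound connections."""
    return not (a.public_ip or b.public_ip)


def relay_load(nodes: List[Node]) -> Tuple[int, int, float]:
    """Return (direct_calls, relayed_calls, relayed_calls_per_supernode)
    when every unordered pair of nodes calls once."""
    supernodes = sum(1 for n in nodes if n.public_ip)
    relayed = sum(1 for a, b in combinations(nodes, 2) if needs_relay(a, b))
    direct = len(nodes) * (len(nodes) - 1) // 2 - relayed
    per_supernode = float("inf") if supernodes == 0 else relayed / supernodes
    return direct, relayed, per_supernode


def load_ratio(nat_fraction: float) -> float:
    """Closed form for large populations: the share of calls that are
    NAT-to-NAT (f**2) divided by the share of nodes able to relay (1 - f)."""
    if not 0 <= nat_fraction < 1:
        raise ValueError("need 0 <= f < 1")
    return nat_fraction ** 2 / (1 - nat_fraction)


if __name__ == "__main__":
    # Relay load per supernode climbs steeply as the NATed share grows.
    for nat in (2, 5, 8, 9):
        direct, relayed, per_sn = relay_load(make_nodes(10, nat))
        print(f"{nat}/10 behind NAT: {direct} direct, {relayed} relayed, "
              f"{per_sn:.1f} relayed calls per supernode")
```

With half the nodes behind NAT each supernode relays two calls in the ten-node case; at nine out of ten the lone supernode carries thirty-six, which is the "growing itself to death" curve in miniature.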
Posted in Security and Risk Management, VoIP | No Comments »
Just shoot me
A couple guys over at NetworkWorld pondered the question of How much encryption is ‘enough’ for VoIP? back in June:
“In fact, we’ll argue here that if anything, there is too much encryption of VoIP traffic. Why? It’s easy to encrypt IP traffic using techniques like IPSec and SSL, so any IP-based traffic - like VoIP - can be encrypted with minimal effort. In fact, many free or almost-free VoIP applications even encrypt traffic by default. Our concern here is that this readily available encryption makes lawful and appropriate monitoring of traffic for national security and law enforcement much more difficult than it should be.”
(emphasis mine)
That’s the same thing as saying, “We shouldn’t wear bulletproof vests in case the police decide they need to shoot us.”
Their core argument is, basically, that you never had crypto before, therefore you must not need it now, especially since it might be inconvenient to anyone who actually wanted to eavesdrop on your calls. Umm…Earth to NetworkWorld…that’s the whole point of encrypting: if they have to eavesdrop rather than just being able to ask me about it, then I don’t want them to know! And the risk of Bad Things happening to me or my Right to Privacy due to abusive use of eavesdropping far outweighs any potential, amorphous benefit that Law Enforcement will potentially gain by being able to easily spy on my voice traffic.
In a corporate setting, to deliberately avoid a safeguard, especially if it’s on-by-default (as is the case with many consumer VoIP implementations), on the off chance that someone might “need” to intercept (attack) your voice traffic is absurd.
To make matters worse, if your employer suffered any sort of significant incident after explicitly disabling a safeguard, you’re looking at a world of hurt which will probably start with unemployment and could possibly go as far as a civil negligence case if the company winds up in the press and feels the need to “look tough.”
While I wouldn’t go so far as to call the PSTN a well-manicured neighborhood, I still prefer Phil Zimmermann’s (creator of PGP) assessment of the situation in a recent Wired article about his new encrypted VoIP start-up:
“The PSTN is like a well-manicured neighborhood, (while) the internet is like a crime-ridden slum,” Zimmermann said. “To move all of our phone calls from the PSTN to the internet seems foolish without protecting it.”
I tend to agree with the person who wrote in to NetworkWorld (no link, unfortunately) about the original article and said:
“My view is that VoIP is in fact ‘inherently unsecure’ because so many people have access to the LAN infrastructure before it goes across the WAN.”
My approach to VoIP security has been to start from a similar assumption. It is inevitable that some risks must be accepted in the course of a deployment. What I’ve done, though, is look at the currently-understood threats within the context of our environment and provided recommendations to mitigate the risks which are either cheaply & easily-mitigated (like encrypting calls for certain key staff members) or which are significant, like the loss or unavailability of some or all of the VoIP infrastructure.
Network integrity and Layer 2 security top my list as being essential to ensuring Availability and QoS as well as reducing the risk of eavesdropping. I’m much more concerned about someone or something, either accidentally or deliberately, taking down the VoIP infrastructure with a worm, an exploit, or a poorly-implemented third-party tool or device than anything else. If we can secure the integrity of the switch fabric, the nature of switched ethernet will mitigate against many of the currently-identified network attack vectors as well as many other yet-unknown threats.
In certain situations, however, where privileged conversations may reasonably take place with some frequency, such as between senior staff, Legal or HR, encrypting calls seems a reasonable precaution given that most of these people will probably already have the capable hardware (nicer handsets which coincidentally also have the CPU power to do encryption). It simply becomes a matter of enabling it in those cases and accounting for the incremental memory & CPU increases on the VoIP servers.
This approach gives us redundant security in the places where a breach would have the greatest impact, provides some degree of future-proofing against vulnerabilities we are not currently aware of, and costs very little to implement.
A note: There’s a lot more to securing VoIP than just what I’ve listed here, but there are plenty of places you can look for more information.
Posted in Security and Risk Management, Risk Management, Network Security, VoIP | No Comments »
VOIP Fraud is still just fraud
I just finished reading an article on “VoIP Fraud: The Industry’s Best-Kept Secret,” and while it was interesting, not one of the frauds detailed in the story was VOIP-specific. For example…
The biggest issue is fraud, perpetrated by scammers who take advantage of lax international communications standards and regulations, and make thousands of minutes of calls through carriers — many of them fly-by-night operators — in places such as Afghanistan and Liechtenstein, who charge exorbitant rates for call termination, leaving the originating service provider with sky high bills and no one to charge for them.
Toll Fraud is nothing new. Credit card fraud is nothing new. Reverse Arbitrage is nothing new. Wire Fraud is nothing new. The only thing that’s new are the victims. While it’s unfortunate that VOIP carriers are getting abused by phone scammers, these are all well-known problems in the telecom industry. The large carriers mitigate some of the risk through their internal anti-fraud efforts and industry group sharing. The rest they’re generally large enough to absorb as a cost of doing business.
VoIP carriers don’t (yet) have these options. Many of them were caught off-guard by toll fraud and the ILEC sure isn’t going to do anything to help them survive. I wish them well. Hopefully they’ll be better-prepared when the scammers finally do something VoIP-specific.
Posted in Security and Risk Management, Risk Management, VoIP | No Comments »