Locking down Skype

As one of the pioneers in the advent of internet telephony, Skype is a technological innovation which has risen in popularity over the last few years.

Nine million users cannot be wrong - over a reasonably fast internet connection, voice quality on Skype is sufficient to very good and users only need to employ basic hardware to connect.

Cost-wise it is also hard to beat as it is free when calling from any Skype-enabled PC to another Skype-enabled PC. Furthermore, international calls to landlines or mobiles are competitively priced.

Clearly, the widespread adoption, quality, and price of calls made with Skype and Voice over internet Protocol (VoIP) looks set to change the global landscape of telephone communications worldwide.

Internationally and in New Zealand, an increasing number of SMEs are including a Skype account as part of their business contact details.

The prevalence of Skype is such that just last month the Number Administration Deed (NAD), the New Zealand self-regulatory body that manages the register for the entire pool of phone numbers with the +64 suffix, sold 90,000 unallocated local numbers to a Skype middleperson.

This attracted criticism from the Telecommunications Users Association (TUANZ) for jeopardising the integrity of the New Zealand phone system.

Opening Pandora's Box

From a security viewpoint, the blurring of boundaries between traditional communication networks and the ambiguity of VoIP clients such as Skype can open a "Pandora's Box" of sorts when it comes to security integrity. There are several inherent security risks to permitting the use of Skype within an enterprise environment:

- Skype includes the ability to send and receive files similar to other peer-to-peer (P2P) programs and services.

- Because the file transfers are over a proprietary encrypted channel (similar to HTTPS) the inbound file transfers can effectively bypass enterprise gateway security mechanisms in the same way P2P networks do not have to rely on a central server.

- In this manner, confidential corporate data from within the enterprise could potentially be sent out over a Skype encrypted channel.

- Although Skype offers the ability to set a registry key to disable file transfers, a knowledgeable user can simply change the key, restart Skype and turn the feature back on.

- Skype offers a chat capability that also utilises the encrypted channel. This can potentially hide chat communications from current chat control mechanisms that have been deployed to achieve Sarbanes Oxley (SOX) compliance.

- The lack of centralised telephone call records could potentially be another SOX compliance issue.

Dousing Firewalls

Yet another potentially disturbing aspect of Skype is its ability to tunnel though firewalls without the user ever having to write a single line of code.

Some products have begun adopting the use of Skype for its firewall-piercing capability, such as the Timbuktu Pro operating system which uses a Skype tunnel via the Skype API to automatically navigate through firewalls and routers to provide remote access and control to a workstation or home PC.

The tunnel is created without the need for an active Skype call.

To the hacker, this convenience also creates a myriad of opportunities for abuse. Botnets are a collection of compromised zombie computers running malicious programs under a common command and control infrastructure.

A botnet's originator (or "botnet herder") can control the group remotely, usually through a chat client and commonly for nefarious purposes. Skype is reportedly quickly replacing ICQ as the communications channel of choice for the management and control of for a number of reasons:

- Its firewall piercing capability

- The added resiliency that the use of P2P communications network provides

- If authorities or a network administrator takes down a command and control node, the P2P network simply begins accepting orders from another node in the P2P network.

- With more than 5,000,000 Skype users typically on line at any one time, the traffic from a botnet herder to the individual zombie computer he/she controls via Skype will simply blend in with the other "normal" internet traffic

Skype-related Malware

Over the past six months, two different worms/Trojans associated with Skype have emerged and been documented.

- A variant of the MyTob Trojan (AKA FanBot) disguised as a copy of Skype version 1.4 was being distributed via spam email across the internet. Any email recipient who clicked on the attachment was quickly compromised.

- A Skype-specific Trojan, Warezov, appears as a chat message with the text "Check up this". If clicked by the user, additional malware is downloaded to the PC, installing a key logger and sending the same message to each person in the user's Skype address book.

Reverse-engineering

A Chinese firm has reportedly reverse-engineered the Skype protocol and created their own client. This could potentially derail eBay's (which owns the Skype group) predicted revenue model whereby advertising would be an integral part of the otherwise free internet telephony client.

Given a choice between a client with integrated advertising and one without, it is likely that users will opt for the latter, paving the way for dubious software developers in the VoIP arena and making it harder for enterprises to monitor an increasing assortment of chat clients.

Enforcing Skype policy

Enterprises need to enforce a secure environment in which only the proxies/firewalls are strictly allowed to establish connections to servers outside the company. Skype will use various ports for connection, which is easy against a loosely-configured firewall.

Only some proxies and individual isolated servers should have access to the internet. The firewall rules have to reflect this setup.

Using a Web Gateway Security product, such as Secure Computing's Webwasher, users can identify the Skype executables as unwanted by making use of the Generic Body Filter. Secure Computing's proprietary fingerprinting method will identify the Skype executable installer based on its unique binary pattern and not on a name, which can be changed easily.

The preferred connection method of Skype is UDP, and if unavailable Skype switches to TCP-based connections on ports which were previously used for Skype connections. In cases where those are not open, Skype will use ports 80 and 443 as fallback ports, which are open in general for web access.

Enterprises need to employ a SSL Scanner in order to block outbound Skype connections from the network. Skype utilises external ports 80 and 443 via SSL, but because Port 80 is not seen as a common SSL Port in the default setup of Secure Computing's Web Gateway Security, connection requests to this port are already blocked on a network level leaving only Port 443 for Skype's connection attempts.

These SSL connections are not real SSL and will not be able to fulfill an SSL handshake with the target servers or supernodes. This will stop the requests from being sent outside.

Skype, as well as the Skype API in their current forms prohibit any reliable methodology of security policy enforcement and as such should not be utilised anywhere within the enterprise environment.

Because of the aggressive nature of Skype and its firewall-piercing capabilities, administrators must vigilantly provide technical safeguards and employ effective security solutions to prevent the unauthorised usage of Skype within the enterprise.

US-based web security blogger Paul Henry (MCP+I, MCSE, CCSA, CCSE, CFSA, CFSO, CISSP, CISM, CISA, ISSAP, CIFI)is Vice President of Technology Evangelism, Secure Computing.