RSS

Skype Security

Mon, Oct 16, 2006

Security How To's

I use Skype fairly regularly as do many people I know. In fact, you can Skype me at chrisharringtonor leave me voicemail at 603-397-3392 (also Skype). Over the past couple months I have seen some interesting information and links on Skype and it’s security and anonymity. I thought I would share some of these.

Anonymity
Skype is basically Voice over IP (VoIP) using some peer to peer (P2P) technologies. I am not going to go into the details here. If you want to learn more about how Skype works check out this link. Since Skype is P2P based many people believe that there is an inherent security, due to the multiple peers involved with the call. This is simply not true . If it has an IP address it is traceable to some extent. Kobi Alexander (former CEO of Comverse and Federal Fugitive) found this one out the hard way. He placed a one minute Skype call which investigators traced to Sri Lanka. He was arrested in Namibia shortly after. George Mason University has published a paper on Tracking Anonymous PeertoPeer VoIP Calls on the Internet. It’s an interesting read.

Disabling Super Node
Skype has the ability (and authority under the EULA you didn’t read) to use your PC as a Super Node. Skype uses Super Nodes to route Skype phone calls. If you have a reasonable fast processor and fast Internet connection your PC may be tasked with being a Super Node. The concern here is that Skype could plug up your network with calls being routed to other Skype users. This was enough of a concern to the folks at Fermi National Accelerator Laboratory that they wrote a how-to on disabling super node / relaying in Skype.

**DISCLAIMER:** Disabling Super Node is Skype *may* be in violation of their Terms of Service. I have not read closely it so I do not know for sure. Proceed at your own risk and I take no responsibility.

Disable File Transfer & API access
Transferring files using IM / Chat / VOIP clients has been problematic at best because of the risk of passing malicious files. Most commercial AntiVirus vendors don’t have tight integration with these types of products. There are AV plugins for Outlook and IE but not may for Trillian or mirc. The Skype Security Blog has a post on Disabling File Transfers.

On that same blog post is a procedure for disabling access to the Skype API. As the saying goes, if you don’t need it…don’t turn it on.

There is also a good whitepaper on Skype security by Simson Garfinkel here.

–Chris

This post was written by:

Chris Harrington - who has written 153 posts on InfoSecPodcast.com.


Contact the author

Leave a Reply

Related Posts from the Past:



Bad Behavior has blocked 1577 access attempts in the last 7 days.

Rodney's 404 Handler Plugin plugged in.