Saturday, March 26, 2005
A Non-Governmental Organisation (NGO), Tactical Tech, based in Amsterdam, has an excellent report on its website on the use of the Skype software: what is known about how it works and what the possible threats might be. Here is the conclusion from the report, written by Simson Garfinkel.
With the increased deployment of high-speed (“broadband”) Internet connectivity, a growing number of businesses and individuals are using the Internet for voice telephony. This technique is called Voice over Internet Protocol (VoIP).
All telephone systems in the world use a microphone to turn sound waves into electrical signals and a speaker to turn electrical signals back into sound waves at the other end. But the techniques used for connecting microphones and speakers have seen considerable development over the past one and a quarter centuries. Early systems connected the microphone directly to the speaker using a copper wire. In the 1970s AT&T deployed the first systems that could transmit multiple phone calls over a single wire by converting each phone call into a stream of digital data. VoIP systems continue this evolution by taking independent digital streams, compressing them, breaking the streams into packets, and sending those packets over the Internet. Naturally, the process is reversed at the receiving end.
With a VoIP system two people can speak with each other by using headsets and microphones connected directly to their computers. Alternatively, a VoIP adapter can be used to convert electrical signals from a standard analog telephone to Internet packets. VoIP gateways interconnect the Internet-based systems with the world-wide Public Switched Telephone Network (PSTN). Typically there is a fee for using such gateways. Companies like Vonage sell consumers a package that includes a VoIP adapter and use of the Vonage VoIP gateway, giving Vonage customers the illusion that they have a standard PSTN telephone, the only difference being that the Vonage adapter connects to a cable modem or home network, rather than connecting to a pair of wires that leads back to the telephone company’s central office.
Overall, Skype appears to offer significantly more security than conventional analog or ISDN voice communications, but less security than VoIP systems running over virtual private networks (VPNs). It is likely that the Skype system could be compromised by an exceedingly capable engineer with experience in reverse engineering, or by a suitably motivated insider.
When using Skype, the following recommendations may be helpful:
1. Make sure that any computer used for Skype is free of all spyware, adware, remote-control programs, worms, and computer viruses. All PCs running the Windows operating system should be equipped with up-to-date anti-virus and anti-spyware programs.
a. A free anti-virus program is available from http://www.grisoft.com/
b. A free anti-spyware program is available from http://www.lavasoftusa.com/
c. Although there is probably little risk in using Skype to communicate with KaZaA 3.0 users, KaZaA 3.0 should not be used as a substitute for Skype given the potential liability created by the exchange of copyrighted files without the permission of the copyright holder.
2. The username/password combination used for Skype shouldn’t be used for anything else.
3. The username used for Skype shouldn’t be readily identifiable. It should have no relationship to the user’s name, organization or occupation.
4. Both Skype usernames and passwords should be changed on a regular basis if the Skype network is used for any kind of sensitive discussions. Changing usernames makes it harder for an adversary to track the actions of the user. Changing passwords reduces the window during which a compromised password will be useful.
5. Skype users should assume the Skype system could become permanently unavailable at any moment. As a result, they should always have alternative techniques for contacting each other.
6. Do not assume that the person behind a Skype username today is the same person that it was yesterday. Somebody could be sitting down at your associate's computer and using Skype without their permission, or their account may have been hijacked. Always independently verify the identity of a person that you are communicating with if sensitive material is going to be exchanged.
7. Although Skype insists that its voice system cannot transfer a virus, there is no evidence of this claim. In particular, a buffer-overflow in the voice decoder would enable another Skype user to execute commands on any system that the user was in contact with. Furthermore, Skype can be used to transfer files; these files can contain viruses or spyware.
8. Remember, just because Skype is apparently encrypted, the conversation is decrypted at the other end. There is no way to assure that the person you are communicating with is not, themselves, recording the conversation in which you are engaging. Using encrypted communications is no substitute for being careful about what you say.
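Recommendation 7 above turns on a single defensive point: a voice decoder that trusts a length field from the network can be made to write past its output buffer. The following C example is added here to illustrate the mitigation; it is not code from the report, from Tactical Tech or from Skype, and the frame layout (a codec id byte, a big-endian sample count, then 16-bit PCM samples) is a constructed, hypothetical format chosen only to show where the checks belong. Every value used to size a copy is validated against both the output capacity and the bytes actually received before any sample is written.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical frame layout, constructed for this example (not Skype's real codec):
 *   byte 0     : codec id
 *   bytes 1..2 : declared sample count, big-endian
 *   bytes 3..  : 16-bit little-endian PCM samples
 */
#define FRAME_HDR_LEN 3
#define MAX_SAMPLES   320   /* fixed output buffer: 20 ms of audio at 16 kHz */

/* Decode one frame into `out`, which holds at most `out_cap` samples.
 * Returns the number of samples written, or -1 if the frame is malformed.
 * The declared count is checked against both the output capacity and the
 * payload actually present, so a wire value can never drive an out-of-bounds write. */
int decode_frame(const uint8_t *pkt, size_t pkt_len,
                 int16_t *out, size_t out_cap)
{
    if (pkt == NULL || out == NULL) return -1;
    if (pkt_len < FRAME_HDR_LEN) return -1;            /* truncated header */

    size_t n = ((size_t)pkt[1] << 8) | pkt[2];          /* untrusted sample count */
    if (n > out_cap) return -1;                         /* would overflow output buffer */
    if (n > (pkt_len - FRAME_HDR_LEN) / 2) return -1;   /* payload shorter than declared */

    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = pkt + FRAME_HDR_LEN + 2 * i; /* in bounds: checked above */
        out[i] = (int16_t)(p[0] | (p[1] << 8));
    }
    return (int)n;
}

int main(void)
{
    int16_t pcm[MAX_SAMPLES];

    /* Constructed frames: one well-formed, one claiming 65535 samples, one cut short. */
    const uint8_t good[]      = {0x01, 0x00, 0x03, 0x34, 0x12, 0xFF, 0xFF, 0x00, 0x80};
    const uint8_t oversized[] = {0x01, 0xFF, 0xFF, 0x00, 0x00};
    const uint8_t truncated[] = {0x01, 0x00, 0x03, 0x34, 0x12};

    printf("good:      %d samples\n", decode_frame(good, sizeof good, pcm, MAX_SAMPLES));
    printf("oversized: %d\n", decode_frame(oversized, sizeof oversized, pcm, MAX_SAMPLES));
    printf("truncated: %d\n", decode_frame(truncated, sizeof truncated, pcm, MAX_SAMPLES));
    return 0;
}
```

The two rejected frames are exactly the shapes a length-trusting decoder gets wrong: a count larger than the output buffer, and a count larger than the bytes that actually arrived. A decoder that rejects both, as a malformed frame rather than an error to be "recovered" from by copying anyway, closes the class of defect the report warns about.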