
Security expert comments on Skype security white paper

The Skype Forum is buzzing with commentary on Tom Berson's security white paper, most of it from sidewalk superintendents.

I thought I would find an industry specialist to talk with.

Please meet Michael Gough.


Security consultant, trainer, author.

Michael, what were your first thoughts when you read Tom Berson’s white paper on Skype Security?

“Nothing custom; nothing home grown. The fact that Skype followed industry best practices helped to ease my concerns and those in my field as to how Skype actually implemented their encryption scheme.”

Tell me how secure the Skype encryption is.

“Skype uses 256-bit AES to encrypt every session between users. More importantly, this encryption changes each time you contact someone via IM, file transfer, or a voice call. So if some malicious person managed to capture all the data and managed to figure out your AES key, it would be worthless for the next call you make with Skype. Cracking the AES key would take someone roughly 20 years, so it’s not very probable. The U.S. Government uses AES to encrypt sensitive data, so it is considered secure enough for the computing power available to us today.”

Michael, on page 10 Tom mentions a problem in WEP, the security protocol for my wireless router. What is Tom referring to? Is my wireless router not secure?

“No Bill, your wireless router does not give you much security! At least your Skype traffic flowing through your router is safe, but other traffic is not. To put the two systems, AES and WEP, in perspective: as I said earlier, it would take about 20 years for someone to crack AES; however, it would take only a few hours to a few days to crack WEP. Now remember that big security code you put in your router when you enable WEP. Well, you need to change it every day to beat the bad guys! WEP’s got problems. That is why it has been replaced by WPA and other options.”

“So you see, if the experts who worked on security for the IEEE 802.11 security protocol could introduce this sort of hole, is it any wonder security professionals in corporate America are so worried about what some hacks in Estonia would create for a free voice-on-the-net product? So Tom’s paper helps to clarify exactly what they did and how they do encryption.”

Michael, I have only talked to a handful of security people. They are all anal. They are all impossible to please. So you told me the good news; now fill me in on the bad news.

“Tom found some code issues, didn’t he? Well, are they fixed yet? Where is the proof? How will Skype continue to test their security with third parties like Anagram Labs? Security is an ongoing process, and one security evaluation will not be enough to convince the biggest of security skeptics.”

Thanks Michael. I am sure you will hear from me again soon as we get more feedback from IT professionals on this white paper.

“Bill, I would add that it is safe to say a company needs to look at its security policies and how it would use Skype, but in my professional opinion, the way Skype has implemented security and encryption should fulfill many companies’ requirements for a secure voice client solution. It all depends on how it will fit into your network infrastructure and fulfill each particular company’s business needs as far as how to use Skype effectively.”

Michael is a computer security consultant and delivers security consulting services to clients of the Fortune 50 company where he works. He has been at it for 18 years. He also presents for his company at many trade shows and conferences, works with associations and groups, and advises agencies such as the FBI on Skype security and the Center for Internet Security on wireless security. Michael knows Skype. He is the man behind the popular websites www.SkypeTips.com and www.VideoCallTips.com and the main author of "Skype Me" from Syngress Press. The book will be available in December and will be followed by a video call book.
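Michael's point that a fresh key protects every session, so a key recovered from one call is worthless for the next, as an added example that is not code from this page or from Skype. The program below is a constructed illustration in Go: it draws a new 256-bit AES key for each session, encrypts traffic under AES-GCM, and checks that the key of one session fails to open the other session's traffic. The random per-session key, the nonce-prefixed message layout and the function names are assumptions for illustration; Skype's actual key agreement is not described on the page.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Session holds one call's key material. A fresh random 256-bit key is drawn
// for every session (an assumption for illustration; Skype's real key
// agreement is not shown on the page), so compromising one key tells an
// attacker nothing about the next one.
type Session struct {
	Key  []byte      // 32 bytes: AES-256
	aead cipher.AEAD // AES-GCM, which also authenticates the ciphertext
}

// NewSession draws a fresh 256-bit key from the OS CSPRNG.
func NewSession() (*Session, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return SessionFromKey(key)
}

// SessionFromKey builds a session around an existing key, e.g. one an
// attacker has recovered from a captured session.
func SessionFromKey(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Session{Key: key, aead: aead}, nil
}

// Seal encrypts and authenticates one message; the random nonce is prepended
// so Open can recover it. Nonces must never repeat under the same key.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return s.aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a message produced by Seal. With the wrong key the GCM tag
// check fails and an error is returned instead of garbage plaintext.
func (s *Session) Open(ciphertext []byte) ([]byte, error) {
	ns := s.aead.NonceSize()
	if len(ciphertext) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, ciphertext[:ns], ciphertext[ns:], nil)
}

// StolenKeyOpens models the attacker in the interview: they captured traffic
// from session b and hold the key of session a. It reports whether a's key
// decrypts b's traffic (true only when a and b share a key).
func StolenKeyOpens(a, b *Session, msg []byte) (bool, error) {
	ct, err := b.Seal(msg)
	if err != nil {
		return false, err
	}
	attacker, err := SessionFromKey(a.Key)
	if err != nil {
		return false, err
	}
	_, err = attacker.Open(ct)
	return err == nil, nil
}

func main() {
	call1, _ := NewSession()
	call2, _ := NewSession()
	msg := []byte("constructed sample: hello from call 2") // constructed input
	same, _ := StolenKeyOpens(call1, call1, msg)
	cross, _ := StolenKeyOpens(call1, call2, msg)
	fmt.Printf("key of call 1 opens call 1 traffic: %v\n", same)
	fmt.Printf("key of call 1 opens call 2 traffic: %v\n", cross)
}
```

The check that matters is the second one: because every session starts from an independent key, a captured key decrypts only the session it came from, which is the property Michael describes. Note that this says nothing about how the two parties agree on that key in the first place; that exchange is where a real protocol review spends its effort.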


Comments

Very interesting. Thanks.

Let me put my broom down a minute to respond. How about addressing these questions to the security expert?:

- Do you believe the report is complete, since neither Skype on OS X, Linux, nor the gateways (SkypeIn/SkypeOut) are addressed (or some elements even mentioned) in this report?
- Is this really a 'security' report, or really a report on Skype's cryptographic implementation?
- What about corporate security and the ability for Skype to circumvent border security such as anti-virus on incoming files?
- How about the fact that Skype sends out passwords in plain text to user's email?
- What about organizations concerned with security coupled with compliance?

Always easy to slant the interview to the outcome you want, how about asking the hard questions?

Good points by Muppet, but nearly all systems have security issues. As with QoS, the key question, from a marketing point of view at least, is whether it is secure enough.
Like Bill says, all security guys I ever talk to are completely anal and impossible to please.
Ask yourself this, is Skype more secure than POTS? Nuff said, I'm off to buy some cinema tickets by phoning someone on a completely unencrypted line and give them my credit card details. Am I worried!? ;)

This falls under the broad category of risk management. Encryption addresses the threat of eavesdropping to a degree. If a conversation is encrypted, the easiest point of interception is to tap the devices (PCs, headsets, PDAs, smart phones) that channel data produced by people's bodies (microphones and cameras) and consumed by people's bodies (displays and speakers/headphones). If Skype packets give up sender and recipient IP addresses, then those devices can be identified and tapped. Successful end to end encryption just means that the point of interception must be closer to the conversing parties instead of somewhere in between them.

Other threats can be inventoried and their risks in a Skype context assessed, exposure to those threats (chances and consequences) compared to other communication tools and practices, and costs-benefits-risks balanced against personal and institutional criteria. This report is a good first step. As Skype and others continue on this path, we'll all be able to make better choices about when and how to use our tools.

Enterprises are concerned about security, not only encryption. Skype is an application that goes out of its way to circumvent standard IT security architectures and policies. This report does nothing to address those critical points.

Further, this report is not certification, but simply one security consultant giving his opinion. Great conceptually on Skype's part, but poorly executed as a half-measure.

I agree with the last "excerpt" by Michael: "It all depends on how it will fit into your network infrastructure and fulfill their business needs for each particular company as far as how to use Skype effectively". Personal usage is by far different from enterprise usage.

The recent security announcements are indeed unfortunate, they seem to have no mention of the security report, i.e. were they pointed out by the security report? were they discovered after review procedures suggested by Anagram? MarCom spin on this seems to be nil!

Given that there is no mention, the ultimate conclusion of the user community is going to be that Mr Berson has the gravitas of a blimp, and marketing has shot itself in the foot, by drawing attention to security right before they have to disclose the bad news!

Reading the report, it's not entirely clear what was and was not in scope, but that is just bad consultancy, so there's no hiding place there.

To be honest, I think that Anagram has been let down by Skype, they should have gone for a joint press announcement on these issues, rather than Skype just blurting out the news.

It all emphasises the amateurish nature of the Skype company, and shows how little you have to know to get $4 billion!

Hey Paul!

Interesting comment, "amateurish nature". Yes I agree they are still a start-up.

However, Tom did identify the bug and note it in his report. This bug/flaw http://www.skype.com/security/skype-sb-2005-03.html is the same bug that Tom identified: the problem alluded to in Tom's report concerning ASN.1 is actually the same one.

I agree also with your comment about scope. The report should have been more clear that this was strictly about encryption.

However, that said, it was an excellent and much needed white paper.

Thanks for joining in...

Regards, Bill

Bill,
All the more reason that there should have been a joint press release by Anagram and Skype on these security issues. There were actually 2 issues, one with the URI buffer overflow (only Windows) and one with the heap (all platforms).
It doesn't take much to put a positive spin on the discovery of these problems shortly after a security review! Any half-technically aware Marketing person should have realised that and made damn sure nothing negative was said about security in the weeks following the publication of the report unless Anagram were there to explain it.
Also, it isn't clear to me that the URI issue is the same one Tom raised in the report, but if it was, then the way they released it is even more stupid.
I also read in the report that the review was on version 1.3 of the code?!

skype is more secure than POTS. even our government isn't crazy about it because they can't tap it.
