Skype in the Enterprise

By: Richard "Zippy" Grigonis

Skype (News - Alert) is the most popular IP-related communications program in the world. As of December 31, 2007 Skype had 276 million user accounts, and 12,051,566 concurrent Skype users were online as of February 18, 2008. Skype’s popularity stems in part from enabling users to make free Internet phone calls to other Skype users, and for conventional phone users to communicate with Skype users for a relatively small fee (via the SkypeIn and SkypeOut services). Skype can also do instant messaging, file transfer, short message service, videoconferencing and it runs easily because it can effortless penetrate firewalls. And it’s estimated that about a third of Skype aficionados are using it for business purposes. So it’s okay for the enterprise, right? Well, sort of. . .

One of Skype’s greatest strengths, being able to poke a hole in a firewall to communicate with the outside world, is also one of its scariest features. It’s so effective, other software products piggy-back on Skype’s firewall-penetrating ability. For example, Timbuktu Pro is a desktop-to-desktop remote control program enabling users to connect to, collaborate with, and control remote machines through a Skype tunnel with other Timbuktu Pro users. Users can even launch a Skype Internet telephony call from within Timbuktu Pro. Timbuktu Pro leverages Skype’s API to automatically navigate through routers, firewalls, and NAT devices. The advantage is that, whether you’re on the road, in the office, or at home, you can place Skype calls and show and share your desktop over Skype remote desktop connections. The disadvantage that you have to pay attention to is the security aspect (or lack thereof?).

Instead of SIP (Session Initiation Protocol (News - Alert)) Skype uses a proprietary protocol that operates on an almost totally decentralized and distributed overlay peer-to-peer (P2P) model, which is why the amazingly scalable Skype network could quickly grow to nearly 280 million accounts without a huge central directory and server farm/datacenter, as one would require in a client/server model. Being a P2P model, like the Internet, Skype can survive disasters. If a natural catastrophe occurs (or if your boss or local tyrannical government official takes down a command and control node) the P2P network will accept orders from another network node. The VoIP client was developed by KaZaa in 2003. The peer nodes fall into three categories: Super Nodes, Ordinary Nodes and the Login Server.

An Ordinary Node is the Skype client application software running on your host computer. Each Skype client builds and refreshes a table of reachable nodes, called the host cache, which is stored in the Windows registry for each Skype node. The host cache contains the IP addresses and port numbers of the Super Nodes. All Super Nodes in turn connect to Skype’s only central device, the Login Server, situated in Denmark. The Login Server is used to verify your Skype Name, your email address and an encrypted version of your username password. Communication is done via RC4 encryption. When you load Skype, it reads the date from the host cache, takes the first IP address and port from the table, and attempts to connect to that particular Super Node by sending to its address a UDP (News - Alert) (User Datagram Packet) and awaiting a response. If no response arrives after five seconds, it sends a TCP packet to the same address. It attempts to forge a TCP connection to the host cache IP address and port 80 (the HTTP port). If unsuccessful, it tries to connect via port 443 (HTTPS port). If that Super Node is no longer connected to the network, your computer reads the next entry in the table. If there is no connection to any Super Node in the table, then Skype returns a login error upon start-up.

If you run Skype and you aren’t using a firewall, have good bandwidth and a reasonably powerful CPU, your host may find itself transformed into a Super Node without your knowledge or permission, in which case you’ll notice a performance hit, since Skype routes calls through fellow Skype peers on the network and provide data routing for users behind certain firewalls.

Banned in Boston?

For this reason, some organizations such as universities have banned use of Skype. For example, Oxford University, the University of Minnesota, the University of Texas, the University of California’s Santa Barbara and Dominguez Hills campuses, and Jose State University (which, ironically is not far from Skype’s parent company, eBay (News - Alert)) have banned Skype because of security concerns and excessive Super Node bandwidth consumption (about a gigabyte a month). The Pharmaceutical giant Novartis in Basel, Switzerland bars employees from using Skype. So does Goldman Sachs and the German chemicals colossus, Degussa. The French ministry of research discourages Skype use in all French public universities and laboratories working on high security projects. The Max Planck Society, a German government-funded research organization has outlawed use of P2P software (Skype in particular) at all of its institutes. Fermilab in Chicago takes a different tack, telling its employees how to disable the Super Node process.

In 2005, Info-Tech Research Group published a research note titled “Five Reasons to Ban Skype” that 17 million people (at that time) were using Skype for business purposes, but that Skype was not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls. It also said that much of Skype’s technology is closed source and subject to man-in-the-middle attacks; enterprises can’t communicate with countries and institutions that have banned the service; Skype is undetectable, untraceable, and unauditable, putting organizations at risk that are subject to retention laws such as imposed by HIPAA, Sarbanes-Oxley, etc. Securities brokers, for example, must record and track all of their phone calls.

Later that same year, Skype hired security expert Tom Berson who audited the technology and found two problems that were fixed in October 2005. Berson rated Skype “secure and reliable”.

A year later, a third party paper analyzing Skype was presented at Black Hat Europe 2006. It noted that Skype has blind trust in anything speaking the Skype protocol and there’s a lack of privacy. Skype has the keys to decrypt calls or sessions. The paper also revealed that Skype makes it difficult to enforce a corporate security policy and that there is “no way to know” if Skype’s programmers (or somebody else) has created a backdoor to the program, thus converting it into a Trojan.

To assuage your concerns, eBay/Skype maintains a Skype security page at www.skype.com/security/safety, where you’ll find Skype Security Bulletins.

There’s also a Skype Security Blog at http://share.skype.com/sites/security, where you’ll find such tips as these: “We’ve seen some instances where a chat message masquerading as a link to an image file instead leads to a piece of malware,” and, “We recently disabled the ability to use Skype’s Live tab to download clips from the Dailymotion and Metacafe video galleries. We took this step as a cautionary measure after security researchers found a vulnerability in Skype 3.5 and 3.6 for Windows that would have allowed an attacker to execute arbitrary code on a Skype user’s Windows PC without their consent. As we said in our post on January 18, the measure would be temporary. That is, until an official fix to the vulnerability would be made available. We are pleased to report that the core vulnerability has now been addressed and a fix is included in the latest build of Skype for Windows, 3.6.0.248.”

Skype, like many U.S. companies, has cooperated with the Chinese government in the development and implementation of Internet censorship in the People’s Republic of China. Skype has a joint venture with TOM Online (News - Alert), involving a co-braded version of Skype called TOM-Skype, available in mainland China. Chinese citizens attempting to download the Skype client are redirected to a TOM Online site where the modified Chinese version is available for download. Dissidents and activists in China worry that the Chinese version could become (or already is) a trojan that will collect information on users. What is known is that TOM’s “guidance” to Skype about how to cooperate with local laws and regulations in China involved placing a text filter of words that are not displayed in TOM-Skype text chats. Also, although SkypeOut calls are not permitted, Chinese users can access SkypeOut by downloading the software directly from the Skype website. At least one other Chinese company has successfully reverse-engineered the Skype protocol, as did a group of Chinese hackers in 2006.

But Skype Marches On!

While the rest of the world dickers with all of these issues great and small, interesting third-party software continues to appear that works in concert with Skype.

For example, if there are people in your organization providing customers service, OnState (News - Alert) CallCenter for Skype from OnState is a customer contact management solution requiring no hardware or special software. The service provides customers with local, national and toll-free numbers in over 20 countries, automatically call back visitors on your web site, delivers chat support online, responds to customer inquiries anytime or anyplace where Skype can go, and can easily scale along with your business. Customer service capabilities such as skills-based routing, customer segmentation and detailed reporting and analytics are included. Moreover, customers can contact you through their medium of choice, via phone, mobile phone, from your website, via chat, leave a voicemail message, or automatically schedule a callback. On your end, your agents and employees only need the OnState Plug-In for Skype.

PrettyMay Call Center for Skype (PMCCS) from PrettyMay Team is also a 100 percent software-based call center solution for Skype, enabling SMBs to quickly implement a “Skype PBX (News - Alert)” system with auto-attendant, Interactive Voice Response (IVR), extension transferring, call recording and personalized voicemail capabilities, etc. With PMCCS, you can set up your Skype account as an IVR system. In its current version, PMCCS supports up to 30 simultaneous Skype or SkypeIn lines without any extra hardware.

Additionally, the Convenos Meeting Center from Convenos is a web conferencing and collaboration solution that works seamlessly with Skype as a “Skype Extra” plugin. You access the Convenos Meeting Center through the “Do More” menu on Skype or in the online extras gallery. Convenos can be used to share files, presentations, applications or your desktop while making a Skype call.

So, if you’re not working with high security material and are free from paranoia about freebie software run under the auspices of your employees, Skype’s millions of users await to speak with you. IT

Richard Grigonis (News - Alert) is Executive Editor of TMC’s IP Communications Group.

Convenos (www.convenos.com)

eBay/Skype (www.skype.com)

OnState (www.on-state.com)

PrettyMay (www.prettymay.net)

» Internet Telephony Magazine Table of Contents