5

I am trying to write a security opinion that may influence policy in the future in the Enterprise-grade network which I work to protect regarding the use of Skype on the networks, and security risks thereof. I have been trying to find recent analyses of Skype from a security standpoint, but I am unable to find more recent analyses (older than 2011 is what I have been finding).

Is anyone able to link me to a more recent analysis of Skype security, or help outline the security risks of Skype such that the security opinion is more complete?

(Security research briefs, whitepapers, etc. are generally what I'm looking for)

Thomas Ward
  • What makes a report from before 2011 inaccurate exactly? – Ramhound Jul 09 '12 at 12:50
  • I allow the use of any software, and I do risk analysis, but any risky software is enforced to be used in the correct way. So it's not Skype to focus on, but the business network, systems, and so on. – Andrew Smith Jul 09 '12 at 13:21
  • Unless these 2011 reports (note that the ones I've found are *older* than 2011) are just as accurate as a more recent report, I'd prefer a recent report. – Thomas Ward Jul 09 '12 at 13:21
  • @LordofTime - There might not be reports. I would use the reports you have found until such time as you find a newer report. – Ramhound Jul 09 '12 at 15:55
  • @Ramhound indeed, although my use of "reports" was in error. I was meaning something more along the lines of what Mark posted below, white papers and research documentation (which somehow was hidden from Google searches and in-depth searches for specific information). Thanks to Mark for the information! – Thomas Ward Jul 09 '12 at 16:15

2 Answers

5

I believe the reports before 2011 are valid. The architecture of Skype hasn't changed since before then afaik. This type of report has been done before by many folk that I've known or worked with as well as myself. I can't give you the finished working papers obviously as it's essentially PII but here's some papers that research was based upon (apologies if you already have them) -

You'll also find that the vendors will regularly publish KBs in relation to Skype and how their new filter/feature extends Skype detection/analysis so it'd be a good bet searching through the Web Proxy vendor (Intel/McAfee, Cisco Ironport, Websense, Bluecoat, Trend, Symantec - trying not to show any bias - etc) Knowledge Bases.

Mark Hillick
  • The research papers you have linked are excellent. The Bluecoat reports seem to concur with the other, older-than-2011 reports I did find myself. Thanks for providing these links. – Thomas Ward Jul 09 '12 at 15:54
  • No problem, glad to have helped. I've successfully used them in the past. – Mark Hillick Jul 09 '12 at 15:55
  • 3
    Apparently Skype [replaced p2p supernodes](http://arstechnica.com/business/2012/05/skype-replaces-p2p-supernodes-with-linux-boxes-hosted-by-microsoft/) in May 2012, which may change some concerns. – Stennie Jul 13 '12 at 10:52
0

I know you mentioned you're interested in newer reports. There are 2 very interesting papers from 2006 (Vanilla Skype part 1 and part 2) that deal with Skype cryptography, reverse engineering, traffic analysis, and security concerns (data exfiltration, backdoor, risks when used in sensitive business). Surely many things changed, but the methods described in the papers are very instructive.

liviu