Newsmaker: What threats does Skype face?

In late December, a security firm sent out an alert that a worm was spreading via Skype. It turned out to be a false alarm.

No worm has spread on Skype, and while security experts have painted a target on the popular Internet telephony application, its defenses have been pretty solid, according to the company's chief security officer, Kurt Sauer.

That's not to say there is no work to be done on security at Skype, part of eBay. The company is looking at integrating payment features, which obviously need securing, Sauer said. Also, Skype is in talks with security companies to provide add-ons to its software to secure text-based communications, he said.

Skype is often described as a boon for security because all calls are encrypted and there is no central server that could be targeted in a cyberattack. However, the application has also caused headaches for many IT administrators because it can find ways to make a Net connection despite strong firewall controls on corporate networks.

Sauer took a break from Skype security for an interview with CNET News.com, accompanied by Chief Operating Officer Michael Jackson.

Q: What do you do as chief security officer for Skype?
Sauer: I came to Skype three years ago. I came from Sun Microsystems, where I was doing work on peer-to-peer authentication. I came to audit the cryptography work that had been done in the Skype client as it existed. Since then, I've taken on the role of overseeing the security architecture of the Skype product family. That's grown into also dealing with incident response for security vulnerabilities. Since the acquisition by eBay, I also look at things like Sarbanes-Oxley compliance for security.

How significant a part of your job is dealing with security vulnerabilities in the Skype client?
Sauer: There are teams of people who are responsible for dealing with a lot of the nuts and bolts. Security of the architecture and where we're driving the product probably takes up about half my time. The other half is spent on compliance-related issues.

Do you see any exploitation of any security flaws in the Skype client? Have Skype users been under attack?
Sauer: We have not had any known exploitation of Skype vulnerabilities. Vulnerabilities divide themselves into different categories and we have not seen attack vectors in Skype's products that allow worms or viruses to replicate. Instead, they have tended to be one-off problems that can cause Skype to fail.

There have been several bugs related to the Skype URL, where clicking on a malicious link could cause a PC to be compromised. Were these issues all reported to you privately?
Sauer: Yes. I had experience with security vulnerability response work when I was at Sun. What I wanted to bring to Skype from that experience was transparent communication with vulnerability reporters.

I don't think that we're ever going to be able to say that we're done tinkering with how we ensure the quality of our software.

One of the ways that you can really piss off the security researcher community is to be completely opaque, not say anything back. Some researchers don't want to talk to you, but to the extent they want to engage in a dialogue, we try to do that.

If you look at the robustness of the Skype code, would you say it has become much better over the years you have been with the company?
Sauer: Close to three years ago we had problems in our quality assurance process. We were working on building code tests and unit testing to improve the quality of the code. Things that happened between a year and two years ago turned into a need for better organization of the actual code development. So now I've introduced a lot more peer review over software before it gets to the final release.

Processes to make sure the software gets out is as flawless as it can, you feel those have all been established now?
Sauer: I don't think there's any organization that can't learn. I don't think we are the perfect software engineering organization. With each level of additional control, there is a certain amount of cost and time. You have to make rational decisions about how much overhead you're willing to place in the product development cycle. I don't think that we're ever going to be able to say that we're done tinkering with how we ensure the quality of our software. But having peer review is actually one of the best defenses to bad code that you can have because people don't ever want to show crappy code to a co-worker.

Flawed code isn't the only way users could get hit. We've seen worms hit all the popular instant-message tools. Is that a threat for Skype, too?
Sauer: I haven't seen any. You can't send executable code through a chat. A lot of what IM clients are going through is figuring out how to properly protect users against things like attacks against browsers that are launched through links. To that extent, we're looking at how we can partner with companies like antivirus vendors.

Symantec and, I think, McAfee have products that do things like doing risk scoring for links. It would be a really interesting thing for us to allow for a third-party specialist application to be able to make risk assessments of things like link content to help users make informed choices. We're certainly in active discussions about how we could do that.

More Newsmakers

[n3td3v]

security and media

what roles do the media play in the security community? can the media infulence hackers and script kiddies into a trend or to make a trend more trendy, and therefore, be researched? this is the question i've always wondered. i have forever been under the impression the media have a huge infulence in whats going on in the underground. i would say this stuff and the media say their only reporting on whats going on, but i don't 100% believe its as clear vut as that. i've seen many instances of both cnet news and securityfocus news push a certain subject. the media need their headlines and advertising revenue for normal news headlines, but when its security news then i think the media should be extra responsible in not raising issues which don't need to be suggested to the underground of hackers. it is basically "hey hackers, we need our headlines, heres some background information from X company security expert now go hack them"... is basically the thought i go away with every time these kind of articles appear. i can't be the only person who reads the media and get the "we want to infulence the hackers" impression.

[Dachi]

I agree

With the exception of say MS, who is always under the spotlight anyway, I would agree that articles like this touting a company?s extensive security measures/code auditing etc. really only serves to make the software a more lucrative platform to attack.

[jabbotts]

crime hasn't changed, neither has mass media brainwashing

In short; my observation has been that mass media informs the end users who are the last people to know about a security threat. Anyone who would use a secirity threat for profit already knew about it long ago.

In long; crime is crime, it's not different if it's with a crowbar or keyboard. If your reading about something in the media, it's quite likely that the "underground" knew about it months ago. A news article on security threats doesn't instigate criminal activity, it notifies the lesser computer-literate end users who are usually the last to know.

My example of this is bump keys. A modern day skeliton key that can be made from a blank in about three ours of work and open any lock the blank fits into. The name "bump key" being derived from the tapping motion used to free the lock droppers so it opens. If you where in the criminal underground on the more educated side, I'm guessing you knew a year or more ago about this. If you where a geek online, you've seen the video of how to make and use bump keys around six months or more ago when it was going around the net. If you where a local news reporter, you published an article or news item on bump keys in the last six months (tv news did a spot one a slow news day four months ago or so). If you are the average home owner, you didn't have a clue until the mass media published or had a tv spot. Even then, it was one quick "oh, by the way" report in the scare segment of the broadcast.

The media told the public nothing they didn't already know. In this instance, the media told the security research and criminal communities nothing they didn't already know. If a flaw in Skype is found, it'll be nothing the security community didn't already know.

Media sways the general public. Look at how many americans believed Iraq had bio and nuclear weapons hidden away somewhere. Who where the people that continualy asked for evidence of this before invading a country over it's oil resources?

Among "underground" communities, there is generally a distain of mass media's lies and government BS in generall. There was nothing in the article blatantly challenging toward the hackers, secirty auditors or criminals other than that Skype is not currently known to be vaulterable and that the developers are using some good FOSS development processes even if they are not releaseing the source under GPL or any of the other hundred free software licenses.

Your use of "Hacker" when you actually ment computer enabled criminal is rather inaccurate. Criminals seek profit from any activity that provides high return with low effort. Hackers seek to further understand computer systems and push the limits of what can be done with them. Hackers and criminals use the same techniques with the difference being that the criminal now uses, for profit, what the Hacker originally discovered out of curiousity.

Using the term "Hacker" in this instance is pandoring to the media. "Quick, use the boogieman word of the month, we have to scare some readers in to clicking on the article. I know, put Hacker in the title and copy, that'll scare the hell out of anyone who doesn't actually know about the history of computers."

With a l33tsp33k alias like "n3td3v" you should really have a better grasp of this stuff. But then, l33tsp33k in normal conversation/writing is more of a ScriptKiddie thing.

My question has always been; how much do antivirus companies pay developers to build new viruses for them to gaurd against?

[malis61]

Skype threats?

Well their security chief may not admit to a problem, but there has to be some reason why when we downloaded Skype on to my computer, I ended up with one of those "Registry" malware infections and a serious boot problem, and had to actually use that last resort Restore function.

[xcgeek]

Not likely

No offense, but if Skype did contain malware, THAT would be huge news, and skype would be make instant enemies with every single one of their users - something no legit company would risk. Isn't it more likely you got that malware from somewhere else, or perhaps a false positive.

[hutchike]

Jajah.com is better than Skype

I use www.jajah.com because it calls your real home phone and makes the connection. I find the call quality is much better than Skype. When Skype can improve its connection quality, I might return to it.

[solrosenberg]

Screw IT

Corporate IT doesn't like Skype and other "consumer" applications because quite frankly they WORK and are easy to use, unlike the "enterprise software" crap IT guys use to justify their excessive salaries.

[Ryo Hazuki]

Screw newbies

Yes, screw with the people responsable for keeping PC's around the world up and running, avoiding them (and others) to get infected.
That's a wise ideoligy.