It's good you don't equate ubiquity with safety - the apocryphal lemmings are a poor example.
I submit, however, that another animal is a powerful and relevant metaphor here - the black swan. We simply don't know what the threats are, and the downside is huge. That alone should be warning enough. If you haven't read them, the works of Nicholas Nassim Taleb are worth the read.

You ask about "practical" concerns - they are the usual, which are dismissed: Subversion of the client, intrusion of the network thereby, in a very hard to detect fashion - much harder to detect than a subverted web browser. The risk is much larger with skype because of the nature of the task and the software. Lots of traffic to and from the world, with no way to understand or filter it.

For web browsing I do use as many mitigating technologies as I am allowed to use for web browsing as I can, but we've basically lost the battle on that front. This doesn't mean that we shouldn't keep fighting.

For instance, I've proposed that those who "need" skype should receive a second, less-capable PC, with an internet connection that doesn't touch the production network - perhaps a separate layer 2 VLAN that doesn't touch the production network, and which could also be used for other purposes as well - like web browsing. I've gotten funny looks and a denial.

Corporate culture is fundamentally insane on this issue, AFAICT.

On Thu, Dec 30, 2010 at 21:26, Andrew S. Baker <[email protected]> wrote:
>>> Ah, but I believe you're mistaking or minimizing the differences between web browsing and skype.
>
> No, Kurt, I am not minimizing them. I'm pointing out that we routinely hear about people who experience infosec-related problems in the corporate realm due to what would otherwise be deemed as simple web browsing. Recent tech news is replete with such examples.
>
> Whether or not there is technology available to mitigate these is secondary (unless, of course, you are currently making use of all such technology). It is safe to say that your organization is already assuming some risk related to technologies for which there are ready and active exploits on a regular basis.
>
> I'm simply asking you to articulate *practical* problems that you expect to encounter in your employees' use of Skype, so that we can discuss appropriate mitigation strategies, or come to the conclusion that it is not worth the effort to do so.
>
> There are all sorts of possibilities and probabilities with technologies, but rather than wax poetic about things that are possible, let us evaluate that which is probable and deal with it.
>
> While I am not quite willing to suggest that ubiquity is equivalent to safety, I will ask: Given the not-insubstantial adoption of Skype in the corporate realm -- from which you should be able to draw ample examples -- what are the types of real-world issues you anticipate happening when your employees start using Skype?
>
> ASB (My XeeSM Profile)
> Exploiting Technology for Business Advantage...
>
> On Thu, Dec 30, 2010 at 11:28 PM, Kurt Buff <[email protected]> wrote:
>>
>> Ah, but I believe you're mistaking or minimizing the differences between web browsing and skype. They are nothing alike. For the largest difference, http is a well understood protocol, and there are many ways to mitigate issues with it and the software that consumes it, including web filters with white/black lists, proxies that understand the protocols involved (html, xml, javascript, java and flash, mostly), plus browser addons that filter or block javascript/flash/java and ads.
>>
>> There is *nothing* equivalent available for skype. You are given a client that consumes an encrypted data stream over which you have no control and into which you have no visibility. You cannot whitelist/blacklist any ip address on ports 443 (tcp and udp!) or port 80, and there is no proxy of which I'm aware that understands the protocol to monitor it for buffer overflows or other malicious content.
>>
>> Even with SSL, if I want to spend the money and/or time, I can MITM and proxy SSL. Not possible with skype.
>>
>> Kurt
>>
>> On Thu, Dec 30, 2010 at 14:48, Andrew S. Baker <[email protected]> wrote:
>> >>> Does this (http://en.wikipedia.org/wiki/Skype_security#Flaws_and_potential_flaws) not give plenty for a reasonable person to worry about?
>> >
>> > Some pause, sure.
>> >
>> > Plenty to worry about? No, unless you also prohibit internet access for the folks in your organization, since some of these are generic to internet connectivity and standard web services use (xss flaws, etc)
>> >
>> > More importantly, none of the flaws outlined in the article are newer than 2008. Not to say there aren't any new ones, but they've updated the list at least 3 times this year, but with flaws from 2008 or earlier.
>> >
>> > There are ways to mitigate supernode access, and some of the other functionality of Skype in an environment.
>> >
>> > Define the threat and determine if there is sufficient mitigation or workarounds available to handle it vs the benefits that might be derived from the tools usage.
>> >
>> > Back in 2006, we voted against its usage within our organization based on the proposed use case. Today, the technology is far more robust (the recent meltdown notwithstanding) and the tools for mitigating VoIP risks in general are more prevalent and mature.
>> >
>> > ASB (My XeeSM Profile)
>> > Exploiting Technology for Business Advantage...
>> >
>> > On Thu, Dec 30, 2010 at 4:53 PM, Kurt Buff <[email protected]> wrote:
>> >>
>> >> Among my concerns is that skype is a P2P technology - in itself not such a big deal, normally - and that skype data transits all manner of end-user machines not under anyone's control (certainly in many cases not in the control of the putative owner). It also is intrusive in that according to the EULA it basically owns your machine for its own purposes, including auditing your hardware configuration and allowing inbound network traffic that you don't control.
>> >>
>> >> All aspects of computer and network security for our company are my focus, though it's not my full time job - or is that not the question you were asking?
>> >>
>> >> Does this (http://en.wikipedia.org/wiki/Skype_security#Flaws_and_potential_flaws) not give plenty for a reasonable person to worry about?
>> >>
>> >> Kurt
>> >>
>> >> On Thu, Dec 30, 2010 at 12:25, Andrew S. Baker <[email protected]> wrote:
>> >> > What's your main concern with Skype?
>> >> > What aspect of security is your focus?
>> >> >
>> >> > ASB (My XeeSM Profile)
>> >> > Exploiting Technology for Business Advantage...
>> >> >
>> >> > On Thu, Dec 30, 2010 at 3:15 PM, Kurt Buff <[email protected]> wrote:
>> >> >>
>> >> >> This is pretty old, but I'm now being forced to allow skype on our network, and I'm pretty unhappy about it.
>> >> >>
>> >> >> Ken, is your firm still allowing skype, and if so, can you speak to what your security folks did to make themselves happy about allowing skype?
>> >> >>
>> >> >> Has anyone else here done a security review that gave them a decision one way or the other about allowing it?
>> >> >>
>> >> >> Kurt
>> >> >>
>> >> >> On Thu, Jan 15, 2009 at 08:12, Ken Cornetet <[email protected]> wrote:
>> >> >> > We are deploying it here to a few users.
>> >> >> >
>> >> >> > I’m using group policy to turn off being a supernode, downloads, listening on tcp ports, and 3rd party access to the Skype API.
>> >> >> >
>> >> >> > Our security folks reviewed it and are happy.
>> >> >> >
>> >> >> > From: Tim Evans [mailto:[email protected]]
>> >> >> > Sent: Thursday, January 15, 2009 11:01 AM
>> >> >> > To: NT System Admin Issues
>> >> >> > Subject: Skype
>> >> >> >
>> >> >> > Has anyone looked at Skype recently? We’ve got a client that wants us to use Skype for communications with them. I’ve always been a little leery of using them in a business environment, but looking at it now, I see they have a MSI download for easy deployment and a group policy template for central administration of settings. It all looks pretty cool. While the security guy in me wants to say no, I’m having a hard time finding a reason not to say OK.
>> >> >> >
>> >> >> > I’m curious what the members of this esteemed group think about it
>> >> >> >
>> >> >> > …Tim
>
> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
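The group policy hardening Ken describes further up the thread (no supernode, no downloads, no listening on TCP ports, no third-party API access) can be audited on a domain-joined workstation. The PowerShell script below is an added example and not code from the thread or from Skype; it assumes the machine policy key HKLM:\SOFTWARE\Policies\Skype\Phone and the DWORD names DisableSupernode, DisableFileTransfer, DisableTCPListen and DisableApi from the Skype ADM template of that era, which you should confirm against the template you actually deploy.

```powershell
# Added example: audit the four Skype machine policies discussed in the thread.
# ASSUMPTION: key path and value names follow the Skype ADM template
# (HKLM\SOFTWARE\Policies\Skype\Phone); verify them against your own copy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Skype\Phone'

# Registry value name -> mitigation it enforces when the DWORD is set to 1.
$RequiredPolicies = [ordered]@{
    DisableSupernode    = 'client may not act as a supernode (relay for other users)'
    DisableFileTransfer = 'file transfers (downloads) disabled'
    DisableTCPListen    = 'client may not listen on inbound TCP ports'
    DisableApi          = 'third-party access to the Skype API blocked'
}

function Test-SkypePolicy {
    param([string]$Key = $PolicyKey)
    $results = foreach ($name in $RequiredPolicies.Keys) {
        $value = $null
        # A missing key or a missing value both count as "not enforced".
        if (Test-Path $Key) {
            $value = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Policy   = $name
            Purpose  = $RequiredPolicies[$name]
            Value    = $value
            Enforced = ($value -eq 1)
        }
    }
    return $results
}

$audit = Test-SkypePolicy
$audit | Format-Table -AutoSize

# Non-zero exit lets a scheduled task or config-management run flag drift.
$missing = @($audit | Where-Object { -not $_.Enforced })
if ($missing.Count -gt 0) {
    Write-Warning ('Skype hardening policies not enforced: ' + (($missing | ForEach-Object { $_.Policy }) -join ', '))
    exit 1
}
Write-Output 'All reviewed Skype hardening policies are enforced.'
```

Run it under an account that can read HKLM policy keys; it reports which of the four settings are absent or not set to 1 so a workstation can be compared against what the GPO is supposed to push.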
