Computerworld - The growing use of free Internet telephony software from Skype Technologies SA could soon create the same security challenges posed by other peer-to-peer technologies, say security experts.
The warnings come after last week's disclosure of two critical flaws in Skype's software, one of which could allow malicious hackers to take control of compromised systems. Fixes for both problems have been released, the company said.
Skype, which eBay Inc. acquired last year in a $2.6 billion deal, offers downloadable software that lets PC users make free Internet telephone calls to one another and low-cost calls to telephone users.
Luxembourg-based Skype claims more than 61 million registered users. About 30% of that total use the software for business purposes, it said.
Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG in Basel, Switzerland, cited two problems created by the spread of Skype in corporate settings.
"The major one is around availability," he said. "Skype can use a lot of network bandwidth, which may interfere with business applications and services." Wuchner-Bruhl said another problem with Skype is that it's a security threat. He noted that "every nonstandard application can add unnecessary risks to your environment."
Gartner Inc. suggested in an advisory that eBay's purchase of Skype could trigger development investments to make Skype more suited for corporate use.
In the meantime, Gartner advised business users to refrain from using "voice services based on proprietary protocols like Skype while on corporate networks, because of network security issues."
There are several reasons for such concerns, according to industry experts. "Skype is VoIP on steroids," capable of punching holes through many typical corporate network defenses, said Tom Newton, product manager at SmoothWall Ltd., a vendor of firewall and other security products in Leeds, England.
Like other peer-to-peer technologies, Skype allows its users to establish direct connections with one another.
Skype is also "port agile," meaning that if a firewall port is blocked, Skype will seek other open ports to establish a connection, Newton said.
As a result, Skype could provide a back door into otherwise secure networks for Trojan horses, worms and viruses, Newton said. It could also provide a channel for corporate data to be freely shared among users without any security considerations, he said.
Skype uses a proprietary protocol instead of standard protocols, such as the Session Initiation Protocol, used by vendors of commercial voice-over-IP products. Thus there may be "unknown vulnerabilities" in Skype, said John Pescatore, an analyst at Gartner.
So far, there have been no major attacks directed against Skype.But its growing installed base will inevitably make it a hacker target, according to analysts. As a result, companies need to keep a close eye on both the sanctioned and the nonsanctioned use of Skype on their networks, Pescatore said.
Read more about Malware and Vulnerabilities in Computerworld's Malware and Vulnerabilities Topic Center.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
