Month: September 2006

Skype Users Most Active During Office Hours, Says Study

According to an article in the September issue of Network Computing by Andrew Conroy-Murray, the peak time for Skype usage in the United States is around noon CST. Unfortunately, the study behind the article did not separate business usage from chit-chat.
To quote the article:

Skype users are most active during work hours, according to a new study from Cornell University. Peak time in the United States is noon CST. Unfortunately, the researchers didn’t differentiate between chit chat and business usage. That’s a shame, because while commercial VoIP and IM products are useful for communicating with customers and co-workers, they’re also fraught with productivity and compliance problems. Skype, which encrypts voice and data packets, makes it easy to sneak sensitive information out of the enterprise.

The company my wife works for uses Skype for inter-office communication on a daily basis. In fact, they probably couldn’t operate without it: they have multiple geographic locations, and the phone bills would add up.

In my experience, however, there is no good way to block Skype traffic at the perimeter of your enterprise, since it runs over ports 80 and 443. From the ‘Guides: Skype and Firewalls’ section of the Skype Help site:

There are four options for Skype to work:

  • Ideally, outgoing TCP connections to all ports (1..65535) should be opened. This option results in Skype working most reliably. This is only necessary for your Skype to be able to connect to the Skype network and will not make your network any less secure.
  • If the above is not possible, open up outgoing TCP connections to port 443. This will only work if you are using Skype version 0.97 or later.
  • If the above is not possible, open up outgoing TCP connections to port 80. Some firewalls restrict traffic to port 80 to HTTP protocol, and in this case Skype cannot use it since Skype does not use HTTP. In some firewalls it is possible to open up all traffic to port 80, not just HTTP, and in this case Skype will work.
  • If the above is not possible, Skype versions 0.97 or later can use an HTTPS/SSL proxy. In order to do that, you have to configure the proxy address in Internet Explorer options. Then Skype will be able to use it as well.

This makes blocking outbound Skype traffic very difficult with a firewall alone, unless you are willing to do one of the following:

  • Manually enter all Skype server IP addresses into a block list
  • Block client requests to ports 80 and 443 outright, which also eliminates web browsing
  • Send all web traffic through a proxy that requires a form of authentication Skype cannot perform
  • Install some sort of host-based IPS software to prevent Skype from being installed at all

None of these is an easy or desirable solution to the problem. Perhaps you’re thinking, “Why not use an IPS to detect the traffic and disallow it?”

That would be ideal! Unfortunately, the only product I have found so far that can match a signature for Skype traffic is the TippingPoint IPS, and they don’t appear eager to share their signature methods.

If anyone happens to have any ideas how to identify Skype traffic I would love to hear it.
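One starting point, as an added example that is not code from the original post, from Skype, or from any IPS vendor: the “restrict port 80 to HTTP” rule that the Skype help text itself says defeats the port-80 fallback, written out as a small protocol-enforcement check over the first client payload of each outbound flow, and extended to port 443 by requiring a real TLS (or SSLv2-compatible) ClientHello. The sample flows are constructed. Whether a given Skype version’s port-443 traffic fails the ClientHello check is an assumption the post does not confirm; the point is that anything which does fail it is worth a closer look.

```python
# Added example (not from the original post): protocol enforcement on the two
# ports Skype falls back to. Policy: outbound port 80 may carry only HTTP/1.x
# requests; outbound port 443 may carry only a TLS (or SSLv2-compatible)
# ClientHello as the client's first bytes. Everything else is flagged for the
# IPS or proxy to drop or log. All sample flows below are constructed.

HTTP_METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS", b"TRACE", b"CONNECT")


def looks_like_http(payload):
    """True if the client's first line is a request line: METHOD SP target SP HTTP/1.x CRLF."""
    end = payload.find(b"\r\n")
    if end == -1:
        return False
    parts = payload[:end].split(b" ")
    return (len(parts) == 3
            and parts[0] in HTTP_METHODS
            and len(parts[1]) > 0
            and parts[2] in (b"HTTP/1.0", b"HTTP/1.1"))


def looks_like_tls_client_hello(payload):
    """True if the client's first bytes form a ClientHello.

    Accepts a TLS record (type 0x16, version 3.x) whose handshake message is
    type 0x01 and whose record and handshake lengths agree, or an
    SSLv2-compatible ClientHello (2-byte length with the high bit set, message
    type 0x01, version 3.x), which 2006-era browsers still sent.
    """
    if len(payload) < 9:
        return False
    if payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x03:
        record_len = int.from_bytes(payload[3:5], "big")
        handshake_len = int.from_bytes(payload[6:9], "big")
        return payload[5] == 0x01 and handshake_len + 4 == record_len
    if payload[0] & 0x80 and payload[2] == 0x01 and payload[3] == 0x03:
        return True
    return False


def classify_flow(dst_port, payload):
    """Return (verdict, reason) for the first client payload of an outbound TCP flow."""
    if dst_port == 80:
        if looks_like_http(payload):
            return ("allow", "HTTP request on port 80")
        return ("flag", "non-HTTP payload on port 80")
    if dst_port == 443:
        if looks_like_tls_client_hello(payload):
            return ("allow", "TLS ClientHello on port 443")
        return ("flag", "non-TLS payload on port 443")
    return ("flag", "outbound TCP to port %d is not 80 or 443" % dst_port)


def build_client_hello():
    """Minimal, well-formed TLS 1.0 ClientHello (constructed sample, one cipher suite)."""
    body = (b"\x03\x01"            # client_version
            + b"\x00" * 32          # random
            + b"\x00"               # session_id length 0
            + b"\x00\x02\x00\x2f"   # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample flows: (label, dst_port, first client payload bytes).
SAMPLE_FLOWS = [
    ("browser GET", 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("browser TLS", 443, build_client_hello()),
    ("sslv2-compat hello", 443, b"\x80\x2e\x01\x03\x01\x00\x15\x00\x00\x00\x10" + b"\x00" * 37),
    ("opaque blob on 80", 80, b"\x17\x03\x01\x00\x20\x8c\x3a\x19\x5f\xa2\x00\x11\x7e"),
    ("bad lengths on 443", 443, b"\x16\x03\x01\x00\x2d\x01\x00\x00\x10" + b"\x00" * 16),
    ("cleartext on 443", 443, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    ("direct to 33033", 33033, b"\x16\x03\x01\x00\x05\x01"),
]


def run_policy(flows):
    """Apply classify_flow to each flow; returns {label: verdict}."""
    return {label: classify_flow(port, payload)[0] for label, port, payload in flows}


if __name__ == "__main__":
    for label, port, payload in SAMPLE_FLOWS:
        verdict, reason = classify_flow(port, payload)
        print("%-20s port %-5d %-5s %s" % (label, port, verdict, reason))
```

Two caveats a practitioner would want. First, the check only looks at the client’s first segment, so it belongs in an inline IPS or a proxy that sees the start of every connection, not in a stateless packet filter. Second, a `CONNECT host:443 HTTP/1.1` request to a web proxy is perfectly valid HTTP, so a client that is configured to use an HTTPS proxy, as the Skype help text describes, will pass the port-80 check; that is exactly why the proxy option above is paired with authentication, and why the same ClientHello check would have to be applied again to the tunnelled bytes at the proxy.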

The Hidden Benefits of Network Attack

In his latest blog post, Bruce Schneier points out a particularly interesting note in the Harvard Law Review, which argues that there is a significant benefit from Internet attacks:

This Note argues that computer networks, particularly the Internet, can be thought of as having immune systems that are strengthened by certain attacks. Exploitation of security holes prompts users and vendors to close those holes, vendors to emphasize security in system development, and users to adopt improved security practices. This constant strengthening of security reduces the likelihood of a catastrophic attack — one that would threaten national or even global security. In essence, certain cybercrime can create more benefits than costs, and cybercrime policy should take this concept into account.

I’d have to agree, to some extent. Not only does it keep people and organizations on their toes, but it also forces vendors to constantly update their products and evolve to address new concerns. What are your thoughts?

Zeroday Emergency Response Team (ZERT)

The ZERT team came to light recently due to their public, unofficial patch for the Internet Explorer VML (vgx.dll) buffer overflow vulnerability (CVE-2006-4868).

They also received coverage today by eWEEK. That article can be found here: http://www.eweek.com/article2/0,1895,2019162,00.asp

From the ZERT Manifesto:

ZERT is a group of engineers with extensive experience in reverse engineering software, firmware and hardware coupled with liaisons from industry, community and incident response groups. While ZERT works with several Internet security operations and has liaisons to anti-virus and network operations communities, ZERT is not affiliated with a particular vendor.

ZERT members work together as a team to release a non-vendor patch when a so-called “0day” (zero-day) exploit appears in the open which poses a serious risk to the public, to the infrastructure of the Internet or both. The purpose of ZERT is not to “crack” products, but rather to “uncrack” them by averting security vulnerabilities in them before they can be widely exploited.

It is always a good idea to wait for a vendor-supplied patch and apply it as soon as possible, but there will be times when an ad-hoc group such as ours can release a working patch before a vendor can release their solution.

I look forward to seeing more releases, and possibly whitepapers on their findings, but only time will tell if ZERT can go the distance as an organized incident response team.
