Arkoon has in the past insisted on the dangers of Skype and similar communications tools for enterprise information security. Their closed, proprietary communications channels mean that data exchanges cannot be controlled for security or confidentiality; there are no means of knowing what data may be transferred into or out of the enterprise network, or whether the software may be snooping on the PCs on which it’s installed.
We now learn that the update to Skype released mid-December reads the system BIOS. This was discovered accidentally, when inquisitive users decided to investigate an error generated only on 64-bit Windows installations - the module which reads the BIOS is not 64-bit compatible. But for this hiccup, the situation could well have remained undiscovered. The dangers warned against by Arkoon are therefore confirmed by Skype! See Pagetable site for full details
Skype - proudly displaying a "No Spyware - Adware - Malware" logo on their home page - confirms the existence of this functionality, while not admitting that it in any way contradicts their own Privacy Policy. Since publication of this problem, Skype has updated the software to remove the incriminated functionality.
For enterprise Information Security managers, several questions need answering:
We now learn that the update to Skype released mid-December reads the system BIOS. This was discovered accidentally, when inquisitive users decided to investigate an error generated only on 64-bit Windows installations - the module which reads the BIOS is not 64-bit compatible. But for this hiccup, the situation could well have remained undiscovered. The dangers warned against by Arkoon are therefore confirmed by Skype! See Pagetable site for full details
Skype - proudly displaying a "No Spyware - Adware - Malware" logo on their home page - confirms the existence of this functionality, while not admitting that it in any way contradicts their own Privacy Policy. Since publication of this problem, Skype has updated the software to remove the incriminated functionality.
For enterprise Information Security managers, several questions need answering:
- What is (or was) Skype intending to do with the collected information? There’s been no clear answer, as yet, from Skype.
- Might there be other as yet undetected comonents of Skype, silently collecting user data? Don’t forget that Skype is deliberately designed so that both code and communications are impenetrable.
Given the confirmation that Skype is perfectly capable of snooping on PCs on which it’s installed, to what extent can an enterprise IS manager trust Skype’s much vaunted Privacy Policy to protect their networks and data?
Arkoon FAST360 UTM appliances include a number of features as standard allowing network security managers to block unauthorized communications by users running Skype or other instant messaging/P2P communications tools. FAST IDPS and FAST SSL filtering and analysis (SSL is frequently "piggy-backed" to get through firewalls) combine to ensure that "covert channel" communications and other mechanisms used to get around perimeter firewalls are detected and brought under control.
