babble blog

Do recent buffer overflows found in popular VoIP service Skype signal an end to Voice over IP? Probably not.

With every new technology come new threats and security risks. With Voice over IP (VoIP), however, the threats and security risks are well known; they're much the same as with the Internet itself. So it didn't surprise me to read last week that a new buffer overflow vulnerability was found within the very popular Skype VoIP service. But what will make or break VoIP will be how this very young industry handles emerging security issues and whether the public eventually puts its trust in the new technology. Judging by the way Skype has handled its recent vulnerabilities, I think the prognosis is good for VoIP in the long run.

Peer-to-peer VoIP software could pose dangers to IT

OCTOBER 31, 2005 (COMPUTERWORLD) - The growing use of free Internet telephony software from Skype Technologies SA could soon create the same security challenges posed by other peer-to-peer technologies, say security experts.
The warnings come after last week's disclosure of two critical flaws in Skype's software, one of which could allow malicious hackers to take control of compromised systems. Fixes for both problems have been released, the company said.
Skype, which eBay Inc. acquired last year in a $2.6 billion deal, offers downloadable software that lets PC users make free Internet telephone calls to one another and low-cost calls to telephone users.
Luxembourg-based Skype claims more than 61 million registered users. About 30% of that total use the software for business purposes, it said.
Andreas Wuchner-Bruhl, head of global IT security at Novartis Pharma AG in Basel, Switzerland, cited two problems created by the spread of Skype in corporate settings.
"The major one is around availability," he said. "Skype can use a lot of network bandwidth, which may interfere with business applications and services." Wuchner-Bruhl said another problem with Skype is that it's a security threat. He noted that "every nonstandard application can add unnecessary risks to your environment."
Gartner Inc. suggested in an advisory that eBay's purchase of Skype could trigger development investments to make Skype more suited for corporate use.

In the meantime, Gartner advised business users to refrain from using "voice services based on proprietary protocols like Skype while on corporate networks, because of network security issues."
There are several reasons for such concerns, according to industry experts. "Skype is VoIP on steroids," capable of punching holes through many typical corporate network defenses, said Tom Newton, product manager at SmoothWall Ltd., a vendor of firewall and other security products in Leeds, England.
Like other peer-to-peer technologies, Skype allows its users to establish direct connections with one another.
Skype is also "port agile," meaning that if a firewall port is blocked, Skype will seek other open ports to establish a connection, Newton said.
As a result, Skype could provide a back door into otherwise secure networks for Trojan horses, worms and viruses, Newton said. It could also provide a channel for corporate data to be freely shared among users without any security considerations, he said.
Skype uses a proprietary protocol instead of standard protocols, such as the Session Initiation Protocol, used by vendors of commercial voice-over-IP products. Thus there may be "unknown vulnerabilities" in Skype, said John Pescatore, an analyst at Gartner.
So far, there have been no major attacks directed against Skype. But its growing installed base will inevitably make it a hacker target, according to analysts. As a result, companies need to keep a close eye on both the sanctioned and the nonsanctioned use of Skype on their networks, Pescatore said.

The news that three people managed to swindle #300,000 out of eBay customers (and that's just the amount people complained about) shows how easy it is to perform online scams. A British teenager pulled off a similar scam and it was months before he was stopped.

EBay was one of the early success stories of the web and has spawned whole industries; there's a shop in San Francisco where you can take in second hand goods, they'll sell them on eBay for you and split the profits. It's also having a major impact on the viability of secondhand book shops.

It's also something of a rarity for an online company in that it's hugely profitable. EBay has never made a loss and profits were up 40 per cent last quarter. After all, it could afford to shell out billions for Skype so there's obviously money to burn.

Which begs the question as to why it can't invest a fraction of those profits in protecting its customers. The cynic would say that, as it takes a cut from each and every sale, the more sales the better. Life isn't that black and white but it still leaves you wondering whether it will take a class action lawsuit before EBay starts making real efforts to beat off the scammers.

The Babble blog is about what's going on the VoIP and Internet technology sector.

We will post daily articles and reflect on what they mean to the industry and our beloved Babble in particular.

Don't forget to visit our website www.babble.net.

Cheers

A

Telefonica is to buy UK-based mobile operator O2 for an agreed GBP 17.7 billion (EUR 26.9 billion) or GBP 2 per O2 share, in cash. The transaction will immediately boost earnings per share and would generate an estimated EUR 293 million of annual operating cost and capital expenditure synergies by 2008, according to Telefonica. O2 will retain its existing brand and will continue to be based in the UK. O2's operating business will be led by the current management and Sir David Arculus and Peter Erskine will join the board of directors of Telefónica. This deal gives Telefonica an entry into the UK, Irish and German consumer markets. Earlier this year Deutsche Telekom and KPN attempted to acquire O2 in a joint effort, but no deal was made and Deutsche Telekom was said to be preparing a bid of up to EUR 26 billion in September of this year.