Question : Skype - What are the real security risks / Issues?


I manage a global network and since Skype's introduction have had numerous accounts of end users signing up for this service to save money on long distance calling. Currently, those in the business bringing this forward receive countless attaboys and accolades for saving the company money. They also use Skype for instant messaging, which undermines our investment in our internal IM solution as the corporate standard. Like all epidemics, this one's now spread to the masses and it's getting difficult to hold down the rebellion.

There are certain truths with the technology that I can't dispute.

1. Saves money over traditional LD.
2. Secure transmission - Using AES-256 to encrypt transmission ensures that conversations cannot be listened to unless someone comes up with an algorithm to crack AES in real time.
3. Quality of service - Still rather questionable, but it's free. Free sets an entirely different expectation.

Issues that concern me..

1. Global WANs are very expensive and ours was not designed to handle VoIP. However, since Skype uses ports 80 and 443 destined to a public address, our network views this as Internet traffic and therefore treats it as the lowest priority. However, if the usage increases dramatically there is a risk that it will utilize a high percentage of bandwidth, and at 80%+ it will begin to degrade all traffic. This could lead to increased spending on WAN bandwidth or traffic shaping, which could exceed savings on LD.

2. What's Skype up to? eBay paid a fortune for Skype and there's got to be a plan to turn it into a revenue generator. I understand SkypeOut is a source of income, but how much can they make on that service? Nothing's free forever.

Things I've heard that I can't quite quantify:

1. Trade journals, magazines, etc. have noted that Skype could pose a security threat, which are valid concerns, but what evidence exists to support the claim? Can anyone cite a specific incident where a company got burned legally? Or lost some critical product formulation?

2. The government in China can eavesdrop on and filter this traffic. How can they break the AES encryption?

3. Skype can capture IM conversations. Sounds unrealistic. How big is their data center?

While I don't have a direct question, my intent here is to get a feeling for what others are experiencing, looking at the big picture of using Skype in a corporate environment. Clearly, I could just block the traffic, but then I must answer to senior management and the board as to why I'm not supporting cost savings measures. If I were to go down that path then I've got to have credible and sound information to quantify the overall risk to the business. Standing behind the security flag is not enough these days.

I would think that others are wandering through this political minefield as well.

Appreciate any comments.

Answer : Skype - What are the real security risks / Issues?

Skype routing is, at least from my understanding, based on P2P networks, so it's possible that Skype calls may be connected through you. Also of note are a couple of buffer overflows, such as http://secunia.com/advisories/13191/, which pose more of a client machine risk than an overall network risk.
Also note that even though Skype does use encryption, it's apparently not the strongest possible. It also has limited logging capability, so for some industries which may need to track records, it's not an ideal solution.