MySpace and Skype are partnering, potentially creating “an IT departments worst security nightmare: a massive, productivity-draining time-waster that opens up firewall ports, also presenting an unidentifiable, secure, secret stream of network traffic on a corporate network,” an Akonix rep wrote in a letter. They make security products for corporate instant messaging, so you can see where the writer is coming from.
The letter made me laugh—all it lacks are emergency klaxons and chattering skulls—but in fact, the rep wasnt spinning pure hyperbole. Stitching together Skype—the VOIP (voice over IP)/IM service that, according to McAfees count, has been targeted by about a dozen malware programs—with MySpace, which pushes out malware, spyware, music files that arent real music files but actually distribute password-stealing Trojans, and so on, … wow. Could you make it any more convenient for malware writers? I mean, its kind of tough for them now, having to actually write separate attacks for both MySpace and Skype.
Why, yes, you could make it more convenient. How about this: You could allow MySpace IM users to link their profiles to their new freebie Skype accounts. Oh, wait, thats really happening. But then you could film clips of people using the two together and upload them to YouTube, and then you could sell the clips on eBay and people could pay for them with PayPal or, hey, even Wells Fargo—thats safe, right? And then you could afford to help out those deserving people in Nigeria who are trying to get money out of the country, or maybe you could buy some hot stocks if you get a great tip e-mailed from somebody youve never heard of.
Seriously, though. Skype and MySpace? Whats particularly ironic about this terrible match is that the announcement came on Oct. 17, the same day that yet another Skype-targeted piece of malware came to light. This one is a password-stealing Trojan posing as a security plug-in for the popular VOIP and IM service. It displays a fake log-in screen thats almost identical to the real thing.
By McAfees reckoning, that brings the count to about 12 for Skype-targeted nastyware. What happens when you put that track record together with MySpace, which can also be a bit of a cesspool when it comes to serving up malware? There was that MySpace worm in June, for example, that was turning MySpace.com users sites into bots to serve phishing scams and viruses, using “fast flux” to hide its phishing and malware delivery sites behind ever-shifting networks of proxy servers that are next to impossible to track down.
Mmmm, MySpace. Worms. Skype. Password-stealing Trojans.
Heres what Dave Marcus at McAfees Avert Labs had to say about this unholy alliance: “One thing that always piques our curiosity is when you have two areas with established malware patterns to them and you merge them … Combine them together and you get … wonderful convergence. Well see what happens with that. Malware writers like convergence. They like to focus on one thing and not three.”
Ultimately, Marcus told me in a recent conversation, convergence makes malware authors job easier. Thats why they generally write malware for just one or two Windows builds: The world converges on Windows, making it easy for malware authors to concentrate on just writing for Windows.
Don Montgomery, vice president of marketing for Akonix, called Skype/MySpace “a great deal for consumers and a nightmare for corporations.”
“Youve got two consumer behemoths doing great things for people at home or younger folks or people who want to be able to talk anywhere in the world for free or little cost. And thats great for the consumer but maybe not for a business,” he said.
Skype, for its part, has been a bane to many IT departments because of its encryption and architecture, which sets up encrypted connections inside users PCs, cutting a hole through firewalls and blocking IT from seeing inside its traffic. Skype can use one port to set up a connection and another port to complete the stream of traffic. It is possible to block it, though—Ive heard from network administrators whove had no problem blocking the Skype protocol. It can be done through the firewall or through protocol recognition.
In fact, larger companies often block Skype. Theres just no valid value proposition to the service for them. If employees need encrypted communications, the organization will provide it for them. As far as encrypting traffic so your own IT department cant see it—bad idea. “Thats core to IT security: the ability to view into the stream,” Montgomery said.
Skypes recent outage showed that business-class users get no extra safeguards. Click here to read more.
As for free phone calls, they just arent worth the risk. Except, perhaps, if youre a small or midsize business trying to save money on your phone bill. Skype gives smaller businesses the ability to cut the cost of telephony and to break free of phone companies, and you get a pretty decent-quality service, to boot, Montgomery noted.
“Smaller business embraces it as a cost saver and makes a decision, I believe, that cost savings outweigh security risks and the inability to see whats going through those secure channels,” he said.
Maybe its time for small businesses to rethink that value proposition. Put Skype and MySpace together and you get multiple areas of risk: 1) security, with MySpace added to the mix and the real risk of malware coming from that source; 2) waste of productivity; 3) regulatory compliance with rules that govern who can talk to whom and what information can be passed when; and 4) added liability for whatever users put up on their MySpace profiles.
As Dave Marcus put it, this isnt doomsday. But its something that organizations should be educating their user base about. And bear in mind, both Skype and MySpace have huge user bases, so the chances of not having users in your organization is pretty small.
Another factor is that IM is an up-and-coming vector for malware. McAfee has seen more IM malware in the past year than in the past 10 years combined. Its becoming one of the most popular ways to distribute spam links.
Make sure your users are aware.
eWEEK Senior Security Editor Lisa Vaas has written about technology since 1997. She can be reached at lvaas@eweek.com.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.