In late December, a security firm sent out an alert that a worm was spreading via Skype. It turned out to be a false alarm.
No worm has spread on Skype, and while security experts have painted a target on the popular internet telephony application, its defences have been pretty solid, according to the company's chief security officer, Kurt Sauer.
That's not to say there is no work to be done on security at Skype, part of eBay. The company is looking at integrating payment features, which obviously need securing, Sauer said. Also, Skype is in talks with security companies to provide add-ons to its software to secure text-based communications, he said.
Skype is often described as a boon for security because all calls are encrypted and there is no central server that could be targeted in a cyberattack. However, the application has also caused headaches for many IT administrators because it can find ways to make a net connection despite strong firewall controls on corporate networks.
Sauer took a break from Skype security for an interview, accompanied by chief operating officer Michael Jackson.
Q: What do you do as chief security officer for Skype?
Sauer: I came to Skype three years ago. I came from Sun Microsystems, where I was doing work on peer-to-peer authentication. I came to audit the cryptography work that had been done in the Skype client as it existed. Since then, I've taken on the role of overseeing the security architecture of the Skype product family. That's grown into also dealing with incident response for security vulnerabilities. Since the acquisition by eBay, I also look at things like Sarbanes-Oxley compliance for security.
How significant a part of your job is dealing with security vulnerabilities in the Skype client?
Sauer: There are teams of people who are responsible for dealing with a lot of the nuts and bolts. Security of the architecture and where we're driving the product probably takes up about half my time. The other half is spent on compliance-related issues.
Do you see any exploitation of any security flaws in the Skype client? Have Skype users been under attack?
Sauer: We have not had any known exploitation of Skype vulnerabilities. Vulnerabilities divide themselves into different categories and we have not seen attack vectors in Skype's products that allow worms or viruses to replicate. Instead, they have tended to be one-off problems that can cause Skype to fail.
There have been several bugs related to the Skype URL, where clicking on a malicious link could cause a PC to be compromised. Were these issues all reported to you privately?
Sauer: Yes. I had experience with security vulnerability response work when I was at Sun. What I wanted to bring to Skype from that experience was transparent communication with vulnerability reporters.
One of the ways that you can really piss off the security researcher community is to be completely opaque, not say anything back. Some researchers don't want to talk to you, but to the extent they want to engage in a dialogue, we try to do that.
If you look at the robustness of the Skype code, would you say it has become much better over the years you have been with the company?
Sauer: Close to three years ago, we had problems in our quality assurance process. We were working on building code tests and unit testing to improve the quality of the code. Things that happened between a year and two years ago turned into a need for better organisation of the actual code development. So now I've introduced a lot more peer review over software before it gets to the final release.
Do you think the processes have all been established that ensure the software that is released is as flawless as possible?
Sauer: I don't think there's any organisation that can't learn. I don't think we are the perfect software engineering organisation. With each level of additional control, there is a certain amount of cost and time. You have to make rational decisions about how much overhead you're willing to place in the product development cycle. I don't think we're ever going to be able to say that we're done tinkering with how we ensure the quality of our software. But having peer review is actually one of the best defences to bad code that you can have, because people don't ever want to show crappy code to a co-worker.
Flawed code isn't the only way users could get hit. We've seen worms hit all the popular instant-message tools. Is that a threat for Skype, too?
Sauer: I haven't seen any. You can't send executable code through a chat. A lot of what IM clients are going through is figuring out how to properly protect users against things like attacks against browsers that are launched through links. To that extent, we're looking at how we can partner with companies like antivirus vendors.
Symantec and, I think, McAfee have products that do things such as risk scoring for links. It would be really interesting for us to allow a third-party specialist application to be able to make risk assessments of things such as…
