Considering Skype? Some Guidance to Keep You Safe

In this period of economic restraint, everyone at Brown is investigating possible ways to reduce expenses. As a result, there has been increased interest in services like Skype, Google Talk, Gizmo, or magicJack for making free long distance telephone calls over the Internet (also called Voice over Internet Protocol or VoIP).

While being able to make free long distance calls sounds enticing, the Information Security Group (ISG) wants you to be aware of risks associated with such services, especially if University information may be transmitted using one of them.

Because of its popularity, ISG has focused its attention on Skype. Our research has revealed concerns about security, bandwidth, monitoring and auditing, as well as the long-term viability of Skype as a telephony solution. Therefore, while ISG does not recommend Skype as a day-to-day telephony solution for Brown faculty and staff, we recognize that with proper precautions and oversight, Skype could be considered an alternative solution under certain circumstances.

If you are considering the use of Skype, or one of the other services, we encourage you to be aware of the risks and some of the ways you can mitigate them. Though this article is specifically about Skype, many of the recommendations may apply to the other services as well.

ISG'S RECOMMENDATIONS

The use of Skype on the Brown University network is discouraged and unsupported. However, if an individual or department chooses to install and use Skype, ISG has developed the following appropriate configuration standards for Skype to mitigate risk to the University and provide a higher level of security and privacy.

The Brown University Standards for appropriate Skype configuration and use are:

  • Do not have Skype running in a "listen mode".
  • Users should not have Skype automatically sign in when starting their computer or the Skype program.
  • Only launch the application when you need to use it. If you are expecting an incoming call, coordinate it through other means (e.g., e-mail, instant messaging, etc.).
  • Keep your calls to a reasonable length to both mitigate the security risks of this peer-to-peer network connection and conserve network resources.
  • When the call is finished, turn the application off. Closing the Skype application window is not enough; the background application must be turned off as well via the system tray icon.
  • Always ensure that your anti-virus software is running and up-to-date.
  • Do not use the same password for Skype (or other P2P services or IM) as you use for other logins (such as on-line banking or email). Using the same password as you do for your Brown account is prohibited.
  • Skype must not be installed on administrative computers that are used to process and store confidential or protected data.

ABOUT SKYPE AND SECURITY

Users should be aware that Skype is a peer-to-peer application. Peer-to-peer applications are often associated with security risks such as the spread of viruses, worms, and spyware. Users should read the license agreement carefully before installing Skype, and pay particular attention to article 4 of the license agreement, as quoted below:

4.1 Permission to utilize your computer. In order to receive the benefits provided by the Skype Software: You hereby grant permission for the Skype Software to utilize the processor and bandwidth of your computer for the limited purpose of facilitating the communication between Skype Software users.

4.2 Protection of Your computer (resources): You understand that the Skype Software will use its commercially reasonable efforts to protect the privacy and integrity of your computer resources and your communication; however, you acknowledge and agree that Skype cannot give any warranties in this respect.

This article indicates that you are agreeing to allow other Skype users to use the resources (processor and bandwidth) of your computer and the Brown network. Your system will therefore participate in providing VoIP services to others, which may affect the performance of your computer or result in excessive bandwidth usage by your computer.

. . . AND ALSO NOTE

  • Skype has no inherent security and depends on its users' website/browser security. Skype takes no additional measures to filter possible malicious content that may come from a Skype connection from one user to another, especially in terms of video or IM use. Up-to-date anti-virus software is critical while Skype is in use.
  • Skype has been known to be vulnerable to cross-site scripting tools, and "vishing" (phishing via spoofed phone numbers) has increased month over month for the last 17 months.
  • Skype cannot be used for emergency (9-1-1) calls.
  • Data from security companies indicate a rise in malicious code targeting Skype users who have PayPal accounts (both Skype and PayPal are owned by eBay, and are tightly intertwined). One of the services offered with Skype is the ability to send one of your contacts money instantly, thanks to the seamless integration with PayPal; it is as easy as clicking on the menu next to your contact, clicking send PayPal, and entering the $ amount. Malicious code is being observed that can do this in the background without the approval of the user. Users of both PayPal and Skype should monitor their PayPal account closely.
  • Skype calls cannot be blocked by Do Not Call lists, and Skype accounts are currently being targeted by telemarketers.
  • Targeted attacks have been observed on Skype networks immediately after Microsoft releases its monthly patch updates.
  • Skype (and other services) allow you to sign up and begin their service free of charge. However, they may also require you to provide some amount of personal information upon registration. Oftentimes, the information you provide is used for targeted advertising, or to support other revenue-generating activities for the service provider (like the selling of email listings). Skype does have a number of privacy settings in the client that provide you with some measure of control over how they use your data. As always, you should be diligent about the protection and privacy of your personal information, and make the appropriate changes to your settings.
