Skype, One Of The Best Botnet Control Tools For Hackers
Everyone knows and loves VoIP telephony services, because they offer cheap (often free) calls between computers, even if they are located in different parts of the world. However, not many people know just how dangerous these services can be for your computers security.
Thus, VoIP services could provide a means for cybercriminals to send spam and launch attacks that cripple Web sites, experts have warned. Moreover, because many voice over Internet protocol applications use proprietary technology and encrypted data traffic that can’t easily be monitored, the attackers will be able to go undetected, according to news.com.
“VoIP applications could provide excellent cover for launching denial-of-service attacks,” the Communications Research Network said Wednesday. The Communications Research Network is a group of industry experts, academics and policy makers funded by the Cambridge-MIT Institute, a joint venture between Cambridge University and the Massachusetts Institute of Technology.
The group urges VoIP providers to publish their routing specifications or switch to open standards. “These measures would…allow legitimate agencies to track criminal misuse of VoIP,” Jon Crowcroft, a professor at Cambridge University in the U.K., said in a statement.
Essentially, some of the features to protect VoIP applications can now be used maliciously, Crowcroft said. “While these security measures are in many ways positive, they would add up to a serious headache if someone were to use a VoIP overlay as a control tool for attacks,” he said.
In a denial-of-service attack, a flood of information requests is sent to a Web server, bringing the system to its knees and making it difficult or impossible to reach. Today, such attacks often involve many hacked computers, so-called “zombies,” that have been networked in a so-called “botnet.”
Cybercriminals rent out use of their botnets on the black market. About 60 percent of the world’s spam is sent through such compromised computers, and the zombies are also used in extortion schemes where a Web site owner is told to pay or face a denial-of-service attack.
Botnets are usually tracked down by the commands used to control them – usually an IM or IRC stream. “VoIP offers a lot more scope for hiding information in the traffic,” says Ian Brown, who leads the Internet security group at the Communications Research Network. “There is a lot more traffic coming through, and audio traffic is a lot of random looking bits. If you can’t see the botnet messages, you can’t dismantle the botnet.”
Skype disputes that its traffic is any more dangerous than other traffic, but the application has gained a reputation for stealth ness, both in the way it gets onto systems, and in the way it guards the internals of its working.
Skype is designed to be easy for inexperienced end users to install, without the benefit of support from their ISPs or IT managers. It has to work unaided – and that means it has to be good at getting past firewalls and other security measures.
This can be a benefit, but for business, it means an unmanaged hole in a firewall, and an un-audited channel of communications – which in many industries may be against business regulations. Skype clients also act as servers, using bandwidth to handle other people’s calls.
Lots of IT managers simply want to shut Skype down. “I wouldn’t go so far as to say all companies should block Skype,” says Brown, “but it’s something they should be aware of.”
Skype denies that it’s unpopular with IT. “I speak frequently to enterprise IT departments and CIOs about trying to integrate Skype into their architectures,” says Kurt Sauer, director of security operations at Skype.
“Customers should demand standards compliance from Skype,” says Brown. Crowcroft reckons it’s now in Skype’s interest anyway: it could reach a bigger market by inter-working with instant messenger tools that now offer voice. It would also be good for ISPs – if they knew the routing specifications, they could apply traffic engineering and deliver a better quality of service to VoIP users.
Skype doesn’t see it that way: “It’s what Gartner wants and its what our competitors want,” said Sauer. But he thinks the time to go standard is not yet. “VoIP itself is not through its innovation cycle. It’s not a commodity. If people say we should standardise on a protocol, it would diminish our ability to innovate” (read our review of Skype 2.0, for a view on Skype’s innovation).
Since Skype’s user base is consumers, not the enterprise, it can afford to ignore calls to standardize – at least in theory. Which may be why the CRN chose to make the announcement the way it did.