Risk Analysis in Skype Software Security
Afnan AlOmrani, Rasheed AlZahrani, Eyas ElQawasmeh Information System Department
College of Computer and Information Sciences King Saud University
Riyadh, Saudi Arabia
[email protected], [email protected], [email protected] ABSTRACT
Skype software is considered as a common and important communication service that is used these days. This research aims to investigate the security issues related to the Skype. The unsolved issues in security will be discussed in this research and will be highlighted. This is done by explaining some ways used by attackers for Skype. The research conducted a survey where its results are presented and gave evidence about the concerns that are related to the Skype security. Also, some experiments in Skype will be presented. In addition, recommendations will be proposed to enhance the security level in Skype.
KEYWORDS - Skype Security, Skype software, Encryption, Decryption, Risk analysis.
1 INTRODUCTION
Skype is an Internet communication service which allows people to call, see, message, and share their world to others wherever they are. It has a great advantage in bringing the societies together. Skype software provides many benefits to the users, such as: call anyone in anywhere for free, call mobiles and landlines, and provide group call. Also, it allows video calls either for a group or one to one.
In addition, the user can send different kind of messages whether it is text, video, or instant messages. Moreover, sharing is another feature provided by Skype. It can be screen sharing, file sharing, or even a contact sharing [1].
Skype software works through a technology called Voice over IP (VoIP). “VoIP is a method of transmitting the human voice over Internet Protocol
(IP) networks” [2]. Skype uses this technology in order to make phone calls, video calls, group calls over the internet replacing the traditional phone lines [2].
Currently, Skype security status is under ongoing debate; some researchers find that Skype is one of the safest VoIP software, while others believe that there are some vulnerabilities and flaws in its security. As a result, this research aims to investigate the security issues related to the Skype.
The unsolved issues in security will be discussed in this research and a survey results will be presented to help the researcher to fill the missing gaps.
This paper is organized as follows. Section 2 presents the current related work in this field. Skype security risk analysis is proposed in section 3, followed by results and discussion in section 4.
Conclusion and recommendations are presented in section 5.
2 CURRENT RELATED WORK
The aim of this section is to present existing studies and to expand the vision of the reader.
Author in [3] wrote “The H Security team recently found evidence that Microsoft does make use of their Skype security policies to read users’ text chats”. Also, He pointed that “Skype claims that accessing URLs is standard way to check for spam and phishing sites, but the H Security isn’t buying it” (Anne, 2013). The H security replayed by stating the following “Spam and phishing sites are not usually found on HTTPS pages. By contrast, Skype
leaves the more commonly affected HTTP URLs, containing no information on ownership, untouched. Skype also sends head requests which merely fetches administrative information relating to the server. To check a site for spam or phishing, Skype would need to examine its content.” [3]
Authors in [4] wrote a paper that proposed a method to detect Skype flows hidden among Web traffic.
They evaluated their study by using real-world experimental data gathered at a commercial Internet Service Provider (ISP) and an academic institution.
The experimental results showed a performance of around 90% detection rate of disguised Skype flows with a false positive rate of only 2%, whereas a 100% detection rate of Skype.
Author in [5] have exposed a new leak in Skype security which is exposing your location to anyone who attempts to connect your Skype handle. And worst you might not know about this. This kind of vulnerability could help stalkers or corporate spies track you in physical movements as they log on from different locations around the world. This is a serious issue that should and must be considered to find a quick solution to it.
As presented in this section, there are some serious issues and concerns that any researcher in this area should consider them. The following section is the proposed methodology that would help to put Skype security in another level.
3 SKYPE SECURITY RISK ANALYSIS The author’s strategy in this study is to expose some of security gaps and leaks. Solutions are presented in order to help reducing the outcome of such gaps.
First, security breaches will be highlighted and then solutions are proposed.
Some security breaches and leaks were exposed during researcher’s analysis study. Example of such leaks is Skype’s security breach in its chat log; the researcher did an experiment to assure this leak. A free program that is available on the web called SQLite Database Browser is used in this test (Figure 1) and a creation of two accounts is done The author used the Skype to initiate a chat with the one of these accounts (e.g. afnan.n.2014) and then
the program is used in order to open the chat log.
The chat log is saved on the sender’s and the receiver’s machine under the name “main.db”.
Although, in this experiment, the author (e.g.
sender “afnan.n.2014”) will access the chat log on the sender’s machine so it alternates the message at the receiver side (e.g. afnan.alomrani). The alternated message is from previous chat. Note that in this experiment, the chat log is not deleted in both machines. Thus, if the sender deleted the chat log that resides in his/her machine and able to hack the victim’s chat log (e.g. receiver), this experiment will work in such situation. Although, most of people thinks that this kind of act is not a major threat, in fact it could be in a situation of exchanging business details or some sensitive information.
Figure 1. SQL Database Browser Main Window
Another security gap that would put Skype’s user in danger of getting hacked is having programs and online tools for cracking the password account of a Skype user. Such these programs are: Skype Hacker Pro v2.8.9 (as shown in figure 2), Skype Password Hack, and many more.
Figure 2. Skype Hacker Pro V2.8.9 Interface
As a consequence of such leaks; a survey is published through online tool which is available on this website: www.SurveyMonkey.com/. The purpose of the survey is to verify the concerns of the authors. The main aim and outcome of this survey is to know the current status of Skype security with its users and to help the authors to do further enhancement regarding the security of Skype. It contained 43 questions. Table 1 presents more detailed information about the survey. The results and the analysis of these results are proposed in the following section.
Table 1. Survey Methodology
In addition, a program is proposed as a solution for some issues that is facing Skype security system.
The authors implemented a program called Skype Security Agent (SSA), Figure 3 shows a snapshot of program. The program helps the sender (i.e.
Skype user) to encrypt text messages and files before sending it to the receiver (i.e. Skype user).
This program is applied by using Delphi programming language. To execute the program the author used Embarcadero RAD Studio 2010 product. This program can be counted as an aggregated work to the researchers in [6]. They
proposed a Skype client application made especially for video calling and its main objective was to implement a specific encryption algorithm in Skype video calling. The main aim of the authors’ proposed program is to continue the work of these researchers and to enhance the security level of Skype in sending messages and/or sharing files. The developed program (SSA) is a tool that can help Skype user to protect the sensitive data from internet leaks and from the hackers. In order to use SSA program, a version of this program should passed to the receiver who is the one that you need to contact with (i.e. Skype user) and then exchange sensitive data over Skype easily. As shown in Figure 3, there are two options: File sharing or Text chatting. When the user choose the
“File sharing” tab, the desired file chose by clicking on the button which is next to “Encrypt/Decrypt”
label. The file automatically will be shown in the next box to indicate the format style of saving the encrypted file. When clicking the “Encrypt” button the file will be saved as “File name. File extension.
SSA”. The sender then can send it to the receiver.
In the decryption process the receiver will do the same steps except he/she will press the Decrypt button.
In “Text chatting” tab, there are two text boxes. One for the clear message and the other for the encrypted one. If the sender wants to encrypt the text message then the text should be placed in the
“Clear message” box and press the “Encrypt”
button. On the other hand, if the receiver wants to decrypt the message, it should be placed in the
“Encrypted message” box and click Decrypt.
Targeted sample All Skype users.
Sample Size 62 users.
Gender Male and Female.
Data Collection
Tool Online questionnaire.
Questions Type Open and closed-ended questions.
Figure 3. SSA Main Window
The following section presents some of survey results along with discussion about Skype security status nowadays.
4 RESULTS AND DISCUSSION
The authors sum up the results of the survey to five main categories. These categories are: 1) measure Skype users’ awareness in Skype security news and highlights the main features that are regularly used by the user. 2) Measure the trust level in Skype from its user perception. 3) Skype as mobile application.
4) Skype source code state and measure understanding for Skype user in this point. 5) Measuring the satisfaction level and popularity of Skype. Two main classifications are chosen by authors to present and discuss in this paper due the importance aspects that they cover.
The first chosen classification is quite interesting in this research; it turns a light to a corner which filled of many questions such as: What is the limit of Skype to reach it users? Can we consider Skype as a software that might be used other than communication tool? What is the user trust level in using Skype? All of these questions have been answered in this set. According to figure 4; 58% of users don’t list their personal information (e.g.
contact number, full name …etc.) in their profile;
due to security reasons. Another subject to clarify in this group is that most of users don’t use Skype as a way to publish their business or even to purchase items. The trust level is wobbling from no trust at all to fully trust, the biggest percentage (38%) goes to user trust Skype at 50%. This sort of questions indicates that Skype strict in certain areas which is communication in general. Users can’t trust such software for many reasons: one, there are many online tools that can crack passwords and they are available online. Two, there are new software that can help to hack the chat log database that stored in the user’s machine and the cost is free;
this is serious issue regarding in transferring sensitive information (e.g. home address, billing information …etc.) in purchase items, for instance.
Three, until know the Skype team haven’t yet release detailed information about the encryption technique that is used, and this will be covered more
in another set of questions. Lastly, there were recent claims that Microsoft can eavesdropping chat conversation, video conference for security purpose. As the author in [7] stated “The owner of Skype regularly scans the contents of messages sent on the service for signs of fraud, but what’s done with the information from those scans—whether it’s stored indefinitely or destroyed—is unknown”.
This means that there is no privacy when using Skype and there is no end – to – end security communication.
Figure 4. Measuring Trust Level in Skype from its User Perception
Another aspect which highlighted by the survey is the Skype source code state and measure understanding for Skype user in this point. As shown in Figure 5, most of Skype users don’t agree about being the source code open. In fact, the researchers believe that there is no awareness by users of how much benefit would be to make the source code open. Many researchers in this field have agreed that there is a mistrustful area of why Skype doesn’t make the source code open or even partially open? This question is one of the main questions that motivate the researchers to investigate this matter. In general, the answer of this question from standpoint of many researchers, including us, it goes around hiding security techniques that is used and how much secure is the Skype.
As been presented in previous sections, there are arguments about privacy and information security in Skype which make the safety level much lower
than one believe. There were claims that a third party (e.g. Skype owner “Microsoft”) can eavesdropping chat conversation and can sell some sensitive information for government [8]. This statement makes us as Skype users have an intense concern about information and data safety. In 2014, Skype Twitter and Facebook account and its blog hacked by a hacking group SEA (Syrian Electronic Army). They claimed and tweeted in Skype’s account that the Skype team spy on their users and they sell information needed to government. “The hacking group taken over the account today, posting several tweets in what appears to be a classic case of phishing. The most recent fake tweet advises Skype’s 3 million followers to avoid Microsoft’s email services. "Don't use Microsoft emails (Hotmail, Outlook), they are monitoring your accounts and selling the data to the governments. Another tweet posted earlier today, which has since been deleted, said "stop spying on people," in a message clearly related to recent NSA accusations. Syrian Electronic Army hackers also compromised Skype’s Facebook page and a company blog hosted at Skype’s website” [8]. This hacking group is well known of their hacking technique which is phishing.
This kind of incident is not good for the sake of Skype reputation. Phishing attack is considered one of the easiest threats that could be containment by any organization that have the capability such Skype. The consequences from that event is that Skype user might think of alternatives and thus reducing the popularity of Skype in years.
Figure 5. Skype Users Point of View Regarding Source Code Status
5 CONCLUSIONS
This research investigates about Skype software security and analyzes its risk. The researcher highlights many concerns that could compromise Skype security. The study and analysis were materialized through a survey that published online.
The researcher proposed a program called Skype Security Agent (SSA) that targets the point of enhancing Skype security. This program encrypts and decrypts texts or files when sharing them with another Skype user. In addition, experiments are done to extent how much Skype is secured. These experiments are done by using either programs that are available online or through online tools. The results are variant and the researcher finds that the Skype security system has some breaches in areas and some are robust. As a consequence, the researcher believe that Skype team are in crossroads and they should do more enhancements in their security system and this is could be done by promoting a program or plug in that encrypts/decrypts the text, files, real-time video conference. Implementing such program can move the Skype to another level of trust and convince in use.
Moreover, in this research, the researcher propose an idea to encrypt the video streaming (e.g. real- time video conference) by using a program called SQLite Database and DirectX. Also, using the same program can encrypt the text and files by accessing on the chat log and write SQL query to the database cell and then the encryption will automatically.
REFERENCES
[1] Skype website. Retrieved February 21, 2014 from: http://www.skype.com/en/what-is-skype/
[2] Goodwill Community Foundation International.
Retrieved February 21, 2014 from:
http://www.gcflearnfree.org/skype/1.1
[3] Anne. (2013, May20). Skype Risks – Putting Your Privacy in Microsoft’s Hand. Vsee.com.
Retrieved February 21, 2014 from https://vsee.com/blog/tag/skype-security-risks/
[4] Freire, E. P., Ziviani, A., & Salles, R. M. (2008, April). Detecting Skype flows in web traffic. In Network Operations and Management Symposium, 2008. NOMS 2008. IEEE (pp. 89- 96). IEEE.
[5] Mello, John P. (2013, May 21). Microsoft may be scanning your Skype messages. pcworld.com.
Retrieved April 22, 2014 from:
http://www.pcworld.com/article/2039410/micr osoft-may-be-scanning-your-skype-
messages.html
[6] Ramdan, A. A., & Munir, R. (2012, October).
Selective encryption algorithm implementation for video call on Skype client. In Telecommunication Systems, Services, and Applications (TSSA), 2012 7th International Conference on (pp. 120-124). IEEE.
[7] Mello, John P. (2013, May 21). Microsoft may be scanning your Skype messages.
pcworld.com. Retrieved April 22, 2014 from:
http://www.pcworld.com/article/2039410/micr osoft-may-be-scanning-your-skype-
messages.html
[8] Warren, Tom. (2014, Jan 1). Skype Twitter account hacked, anti-Microsoft status retweeted more than 8,000 times. Theverge.com.
Retrieved April 22, 2014 from:
http://www.theverge.com/2014/1/1/5264540/sk ype-twitter-facebook-blog-accounts-hacked
