Research from VeriSign and Info-Tech Research Group said security risks surrounding increasingly-popular Internet phone software could put networks at risk and should be addressed.
Ross Armstrong, senior research analyst at Info-Tech, is also urging businesses to ban the use of free Voice over IP software provider Skype in the workplace -- especially if they already have similar policies regarding the use of peer-to-peer technologies.
Skype usage in the enterprise, he said, is in many ways similar to the steady growth of public instant messaging (IM) services the past couple years. The real danger, he said, is if Skype is downloaded and used in an enterprise as an unsanctioned software application.https://o1.qnsr.com/log/p.gif?;n=203;c=204660766;s=9477;x=7936;f=201812281312070;u=j;z=TIMESTAMP;a=20392931;e=iWhile Armstrong said he has not seen any Skype vulnerability exploits in the wild, he pointed to vulnerabilities that have been patched in Skype. Last month, the company reported two high-risk security bugs.
Skype was acquired by eBay in September for $2.6 billion and counts some 54 million members in 225 countries and territories using its free software.
Beyond its free PC-to-PC calling service, voicemail, instant messaging, call forwarding and conference calling, Skype offers a paid calling service, called Skype-out, that connects PC callers to traditional landlines and mobile phones.
But as popular as it may be, researchers said if an unpatched version is sitting inside the corporate network, and malware writers capitalize on that, it could create problems for IT managers that don't even know the application is behind the firewall.
"Now, I'm not saying to be reactionary and ban Skype no matter what," Armstrong said. "What I'm saying is IT managers need to be aware whether or not it's being used without proper authorization within the enterprise."
Skype officials said administrators should be diligent with their network and user rules. The company has a security resource center on its Web site featuring a guide to help network administrators manage Skype use on the network.
If Skype is going to be allowed, it needs to be centrally managed, Armstrong said, though he advises companies to wait for an enterprise version of Skype before allowing it in the workplace. As it stands, the research firm noted in an recent advisory, Skype doesn't leave an audit trail and could get companies into trouble on the compliance front; there's also the question of whether VoIP calls in general constitute a business record.