- Skype is not standards-compliant, allowing it and any vulnerability to pass through corporate firewalls.
- Skype's encryption is closed source and prone to man-in-the-middle attacks. There are also some unanswered questions about how well the keys are managed.
- Enterprises using Skype risk a communication barrier with countries and institutions that have already banned the service.
- Skype is undetectable, untraceable, and unauditable, putting organizations that are subject to compliance laws at risk.
- The question of whether VoIP calls constitute a business record is a legal quagmire. Throwing Skype into the communications mix further clouds the issue.
"Approximately 17 million registered Skype users are using the service for business purposes," says Armstrong. "Unless an organization specifies instances where Skype use is acceptable, and outlines rules for client-side Skype settings, that's 17 million opportunities for a hacker to invade a corporate network."
I have heard many of these security concerns before, so this report is timely. Any time you have encrypted p2p communications, you risk spreading who knows what between peers. Is it a matter of time before there is some massive virus or worm outbreak? Possibly. Imagine, for example, a phone-based denial of service attack where American Airlines is shut down. In other words, instead of having many computers sending traffic to a site, Skype clients could all SkypeOut to American Airlines at once.
This is a feasible scenario that is not limited to Skype, but it is something we need to be prepared for.
For more, check out comments from Tom Keating.