IM secure(ity)

From its humble beginnings as a buddy-to-buddy chatting service, instant messaging (IM) has blossomed into a staple for tens of millions of Internet users. Popular systems such as America Online's Instant Messenger and ICQ, Microsoft's MSN Messenger, and Internet Relay Chat have changed the way we communicate with our friends, acquaintances and now our business colleagues.

And according to industry analysts at Framingham, Mass.-based IDC, the number of corporate IM users is only expected to grow – to a whopping 300 million by 2005.

A vulnerable architecture

Most IM systems in use today were designed with scalability in mind, rather than security. Virtually all freeware IM systems lack encryption capabilities, and most have features to bypass traditional corporate firewalls, making it difficult for administrators to control their use inside the organization. Many of these systems have insecure password management and are vulnerable to account spoofing and potentially to denial-of-service attacks.

The bottom line is that IM systems meet all the criteria required to make them an ideal platform for fast-spreading computer worms and blended threats. For instance:

  • IM is quickly becoming ubiquitous.

  • IM provides an able communications infrastructure.

  • IM has integrated directories that can be used to locate new targets (that is, buddy lists).

  • In many cases, IM can be controlled by easy-to-write scripts.

The majority of IM systems employ a client/server architecture. Users install IM clients on their client machines, and these software clients then communicate with an IM server in the messaging provider's infrastructure to exchange messages.

In most instances, messages aren't sent from one user's computer directly to his or her buddy, but rather from the first user to an IM server over the public Internet and then down to the recipient. In almost all IM systems, messages sent between users are plainly visible (unencrypted) and susceptible to eavesdropping.

Opinion
Carey Nachenberg

Threats from file transfers and scripting

IM systems also allow users to exchange files with each other – again, in an unencrypted form. Such file transfers can cause the spread of traditional viruses, worms and Trojan horses, as well as blended threats. Furthermore, while it is technically feasible to build security products that scan IM file transfers as they pass through the corporate firewall, no security vendor yet offers such gateway scanning solutions, in part because of the proprietary nature of the IM protocols, although companies are investigating such technology. Consequently, the best protection against any threats spread through IM file transfers is to deploy up-to-date antivirus software on all client desktops.

Some of the most popular IM platforms offer scripting capabilities, enabling users to write Visual Basic, JavaScript, proprietary script code or standard Windows programs to control various features in the messaging client. Such scripts can instruct the IM client to automatically contact other users, send files, change program settings and perform other potentially malicious actions. This functionality, while offering convenience, also enables the spread of computer worms and blended threats; there are already dozens of known script-based IM worms, making this a far-from-hypothetical problem. Once again, it is critical to deploy antivirus protection on all desktops to protect against such IM-based malicious code.

More exploits

Like all Internet-enabled software, IM programs can have bugs that attackers may exploit over the Internet. Through attacks such as buffer overflows and malformed data packets, an attacker could potentially gain access to any PC where a vulnerable IM client is installed.

In addition, many IM vendors have added non-chat-related features that open up the IM client software to the Internet and potentially increase its vulnerability to attack. Finally, a number of IM systems are vulnerable to account hijacking or spoofing. Such vulnerabilities could allow an attacker to hijack another user's IM account and impersonate that user in conversations with others. Alternatively, an attacker could potentially crack the poorly secured password files (stored on the desktop computer by many IM systems) and use these passwords to hack into other corporate systems, since users often use the same password on multiple systems.

Instant messaging best practices

For these reasons, we recommend that corporations deploy a desktop firewall, or an integrated antivirus/firewall, on all desktops. Such a firewall can help to block usage of unapproved IM programs and potentially prevent attacks to and from these systems.

More generally, to reduce the risk from IM systems, we recommend the following best practices:

  • Deploy antivirus software and personal firewalls on all desktops.

  • Establish a corporate IM usage policy; encourage users not to send confidential information over public IM systems.

  • Properly configure corporate firewalls to block unapproved IM traffic.

  • Deploy private corporate IM servers if possible to isolate your corporate messaging systems from the outside world.

  • Enforce client-side IM settings (refuse file transfers by default, for example).

  • Install patches to IM software as soon as possible.

  • Use vulnerability management solutions to ensure IM client policy compliance.
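
As an added example (not part of the original article), the following Python audits firewall or proxy egress logs for unapproved IM traffic, matching on login hostname as well as port so that clients falling back to port 80 are still flagged. The log line format and the sample entries are constructed for illustration; the ports and login hostnames are the well-known defaults of the IM systems named in this article.

```python
import re
from collections import defaultdict

# Well-known default server ports for the IM systems the article names.
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN Messenger", 6667: "IRC"}
# Well-known login hosts; a match here still fires when the client hops ports.
IM_HOSTS = {
    "login.oscar.aol.com": "AIM/ICQ",
    "login.icq.com": "AIM/ICQ",
    "messenger.hotmail.com": "MSN Messenger",
}
# Constructed (hypothetical) log format: "<ts> <action> src= dst_host= dst_port="
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
    r"dst_host=(?P<host>\S+) dst_port=(?P<port>\d+)$"
)

def classify(host, port):
    """Return (system, evidence) if the flow looks like IM, else None."""
    host = host.lower().rstrip(".")
    if host in IM_HOSTS:
        # "host" alone means the IM client is not on its default port.
        evidence = "host+port" if port in IM_PORTS else "host"
        return IM_HOSTS[host], evidence
    if port in IM_PORTS:
        return IM_PORTS[port], "port"
    return None

def audit(lines, approved=frozenset()):
    """Map each internal source to the set of (system, evidence, action) seen."""
    findings = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        hit = classify(m["host"], int(m["port"])) if m else None
        if hit and hit[0] not in approved:
            findings[m["src"]].add((hit[0], hit[1], m["action"]))
    return dict(findings)

# Constructed sample log lines (documentation and private address ranges).
SAMPLE_LOG = [
    "2003-05-12T09:14:02 ALLOW src=10.1.4.23 dst_host=login.oscar.aol.com dst_port=80",
    "2003-05-12T09:14:05 DENY src=10.1.4.40 dst_host=messenger.hotmail.com dst_port=1863",
    "2003-05-12T09:15:11 ALLOW src=10.1.4.23 dst_host=www.example.com dst_port=80",
    "2003-05-12T09:16:30 ALLOW src=10.1.7.9 dst_host=198.51.100.7 dst_port=6667",
]

if __name__ == "__main__":
    for src, hits in sorted(audit(SAMPLE_LOG).items()):
        print(src, sorted(hits))
```

An `ALLOW` finding with evidence `host` is the case to chase first: the client reached its login server on a port the firewall permits, so a port-only block rule is not enforcing the IM policy.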

IM systems are rapidly working their way into corporations because of their efficiency and convenience. Unfortunately, few companies have standardized on any particular IM system, leaving users to choose for themselves and potentially compromise security within the organization.

Many of today's IM systems were built for consumer chatting rather than secure corporate communications. Consequently, they create new and often hidden vulnerabilities within the corporation. For these reasons, we advise corporations to create and implement a strategy to fully reap the benefits of IM systems, while reducing their exposure to security attacks.

Copyright © 2003 IDG Communications, Inc.
