IM Security Problems Persist

Security problems relating to the unfettered use of consumer chat software on corporate networks are fueling adoption of tougher security measures and more commercial-grade products, users and analysts said.

Ongoing concerns about instant messaging (IM) security were heightened last week by the disclosure of six vulnerabilities in America Online Inc.'s Mirabilis ICQ IM client software. Two of them are particularly dangerous and could allow hackers to gain full administrative control of a victim's computer, according to Ejovi Nuwere, a security engineer at Core Security Technologies Inc., the Boston software company that discovered the flaws.

A spokesman for AOL's ICQ subsidiary acknowledged the flaws in the latest version of ICQ's freely downloadable chat software. But he claimed that only one of the flaws, involving a feature that lets users open Internet e-mails, is dangerous. A fix is in the works, he added.

Sensitive Data at Risk

Security analysts have been warning for some time that unchecked use of such software could cause dangerous holes in firewalls, leading to sensitive corporate data being exposed on public networks and files being transferred in an unprotected fashion.

Such concerns are pushing companies to look for new ways of securing IM communications, said Michael Osterman, president of Osterman Research Inc. in Black Diamond, Wash. The firm's twice-yearly surveys have shown adoption of commercial IM products to be growing faster than consumer IM products on corporate networks.

At the same time, public IM products still dominate corporate networks. AOL's Instant Messenger, for instance, is used at 64% of the companies surveyed, Osterman said.

"The good news is that it is easy to detect the use of [consumer] services and to either shut them down or to give users an alternative that is a sanctioned enterprise product," said Dana Gardner, an analyst at The Yankee Group in Boston.

Arlington County, Va., is rolling out Microsoft's Real-Time Communications server software, which will tie into the county's Exchange 2003 and Active Directory environments. It will form the basis of a collaborative infrastructure, where users will be able to carry on secure IM and whiteboard sessions, as well as share applications and files in real time, said Vivek Kundra, the county's director of IT.

The use of consumer IM software is a serious security concern, said Scott Loach, senior information security engineer at Raymond James Financial Inc., a financial services firm in St. Petersburg, Fla.

"We have seen some vulnerabilities [in consumer IM software] that have been exploited," Loach said. The need to comply with regulatory requirements has led to a much closer scrutiny of IM use on corporate networks, he added.

The company plans to ban the use of consumer IM software on its networks, Loach said. New application-level security software from Check Point Software Technologies Ltd. in Redwood City, Calif., will make it possible to shut down consumer chat clients by simply checking a box in the software's administrative interface, he explained.

1by1.gif

Corporate IM

im_security.gif

blue_square.gif
Companies using IM for business applications

blue_square.gif
Companies blocking use of IM

blue_square.gif
E-mail users who also regularly use IM

blue_square.gif
Companies that use AOL's Instant Messenger

Base: 181 companies

Source: Osterman Research Inc., Black Diamond, Wash.

Related:

Copyright © 2003 IDG Communications, Inc.

7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon