Langa Letter: More Instant-Messaging Security Holes
Fred Langa warns that hyper-aggressive IM installations may end-run your online safeguards.
You probably know about and use instant messaging, a form of quasi-E-mail that can be exchanged by PC users in near real time. Instant messages are a great way to get and share small bits of information, to quickly ask a question and get an immediate reply, or to communicate faster than E-mail and less expensively than by telephone.
But IM can be a security nightmare. If you use instant messages to convey sensitive business or personal information, you're inviting big, big trouble. We'll get to the specifics in a moment, but first, let's start with some background.
- Leveraging The Cloud For Business Resilience
- How crowdsourced testing has changed the game for innovative software companies
In the aggregate, millions of users--many of them in business--routinely use IM every day to share tens of millions of messages. The giant of IM clearly is AOL, which controls the three top IM clients: its wholly owned ICQ software, AOL's native instant messaging, and its AOL Instant Messenger (AIM), which is available in stand-alone and bundled versions (it comes with Netscape browsers, for example). Microsoft's MSN Messenger places second, with a myriad of other smaller players slicing up the rest of the pie.
But instant-messaging tools are notoriously insecure. Historically, the software itself was vulnerable to a wide range of cracks and exploits. Password theft and outright identity theft were extremely common in IM's early days.
Today's newest IM clients are better than those early offerings, but they still have many security problems: For example, by design, all the major IM clients are intended to be left active, running as a background task. By default, they all configure themselves to broadcast the user's online presence. And they continue doing so even if the user closes the client interface. (Usually, a separate "exit" action is needed to actually stop the client from broadcasting.)
It's ironic that many users employ firewalls to put their systems into attack-proof "stealth" mode, but then they'll fire up an IM client that actively broadcasts "Here I am!" messages to all comers!
Couple this always-on broadcasting with an IM clients' ability to support peer-to-peer downloads, and you can see there's also an obvious risk that Trojans and worms may attempt to make use of the open IM channel.
IM logs are another issue. These log files can save the content of IM discussions, including sensitive, private ones. This content can come back to haunt you (see ICQ Logs Spark Corporate Nightmare).
Making an IM client at least reasonably secure usually involves changing the default settings, which often are quite lax. Keeping an IM client secure in the face of users or malicious software is no simple task, especially in enterprise settings.