Software // Enterprise Applications
Commentary
9/24/2001
04:59 PM
Fred Langa
Fred Langa
Commentary
Connect Directly
RSS
E-Mail
50%
50%

Langa Letter: More Instant-Messaging Security Holes

Fred Langa warns that hyper-aggressive IM installations may end-run your online safeguards.

You probably know about and use instant messaging, a form of quasi-E-mail that can be exchanged by PC users in near real time. Instant messages are a great way to get and share small bits of information, to quickly ask a question and get an immediate reply, or to communicate faster than E-mail and less expensively than by telephone.

But IM can be a security nightmare. If you use instant messages to convey sensitive business or personal information, you're inviting big, big trouble. We'll get to the specifics in a moment, but first, let's start with some background.

In the aggregate, millions of users--many of them in business--routinely use IM every day to share tens of millions of messages. The giant of IM clearly is AOL, which controls the three top IM clients: its wholly owned ICQ software, AOL's native instant messaging, and its AOL Instant Messenger (AIM), which is available in stand-alone and bundled versions (it comes with Netscape browsers, for example). Microsoft's MSN Messenger places second, with a myriad of other smaller players slicing up the rest of the pie.

But instant-messaging tools are notoriously insecure. Historically, the software itself was vulnerable to a wide range of cracks and exploits. Password theft and outright identity theft were extremely common in IM's early days.

Today's newest IM clients are better than those early offerings, but they still have many security problems: For example, by design, all the major IM clients are intended to be left active, running as a background task. By default, they all configure themselves to broadcast the user's online presence. And they continue doing so even if the user closes the client interface. (Usually, a separate "exit" action is needed to actually stop the client from broadcasting.)

It's ironic that many users employ firewalls to put their systems into attack-proof "stealth" mode, but then they'll fire up an IM client that actively broadcasts "Here I am!" messages to all comers!

Couple this always-on broadcasting with an IM clients' ability to support peer-to-peer downloads, and you can see there's also an obvious risk that Trojans and worms may attempt to make use of the open IM channel.

IM logs are another issue. These log files can save the content of IM discussions, including sensitive, private ones. This content can come back to haunt you (see ICQ Logs Spark Corporate Nightmare).

Making an IM client at least reasonably secure usually involves changing the default settings, which often are quite lax. Keeping an IM client secure in the face of users or malicious software is no simple task, especially in enterprise settings.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Building A Mobile Business Mindset
Building A Mobile Business Mindset
Among 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps and it's past time for those with no plans to get cracking.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July 22, 2014
Sophisticated attacks demand real-time risk management and continuous monitoring. Here's how federal agencies are meeting that challenge.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.