Langa Letter: More Instant-Messaging Security Holes - InformationWeek
IoT
IoT
Software // Enterprise Applications
Commentary
9/24/2001
04:59 PM
Fred Langa
Fred Langa
Commentary
50%
50%

Langa Letter: More Instant-Messaging Security Holes

Fred Langa warns that hyper-aggressive IM installations may end-run your online safeguards.

You probably know about and use instant messaging, a form of quasi-E-mail that can be exchanged by PC users in near real time. Instant messages are a great way to get and share small bits of information, to quickly ask a question and get an immediate reply, or to communicate faster than E-mail and less expensively than by telephone.

But IM can be a security nightmare. If you use instant messages to convey sensitive business or personal information, you're inviting big, big trouble. We'll get to the specifics in a moment, but first, let's start with some background.

In the aggregate, millions of users--many of them in business--routinely use IM every day to share tens of millions of messages. The giant of IM clearly is AOL, which controls the three top IM clients: its wholly owned ICQ software, AOL's native instant messaging, and its AOL Instant Messenger (AIM), which is available in stand-alone and bundled versions (it comes with Netscape browsers, for example). Microsoft's MSN Messenger places second, with a myriad of other smaller players slicing up the rest of the pie.

But instant-messaging tools are notoriously insecure. Historically, the software itself was vulnerable to a wide range of cracks and exploits. Password theft and outright identity theft were extremely common in IM's early days.

Today's newest IM clients are better than those early offerings, but they still have many security problems: For example, by design, all the major IM clients are intended to be left active, running as a background task. By default, they all configure themselves to broadcast the user's online presence. And they continue doing so even if the user closes the client interface. (Usually, a separate "exit" action is needed to actually stop the client from broadcasting.)

It's ironic that many users employ firewalls to put their systems into attack-proof "stealth" mode, but then they'll fire up an IM client that actively broadcasts "Here I am!" messages to all comers!

Couple this always-on broadcasting with an IM clients' ability to support peer-to-peer downloads, and you can see there's also an obvious risk that Trojans and worms may attempt to make use of the open IM channel.

IM logs are another issue. These log files can save the content of IM discussions, including sensitive, private ones. This content can come back to haunt you (see ICQ Logs Spark Corporate Nightmare).

Making an IM client at least reasonably secure usually involves changing the default settings, which often are quite lax. Keeping an IM client secure in the face of users or malicious software is no simple task, especially in enterprise settings.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
[Interop ITX 2017] State Of DevOps Report
[Interop ITX 2017] State Of DevOps Report
The DevOps movement brings application development and infrastructure operations together to increase efficiency and deploy applications more quickly. But embracing DevOps means making significant cultural, organizational, and technological changes. This research report will examine how and why IT organizations are adopting DevOps methodologies, the effects on their staff and processes, and the tools they are utilizing for the best results.
Register for InformationWeek Newsletters
White Papers
Current Issue
Digital Transformation Myths & Truths
Transformation is on every IT organization's to-do list, but effectively transforming IT means a major shift in technology as well as business models and culture. In this IT Trend Report, we examine some of the misconceptions of digital transformation and look at steps you can take to succeed technically and culturally.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll