Langa Letter: More Instant-Messaging Security Holes - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Software // Enterprise Applications
04:59 PM
Fred Langa
Fred Langa

Langa Letter: More Instant-Messaging Security Holes

Fred Langa warns that hyper-aggressive IM installations may end-run your online safeguards.

You probably know about and use instant messaging, a form of quasi-E-mail that can be exchanged by PC users in near real time. Instant messages are a great way to get and share small bits of information, to quickly ask a question and get an immediate reply, or to communicate faster than E-mail and less expensively than by telephone.

But IM can be a security nightmare. If you use instant messages to convey sensitive business or personal information, you're inviting big, big trouble. We'll get to the specifics in a moment, but first, let's start with some background.

In the aggregate, millions of users--many of them in business--routinely use IM every day to share tens of millions of messages. The giant of IM clearly is AOL, which controls the three top IM clients: its wholly owned ICQ software, AOL's native instant messaging, and its AOL Instant Messenger (AIM), which is available in stand-alone and bundled versions (it comes with Netscape browsers, for example). Microsoft's MSN Messenger places second, with a myriad of other smaller players slicing up the rest of the pie.

But instant-messaging tools are notoriously insecure. Historically, the software itself was vulnerable to a wide range of cracks and exploits. Password theft and outright identity theft were extremely common in IM's early days.

Today's newest IM clients are better than those early offerings, but they still have many security problems: For example, by design, all the major IM clients are intended to be left active, running as a background task. By default, they all configure themselves to broadcast the user's online presence. And they continue doing so even if the user closes the client interface. (Usually, a separate "exit" action is needed to actually stop the client from broadcasting.)

It's ironic that many users employ firewalls to put their systems into attack-proof "stealth" mode, but then they'll fire up an IM client that actively broadcasts "Here I am!" messages to all comers!

Couple this always-on broadcasting with an IM clients' ability to support peer-to-peer downloads, and you can see there's also an obvious risk that Trojans and worms may attempt to make use of the open IM channel.

IM logs are another issue. These log files can save the content of IM discussions, including sensitive, private ones. This content can come back to haunt you (see ICQ Logs Spark Corporate Nightmare).

Making an IM client at least reasonably secure usually involves changing the default settings, which often are quite lax. Keeping an IM client secure in the face of users or malicious software is no simple task, especially in enterprise settings.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
1 of 2
Comment  | 
Print  | 
More Insights
Think Like a Chief Innovation Officer and Get Work Done
Joao-Pierre S. Ruth, Senior Writer,  10/13/2020
10 Trends Accelerating Edge Computing
Cynthia Harvey, Freelance Journalist, InformationWeek,  10/8/2020
Northwestern Mutual CIO: Riding Out the Pandemic
Jessica Davis, Senior Editor, Enterprise Apps,  10/7/2020
White Papers
Register for InformationWeek Newsletters
Current Issue
[Special Report] Edge Computing: An IT Platform for the New Enterprise
Edge computing is poised to make a major splash within the next generation of corporate IT architectures. Here's what you need to know!
Flash Poll