Instant mayhem

by Nikola Strahija on February 18th, 2003

Email has revolutionised the way we talk to each other. For many of us, snail mail is a thing of the past. However, the benefits of speedy communications have come at a price. The past few months have seen commercial and home email users assailed with malicious worms and viruses, underlining the dangers of sharing information online.


The popularity of email, however, may soon be rivalled by a newer and more nimble online communications system, Instant Messaging (IM).

At last count, there were 50 million IM users worldwide. Its exploding popularity threatens to open a range of new security issues - issues that the anti-virus and internet firewall vendors have been slow to address.

IM is like email on steroids. Users hold online conversations in real-time, passing typed messages back and forth in a way similar to speaking on a telephone. IM software tells users who is online and provides for conferences between multiple participants. In a corporate setting, this has, in many instances, filled the gap between email and telephones, providing fast collaboration between many people in different parts of the business.

Elsewhere, IM has become the latest toy of internet consumers, many of whom are enamoured of its recreational potential but ignorant of its potential dangers.

In recent years email has been the preferred target of hackers. As virus infections have affected an increasing number of ordinary email users, the adoption of email antivirus packages such as Norton, by Symantec; Vet, from Computer Associates; and McAfee, from Network Associates, has become increasingly common. The increasing popularity of IM over the past two years threatens to take security breaches to a new level.

The four most popular IM products in use outside the commercial world - MSN Messenger, Yahoo Messenger, AOL Instant Messenger and ICQ - are all free and all highly vulnerable to security breaches. They allow users to freely transfer potentially virus-ridden files and to conduct unencrypted chat sessions that are a virtual open book to any reasonably knowledgeable hacker. The security vendors, however, appear to have lagged behind the IM popularity curve and this is an issue weighing heavily on the minds of corporate users.

David Barnes, Asia-Pacific regional manager of Symantec security response, is relatively dismissive of any heightened security threats posed by the increasingly widespread adoption of IM. "Norton Internet Security 2003 includes virus scanning for the MSN, Yahoo and AOL products. Any attachments that come in or go out are scanned," Barnes says. "Even if you have an earlier version, if you get an infected file that comes in as an attachment and you try to save it to disk, the antivirus software will catch it."

Barnes's nonchalance is not matched by a growing army of experts in and outside the security vendor community who are raising the alarm about the risks of unsafe communications practices associated with IM.

Andrew Hennell, president of the Systems Administrators Guild of Australia (SAGE-AU), believes the unchecked use of popular freeware IM packages within corporations is an accident waiting to happen. He says: "You've got a product that's open on the desktops of corporate users with the ability to chat to anyone in the office and outside. We have firewalls and email scanning in place at most organisations but instant messaging by-passes these points of security, therefore we have a problem. Around (last) Christmas, my organisation had some members receive executable files through email which were blocked. However, they got through to ICQ users. Using instant messaging within corporations is fine but having unchecked communications with the outside world is asking for trouble."

While email provides a good medium to share information with other users through file transfers, in recent years this has been, by far, the biggest source of security breaches. Many an unsuspecting user has unwittingly infected his computer and thousands of others by simply double-clicking on an innocent attachment masquerading as a screen saver, which is actually a malicious program that damages the user's system and sends itself to others in his address book, masquerading as the user.

Like email, IM enables information to be shared through file transfers, with all its inherent dangers. However, IM goes one step further; it enables peer-to-peer file sharing among members of a messaging group. In other words, all users in an IM club can potentially access the disks of the other members of the group. Thus, the hard disks of unprotected IM users are potentially at the disposal of any would-be hacker during an IM chat session.

The latest version of a whitepaper titled Instant Insecurity: Security Issues of Instant Messaging, written by Symantec virus researcher, Neal Hindocha, identifies five main IM security threats - worm viruses, back-door Trojan horses, hijacking and impersonation, denial of service and unauthorised disclosure of information.

One major difference between email and IM goes some way towards limiting the appeal of IM to hackers. All the popular IM products on the market are proprietary systems and none of them talk to each other - yet. Some would say the current lack of standards and interoperability of the various IM systems is a weakness in this form of communication. However, from a security standpoint, the proprietary nature of IM could also be considered an advantage over email. A hacker wishing to spread malicious code such as a worm or virus through a proprietary IM system will, for the time being, be limited to a smaller audience than the far more universal email system. Despite this, the number of worms targeting IM systems is on the rise - possibly because there is no effective anti-virus software that can catch viruses embedded within IM packets at the server level. Therefore, unlike email, IM users currently have just one line of defence against worms - anti-virus software at the desktop.

Within the corporate computing world, virus transmission is just one of a number of security breaches that occur regularly. According to SAGE-AU's Hennell, the unauthorised intentional disclosure of sensitive information is a major security risk associated with the proliferation of IM systems. "The potential for theft of intellectual property is a major problem with instant messaging," says Hennell. "With email, we've had time to develop systems that look at files going out of the organisation. Instant messaging has crept in the side door. In most companies, instant messaging users can transfer files out of the organisation without the company being aware of it. Most systems administrators haven't addressed this as yet."

Perhaps the most insidious problem that all IM users may be forced to confront is the possibility that you may be talking to an impostor during an IM session. IM account information, including passwords, can be stolen using Trojan horse execution programs attached to emails. In addition, hackers can quite easily gatecrash the unencrypted chat sessions of all the popular IM systems and insert their own messages.

IBM's most senior IM guru says that authentication and interoperability standards must be established before IM can be adopted as a universal messaging system.

Brian White, worldwide product manager of Lotus Sametime, IBM's corporate instant messaging system, says that interoperability standards such as SIP (session initiation protocol) and the emerging SIMPLE (SIP for instant messaging and presence leveraging extensions) will go a long way towards establishing the sort of rigour in public IM systems that now exists in the proprietary corporate systems.

"With a corporate service like Lotus Sametime, users are authenticated against a private directory, while the public services enable users to impersonate anybody," says White. "If you're talking business to business or business to consumer you need to know who you're talking to. SIMPLE will allow gateways to be built between proprietary IM systems. For consumers, we'll support any SIMPLE client that wants to connect to a Lotus Sametime server."

Hand in hand with the implementation of interoperability and authentication protocols, White believes the problem of catching viruses before they reach the desktops of IM users will be solved eventually but this is still some way off. Meanwhile, file transfers in IM should be a no-no for all sane users. He says: "The anti-virus vendors believe they have the technology to do anti-virus checking during streaming but this is still 12 to 18 months away. At present, I will never transfer files through an IM system." In the meantime White, like other experts concerned with corporate IT security, recommends that all organisations should disable the file transfer capabilities of their IM systems. He estimates about 90 per cent of corporations have done this so far.

For those enterprises that continue to allow employees to conduct chat sessions with friends and family while at work, the message from those in the know is clear - stop it now. As for consumers who belong to IM chat groups, unfortunately it's a case of user beware.

IM CASE STUDY

Global technology components and products distributor, Avnet, decided to implement an instant messaging (IM) system to improve its customer support capabilities. The company, with more than 10,000 staff in 350 offices, also wanted to increase the efficiency and productivity of its geographically dispersed employees through improved internal communications.

Avnet implemented Lotus Sametime in mid-2002, making the proprietary IM system available to reseller partners through the Avnet website and internally to its sales and administrative staff. The company tested AOL Instant Messenger but decided to go with the IBM product because of perceived security issues. Avnet's aim was to provide customers and internal staff with the capability to get more immediate answers to complex inquiries than were available through existing communications channels, such as email.

Avnet customers can now communicate with company support specialists through the internet using IM chat sessions launched from the Avnet website. Internal users employ IM to communicate through the corporate network. In both cases, the file transfer capabilities of Lotus Sametime have been disabled to minimise the possibility of virus transmission.

Customers access Avnet support staff listed on the corporate website using a colour-coding system that informs them of the availability of each listed support person. If the colour indicates that a particular support person is available, a customer can simply point and click on the person, launching a real-time IM chat session.

The Avnet IM system uses two servers - one for company users and the other for messaging between the outside world and Avnet staff. The server that is used for outside communications is isolated from the Avnet corporate network for security reasons.

According to Avnet, the deployment of IM throughout the organisation and to its customer base has improved the quality of communications between its sales and support staff, significantly lowering email traffic. However, Avnet has not as yet deployed the IM system in its Australian operations.

- article available at http://www.smh.com.au -

