
Friday, April 23, 2010

INSTANT MESSAGING SECURITY

Instant messaging supports the real-time exchange of messages between two parties over the Internet. To use this service, the user has to have instant messaging client software on his or her computer. The client software communicates with an instant messaging server. The user provides the server with a contact or “buddy” list of the people with whom he or she wants to exchange instant messages.

To use instant messaging, the user logs on to the instant messaging server with a user ID and password, and the server authenticates the user. The client then sends the server the user’s IP address and the port number on the user’s computer that the instant messaging client is using. The server stores this information, together with the same information for everyone on the user’s contact list who is logged in at that time. An important point to note is that once an individual, A, is logged on, the server sends A’s client the IP addresses and port numbers of everyone on A’s contact list who is also logged on, and sends A’s IP address and port number to their clients in turn. Thus, all people on the contact list who are logged on to the instant messaging server at that time learn of one another’s online presence and contact information, whether or not they ever exchange a message.

A user can send a message to another individual on the contact list who is logged on, and that message will instantly appear on the screen of the receiving individual. Because the user’s client already knows the IP address and port number of the receiving individual, the message can be sent directly to the intended recipient without passing through the instant messaging server. This describes the peer-to-peer design; many IM services relay messages through the server instead, and file transfers and voice may use either path. In both designs the endpoint information handed out at login is what makes the recipient reachable.

With instant messaging, communication takes place between only two individuals. If the situation requires instant conferencing among more than two individuals, a chat room can be set up. A chat room is similar to instant messaging, but everyone logged on to the “room” can see a message that is sent by any individual.

When an individual, A, wants to end the instant messaging session, A closes the message window and exits the instant messaging client. The client then sends a message to the instant messaging server indicating that A has logged off. The server, in turn, notifies all the active participants on A’s contact list that A has exited the session. The members of the contact list who are still logged on see A’s status on their windows change from “online” to “offline.”
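The login, presence fan-out, direct message and logout sequence described in the preceding paragraphs, as an added example that is not part of the original post and not code from any real IM product. The server, the users, their passwords and the addresses are all constructed here; the `ROUTES` table stands in for the IP network, and the `demo()` function, `Endpoint` class and method names are this example’s own inventions. The point it makes concrete is the privacy issue raised later on the page: every online contact receives the user’s IP address and port the moment the user logs in.

```python
"""Model of the IM login / presence / direct-message / logout sequence.

Added illustration only; users, passwords and endpoints are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


class IMServer:
    """Authenticates users, records their endpoints and fans out presence."""

    def __init__(self, credentials, contact_lists):
        self._creds = credentials          # user -> sha256 hex of password
        self._contacts = contact_lists     # user -> set of contact names
        self._online = {}                  # user -> Endpoint
        self._pending = {}                 # user -> [(event, peer, Endpoint|None)]

    @staticmethod
    def hash_password(password):
        return hashlib.sha256(password.encode()).hexdigest()

    def login(self, user, password, endpoint):
        """Check the password; on success store the endpoint, tell every
        online contact about it and return the online contacts' endpoints."""
        expected = self._creds.get(user)
        if expected is None or not hmac.compare_digest(
                expected, self.hash_password(password)):
            raise PermissionError(f"authentication failed for {user!r}")
        self._online[user] = endpoint
        visible = {}
        for peer in self._contacts.get(user, ()):
            if peer in self._online:
                visible[peer] = self._online[peer]
                # privacy point: the contact now holds this user's IP and port
                self._pending.setdefault(peer, []).append(("online", user, endpoint))
        return visible

    def logout(self, user):
        if self._online.pop(user, None) is None:
            return
        for peer in self._contacts.get(user, ()):
            if peer in self._online:
                self._pending.setdefault(peer, []).append(("offline", user, None))

    def drain(self, user):
        """Presence events queued for a client since its last poll."""
        return self._pending.pop(user, [])


ROUTES = {}   # Endpoint -> IMClient; stands in for the IP network


class IMClient:
    def __init__(self, user, password, ip, port):
        self.user, self._password = user, password
        self.endpoint = Endpoint(ip, port)
        self.peers = {}       # online contacts -> Endpoint, learned from the server
        self.inbox = []       # (sender, text) delivered directly to this endpoint
        ROUTES[self.endpoint] = self

    def login(self, server):
        self.peers = server.login(self.user, self._password, self.endpoint)

    def poll(self, server):
        for event, peer, endpoint in server.drain(self.user):
            if event == "online":
                self.peers[peer] = endpoint
            else:
                self.peers.pop(peer, None)

    def send(self, to_user, text):
        """Deliver straight to the peer's endpoint; the server is not involved."""
        endpoint = self.peers.get(to_user)
        if endpoint is None:
            raise LookupError(f"{to_user!r} is not shown online")
        ROUTES[endpoint].inbox.append((self.user, text))

    def logout(self, server):
        server.logout(self.user)
        self.peers = {}


def demo():
    """Run the sequence for two constructed users and report what each saw."""
    server = IMServer(
        credentials={"alice": IMServer.hash_password("alice-pw"),
                     "bob": IMServer.hash_password("bob-pw")},
        contact_lists={"alice": {"bob"}, "bob": {"alice"}})
    bob = IMClient("bob", "bob-pw", "198.51.100.7", 5190)
    alice = IMClient("alice", "alice-pw", "203.0.113.9", 5190)
    result = {}
    bob.login(server)                       # nobody on Bob's list is online yet
    alice.login(server)                     # Alice gets Bob's endpoint at once
    result["alice_learned"] = dict(alice.peers)
    bob.poll(server)                        # Bob's client receives Alice's endpoint
    result["bob_learned"] = dict(bob.peers)
    alice.send("bob", "hi")                 # direct, using the learned address
    result["bob_inbox"] = list(bob.inbox)
    alice.logout(server)
    bob.poll(server)                        # Bob sees Alice go offline
    result["bob_after_logout"] = dict(bob.peers)
    try:                                    # unknown user is refused at the server
        IMClient("mallory", "guess", "192.0.2.1", 5190).login(server)
        result["bad_login_rejected"] = False
    except PermissionError:
        result["bad_login_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Note that the server trusts whatever IP and port the client reports, and that Bob’s client learns Alice’s address before Alice has sent him anything; both are consequences of the design itself, not of any particular product.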

Instant messaging software packages also offer other services, including chat room setup, image and sound transmission, voice communication, and streaming content.

Some of the more popular instant messaging utilities are the freeware ICQ (for “I seek you” at www.icq.com), AIM (America Online’s Instant Messenger), Microsoft’s instant messaging utility in MSN Explorer, and Yahoo Instant Messenger.

One problem with instant messaging is the lack of interoperability. An individual with an instant messaging utility from one source or vendor may not be able to communicate with a person using a different instant messaging package. To address this situation, the Internet Engineering Task Force (IETF) first published requirements for an instant messaging and presence protocol (RFC 2779) and later standardized the Extensible Messaging and Presence Protocol, XMPP (RFC 3920 and RFC 3921), as an open, interoperable IM protocol.

IM Vulnerabilities

IM brings with it a variety of security risks by providing a fertile ground for developing smarter worms, sophisticated enough to deliver Trojan horses or even chat with you in your native language. IDC Research estimates that the nearly 12 billion IMs sent every day offer a potent malware transmission vector, with IM Trojans and worms increasing from 21 in 2004 to over 300 in 2005.

Messages sent by means of instant messaging are not inherently secure and safe from prying eyes. The instant messaging server is particularly vulnerable because it contains both the messages and the connection information of the participants.

Corporate users have often installed IM clients on company computers without the IT department’s authorization, thereby opening the corporate infrastructure to a myriad of security threats, such as:

  • Privacy issues - IP address exposure, loss of confidentiality, and eavesdropping
  • Authentication issues - identity impersonation
  • Malware - worms, viruses, Trojan horses
  • Client bugs - buffer overflows enabling denial-of-service and remote code execution attacks

Consumer IM clients bypass corporate security defenses, and they do not provide the encryption or the message auditing, logging, and archiving functions an organization requires to maintain its security posture. IM worms can hijack buddy lists and spread much more rapidly than e-mail-borne viruses or worms, and they resemble phishing in that their messages appear to come from a trusted source (social engineering). Some examples of recent IM worms are:

  • Kelvir-A - A worm that spreads through Windows Messenger and instructs recipients to visit a Web site to download a file called patch.exe
  • Opanki.A - A worm that spreads using AOL Instant Messaging and infects PCs with the worm
  • Sdbot-AAH - A worm that spreads via MSN Messenger, IRC, and Windows Messenger and installs poker3.exe, a file that permits hackers to steal passwords and upload files to an infected PC

Some of the older IM worms that are still circulating are:

  • W32.Goner.A@mm
  • W95.SoFunny.Worm@m
  • W32.Led@mm
  • W32.Seesix.Worm
  • W32.Choke

IM Solutions

All of this can add up to enormous potential for organizational liability. When determining the impact IM use may have on an organization, it’s important to consider:

  • Level of access - What level of employees can have IM access
  • Access authorization - How IM access should be authorized by the appropriate level of management
  • Type of access - Whether employees are allowed to use IM services for personal use or company business only
  • Means of access - Whether IM will be installed on networked workstations, laptops, or wireless appliances
  • Record keeping - What the IM session logging and records retention policies should be

If it’s determined that the organization absolutely needs IM, Information Systems Security Officers (ISSO) or other corporate security personnel should take definite steps:

  • Creating security policies specifying IM usage restrictions
  • Implementing integrated antivirus products on all workstations
  • Hardening company firewalls to block IM traffic
  • Upgrading existing IM software to more secure versions

Also, if the organization decides that the IM risk is not very high, third-party instant messaging software utilities may provide adequate additional security features, including:

  • Encryption, integrity, and authentication services using SSL/TLS
  • Authentication against proprietary databases, domains, or LDAP
  • Secure (encrypted and integrity-protected) file transfer
  • Web-based tools for administration of the instant messaging network on the instant messaging server, including tools for user account administration, logging of critical data, and analysis of log information
