News
Wednesday 10th July 2002
Instant messaging has moved from the bedroom to the boardroom, as enterprises realise there are huge benefits in the workplace. But how many users consider security threats? Not many, judging by the users we spoke to.
Yet even the companies that developed the world's most popular IM software have admitted the communication medium carries security threats that could outstrip those associated with email. Hackers have begun to target chat applications, and companies are beginning to take note. With this in mind, can IM have a future in the workplace? Certainly, IT managers are becoming wary of chat applications, with some banning them from corporate networks altogether.
Although IM use has historically centred around less formal chat between friends, enterprises are realising that it offers an improved communication path in the office. It enables workers to have private conversations without booking a meeting room, supports a spontaneity not offered by emails and demands an almost instant response. On top of this, IM provides a more approachable, chatty communication medium. But increasingly, IM applications are being used to deliver files, some of them malicious.
Developers of the most popular IM applications - Yahoo!, AOL and Microsoft - say they didn't design the software for anything more than chatting between friends. Security threats were of little concern before the phenomenon reached the enterprise. But security firms are now urging companies to be wary.
'Instant messaging is simply another mechanism that connects millions of people, and any mechanism like that can be used to spread malicious threats,' said Steve Trilling, development manager at Symantec.
Part of its attraction to malicious parties is that infected IMs can sneak past the firewall undetected and deliver a virus-ridden file to the desktop of a worker who, used to counting on protection at the firewall, suspects nothing.
'A lot of companies have put protection in their email gateways, but they haven't put in place protection that intercepts instant messages, which don't travel via the email gateway but use a different Internet protocol,' said Graham Cluley, senior technology
The security threat isn't helped when flawed updates are released, as was the case when the latest version of Yahoo! IM was made available. The company put a fix on the Web within days, but for a while, hackers were presented with the opportunity to delete files from an unsuspecting user's system using buffer overflows.
But is this the worst-case scenario? Far from it. Experts are concerned the problem could be compounded should interoperability finally become a reality. Unless they use specialist software such as Trillian, users of the various IM applications can currently only communicate with other users of the same application. But there are moves to change this, enabling AOL users to message Yahoo! users, for example. This would provide an obvious usability benefit, but it could bring a big security headache.
'If the whole world adopted the same standards for instant messaging then virus writers would have only one platform to target,' said Cluley. 'If everyone uses the same method for communicating then viruses will try and exploit that.'
And the threat doesn't end with simple viruses.
In March this year, the CERT Co-ordination Centre, which provides incident notes for the Internet community, received reports of 'social engineering' attacks on IM applications. Intruders tricked users into downloading and executing malicious software masked as music or pornography, which then allowed intruders to use the system as a platform for launching Denial-of-Service attacks.
Worse still, IM could prove a more attractive medium for communicating confidential information to outside sources given that it's harder for IT staff to track the contents of the conversation.
Experts believe specially developed enterprise IM applications may hold the key - AOL and Microsoft are already working on tailored versions. IDC senior analyst Robert Mahowald believes the use of traditional IM packages, where security has been bypassed in favour of ease of use, will decrease. And companies are being encouraged to set the terms by which employees use these applications.
'Businesses will develop policies to deter their employees from using consumer IM, either because they just don't want them to be used period, or because they want to lay the path for the time when they buy business IMs,' said Mahowald.
The availability of safer applications could see IM reach an equal footing with email for corporate communication, but developers and security specialists are urging companies, workers and home users to tread carefully until then.
'Companies should ask "Do we need to allow users access to Internet chat?",' said Simon Edwards, Technical Director of DeadSecure. 'It's a mainstream application now, and carries mainstream threats.'


