Get the security message
By Emma Winfield
Posted on 10 Jul 2002 at 14:44
Instant messaging applications are climbing the corporate agenda, but is the technology a disaster waiting to happen?
Instant messaging has moved from the bedroom to the boardroom, as enterprises realise there are huge benefits in the workplace. But how many users consider security threats? Not many, judging by the users we spoke to.
Yet even the companies that developed the world's most popular IM software have admitted the communication medium carries security threats that could outstrip those associated with email. Hackers have begun to target chat applications, and companies are beginning to take note. With this in mind, can IM have a future in the workplace? Certainly, IT managers are becoming wary of chat applications, with some banning them from corporate networks altogether.
Although IM use has historically centred around less formal chat between friends, enterprises are realising that it offers an improved communication path in the office. It enables workers to have private conversations without booking a meeting room, supports a spontaneity not offered by emails and demands an almost instant response. On top of this, IM provides a more approachable, chatty communication medium. But increasingly, IM applications are being used to deliver files, some of them malicious.
Developers of the most popular IM applications - Yahoo!, AOL and Microsoft - say they didn't design the software for anything more than chatting between friends. Security threats were of little concern before the phenomenon reached the enterprise. But security firms are now urging companies to be wary.
'Instant messaging is simply another mechanism that connects millions of people, and any mechanism like that can be used to spread malicious threats,' said Steve Trilling, development manager at Symantec.
Part of its attraction to malicious parties is that infected IMs can sneak past the firewall undetected and deliver a virus-ridden file to a worker's desktop. The worker, who usually counts on protection at the firewall, suspects nothing.
'A lot of companies have put protection in their email gateways, but they haven't put in place protection that intercepts instant messages, which don't travel via the email gateway but use a different Internet protocol,' said Graham Cluley, senior technology consultant for Sophos.
The security threat isn't helped when flawed updates are released, as was the case when the latest version of Yahoo! IM was made available. The company put a fix on the Web within days, but for a while, hackers were presented with the opportunity to delete files from an unsuspecting user's system using buffer overflows.
But is this the worst case scenario? Far from it. Experts are concerned the problem could be compounded should interoperability finally become a reality. Unless they use specialist software such as Trillian, users of the various IM applications can currently communicate only with other users of the same application. But there are moves to change this, enabling AOL users to message Yahoo! users, for example. This would provide an obvious usability benefit, but it could bring a big security headache.
'If the whole world adopted the same standards for instant messaging then virus writers would have only one platform to target,' said Cluley. 'If everyone uses the same method for communicating then viruses will try and exploit that.'
And the threat doesn't end with simple viruses.
In March this year, the CERT Co-ordination Centre, which provides incident notes for the Internet community, received reports of 'social engineering' attacks on IM applications. Intruders tricked users into downloading and executing malicious software masked as music or pornography, which then allowed intruders to use the system as a platform for launching Denial-of-Service attacks.
