Minimizing the Risks of Instant Messaging
The things that make instant messaging useful also make it risky, and make it a ripe medium for online scams, identity theft, and other predatory behavior. Cybercriminals use all sorts of devious methods—including hacking into accounts and impersonating legitimate users—to gain trust and elicit information from unwitting IM users.
Most IM tools offer a method for sending and receiving file attachments—a major point of vulnerability. IM attachments, just like email attachments, can carry destructive viruses, Trojan horses, and worms. There is also a new breed of IM worm. To the recipient it appears as though the message comes from a valid sender. In reality, the message is generated by the worm, and may contain a link to a Web site that automatically downloads another piece of malicious code.
Finally, there's spim. Spim—the name given spam sent over IM—is on the rise. Some spim can contain offensive language or links to Web sites with content inappropriate for children.
Because of the almost immediate two-way nature of the communication, many users feel that the use of instant messaging in the workplace leads to more effective and efficient workplace communications and, therefore, to higher productivity. As a result, IM is increasing in popularity in both professional and personal applications. However, as with most things Internet-based, the increasing use of instant messaging has led to an associated increase in the number of security risks.
This paper will describe instant messaging and offer a brief overview of some of the security threats associated with the service. This article is based on a previously published Symantec white paper called 'Threats to Instant Messaging'.
How does Instant Messaging Work?
Instant messaging networks consist of clients and servers. A user installs a client that connects to a server operated by the instant messaging network vendor, such as AOL, ICQ, or Yahoo Messenger. (It should be noted that because they use different protocols, the different instant messaging services are not interoperable. Therefore, ICQ users can only communicate with other ICQ users, not with users of other instant messaging services.) All users that sign up for instant messaging are given a unique identifier, which can be either a name or a number. The user then gives out the unique identifier to the people that he or she wants to communicate with via the instant messaging network.
The user starts an instant messaging session by authenticating to the server. When two authenticated users want to communicate, the following sequence occurs.
• User1 instructs the instant messaging client to send a text message to User2. The client creates a packet containing the message and sends it to the server.
• The server looks at the packet and determines that the recipient is User2. The server then creates a new packet with the message from User1 and sends it to User2.
Most instant messengers will continue to send all following messages via the central server. However, some instant messengers create a direct connection between the users after the first message. The use of a central server is beneficial in many ways. For example, User1 is only required to know the unique identifier for User2. Furthermore, User1 can send messages to User2 even if User2 is not on-line. The server will store the message until User2 authenticates with the server, at which time it is delivered.
Most instant messaging clients have the ability to create buddy lists, that is, lists of preferred people the user wants to communicate with, which keep track of whether those people are available for instant messaging. For example, when User2 sends User1 his unique identifier, User1 can save it in her buddy list. From then on, whenever User1 authenticates with the instant messaging server, she sees User2 in her buddy list and is not required to remember User2's unique identifier. She will also be notified whether User2 is on-line, off-line, away from his desk, etc.
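The relay, store-and-forward and buddy-list behaviour described above, as an added example that is not code from the article or from any IM vendor; the accounts, passwords and message text are constructed, and the server is a toy in-memory model rather than a real protocol implementation:

```python
from collections import defaultdict, deque

class IMServer:
    """Toy relay (added example, not any vendor's code): every message passes
    through the server, which re-addresses it and holds it while the recipient
    is off-line; a buddy list is just a set of identifiers with their status."""

    def __init__(self, credentials):
        self._credentials = credentials    # constructed identifier -> password table
        self._online = set()
        self._queues = defaultdict(deque)  # store-and-forward for off-line users
        self._inbox = defaultdict(list)    # what each client has actually received
        self._buddies = defaultdict(set)

    def authenticate(self, user, password):
        # A session exists only after a successful login; queued messages flush.
        if self._credentials.get(user) != password:
            return False
        self._online.add(user)
        while self._queues[user]:
            self._inbox[user].append(self._queues[user].popleft())
        return True

    def send(self, sender, recipient, text):
        # The server relays only for senders that have authenticated.
        if sender not in self._online:
            raise PermissionError(f"{sender} has not authenticated")
        packet = (sender, text)            # server builds a new packet for User2
        if recipient in self._online:
            self._inbox[recipient].append(packet)
            return "delivered"
        self._queues[recipient].append(packet)
        return "queued"

    def add_buddy(self, user, buddy):
        self._buddies[user].add(buddy)

    def presence(self, user):
        # Buddy-list view: saved identifier -> current status.
        return {b: "on-line" if b in self._online else "off-line"
                for b in self._buddies[user]}

    def inbox(self, user):
        return list(self._inbox[user])

def demo():
    """user1 logs in, messages an off-line user2 (queued), user2 logs in and
    receives it; user1's buddy list reflects the presence change."""
    srv = IMServer({"user1": "pw1", "user2": "pw2"})  # constructed accounts
    assert srv.authenticate("user1", "pw1")
    srv.add_buddy("user1", "user2")
    before, status = srv.presence("user1")["user2"], srv.send("user1", "user2", "hi")
    assert srv.authenticate("user2", "pw2")
    return before, status, srv.inbox("user2"), srv.presence("user1")["user2"]
```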
IM Security Risks:
IM security risks fall into three main categories:
1. Inbound threats: IM creates new vectors for the distribution of malware (viruses, worms, spyware, rootkits, and more) and SpIM (Spam over IM) which can cause a major drain on productivity and resources.
2. Outbound threats: IM opens new 'holes' through which information can leak or be leaked, leading to user privacy concerns and the potential loss of intellectual property.
3. Non-compliance with corporate and regulatory requirements: IM creates invisible communications channels that operate below the radar of conventional information security measures, exposing the organization to regulatory compliance breaches.
Technical Challenges of IM Security:
1. Real-time communication and Web 2.0 applications are largely invisible to existing information security infrastructure such as firewalls, intrusion prevention and detection devices, and proxies because they are specifically designed to evade detection and provide ubiquitous access. Existing security measures do not adequately address the protocols and behaviors used by these applications.
2. Blocking IM is no longer an option:
A. IM clients use port crawling - the ability to exploit any open port on the firewall - so blocking the 'usual' port for the particular application doesn't work.
B. Every IM network provider has its own unique set of IP addresses to which clients can connect. These IP addresses change frequently or at random without notice, so firewalls and proxies cannot apply blocking policies using the typical black list of IP addresses.
C. IM protocols are proprietary and constantly evolving to deliver new and more advanced features to users; firewalls and proxies do not evolve at this pace, nor do IT organizations want to be constantly updating protocol signatures on the firewall.
D. The synchronous nature of real-time connections is much different from the asynchronous web browsing and email traffic; firewalls and proxies were not designed to inspect and analyze real-time communication traffic, so network performance suffers.
3. Beyond the technical considerations, blocking IM will also result in unhappy employees who will attempt to bypass controls, which may cause more problems than it solves. Sometimes using IM becomes essential for business communication, too.
4. The number of instant messaging worms is rising steadily. This is made clear when one considers the list of recent IM worms: W32.Choke (June 6, 2001), W95.SoFunny.Worm@m (July 3, 2001), W32.Goner.A@mm (Dec. 4, 2001), W32.Led@mm (January 22, 2002), W32.Seesix.Worm (May 15, 2002).
Despite the growing threat, there are still no antivirus applications that directly monitor instant messaging traffic on a server level. This is due to the difficulty in finding Instant Messaging traffic, as it is often embedded inside HTTP packets. However, a few antivirus applications plug in to instant messaging clients, scanning files as they are received. The lack of applications scanning instant messaging network traffic is partly due to the difficulty in monitoring instant messaging traffic, as well as the constant modifications to the clients and the protocols they use. Unfortunately, this makes instant messengers an open door to the computer, as unscanned traffic will bypass most server-based security measures. Only the antivirus product running at the desktop level can catch the worms.
Evolving safeguards:
1. Most free instant messaging tools have minimal security features. Other than basic password protection, IM security is usually limited to allow and ignore lists, and perhaps some spim filters. IM service providers continue to improve their products' security capabilities, so download patches and updates whenever they become available.
2. Use a strong password, change it often, and keep your IM client, operating system, and security software up to date.
3. Don't send credit card numbers, Social Security Numbers, or any other vital information over IM.
4. Don't open attachments or click on Web links sent by someone you don't know.
5. Even if you know who sent a Web link, hover over the link with your cursor before clicking it to check whether the Web address seems legitimate.
6. Don't send files over IM unless you have no other alternative, and never send files containing information you want to keep private.
7. Be wary of odd behavior. If a person on your allowed list is sending strange messages, terminate your IM session and contact them over the phone or on email.
8. Protect your computer and data with the latest antivirus signatures. Antivirus software scans IM attachments for all known viruses, Trojan horses, worms, and other blended threats.
9. Take advantage of third-party encryption and authentication tools—but only if they've received solid reviews.
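Safeguards 4, 5 and 7 above can be mechanised as a client-side hold rule, shown here as an added example that is not part of the article or of any IM product; the allow list, the extension list, the sample messages and the link pairs (displayed text, actual href) are all constructed for the demonstration:

```python
from urllib.parse import urlparse

# Constructed list of extensions the filter treats as executable content.
EXECUTABLE = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")

def _host(s):
    """Hostname of a URL, or of bare link text that looks like a domain; else None."""
    if "://" not in s:
        if " " in s or "." not in s:
            return None
        s = "http://" + s
    return urlparse(s).hostname

def check_message(msg, allow_list):
    """Return the reasons a client-side filter would hold this message.
    msg has sender, text, optional attachment name, and links as
    (displayed text, actual href) pairs, as the client would show them."""
    reasons = []
    trusted = msg["sender"] in allow_list
    name = msg.get("attachment")
    if name:
        if not trusted:
            reasons.append("attachment from sender not on allow list")
        elif name.lower().endswith(EXECUTABLE):
            # Worms send from valid accounts, so a buddy's .exe is still suspect.
            reasons.append(f"executable attachment {name}")
    for shown, href in msg.get("links", ()):
        if not trusted:
            reasons.append(f"link from sender not on allow list: {href}")
            continue
        shown_host, real_host = _host(shown), _host(href)
        if shown_host and shown_host != real_host:
            # The 'hover before you click' check: text names one site, href another.
            reasons.append(f"link text {shown} actually points to {real_host}")
    return reasons

def demo():
    """Run the filter over constructed sample messages; one reason list each."""
    allow_list = {"user2"}
    samples = [
        {"sender": "user2", "text": "quarterly numbers", "attachment": "q3.doc"},
        {"sender": "stranger", "text": "you won!", "attachment": "prize.exe"},
        {"sender": "user2", "text": "lol look", "attachment": "photo.scr"},
        {"sender": "user2", "text": "log in here",
         "links": [("www.bank.example", "http://login.evil.example/bank")]},
        {"sender": "spimbot", "text": "cheap meds",
         "links": [("here", "http://spim.example")]},
    ]
    return [check_message(m, allow_list) for m in samples]
```

A held message is exactly the "odd behavior" case in safeguard 7: the user confirms with the buddy over the phone or email before releasing it.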
Controlling IM Security Risks:
The Leader in IM Security:
Ranked #1 in IM market share by IDC for five consecutive years, FaceTime is the acknowledged leader in IM security and compliance management with almost five million seats under management, and an industry-spanning customer list that includes nine of the top ten US banks. FaceTime offers the only comprehensive IM and Web application security solutions that prevent malware and secure IM use, providing full visibility and granular control for all major real-time and Unified Communications applications:
1. Public IM Networks (AIM, Yahoo, MSN, GoogleTalk, ICQ, and more)
2. Enterprise IM Networks (OCS, LCS, Sametime, Antepo, Jabber, Parlano MindAlign)
3. Professional Community Networks (Bloomberg, Communicator Inc., PivotSolutions)
4. Web Conferencing (WebEx)