Security Risks of Instant Messaging in the Workplace

1
Security Risks of Instant Messaging in the
Workplace

• Imtiaz Paniwala
• Instructor Dr. Yang
• Date March 24, 2004

2
Introduction

• Instant messaging is an Internet service that
  allows the user to communicate in real time with
  other users who have the same instant messaging
  application.
• EIM is an abbreviation for "enterprise instant
  messaging." Instant messaging applications are
  generally categorized as either being public or
  enterprise. AOL's instant messenger (AIM), Yahoo
  Messenger and Microsoft .NET Messenger are
  examples of public IM services. Anyone on the
  Internet can sign up, download the software and
  begin messaging.
• Sun ONE Instant Messaging, IBM Lotus Instant
  Messaging Web Conferencing (formerly called
  Sametime) and Microsoft Office Live
  Communications Server 2003 (formerly called
  Greenwich) are examples of enterprise IM
  services. Access to the IM server is restricted
  and security precautions, such as encryption, are
  put in place to protect the enterprise network.

3
Who is using instant messaging?

• 90 of businesses will use IM by end of 2004.
  (Gartner IM Trends)
• Corporate IM is expected to replace 65 of e-mail
  usage by 2004. (Information Week)
• 65 million workers are already using instant
  messaging, and that number is expected to grow to
  350 million by 2005. (IDC Research)
• Corporate IM usage is expected to account for
  nearly 60 of all online traffic by 2005.(Ferris
  Research)
• As more IT departments become convinced of
  the value of IM as a business communications tool
  and begin looking for ways to exert control,
  implement security measures and integrate instant
  messaging with other groupware components,
  unmanaged IM use in the enterprise is likely to
  become a thing of the past.

4
What's Hot , What's Not ?

• AIM (AOL Instant Messenger)www.aim.com.59.7
  million users
• ICQwww.icq.com 6.2 million users
• .net Messengerwww.messenger.msn.com 23.1
  million users
• Yahoo! Messengerwww.messenger.yahoo.com.19.5
  million users
• Source comScore Media Metrix

5
Did you know?

• IM worms do not need to scan the internet for the
  IP addresses of vulnerable systems, a process
  that greatly slows the spread of traditional
  worms. Instead, IM worms simply use the infected
  user's buddy list to find new targets. Even with
  a scenario in which the buddy lists of infected
  and target machines were identical except for
  just one IM user, an IM worm could infect 500,000
  machines in just 31 seconds.
• The packet sniffing software 'dsniff' (available
  at http//www.monkey.org/dugsong/dsniff/) is
  able to decipher AIM passwords on the fly.
• One or two clicks in .net messenger allows a
  remote user to control your computer
• Yahoo! Messenger has the weakest security
  features of the major messaging platforms. Its
  protocol does not encrypt usernames and
  passwords, making it risky to even log into the
  system.
• ICQ has been the target of many DoS bugs and at
  least one remote buffer overflow.

6
Common threats

1. Weakened security settings. During installation,
   instant messaging software may change browser
   security settings, placing the computer at risk.
2. Readability by intruders. Instant messaging
   sessions are conducted in plain, unencrypted
   text, and are an open book to a reasonably
   skilled intruder.
3. Intrusion on privacy. By design, instant
   messaging software runs continuously as a
   background task and broadcasts the computer's
   presence online even if the interface is closed.
   (A separate "exit" action is needed to stop it.)
   In addition, instant messaging software may store
   the content of an instant messaging session in a
   log-file that could be read by others.
4. Hijacking and impersonation. Instant messaging
   accounts are vulnerable to hijacking or spoofing,
   allowing an intruder to impersonate someone in
   conversations with others.

7
Common threats contd.

1. Malicious code. Instant messaging establishes an
   open communications channel to the computer that
   can be exploited by malicious code such as worms,
   viruses, and Trojan horses.
2. Unauthorized access. Instant messaging users can
   potentially access each others hard drives and
   files during a session, placing the computer at
   the disposal of would-be hackers.
3. Poor password security. Instant messaging
   software typically stores passwords in a manner
   that is highly vulnerable to hackers.
4. No virus protection. Instant messaging sessions
   are not virus protected and can freely spread
   virus-ridden files.

8
INSTANT MESSAGING BEST PRACTICES

• Establish a corporate instant messaging usage
  policy
• Properly configure corporate perimeter firewalls
• Deploy desktop antivirus software
• Employ personal firewalls to ensure policy
  compliance
• Deploy corporate instant messaging servers
• Install all instant messaging patches as soon as
  possible
• Use vulnerability management solutions to ensure
  policy compliance

9
Recommended instant messaging client settings

• If a corporation chooses to use an external
  instant messaging systemone whose servers are
  operated by the instant messaging providerthe
  following security practices should be kept in
  mind
• For the best security, do not use any external
  IM system that does not employ a certified
  encryption system.
• Configure all IM clients so that they will
  accept chat requests only from users specified in
  employees buddy lists. This prevents attackers
  from connecting to computers on the network and
  sending malicious code. Only those users
  explicitly specified by employees should be able
  to contact them.
• Configure the IM system to either block file
  transfers or allow such transfers only from users
  specified on the buddy list. If this is not
  feasible, configure the IM software to prompt the
  employee before all file transfers.
• Configure the IM system to use antivirus software
  to scan file transfers, if supported.
• Configure IM accounts so they are not listed on
  public servers. This further prevents unsolicited
  chat requests.

10
Some security products

• Top Secret Messenger Top Secret Messenger (TSM)
  is product developed by Encryption Software, Inc.
  It provides a powerful public-key encryption
  platform, TSM provides integrated add-on for
  popular instant messengers thus integrating the
  new IM technology with existing system
  applications
• Vayusphere Managed IM Gateway Vayusphere MiG
  provides controlled employee access to Public IM.
  It uses relational database to store public IM
  conversation. This feature allows enterprises to
  archive and search thereby satisfying the
  document retention and compliance requirements.
  Vayusphere MIG supports all major public IM
  networks . Vayursphere MIG allows creation of
  usage and traffic reports to dynamically track IM
  usage12.
• A.I.M. Frame A.I.M. Frame runs on top of AOLs
  AIM. A.I.M. Frame records and logs all
  conversations with date/time stamp. IM logs can
  be integrated into enterprise databases via ODBC
  connection. A.I.M Frame also supports encrypted
  instant messaging to other A.I.M. Frame users.

11
Conclusion

• Due to the efficiency and convenience of their
  communications, instant messaging systems are
  rapidly becoming very important tools within
  corporations. Unfortunately, many of the current
  instant messaging systems are inadequately
  secured and in turn are exposing some enterprises
  to serious security and economic breaches.
• Ideally, corporations looking to leverage instant
  messaging should deploy a secure,
  corporate-focused IM solution within the company
  network, and then layer suitable security systems
  on top of this solution (firewalls, vulnerability
  management, antivirus, etc.) However, many
  companies continue to permit employees to use
  popular free IM services. These organizations
  need to understand the associated security risks
  and plan accordingly.
• Clearly, the growth of instant messaging systems
  will bring greater efficiencies to the global
  workplace. Only by appropriately securing these
  systems will businesses be able to reap their
  full economic benefits.

12
Thank you !!!
The intent is not to persuade you NOT to use IM.
Just be aware of how you use it.