Transcript ImtiazOralPresentation

Security Risks of Instant
Messaging in the
Workplace
Imtiaz Paniwala
Instructor: Dr. Yang
Date: March 24, 2004
Introduction



Instant messaging is an Internet service that allows the user to
communicate in real time with other users who have the same
instant messaging application.
EIM is an abbreviation for "enterprise instant messaging." Instant
messaging applications are generally categorized as either being
public or enterprise. AOL's instant messenger (AIM), Yahoo
Messenger and Microsoft .NET Messenger are examples of public
IM services. Anyone on the Internet can sign up, download the
software and begin messaging.
Sun ONE Instant Messaging, IBM Lotus Instant Messaging & Web
Conferencing (formerly called Sametime) and Microsoft Office Live
Communications Server 2003 (formerly called Greenwich) are
examples of enterprise IM services. Access to the IM server is
restricted and security precautions, such as encryption, are put in
place to protect the enterprise network.
Who is using instant
messaging?

90% of businesses will use IM by end of 2004. (Gartner IM Trends)

Corporate IM is expected to replace 65% of e-mail usage by 2004.
(Information Week)

65 million workers are already using instant messaging, and that number is
expected to grow to 350 million by 2005. (IDC Research)

Corporate IM usage is expected to account for nearly 60% of all online
traffic by 2005.(Ferris Research)
As more IT departments become convinced of the value of IM as a
business communications tool and begin looking for ways to exert control,
implement security measures and integrate instant messaging with other
groupware components, unmanaged IM use in the enterprise is likely to
become a thing of the past.
What's Hot , What's Not ?




AIM (AOL Instant Messenger)
www.aim.com.
59.7 million users
ICQ
www.icq.com
6.2 million users
.net Messenger
www.messenger.msn.com
23.1 million users
Yahoo! Messenger
www.messenger.yahoo.com.
19.5 million users
Source: comScore Media Metrix
Did you know?





IM worms do not need to scan the internet for the IP addresses of
vulnerable systems, a process that greatly slows the spread of traditional
worms. Instead, IM worms simply use the infected user's buddy list to find
new targets. Even with a scenario in which the buddy lists of infected and
target machines were identical except for just one IM user, an IM worm
could infect 500,000 machines in just 31 seconds.
The
packet
sniffing
software
'dsniff'
(available
at
http://www.monkey.org/~dugsong/dsniff/) is able to decipher AIM passwords
on the fly.
One or two “clicks” in .net messenger allows a remote user to control your
computer
Yahoo! Messenger has the weakest security features of the major
messaging platforms. Its protocol does not encrypt usernames and
passwords, making it risky to even log into the system.
ICQ has been the target of many DoS bugs and at least one remote buffer
overflow.
Common threats
1.
2.
3.
4.
Weakened security settings. During installation, instant
messaging software may change browser security settings, placing
the computer at risk.
Readability by intruders. Instant messaging sessions are
conducted in plain, unencrypted text, and are an open book to a
reasonably skilled intruder.
Intrusion on privacy. By design, instant messaging software runs
continuously as a background task and broadcasts the computer's
presence online even if the interface is closed. (A separate "exit"
action is needed to stop it.) In addition, instant messaging software
may store the content of an instant messaging session in a log-file
that could be read by others.
Hijacking and impersonation. Instant messaging accounts are
vulnerable to hijacking or spoofing, allowing an intruder to
impersonate someone in conversations with others.
Common threats contd.
5.
6.
7.
8.
Malicious code. Instant messaging establishes an open
communications channel to the computer that can be exploited by
malicious code such as worms, viruses, and Trojan horses.
Unauthorized access. Instant messaging users can potentially
access each others hard drives and files during a session, placing
the computer at the disposal of would-be hackers.
Poor password security. Instant messaging software typically
stores passwords in a manner that is highly vulnerable to hackers.
No virus protection. Instant messaging sessions are not virus
protected and can freely spread virus-ridden files.
INSTANT MESSAGING BEST
PRACTICES







Establish a corporate instant messaging usage policy
Properly configure corporate perimeter firewalls
Deploy desktop antivirus software
Employ personal firewalls to ensure policy compliance
Deploy corporate instant messaging servers
Install all instant messaging patches as soon as possible
Use vulnerability management solutions to ensure policy
compliance
Recommended instant messaging
client settings





If a corporation chooses to use an external instant messaging system—
one whose servers are operated by the instant messaging provider—the
following security practices should be kept in mind:
For the best security, do not use any external IM system that does not
employ a certified encryption system.
Configure all IM clients so that they will accept chat requests only from
users specified in employees’ buddy lists. This prevents attackers from
connecting to computers on the network and sending malicious code.
Only those users explicitly specified by employees should be able to
contact them.
Configure the IM system to either block file transfers or allow such
transfers only from users specified on the buddy list. If this is not feasible,
configure the IM software to prompt the employee before all file transfers.
Configure the IM system to use antivirus software to scan file transfers, if
supported.
Configure IM accounts so they are not listed on public servers. This
further prevents unsolicited chat requests.
Some security products



Top Secret Messenger :Top Secret Messenger (TSM) is product
developed by Encryption Software, Inc. It provides a powerful public-key
encryption platform, TSM provides integrated add-on for popular instant
messengers thus integrating the new IM technology with existing system
applications
Vayusphere Managed IM Gateway : Vayusphere MiG provides
controlled employee access to Public IM. It uses relational database to
store public IM conversation. This feature allows enterprises to archive
and search thereby satisfying the document retention and compliance
requirements. Vayusphere MIG supports all major public IM networks .
Vayursphere MIG allows creation of usage and traffic reports to
dynamically track IM usage12.
A.I.M. Frame :A.I.M. Frame runs on top of AOL’s AIM. A.I.M. Frame
records and logs all conversations with date/time stamp. IM logs can be
integrated into enterprise databases via ODBC connection. A.I.M Frame
also supports encrypted instant messaging to other A.I.M. Frame users.
Conclusion



Due to the efficiency and convenience of their communications, instant
messaging systems are rapidly becoming very important tools within
corporations. Unfortunately, many of the current instant messaging
systems are inadequately secured and in turn are exposing some
enterprises to serious security and economic breaches.
Ideally, corporations looking to leverage instant messaging should deploy
a secure, corporate-focused IM solution within the company network, and
then layer suitable security systems on top of this solution (firewalls,
vulnerability management, antivirus, etc.) However, many companies
continue to permit employees to use popular free IM services. These
organizations need to understand the associated security risks and plan
accordingly.
Clearly, the growth of instant messaging systems will bring greater
efficiencies to the global workplace. Only by appropriately securing these
systems will businesses be able to reap their full economic benefits.
The intent is not to persuade you NOT to use
IM. Just be aware of how you use it.
Thank you !!!