Commentary
9/24/2001
04:59 PM
Fred Langa

Langa Letter: More Instant-Messaging Security Holes

Fred Langa warns that hyper-aggressive IM installations may end-run your online safeguards.



You probably know about and use instant messaging, a form of quasi-E-mail that can be exchanged by PC users in near real time. Instant messages are a great way to get and share small bits of information, to quickly ask a question and get an immediate reply, or to communicate faster than E-mail and less expensively than by telephone.

But IM can be a security nightmare. If you use instant messages to convey sensitive business or personal information, you're inviting big, big trouble. We'll get to the specifics in a moment, but first, let's start with some background.

In the aggregate, millions of users--many of them in business--routinely use IM every day to share tens of millions of messages. The giant of IM clearly is AOL, which controls the three top IM clients: its wholly owned ICQ software, AOL's native instant messaging, and its AOL Instant Messenger (AIM), which is available in stand-alone and bundled versions (it comes with Netscape browsers, for example). Microsoft's MSN Messenger places second, with a myriad of other smaller players slicing up the rest of the pie.

But instant-messaging tools are notoriously insecure. Historically, the software itself was vulnerable to a wide range of cracks and exploits. Password theft and outright identity theft were extremely common in IM's early days.

Today's newest IM clients are better than those early offerings, but they still have many security problems. For example, by design, all the major IM clients are intended to be left active, running as a background task. By default, they all configure themselves to broadcast the user's online presence. And they continue doing so even if the user closes the client interface. (Usually, a separate "exit" action is needed to actually stop the client from broadcasting.)

It's ironic that many users employ firewalls to put their systems into attack-proof "stealth" mode, but then they'll fire up an IM client that actively broadcasts "Here I am!" messages to all comers!

Couple this always-on broadcasting with IM clients' ability to support peer-to-peer downloads, and you can see there's also an obvious risk that Trojans and worms may attempt to make use of the open IM channel.

IM logs are another issue. These log files can save the content of IM discussions, including sensitive, private ones. This content can come back to haunt you (see ICQ Logs Spark Corporate Nightmare).

Making an IM client at least reasonably secure usually involves changing the default settings, which often are quite lax. Keeping an IM client secure in the face of users or malicious software is no simple task, especially in enterprise settings.



All this is bad enough, but it's made worse when an IM vendor actively seeks to circumvent your online security settings. For example:

AOL/Netscape Undermines Your Browser Security Settings
AOL/Netscape's abuse of browser security settings first came to my attention when reader Michael G. Baker, Jr. sent this alarming E-mail:

"When a user downloads or updates AIM, free.aol.com is added to the user's IE Trusted Sites Zone. This also happens if you download Netscape 6.x with integrated AIM. It is one thing for them to put that free.aol.com link everywhere when you download N6, even in IE's bookmarks, but quite another thing to mess with security settings. Although mostly harmless, it is the principle. I don't think this is right. If this was Microsoft messing with a Netscape security setting, all hell would break loose."

It's true. Without so much as a by-your-leave, AOL software inserts "free.aol.com" into your IE browser's "Trusted Zone." Talk about an aggressive installation routine!

The IE Trusted Zone's security permissions are intentionally relaxed. Scripts and ActiveX components can run (some with no prompting); downloads are enabled; Java safety is low; cross-domain data-sourcing is allowed; there's no alert when a site's security certificate is missing or revoked; and so on. Normally, that's OK, because the only sites in the Trusted Zone are those you put there yourself, after you decide that a site is entirely above-board. (Even so, many security-conscious users put no sites in the Trusted Zone, leaving nothing to chance or goodwill, and instead enforcing at least the "Internet Zone" restrictions on all Web sites.)

By automatically placing its own site in the Trusted Zone, AOL creates a double security threat. If you (or your users) download and install Netscape 6.x, AIM, or any product with integrated AIM, not only do you have to cope with the inherent problems of an IM client itself, but you'll also have AOL set up as a trusted site. That can bypass the browser security settings you've established for normal Internet connections.

To me, this is clearly a very wrong thing to do. No site, from any vendor, should set itself up to bypass your normal browser security settings. (Microsoft's browser should not allow such changes to be made covertly--but IE's problems are a whole other issue.) Free.aol.com may be relatively harmless, but there's nothing to prevent a malicious site from trying to set itself up as either a trusted site on its own, or as a spoofed, malicious version of free.aol.com.
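One way to check whether an installer has quietly done this to your machines, as an added example that is not code from the original column or from AOL/Netscape: IE keeps its site-to-zone assignments in the registry under the ZoneMap\Domains keys, so adding free.aol.com to the Trusted Sites zone leaves a DWORD value of 2 (the Trusted Sites zone number) under a key named for that host. The PowerShell script below, which postdates the column, walks those keys for the current user, the machine, and the Group Policy override locations, and flags any Trusted Sites entry that is not on an allowlist you maintain. The allowlist contents are a constructed placeholder.

```powershell
# Added example, not code from the original column or from AOL/Netscape.
# Audits IE's security-zone site assignments by reading the ZoneMap registry
# keys an installer writes to when it adds a site to the Trusted Sites zone.
# Zone numbers follow Microsoft's URL security zone IDs:
# 0 = My Computer, 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.

$TrustedZoneId = 2

# Hosts you deliberately placed in Trusted Sites. Constructed placeholder; edit for your environment.
$Allowlist = @('intranet.example.com')

# Per-user and machine-wide locations, plus the Group Policy
# "Site to Zone Assignment List" locations that override them.
$ZoneMapRoots = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKCU:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains',
    'HKLM:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
)

function Get-ZoneAssignments {
    # Each value under a domain key is named for a scheme ('http', 'https' or '*')
    # and holds the zone number as a DWORD.
    param([Microsoft.Win32.RegistryKey]$Key, [string]$HostName, [string]$Source)
    foreach ($scheme in $Key.GetValueNames()) {
        $zone = $Key.GetValue($scheme)
        if ($zone -isnot [int]) { continue }   # skip stray non-DWORD values
        [pscustomobject]@{
            Host   = $HostName
            Scheme = $scheme
            Zone   = $zone
            Key    = $Key.PSPath
            Source = $Source
        }
    }
}

function Get-ZoneMapEntries {
    foreach ($root in $ZoneMapRoots) {
        if (-not (Test-Path -Path $root)) { continue }
        foreach ($domain in Get-ChildItem -Path $root) {
            # Values directly on Domains\aol.com apply to aol.com itself (a '*' scheme
            # value there covers every subdomain) ...
            Get-ZoneAssignments -Key $domain -HostName $domain.PSChildName -Source $root
            # ... while the subkey Domains\aol.com\free is the host free.aol.com.
            foreach ($sub in Get-ChildItem -Path $domain.PSPath) {
                $fqdn = '{0}.{1}' -f $sub.PSChildName, $domain.PSChildName
                Get-ZoneAssignments -Key $sub -HostName $fqdn -Source $root
            }
        }
    }
}

function Find-UnapprovedTrustedSites {
    Get-ZoneMapEntries |
        Where-Object { $_.Zone -eq $TrustedZoneId -and $Allowlist -notcontains $_.Host }
}

$unexpected = @(Find-UnapprovedTrustedSites)
if ($unexpected.Count -eq 0) {
    Write-Output 'No unapproved Trusted Sites entries found.'
} else {
    Write-Warning ('Trusted Sites entries not on the allowlist: {0}' -f $unexpected.Count)
    $unexpected | Format-Table Host, Scheme, Zone, Source -AutoSize
}

# To remove an entry you did not approve, delete its scheme value from the key:
#   Remove-ItemProperty -Path $entry.Key -Name $entry.Scheme
# An empty domain key left behind is harmless; IE simply ignores it.
```

Run it in the context of the user whose browser you are auditing, since the HKCU entries are per profile. The script covers host-name assignments only; IP-address ranges live under the sibling ZoneMap\Ranges key, and Windows Server's Enhanced Security Configuration uses a separate EscDomains key, so extend the root list if either applies to you. An entry found under the Policies paths came from Group Policy rather than from a local installer.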

AOL Admits The Dangers
Think I'm being alarmist? Note that AOL freely admits its IM products are insecure, and specifically recommends against using them for sensitive communication. For example, the ICQ user agreement explicitly states that using the ICQ software puts you at risk for:

"... unauthorized exposure of information and material you listed or sent, on or through the ICQ system to other users, the general public, or any other specific entities for which the information and material was not intended by you ... If you do not wish to be subjected to these risks, you are advised not to use the ICQ service and software. Furthermore, please do not use the ICQ service and software for 'Mission Critical' or 'Content Sensitive' applications and purposes. For the purpose of this section, 'Mission Critical' applications and purposes shall mean applications and use that may result in damage; 'Content Sensitive' shall mean any information or data you do not wish to be freely accessible and generally available to Internet users."

In the above, I bold-faced the key phrase for emphasis: AOL is specifically telling you not to trust ICQ for anything important!

AIM is almost as bad; its agreement states:

"... AOL and its officers, directors, employees, and agents are not responsible for any files you send or receive ... You also understand that files you share with other Service users may be redistributed and used without your knowledge. In sending and receiving files, other Service users may also be able to determine your IP address ..."

Although MSN Messenger hasn't had as many built-in security problems as have AIM and ICQ, it does rely on Microsoft's separate "Passport" service, which contains its own set of vulnerabilities and security issues. See, for example, Risks of the Passport Single Sign-On Protocol, Passport Is Cracked, or Microsoft's Passport sparks concern.

In short, all the major IM software carries significant security risks.

Toys, Not Tools
Instant messaging was never, ever originally intended as a secure channel for sensitive information. In fact, IM's initial major application was for entertainment--it was an online toy originally used mainly for dating and cyber sex. (ICQ's name even derives from the phrase "I seek you.")

Despite these decidedly informal origins, huge numbers of businesses now routinely use IM to discuss delicate personnel matters, private schedules, sensitive strategic issues, non-public budgets, and more.

Frankly, it's nuts--especially when the major vendor of IM tools freely admits that the medium is fundamentally insecure. And it's even more nuts when we see vendors (like AOL) diddling with browser security settings, or (like Microsoft) relying on a flawed log-in system.

I strongly recommend against using any form of public IM client for sensitive communication of any kind--business or private. The risks are simply too great.

But what's your take? Do you or your business use IM for sensitive communication? Were you aware of the risks? What steps do you take to prevent snooping, eavesdropping, identity theft, and the host of other problems that IM invites? What secure forms of online communication do you use to supplant IMs? Are there any kinds of business communication that IM is good for? Join the discussion!


To discuss this column with other readers, please visit Fred Langa's forum on the Listening Post.

To find out more about Fred Langa, please visit his page on the Listening Post.
