Instant messaging: security considerations for a valuable business tool
Instant Messaging (IM) is proving its value as a tool for employees to communicate with others, both inside and outside of an organization. It offers a real-time, two-way channel for them to exchange ideas, questions, and answers. It provides a way to privately exchange notes during conference calls with customers or clients. It helps them to multitask by supporting several concurrent conversations. It's more immediate than email, and it's also unobtrusive.

It should be no surprise that the usefulness and popularity of IM has made it the latest frontier for hackers. Depending on which survey you read, January 2006 saw up to a five-fold increase in IM-based attacks over last year. More than 150,000 compromised systems stand ready to launch attacks on IM clients under the control of hackers. These attacks can cause the disclosure of stored IM logs and hard drive contents, threatening the safety of business information and causing embarrassing revelations. Once a single client in your network has been infected, your entire enterprise network may be at risk.

Many of the hacking techniques that we have learned to be good at resisting in email are successful in IM networks because we aren't as wary or well protected. Most users know not to send personal information, passwords, or credit card numbers via email, but they are willing to give away anything in an instant message. Social engineering techniques that no longer fool email users - “click here to update your credit-card profile” - are deceiving a whole new generation of IM users. And technology to filter out malicious content, the way that many Trojan horses, viruses, and worms can be filtered out of email, is in its infancy.

Instant messaging serves an important business function. As with any network service, it also comes with risks. This article will help you understand the risks so you can make informed decisions for how you will support IM and what policies you will put in place to minimize risks. There are two categories: the risk of information disclosure, and the risk of IM providing a mechanism for hackers to compromise the security of your systems and networks.

Information disclosure concerns

Your employees may not realize that anything they say in an instant message could be viewed by a malicious third party. IM sessions managed by central servers on the Internet (such as AIM and MSN) use public networks from which an observer at any point along the way can capture packets as they pass. Enterprise networks aren't as secure as we'd like to believe, and all it takes is one compromised system on a network, or one disgruntled employee, to capture your IM traffic.

It's surprising that the same employees who know to protect company and personal information by not disclosing it in email messages sometimes give away their deepest secrets in their IM sessions. They exchange information about company products and schedules that you might not want your competitors to know about, or a hacker to hold for ransom. They can type passwords, credit card numbers, and other personal information that can compromise both company and personal security. “I'll meet you at 8 at Joe's bar.” “I've got blond hair and I'll be wearing a red dress” might be an effective way to use IM to set up a first face-to-face meeting with someone. The otherwise innocuous message, when intercepted by someone with malicious intent, could cause that meeting to take a turn your employee doesn't expect.

Solutions
It's relatively easy to protect instant messages from prying eyes:

  • Train employees not to exchange sensitive information such as passwords and credit card numbers. Help them to transfer the lessons they've learned about using email safely to the realm of instant messaging.
  • Keep employee-to-employee IM traffic on your internal networks by deploying your own open-source or commercial IM server.
  • Encrypt instant messages between internal and external peers. This is as easy as choosing the right IM network and the right IM server for company use. The only inconvenience is having to authenticate with a password, and to set IM client preferences correctly. At Applied Trust, we use encrypted ICQ.

Viruses, worms, Trojan horses, and phishing attacks
Do these terms sound familiar? Hackers are now using all of your favorite techniques to attack vulnerabilities in client software, including (but not limited to) the IM client. Once infected, an IM client might be used to reveal your IM logs, turn over all of your files on your hard drive, or spread the infection through buddy lists. Infected clients can be turned into zombies that act under an intruder's control, or they can be turned into attack vectors that are used to take over other workstations on your network.

Phishing attacks can lure unsuspecting users into visiting sites with malicious content, revealing personal information, or opening files that exploit software vulnerabilities. It's frightening how easy it is for a man-in-the-middle attack to take over an unencrypted IM session and interject a message that seems like it's coming from a trusted peer (see Figure 1). Send a disconnect message to a client, and take over the session with the server. The user on the other side of the connection thinks he's still communicating with his peer, when instead he's the target of an IM attack.

Figure 1: It's easier than you think for a third party to hijack an instant-messaging session.

Solutions
Protect against these attacks with the same techniques you know from email - policy, education, and technology:

  • Develop a policy that defines how employees can use instant messaging.
  • Educate employees to be suspicious of unexpected URLs, images, or programs that come their way through instant messages. Don't open unexpected ‘presents’ and don't visit URLs that you haven't verified. Don't accept messages from strangers, and limit communication to those on your buddy list until you know for sure who you want to add.
  • Use internal IM servers to keep internal business communication on internal networks, and encrypt communication to make it more difficult for attacks to be successful in the first place.
  • If some IM servers are more prone to attack than others, prohibit their use. It's tricky to block IM traffic at the firewall because it can use a variety of ports and proxy servers, including the HTTP port 80. Once you think you've set up your firewall correctly, monitor traffic to be sure that workarounds haven't made your efforts moot.
  • Put IM antivirus software on your shopping list. Antivirus software that filters malicious content out of email messages has been around for years, and products that do the same for instant messaging traffic are starting to come to market.

Circle the wagons now
As with any technology that can speed communication and increase productivity, instant messaging comes with a set of risks to manage. Begin by planning how you will use instant messaging in your organization. Define your policy first, and then decide on the educational and technological measures you will use to implement it. At a minimum, train employees so they know to be wary of instant messaging just as they have learned to be careful with email. Use encrypted IM servers to make it more difficult for others to observe private information, initiate sessions without prior authorization, or hijack IM sessions. Depending on your company size, you may wish to deploy your own IM server using a commercial product or open-source software.

Don't expect to be able to turn off IM traffic completely. Instead, plan on managing traffic by restricting and then monitoring to be sure the restrictions continue to be effective. Hopefully you've already established egress filtering on your networks. Modify your firewall rules to deny access to IM servers or protocols that you consider to be suspect. Monitor traffic and watch for any circumvention. Stay on top of IM antivirus software developments, and consider using it to filter your traffic at the firewall.
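One way to do that monitoring, as an added example that is not from the original article: a small Python audit over constructed egress-firewall log lines that flags direct connections to public IM ports, IM gateways reached over HTTP port 80/443, and hosts that were denied on an IM port and then switched to the port-80 route. The log format, the internal IM server address, the port-to-service table and the gateway hostnames are all assumptions made for the example.

```python
# Added example (not from the article): audit constructed egress-firewall log lines
# for IM sessions that bypass a "keep IM on the internal server" policy.
from collections import defaultdict

INTERNAL_IM_SERVER = "10.1.0.5"   # assumed address of your own IM server
# assumed well-known IM service ports; extend to match your environment
IM_PORTS = {5190: "AIM/ICQ", 1863: "MSN", 5222: "XMPP", 5050: "Yahoo"}
# assumed (constructed) hostnames of public IM gateways seen by an HTTP proxy
EXTERNAL_IM_HOSTS = {"im-gateway.example.net", "messenger.example.org"}

# constructed sample log: "<time> <ALLOW|DENY> <src> <dst> <dport> <proto> [host=...]"
SAMPLE_LOG = """\
2006-01-15T10:02:11 DENY  10.1.2.3 64.12.24.1 5190 TCP
2006-01-15T10:02:12 DENY  10.1.2.3 64.12.24.1 5190 TCP
2006-01-15T10:03:00 ALLOW 10.1.2.3 64.12.1.1 80 TCP host=im-gateway.example.net
2006-01-15T10:05:40 ALLOW 10.1.2.9 10.1.0.5 5222 TCP
2006-01-15T10:06:02 ALLOW 10.1.2.9 198.51.100.7 443 TCP host=www.example.com
2006-01-15T10:07:15 ALLOW 10.1.4.4 203.0.113.20 1863 TCP
"""

def parse(line):
    """Split one log line into a dict; the host= field is optional."""
    ts, action, src, dst, port, proto, *extra = line.split()
    host = next((e.split("=", 1)[1] for e in extra if e.startswith("host=")), None)
    return {"ts": ts, "action": action, "src": src, "dst": dst,
            "port": int(port), "proto": proto, "host": host}

def classify(rec):
    """Return a finding label for one record, or None if it conforms to policy."""
    if rec["port"] in IM_PORTS and rec["dst"] != INTERNAL_IM_SERVER:
        return "external-im-port"   # direct IM to a public server, allowed or denied
    if rec["port"] in (80, 443) and rec["host"] in EXTERNAL_IM_HOSTS:
        return "im-over-http"        # the port-80 workaround the article warns about
    return None

def audit(log_text):
    """Map source host -> sorted findings; add 'circumvention' when a host was
    denied on an IM port and then reached an IM gateway over HTTP."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        label = classify(rec)
        if label:
            findings[rec["src"]].add(label if rec["action"] == "ALLOW" else f"denied-{label}")
    for labels in findings.values():
        if "denied-external-im-port" in labels and "im-over-http" in labels:
            labels.add("circumvention")
    return {src: sorted(labels) for src, labels in findings.items()}

if __name__ == "__main__":
    for src, labels in audit(SAMPLE_LOG).items():
        print(src, ", ".join(labels))
```

Hosts that only talk to the internal server (10.1.2.9 in the sample) produce no finding; the host that was blocked on 5190 and then reached the gateway on port 80 is reported as a circumvention.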

If instant messaging is truly the next frontier for the hacking community, circle your wagons now to protect the safety of your employees, networks, and your business-critical information.