
The next hacker target: instant messaging

Just as we're learning to guard ourselves against e-mail viruses, hackers have found a new target: instant-messaging apps. How can you protect yourself? Stop using the usual IM clients--for starters.
Written by Robert Vamosi, Contributor
COMMENTARY--You'd better keep an eye on your handy instant messaging app, according to security software and advisory firm Internet Security Systems (ISS).

Why? Now that companies are getting better at stopping e-mail viruses, says Dan Ingevaldson, director of R&D at ISS, instant messengers are the next obvious target for malicious code and viruses. Also, most popular chat apps do not use a secure layer for text messages, meaning that anyone could intercept and read IM chats outside your corporate firewall.

A HANDFUL OF successful worms have already infected instant-messaging clients, including Aplore, which spreads via AOL Instant Messenger (AIM); Goner, which takes advantage of ICQ; and CoolNow, Message from Jerry (also known as Hello), and Choke, which are all spread via MSN Messenger. So far, no viruses have successfully infected Yahoo Messenger.

Earlier this year, the security organization w00w00 reported two buffer overflows in AIM, the first in January and the second in April. These vulnerabilities, now patched by AOL, made it possible for an attacker to steal your buddy list and spread malicious code throughout the entire AIM community--as well as run malicious code on your computer.

ISS has published a white paper detailing the technical countermeasures system administrators might employ regarding AIM, MSN Messenger, Yahoo Messenger, and ICQ.

Ingevaldson says a lot of companies simply do not allow employees to use instant messengers on the job. Trouble is, the genie is out of the bottle. Instant messaging fills a niche between a phone call and e-mail--it's fast, and not too intrusive. Plus, it's hard to keep employees from installing it, and hard to stop them from using a proxy once they discover the default IM ports have been blocked.

For example, Yahoo Messenger will automatically attempt to connect to non-blocked ports, including port 23, which is used for telnet. "It is unlikely companies would block telnet," said Ingevaldson. "Yahoo Messenger was designed to make it difficult to block."

FOR TRULY SECURE corporate instant messaging, one alternative suggested by Ingevaldson is Communicator Hub software, which is currently used by Salomon Smith Barney, J.P. Morgan Chase, Merrill Lynch, Credit Suisse First Boston, Goldman Sachs, and other financial institutions. Communicator's instant messaging service traces user activity with identity management, content aggregation and management, and auditing tools.

Unfortunately, widespread use of encrypted instant messaging (either at the consumer or enterprise level) is not expected for a few years. In the meantime, Ingevaldson recommended Trillian, a chat app that connects users to all the major IM clients: AIM, ICQ, MSN Messenger, and Yahoo Messenger. Trillian offers 128-bit Blowfish encryption for AIM and ICQ, something these products currently do not provide on their own.

Yet an even bigger threat to your security, said Ingevaldson, are the peer-to-peer file-sharing networks. Recently, KaZaa users faced a clever worm called Benjamin, which infected their computers with thousands of bogus files disguised as popular film, song, and game titles. Two years ago, Gnutella users faced a similar viral threat. Ingevaldson also said SubSeven (a Trojan horse) is all over these networks, and could open company networks to back-door script kiddie attacks.

The danger of allowing employees to use these file-sharing networks at the office goes beyond just viruses and malicious code, though. Hosting illegal copies of copyrighted material can open corporations to lawsuits, as well.

Does your company allow you to use instant messengers? Do you think it should? Why or why not? Will you stop using IM because of the security risks? TalkBack to me!
