Time to stop the IM bug

With 1 billion instant messages sent every day, IM is becoming a critical communication tool that enterprises must now cover in their security policy.

With 1 billion instant messages exchanged between 28 billion enterprise users each day, it is clear that instant messaging has become a critical means of communication in the corporate world. But with the proliferation of IM security threats, how can enterprises ensure they are doing enough to keep their networks safe?

IMLogic, which provides security products for messaging systems, raised the alarm that the number of threats detected for IM (instant messaging) and peer-to-peer networks rose a whopping 3,295 percent in the third quarter of 2005 to 713, compared to the same period in 2004. The company noted that MSN Messenger, the most commonly targeted IM service over the past year, was the platform of choice for 62 percent of total threats.

Industry experts further warned that the alliance between Microsoft and Yahoo to make their IM services interoperable would enable worms to spread faster and to a larger user base.

But IM has undeniably become part and parcel of a company's communications tools, given its convenience and low cost.

Said Abby Lim, sales manager of MediaWeb Creation, an IT consulting firm: "We sometimes have ad hoc discussions between departments so instead of gathering everyone to a meeting room, we just pull up an MSN group conversation. Some of our managers may be traveling too so MSN helps us to communicate with colleagues who are out of the office.

"IM is also a good tool for us to communicate with our overseas counterparts and business partners," Lim said.

According to Yeong Chee Wai, pre-sales consulting manager of Symantec Singapore, the most common IM threats today include worms and flaws that give hackers remote access to vulnerable computers.

Because this could lead to unintentional disclosure of confidential data and information, companies might find IM insecure for enterprise use, said Yeong, in an interview with ZDNet Asia.

"For example, most IM tools offer a method for sending and receiving file attachments," Yeong explained. "While handy, this feature is also a major point of vulnerability. IM attachments, just like e-mail attachments, can carry destructive viruses, Trojan horses and worms."

In addition, there has been a recent breed of worms that propagate through the IM software, much like how worms are spread via e-mail engines and address books.

"To your friends and colleagues, it appears as though they're receiving a message from you," Yeong said. "In reality, the message is generated by a worm, and in some cases it may contain a link to a Web site that automatically downloads another bit of malicious code… It’s a pretty nasty deceit."

He estimates that there are currently about 30 such worms worldwide traveling across messaging networks and their client software. The greatest problem with these worms, according to Yeong, is that they have the potential to replicate rapidly through vulnerable hosts which can be easily accessed.

"An IM blended threat will not need to iterate through the entire IP address space in search of vulnerable machines," he said.

Inherent to an instant messaging tool is the "buddy" list, said Yeong, which presents a pre-populated target list of potentially vulnerable machines. Within seconds, thousands of these computers can be infected, he said.

IM identities can also be easily created by just about anybody, he noted, making the platform a potential hotbed for online scams, identity theft and other predatory behavior.

"Ill-intentioned individuals can use all sorts of devious methods, including hacking into accounts and impersonating legitimate users, to gain trust and elicit information from unwitting IM users," Yeong cautioned. "This is of particular danger to children, who may be approached by strangers with criminal intent."

Turning spam to spim

The last IM threat is that of spim, or spam sent over IM. Spim is on the rise, said Yeong, and some spim can contain offensive language or links to Web sites with content inappropriate for children.

But IM is not necessarily an evil tool, said Yeong, as long as the basic security functions built into IM applications are properly utilized and users get smart about threats.

MediaWeb's Lim noted that although her company endorses the use of IM, it is not deployed without security guidelines and restrictions in place.

"For example, we are not allowed to transfer files over the IM and we have to ensure that all our conversations are encrypted," she explained. "We have to take IM into our security considerations because network security plays a big part in our business operations."

Yeong noted: "If you use your 'allowed' and 'ignore' lists creatively, you can get a pretty good handle on the flow of information passing through your IM tool. For example, automatically rejecting messages from persons not on your allowed list is a fairly reliable way to block most spim."

MediaWeb uses a mix of products to keep its IM communication safe and secure, Lim said. These tools include SonicWALL's firewall and Gateway AV and IPS scanning to monitor and control employees' use of IM and peer-to-peer applications, and Exinda's Optimizer to monitor bandwidth utilization and ensure employees do not abuse the network to carry out file transfers such as music and video streaming.

Enterprises that require additional security measures can turn to a host of vendors that have rolled out products which specifically target IM protection, while others have updated their existing offerings to include IM-level security.

For example, Check Point recently launched its Integrity IM Security product, which blocks dangerous IM transmissions such as invalid messages, buffer overflow attacks, unsafe scripts, and either all URLs or only executable URLs. In addition, all messages are encrypted even if the IM client platforms are different, and messages sent by anyone other than a known and approved contact are automatically rejected, preventing the influx of spim.

Integrity IM Security is part of Check Point's Integrity Security suite, which starts from a price of US$67 per user and includes Integrity Anti-Spyware, SmartDefense Anti-Spyware Service and SmartDefense Program Advisor Service.

Another IM-targeted product is CipherTrust's IronIM, which checks inbound messages at the gateway--before they enter the network--for viruses, worms and spam. Available from US$7,000, IronIM also encrypts conversations and file transfers.

Symantec's Norton AntiVirus 2006 has also been updated to scan IM attachments and automatically remove known viruses, Trojan horses, worms and other blended threats. The company's Norton Personal Firewall with Norton Privacy Control monitors outgoing IM content to ensure confidential data is not sent.

Although security products can help prevent the spread of IM threats, IM security ultimately lies in the hands of the end user.

Yeong advised enterprise users to change user passwords frequently, keep the IM software up to date, and never send confidential information, such as credit card and identification card numbers, over IM.

In addition, he suggested that users should not click on incoming Web links from unknown sources, nor should they open attachments transmitted via IM.

Said Yeong: "Until IM becomes a more secure medium, the best protection is your own education and watchfulness."