People at work communicate like people at home: They use wired and cellular phones, e-mail and in rare instances the U.S. Postal Service. And they IM.
IM is quite a problem from the security point of view because, like many other technologies, it became a corporate tool before it was truly secured. This very valuable CNET piece makes the point that IM is not one size fits all: Major IM platforms vary greatly in their security status.
The platforms covered are AOL AIM; AOL ICQ; Facebook Chat (which refused to participate); Google Talk; IBM Lotus Sametime; Microsoft Windows Live; Skype and Yahoo Messenger. Information includes whether logging in is secure; whether conversations are secure; whether logs are kept of login and communication content; for how long they are kept and whether the firm complies with government wiretapping regulations.
Any corporate security person who thinks the IM security threat is overblown should consider information from FaceTime and Akonix released this spring. Facetime found that one in four employees used IM to transmit sensitive information such as company plans, finances and password-related credentials. The firm says that this should be a wakeup call to make industry more aware of the dangers of real-time communications. Akonix Systems said that it tracked 10 new IM-based malicious code attacks in May, which brought the total number for the year to 73. The new problems included Flocker, Foto-nue and Mondez. LdPinch, the most popular, has two variants. The release details upgrades to the company's software to protect against IM-borne attacks.
Clearly, corporate security staffs have to be careful when it comes to IM. Last month, Trillian -- a client that can be used by several IM services -- was found to have three critical vulnerabilities. The problems, which were uncovered by TippingPoint and rated as highly critical by Secundia, impact Microsoft's MSN and the America Online AIM network. The story briefly described how the three can be exploited -- and carries the good news that developer Cerulean Studies has patched the problems in version 220.127.116.11 of the Trillian software.
SPIM, otherwise known as SPAM instant messaging, is extremely annoying and a potential security problem, since the unwanted messages that are delivered can contain all sorts of malware. This vnunet.com piece says one way to guard against this problem is to only accept messages from known people. This is not a terrific solutions, however, since people in business generally must broaden their list of contacts beyond people with whom they are actually acquainted. There also is the possibility of getting a message that appears to be from a friendly source that in reality has been compromised. The piece says that SPIM blockers are available from ScanSafe and Akonix.
Employees at all levels will use IM. As such, it is important that security staffs substitute more dangerous consumer programs with those built from the ground up with enterprise requirements in mind.