IM Vulnerable

Instant messages are quick, efficient -- and not as private as you think. Network administrators, take note

By Alex Salkever

Walk into any office in the U.S. and chances are someone has an instant messenger (IM) application open on her desktop computer. According to a March, 2000, study by International Data Corp., last year there were 5 million to 6 million corporate users of IM worldwide. That's expected to grow to 180 million by 2004. The reasons for the projected growth are pretty clear: IM systems are easy to set up, can scale up quickly, and are the perfect lightweight collaboration tool.

I use IM myself, and believe me, I understand how these connections can feel just like an informal conversation around the water cooler and not a traceable text trail. IM sessions often seem private, almost intimate. That's not unlike e-mail, where users seem to let their hair down quite a bit more than when writing formal letters or faxes. I would venture that it's even more common for employees to conduct confidential -- and possibly damning -- exchanges over IM than by e-mail.

But treating IM as a spoken conversation is a no-no, say some security experts. And using it for sensitive topics is even worse. Why? IM conversations are anything but intimate. Since IM messages are rarely encrypted, they could easily be converted into a potentially damaging record -- in black and white -- of communications that users probably thought were private and fungible. Furthermore, unauthorized IM streams pierce corporate firewalls and expose the company's networks to potential cyberattacks. Hackers have found numerous flaws in IM software that was designed first and foremost for ease of use.

But banning IM from offices, while technologically possible, would be draconian. IM enables precisely the type of on-the-fly collaboration that today's business environment requires. "Everyone has their kitchen cabinet, the people they bounce ideas off, and they can be both inside and outside the organization," explains Clay Shirky, a partner at tech consultancy Accelerator Group. "And IM is how you talk to them today."

The solution to this dilemma? Network administrators should accept that IM risks are part of the cost of doing business today and temper those risks. But users should do their part by keeping their network admins in the loop about their IM proclivities. And managers should think hard before they hit the IM send button if they're writing about plans to ax a supplier or sell the company.

The IM frenzy started five years ago when giant Internet service provider AOL and Mirablis, a small Israeli startup, both launched the first generation of IM clients. They allowed easy, free, real-time text communication over the Internet. They snagged millions of users within the first year. Only Napster grew faster as an application. Seeing the growth potential, AOL acquired Mirablis in June, 1998. There are now more than a dozen companies pushing IM technologies, including such big guns as Yahoo! and Microsoft, as well as little guys like Odigo.

According to a March, 2001, Jupiter Media Metrix survey, nearly 60 million Americans use IM, and that's only counting those controlled by the big three -- Yahoo, AOL, and Microsoft. Initiatives in the last year have put IM on everything from cell phones to mobile text communicators from Motorola and Research-in-Motion to handheld PDAs. And IM is a key part of Bob Pittman's and Steve Case's "AOL Anywhere" initiative.

In IM exchanges, communications are sent in clear text from the writer to a third-party server, which then relays the message to the receiver. That's a lot like a phone system -- making "calls" vulnerable to bugging, with a cybertwist. "I think people are under the perception that they're connecting directly to each other like in a peer-to-peer system. But this centralized architecture means that if I am IM-ing with a co-worker, I'm sending messages outside the company firewall, over the Internet to AOL, and then back through the firewall to the receiver," explains Chris Wysopal of online security firm @stake. "It's not like e-mail, where each company has their own mail server on their internal network."

According to Wysopal, the architecture also means that centralized servers could be potentially logging everything going over the IM system. These types of logs would be far easier to compile than, say, recordings of voice conversations over phone networks, which are hard to digitize and require vast computing resources to store. And IM logs could be subpoenaed in court cases. Because of their size, AOL now stores only 10 days' worth of logs, says Wysopal. But that could change as storage technologies get cheaper.
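The relay architecture Wysopal describes is easy to see in miniature. The following is an added illustration, not code from the article or from any IM product: two clients exchange a message through a central server that keeps a copy of every payload it forwards, first in the clear (as the article says the major clients do) and then with the clients encrypting before handing the message to the relay. The `RelayServer` class, the hash-based cipher and the sample message are all constructed for this example; a production client would use a vetted AEAD rather than the SHA-256 keystream used here to keep the example standard-library only.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class RelayServer:
    """The third-party IM server in the middle (constructed stand-in). It forwards
    whatever it receives and keeps a copy of every payload, which is exactly the
    logging exposure the article describes."""
    log: list = field(default_factory=list)

    def relay(self, sender: str, recipient: str, payload: bytes) -> bytes:
        self.log.append((sender, recipient, payload))
        return payload


def _subkeys(key: bytes) -> tuple:
    # Derive separate encryption and MAC keys from one shared secret.
    enc = hashlib.sha256(b"enc" + key).digest()
    mac = hashlib.sha256(b"mac" + key).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from SHA-256 so the example runs offline with
    # only the standard library. Illustrative: a real client would use AES-GCM or similar.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject anything altered in transit."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: message altered or wrong key")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def send_cleartext(server: RelayServer, sender: str, recipient: str, text: str) -> str:
    """What the article describes: the message crosses the relay exactly as typed."""
    return server.relay(sender, recipient, text.encode()).decode()


def send_encrypted(server: RelayServer, key: bytes, sender: str, recipient: str, text: str) -> str:
    """Client-side encryption: the relay still forwards, but only ever sees ciphertext."""
    delivered = server.relay(sender, recipient, encrypt(key, text.encode()))
    return decrypt(key, delivered).decode()


def relay_can_read(server: RelayServer, text: str) -> bool:
    """Defender's check: does the relay's log contain this message in the clear?"""
    return any(text.encode() in payload for _, _, payload in server.log)


def demo() -> tuple:
    msg = "Plan to drop supplier X next quarter"   # constructed sample message
    plain = RelayServer()
    assert send_cleartext(plain, "alice", "bob", msg) == msg
    secure = RelayServer()
    key = secrets.token_bytes(32)   # shared intracompany key, assumed pre-distributed
    assert send_encrypted(secure, key, "alice", "bob", msg) == msg
    return relay_can_read(plain, msg), relay_can_read(secure, msg)


if __name__ == "__main__":
    exposed_plain, exposed_enc = demo()
    print("relay log exposes cleartext session:", exposed_plain)
    print("relay log exposes encrypted session:", exposed_enc)
```

The point of `relay_can_read` is that it runs entirely on the server's own log: whoever holds that log, whether the operator, a subpoena or an intruder, gets the same view. Encrypting at the client does not stop the relay from logging, it just turns the log into ciphertext, which is the gain the article attributes to intracorporate encrypted IM.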

And the proposed Council of Europe's Treaty on Cybercrime could force ISPs to keep logs. Should a hacker get access to these logs and connect usernames to users, it could blacken more than a few corporate eyes. Witness the March carnage that ensued at online content portal eFront after a malicious hacker grabbed inflammatory IM log files off the desktop of Chief Executive Officer Sam Jain. The hacker posted them on the Internet and exposed disparaging comments about a number of people and companies that did business with eFront.

Another big concern with IM is the vulnerability of the software clients themselves. Built for convenience and not security, most IM software has more holes than Swiss cheese. "When they designed those products, it was in the infancy of instant real-time communication. It was the next generation of e-mail," says Phillip Devin, CEO of software company Mercury Prime, which makes a secure IM client. In fact, in their terms of service agreements, most companies that offer IM software take pains to explain how insecure their client really is. And the measures users could easily take to make their IM applications more secure are the last thing they think about when they download and install the software.

Some security experts think companies should just prohibit IM use on their networks. That's the position of Taher Elgamal of managed security provider Securify, who thinks the latest generation of access control management programs should be configured to block IM programs. But by allowing employees to quickly and easily communicate in real time with anyone anywhere, IM systems clearly can improve productivity. (They can also create opportunities to waste time, but that's another issue.) And banning access could cause a backlash in the ranks. "I know people who polished their resume when the IT department blocked access to the Yahoo! rumor boards," says security engineer and consultant Jon Callas.
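Whether an administrator chooses to block IM outright, as Elgamal suggests, or to tolerate it and stay "in the loop", the first step is knowing which desktops are talking to public IM relays through the firewall. The script below is an added example, not from the article or any vendor: it scans firewall connection logs for sessions to the historical default ports of the big three services and produces a per-desktop inventory. The log format, the IP addresses and the lines in `SAMPLE_LOG` are constructed for this example, and the port table assumes clients are still using their default ports (clients that fall back to 80 or 443 will not be caught by a port-only check).

```python
import re
from collections import Counter

# Historical default TCP ports of the major public IM services. Assumption: the
# clients in this environment still use these defaults.
IM_PORTS = {5190: "AOL/ICQ", 1863: "MSN Messenger", 5050: "Yahoo! Messenger"}

# Constructed, simplified firewall log format: timestamp action proto src:port -> dst:port
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines: 10.0.0.0/8 are desktops, 198.51.100.0/24 stands in for IM relays.
SAMPLE_LOG = """\
2001-03-15T09:02:11 ALLOW TCP 10.0.0.12:34211 -> 198.51.100.7:5190
2001-03-15T09:02:15 ALLOW TCP 10.0.0.12:34212 -> 198.51.100.9:443
2001-03-15T09:03:40 ALLOW TCP 10.0.0.25:40117 -> 198.51.100.21:1863
2001-03-15T09:04:02 DENY TCP 10.0.0.31:51002 -> 198.51.100.33:5050
2001-03-15T09:05:19 ALLOW TCP 10.0.0.12:34250 -> 198.51.100.7:5190
malformed line that the parser must skip
"""


def parse_line(line: str):
    """Return the fields of one log line, or None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_im_sessions(log_text: str) -> list:
    """Every connection whose destination port belongs to a known IM service."""
    sessions = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        service = IM_PORTS.get(int(rec["dport"]))
        if service:
            sessions.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                             "service": service, "action": rec["action"]})
    return sessions


def summarize(sessions: list, allowed_only: bool = False) -> Counter:
    """Count IM sessions per (desktop, service): the inventory an administrator wants.
    With allowed_only=True, sessions the firewall already denied are left out."""
    return Counter((s["src"], s["service"]) for s in sessions
                   if not allowed_only or s["action"] == "ALLOW")


if __name__ == "__main__":
    for (src, service), n in summarize(find_im_sessions(SAMPLE_LOG)).most_common():
        print(f"{src:<12} {service:<18} {n} session(s)")
```

Run against the sample, the inventory shows one desktop with two AOL/ICQ sessions, one with an MSN session, and a Yahoo! attempt the firewall already denied. That is the information needed either to enforce a block policy or, following the article's more balanced approach, to know which users to bring into the conversation about encrypted alternatives.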

The ultimate solution is a more balanced approach. Network administrators, generally loath to cede any control over their systems, should recognize that IM has a place in the corporate architecture. Part of the solution could be deploying newer e-mail clients on corporate PCs that can encrypt IM exchanges. Novell and Mercury Prime make encrypted IM systems. And Mercury Prime is compatible with the other major IM clients, although exchanges with those systems would not be encrypted. (Still, encrypting intracorporate communications is a good starting point.)

If users feel confident they won't be scolded for using IM systems, they should be willing to let their network admins know what's actually happening on their desktops. But know this: If you are IM-ing sensitive information, it can come back to haunt you. Keep truly sensitive communications off IM systems. In the end, maximizing both functionality and communication is the only way to go.

Salkever covers computer security issues twice a month in his Security Net column, only on BW Online

Edited by Douglas Harbrecht