You can’t stop IM so learn to love it

Stockbrokers do it with investors, salespeople with their bosses. Travel agents do it with vagabonds, newspaper reporters with their editors.

If you think your organization's employees are not doing it – using instant messaging to communicate with colleagues, customers, their spouses and children, their friends – then you are leaving your network open to a wide range of potential vulnerabilities.

Simply put, instant messaging (IM), once the domain of teens chatting online with their friends, has become one of the most widely deployed communications tools in corporations today. And though there's no question that IM has yet to reach the popularity of email, it is significantly less secure than email.

Though about half of all corporate employees are using IM in one form or another at work, only a quarter of organizations have deployed a formal IM solution, according to the Radicati Group, an IT market research firm that focuses on enterprise messaging.

This means most instant messaging within corporations is still happening over free, public IM networks – problematic, of course, because the public IM systems can open up dangerous security holes in a corporate network.

Public IM traffic is sent unencrypted, so it can be hacked, identities can be spoofed, and conversations can be intercepted by packet-sniffing, leaving networks vulnerable to a wide variety of attacks. Symantec, for example, reports a 400 percent increase in IM and peer-to-peer (P2P) networking viruses, worms and trojans over the last 12 months.

Where does that leave enterprises with large bases of IM users? In the lurch, according to analysts.

The risks are very real, they say. Some of the potential problems enterprise IM users bring up include virus and worm attacks, such as the Bropia, Serflog and Kelvir viruses seen this past winter, trojan programs and other similar corrupt files that are undetected by traditional anti-virus scanners, and spim – the acronym for spam over instant messaging.

Add to that the uncontrolled use of screen names, which can allow rogue users to impersonate others, client vulnerabilities such as buffer overflows, and a lack of IT policies and capabilities for stopping the exchange of confidential information.

That IM has become popular among enterprise workers is not a major news scoop – it is in use in 85 percent of American enterprises, according to the Radicati Group. Radicati projects there will be 78 million enterprise IM users by the end of 2008.

That number will include the obvious users – customer support reps providing technical help, brokers passing stock prices to investors, even travel agents answering questions about flight times and availability.

But IM's value to enterprises runs to much more than that. For instance, Barr Management uses WiredRed's e/pop enterprise IM product to broadcast alerts on network outages, new company procedures – in essence, information that must be distributed quickly to hundreds of employees.

It is particularly useful in sales organizations such as brokerages and energy firms, where reacting quickly to rapid price fluctuations can mean a profit or loss for the companies involved.

But these environments also require a secure system, and e/pop's private, secure architecture was a big selling point to Jon Klein, a vice president and general manager at the Chicago, IL, check cashing firm with 48 locations, when he bought the software a couple of years ago.

Unlike the popular consumer IM products – AOL's AIM, Yahoo! Messenger and Microsoft's MSN – which process messages through a publicly accessible IM server, enterprise IM packages rely on internal servers placed behind the corporate firewall, in effect shielding users from many of the threats found on the public IM networks.

"I like the fact it's internal and users can't go anywhere else," says Klein.

"The last thing I want is a Yahoo! or AOL system, where my people could contact anyone. Because it's internal, there's a limited number of people who can send messages, and I'm pretty much assured someone isn't going to inadvertently send out or download some type of virus."

Klein is right to worry about virus attacks via IM. Of the top 50 virus and worm attacks in the past year, 19 have used IM or P2P technologies – the 400 percent increase Symantec was talking about earlier.

"If you're using a public IM network, your security threats are similar to those with email," says Graham Titterington, a principal analyst with research firm Ovum. Two of the big threats users face while using these networks, he points out, are downloading and executing virus-infected attachments, and clicking on links within instant messages that take them to "dirty" websites that execute malicious code.

Variants of the Bropia and Kelvir IM viruses, for instance, both install software that entices users of the MSN Messenger IM system to click on a link. That takes them to a malicious site where the code – a version of the Spybot worm – is downloaded to their system, opening it up for attack or hijacking by spammers.

Bropia exploits IM's so-called "presence," which indicates when a person is online. It inserts a copy of itself inside internet packets to alert other computers when IM users go online, automatically infecting everyone within the infected computer's buddy, or contacts, list.

Serflog displays obscenities targeting the author of the email worm Assiral, which attempted to curtail the spread of Bropia. In addition to those, malicious code that could be used to create an IM virus to attack MSN Messenger was published in February on the web.

The code attacks a hole in Messenger's "libpng" feature that controls the display of smiley faces, buddy icons and other graphics. Shortly thereafter AOL's AIM was attacked by a virus called Worm_Aimdes.A.

The antivirus software vendors, such as Symantec, McAfee, and F-Secure, all say their products will stop IM-borne viruses as well as those from email.

Chris Wysopal, director of development for Symantec's security response unit, for example, says the company's enterprise antivirus product can make sure malicious code is not executed on the client side when users access the public IM networks.

Viruses, worms, and trojans aren't the only threats enterprises using IM face. Spim is increasingly showing up on the public IM networks, and enterprises face the task of limiting the spread of confidential information via unprotected IM clients.

A bigger problem is the unauthorized distribution of confidential data via non-secure IM networks, says Jon Sakoda, chief technology officer at IMLogic.

"Companies are waking up that [IM] is a two-way pipe to the outside world, and they need to see what's going out."

This is where products such as Akonix's L7, IMLogic's IM Manager, CipherTrust's IronMail, FaceTime's Enterprise Edition, IM-Age Software's IM-Policy Manager, Sybari's Antigen for Instant Messaging, and SurfControl's Instant Messaging Filter enter the picture. These products – dedicated appliances such as IronMail and software-only offerings such as L7 – help IT staff secure their IM systems in a variety of ways.

So-called IM management gateways, such as Akonix's L7 Enterprise, are able to mediate employee access to public as well as enterprise IM systems.

They enforce policies on appropriate IM use, protect an enterprise network and its users from IM-based viruses and attacks, and monitor and log IM conversations for regulatory compliance, a key issue for health care and financial services companies.

Moreover, IM management solutions give IT the tools to scan IM content and match keywords to prevent unauthorized transmission of proprietary information and filter out spim. They can also be used to create and enforce a standardized profile for public or enterprise IM use by blocking access to unauthorized IM networks. In addition, several of the vendors integrate antivirus into their gateways.
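The gateway checks described above (blocking unauthorized IM networks, matching keywords in outgoing text, and logging conversations) can be illustrated in code. This is an added example, not code from any of the products named; the policy values, message fields and function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    # Hypothetical policy values, constructed for this example.
    allowed_networks: frozenset = frozenset({"enterprise"})
    confidential_terms: tuple = ("account number", "confidential", "project falcon")
    blocked_extensions: tuple = (".exe", ".pif", ".scr")

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)

def evaluate(policy, msg):
    """Return (action, reasons) for one message dict (field names are assumed)."""
    block, flags = [], []
    if msg["network"] not in policy.allowed_networks:
        block.append("unauthorized-network")
    body = msg["body"].lower()
    if msg["direction"] == "outbound":
        # Keyword matching on outgoing text only: the "what's going out" check.
        block += [f"confidential-term:{t}" for t in policy.confidential_terms if t in body]
    if (msg.get("attachment") or "").lower().endswith(policy.blocked_extensions):
        block.append("blocked-attachment")
    if URL_RE.search(msg["body"]):
        flags.append("contains-link")  # logged for review, not blocked outright
    action = "block" if block else "flag" if flags else "allow"
    return action, block + flags

def process(policy, messages):
    """Evaluate every message and return the audit log a gateway would retain."""
    log = []
    for m in messages:
        action, reasons = evaluate(policy, m)
        log.append({"sender": m["sender"], "recipient": m["recipient"],
                    "network": m["network"], "action": action, "reasons": reasons})
    return log

# Constructed sample traffic; names, networks and text are invented.
SAMPLE = [
    {"network": "enterprise", "direction": "internal", "sender": "alice",
     "recipient": "bob", "body": "Network outage at branch 12, back by 3pm"},
    {"network": "public-im", "direction": "outbound", "sender": "carol",
     "recipient": "ext_user", "body": "Sending the Account Number now"},
    {"network": "enterprise", "direction": "inbound", "sender": "dave",
     "recipient": "erin", "body": "look at this http://example.invalid/pic"},
    {"network": "enterprise", "direction": "inbound", "sender": "frank",
     "recipient": "gina", "body": "holiday photo", "attachment": "photo.pif"},
]

if __name__ == "__main__":
    for entry in process(Policy(), SAMPLE):
        print(entry)
```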

Where IM-carried viruses are markedly different from email-borne threats, however, is the speed at which they can propagate. IM is a trusted medium, and people aren't so cautious about using it as they are about email, explains Marcel Nienhuis, a senior analyst at Radicati.

As a result they tend to click first and think later, opening an IM-delivered file or clicking on a link in an IM message quickly. This allows the virus to hijack their IM and propagate very quickly, says Nienhuis.

"An instant message pops up immediately on the recipient's desktop, unlike email," he says. Radicati predicts 1.5 billion spim messages will be sent this year, three times the growth rate of spam.

"It's not a huge problem now," says Nienhuis. "[But] I think spammers are just getting a handle on how to deal with IM."

Jim Carr is an Aptos, CA-based freelance business and technology writer. He can be reached at [email protected]
