Instant Messenger Security
Securing against the "threat" of instant
Digital communications within business are currently undergoing a change similar to those of the early 1990’s as organisations moved en-masse to relying upon email services as the primary communications medium. Just a decade later, organisations are now facing the necessity of implementing and managing real-time digital communication between both their staff and their customers. Business now demands the ability to communicate through brief messages to people who are online at the same time.
Instant Messenger (IM) services fill the niche between a phone call and an email. While email is ideal for non-synchronised communications, IM offers the ability to identify people who are online at the same time and exchange information in near real-time.
IM is only now becoming an important digital communication tool within business; however the concepts behind the technology are certainly not new. Basic IM functionality can be derived from the almost ancient UNIX “finger” and “talk” applications – the ability to identify users online, and to exchange small text messages. Certainly, key concepts and functionality of IM have replicated the most popular features of Bulletin Board Systems (BBS’s) and their chat forums of the early 1980’s (e.g. group chat and file transfers).
The phenomenal growth of the Internet, and the introduction of computers to almost every home in the western world, has ensured that most people have access to some form of digital communication. Familiarity and ease of use of both email and IM applications within the home environment has driven the demand for organisations to implement their own IM business systems. Both customers and internal users now require real-time messaging capabilities from the organisations they deal with.
According to a recent IDC publication (which one?), it is expected that more than 20 million business users worldwide are currently using IM, and that the figure is likely to rise to nearer 300 million by 2005.
However, organisations are facing two problems with IM services; adoption has been driven by the end user and not the top management, and that the client applications were initially built for home users, not businesses – consequently they emphasise functionality over security.
Thus, almost through the back door, IM has entered the corporate world – together with another layer of security concern. Unsecured IM client installations are placing enterprise systems at risk to hackers, viruses, worms, Trojans, legal liability and violation of country privacy laws.
The most popular IM clients condense numerous communication functions into a small, easy to use, and easy to configure application with a small footprint – but capable of “tunnelling” out through most organisations firewalls.
For instance, once a user has installed and logged in to a public IM service network, a list of favourite contacts is presented. The user can communicate with any of their contacts that are also online. All text-based messages can either be routed through a centralised collection of servers and then on to the recipient, or can be sometimes done directly (through peer-to-peer connections). High-bandwidth functions (such as audio, video and other digital file transfers), peer-to-peer connections are brokered by the server.
Although commercial versions of IM services and clients exist, many organisations find themselves inundated with consumer-grade IM clients as their corporate users often find that it enables them to engage in activities that they would normally avoid over corporate email systems. This is most often due to the combination of lax desktop permissions and an awareness of business policies explicitly stating their right to monitor email. In fact, many users find themselves uncertain about whether corporate Internet policies actually govern the use of IM services.
For many users, instant messaging often represents a small distraction from their corporate role with minimal implications regarding productivity. They have no idea of the security implications of using IM services and do not actively strive to thwart corporate policy or perimeter defence systems. Unfortunately the threats are very real, and represent a soft entry point through many organisations security defences.
Just like web browser adoption in the mid 1990’s, user-driven installation of IM client software is forcing IT management to deal with this current generation of security threat whether they are ready for it or not.
Understanding the Threat:
To ease connection difficulties, many popular IM clients are adept at navigating traffic through well-secured network environments by using unauthorised ports in corporate firewalls. This access allows additional entry points into the network for viruses and rogue protocols – bypassing corporate authentication systems and controls.
With Internet accessible “listening” services such as IM running from inside an organisation, these applications are increasingly being targeted by hackers and spammers. The spate of recent vulnerabilities within IM clients by all the significant vendors leaves integrity and confidentiality of corporate information at risk – potentially allowing any data a trusted employee can access to also become accessible to a hacker, abusing flaws in the IM client application.
Without proper management of an IM environment, uncontrolled installation of consumer-grade messaging clients may make an organisation vulnerable to the following security issues:
- Client Vulnerabilities – Just like many other software applications, IM clients have a history of common security vulnerabilities. Exploitation of these vulnerabilities may take the form of denials of service (e.g. maximum network bandwidth utilisation and workstation crashes), “bother-ware” notifications and nuisances threatening productivity, access to unauthorised host data, or complete host compromise and subsequent loss of data integrity.
- Insecure Network Traffic – Typically, the corporate networking environment is protected by a perimeter defence system (e.g. Firewalls, IDS/IPS, content filtering, anti-virus, etc.) that is supposed to block all malicious network activity initiated outside the network. IM clients effectively perforate the firewall and provide an alternate conduit for viruses, spam and other unauthorised files.
- Open Connections – When engaging in file transfers, voice chat, or other file sharing activities, the IM client reveals the users true IP address. With this information a malicious user may concentrate on the host system for the purpose of hacking in to it or as a target for a denial of service attack.
- Identity Theft – IM clients commonly use little or no encryption for the transmission of login credentials. Guides exist on the Internet providing best advice on how to intercept and capture this. Stolen credentials can thus be easily used to impersonate someone else.
- Data Theft – The ability to tunnel through perimeter defences makes for an efficient method of transferring confidential materials out of an organisation. Internal users may use IM clients to transfer binary data such as customer databases and development source code to external contacts without alerting internal security or audit teams. With some IM clients, this may be achieved inadvertently through poor configuration of file sharing services.
- Loss of Privacy – The common failure to implement any form of encryption of the data means that all messages must travel in the clear, meaning that an observer can easily intercept and read this information. In the case where non peer-to-peer connections are made, all messages must travel to a central server before being forwarded to the recipient where they may be logged and stored (note that users within the same office may be unaware that their traffic is being routed over the Internet). Similarly, the message recipient may also log and store this information for later use.
- Absent Authentication – As each user may choose their own identity, there is no guarantee that the message recipient is genuinely who they claim to be. An employee may think that they are messaging a work colleague, while in actuality he is communicating with a competitor. In addition, because these online identities are not created or managed by the organisations IT department, tracking messages to an actual person within the organisation may prove to be very difficult.
- Social Engineering – The informal nature of the communication medium lends itself to common social engineering techniques and trust relationships. Users may be tricked into disclosing confidential business information, compromising the security of their own system, and sending or receiving unauthorised content (e.g. pornography, internal documents, etc.).
The consequences of these security threats may also be more subtle. Within heavily regulated industries such as financial services and health care, IM carries a high potential for liability. Many industries are required by law to regulate and safeguard the flow of confidential information. In the USA for instance, to comply with SEC, HIPAA and NASD requirements, organisations are required to record all customer interactions for possible future review.
Without centralised management of IM services, organisations cannot guarantee that all communications are recorded in an appropriate manner. Undocumented communications regarding personal data may occur with the organisations knowledge – leading to a breach of access requirements – possibly invoking heavy fines or legal action.
Many organisations think that they can block IM traffic at their firewalls by simply blocking the native IM port. However, the most popular IM applications are ‘port-agile’, should their native port be closed, are capable of locating other open ports and tunnelling their traffic over a different port instead. Unless organisations are prepared to shut off all user access to the Internet, it is very difficult to prevent IM usage.
Consider the three most popular IM clients:
- MSN Messenger – Users must login to the centralised service to locate other users. Once a connection is established, users message each other directly in peer-to-peer fashion. The default IP port for MSN Messenger is 1863 but the client is ‘port-agile’ and, if the port is blocked, it will look for other open ports – next targeting the HTTP port 80. MSN Messenger supports HTTP proxies, but does not support HTTP proxy authentication. Note that file transfers occur over TCP port 6891, audio and video conferencing over UDP ports 13324 and 13325, and application sharing is commonly TCP port 1503.
- Yahoo Instant Messenger – Users login to the centralised Yahoo IM service to find other users. Once authenticated and online, users may choose to message each other directly or through shared chat rooms. The default port for Yahoo Instant Messenger is 5050 but the client is ‘port-agile’ and, if the port is blocked, it will look for other open ports – next targeting the HTTP port 80. Just like MSN Messenger, the client supports HTTP proxies, but not HTTP Proxy authentication. Note that file transfers and file sharing is commonly done over TCP port 4443.
- AOL Instant Messenger (AIM) – Users login in to the AOL Open System for Communication in Real-time (OSCAR) and then begin communications with Basic OSCAR Services (BOS) to locate and message other users. These messages pass through the server before being forwarded to the recipient. File transfers, voice traffic and other large digital payloads are conducted in peer-to-peer mode – whereby the initiating IM client sends its IP address and an open port over the service, so the remote client can connect to it.
The default port for the AIM client is 5190 and, if the port is blocked, the ‘port-agile’ software will attempt to communicate over port 23 (telnet), 20 & 21 (FTP) and then 80 (HTTP). In addition, users can choose to go through a SOCKS v4/v5, a HTTP proxy or HTTPS proxy. However, when tunnelling over the HTTPS proxy connection, AIM does not use SSL to encrypt traffic.
Some third-party solutions offer the ability to:
- Define specific services – allowing organisations to restrict users and activities to specific IM protocols.
- Block specific features – allowing organisations to select which IM functionality is available (e.g. peer-to-peer file transfers, allow/deny access to chat room access etc.)
- Log IM access and communication – enabling organisations to record all message traffic and link back to a specific user.
- Block by categories – providing an ability to manage usage by specific user, group, site and time of day.
Depending upon the role of instant messaging within the organisation, the process of securing an organisation against the proliferation of unauthorised IM clients and traffic is not easily accomplished, and must be tackled through multiple layers of security, education and policy. As indicated above, blocking native ports of IM clients is not enough. Businesses must evaluate whether they require IM functionality within their organisation and incorporate appropriate security countermeasures.
In order to secure a corporate environment against the ‘threat’ of instant messengers, organisations should:
- Establish a corporate IM usage policy – It is important to clearly define the role instant messaging plays within the organisation. By establishing a corporate usage policy, the position is made clear to both users and the technical teams responsible for enforcement. The policy should contain information on what services are allowable (e.g. chat is acceptable, while file transfers are not), what type of information can be exchanged, the status of monitoring and recording, and any legal or HR implications. Users will thus know the bounds of acceptable use, and understand the companies legal position. Technical teams will be able to scope and design appropriate security counter measures in keeping with the bounds of the policy.
- Properly configure corporate firewalls to block unapproved IM traffic – Although most IM clients are ‘port-agile’, blocking default ports and ensuring that outbound connections are only available for authorised hosts/addresses will make it easier to manage an IM environment. By using authenticating proxy servers for regulating desktop Internet access (i.e. all client workstations can only access Internet resources via the proxy server), extra controls over IP services, protocols and destinations are possible.
- Harden client workstations – Corporate workstations should be configured in such a manner as to restrict the ability of users to install unauthorised software. This process will improve the overall security of the client host by removing non-required applications, restricting access to operating system calls and data (e.g. the windows command line and accessing the system registry), ensuring appropriate file and directory permissions. Use of approved hardening guides is recommended.
- Deploy desktop protection products – Installation of local anti-virus and personal IDS or firewall software is strongly recommended. These desktop protection agents will help restrict unwanted installation and Internet access. Within corporate environments that have allowed the use of IM clients for business purposed, desktop protection agents will help protect against malicious use. Organisations should ensure that these products are centrally managed, and not configurable by the local user.
- Patch the workstations – Organisations must ensure that all workstations that can potentially access the Internet (whether directly or through proxy servers) or will receive material from the Internet (e.g. email attachments from external sources) are correctly patched, and running the most current service packs and security updates. This patching process should ensure that all applications, including the IM client software, are patched as soon as possible after release of an update.
- Enforce client-side IM settings – Just as with the configuration of desktop protection agents, organisations should enforce client-side IM settings through a centrally managed operation and prevent local users from being able to change them.
- Monitor to ensure IM client policy compliance – In conjunction with acceptable usage policies, organisations must be able to monitor all IM traffic for compliance. While public IM systems do not offer any method of capturing IM traffic, third-party tools exist which can capture IM traffic at its conclusion. However, conversations that are dropped midstream are lost, unless the IM system is server based.
- Deploy private corporate Enterprise IM (EIM) services to isolate corporate messaging systems – If IM services are required for business purposes, organisations should investigate the possibility of deploying dedicated IM servers within their environment. This will aid the segregation of business messaging content, allow comprehensive monitoring and storage of data, and help provide a reassurance of internal user identity. In addition, this closed system can still be exposed to key outside customers and vendors.
EIM systems provide organisations with their own clients and servers that are built with enterprise security features including blocking, logging, auditing, monitoring, routing and encryption.
- Secure the information being transmitted by encryption – Some IM client software does support encryption (e.g. SSL) when configured correctly (which ones?). If confidential information (including login authentication credentials) is to be transmitted over the Internet or the corporate LAN, organisations must ensure that encryption is enabled. However, enabling encryption will have a detrimental effect on an organisations ability to monitor and log messaging traffic.
- Use a private naming convention – Instead of each IM user creating their own user name (one that is not already in use by someone else on a public messenger service), an organisation should make use of an Enterprise IM platform that utilises an existing naming scheme (such as email addressing, Active Directory and LDAP). As the organisation owns it’s own namespace, there will be no conflict with user names in other businesses, and less opportunities for confusion.
It is clear that, whether organisations are ready for it or not, IM is taking the lead in consolidating communications on the PC. Similarly, organisations are finding that their office communications (e.g. telephony, instant messaging, document-sharing, video and web conferencing) must work seamlessly together. Vendors such as Microsoft are already sowing the seeds for this communications convergence through products like their “Office Live Communications Server”.
The prevalence of consumer-grade IM technologies within the corporate environment has ensured that increasing attention will be paid to these technologies by both hackers and malicious users. It is becoming increasingly common for attacks to be targeted at unknowing users, whereby they are tricked into downloading and running Trojan software designed to provide backdoors in to the organisation or participate in Distributed Denial of Service (DDoS) attacks against other organisations.
IT management must therefore take control of IM usage by establishing appropriate corporate policies and adopting solutions that are designed for the corporate world.
First Published March 2004 - Network Security