Posted 05-01-2004, 12:00 AM by BigBlueBall News
IM: Instant Messaging or Instant Mailbomb?

Dr. Seamus Phan

May 1, 2004


There is increasing media hype about instant messaging (IM) becoming the next battleground for malware, intrusions, and even spam.



However, IM is not as ubiquitous as e-mail or the Web yet, so are the menacing perceptions of IM real, or just imagined?



Harmless? Perhaps not!

In reality, spam that targets IM (otherwise known as spim) is surfacing.



Typically, spim seems to be from your "buddies" in your contact list. One such seemingly harmless service that carries the "permission-based" banner is BuddyLinks (www.buddylinks.net).



BuddyLinks, on the surface, is about playing a seemingly innocuous game with themes around Osama and the like. But some users have openly declared BuddyLinks as "spyware". This is because BuddyLinks sends its URL link to all your contacts when the game is played.



The braves of IM

Not everyone is afraid of IM, even the much feared public IM clients such as MSN Messenger, Yahoo! Messenger, and AIM.



Ang Keng Loo, deputy principal and chief technology officer, Temasek Polytechnic, Singapore, says: "We have installed MSN Messenger as a baseline tool for all office systems. There is no specific ban on other IM clients, although we do have corporate Internet usage guidelines.



"For security, we have standard corporate network security controls in place, such as firewalls, proxies, and various filters. Our staff is required to be active partners in keeping out viruses and spam as well. Using our current public IM system and allowing only named buddies or contacts is good enough, although additional tools to filter or block unwanted contacts might be useful."



Even large international companies, including traditionally conservative ones such as law firms, are using public IM. One of the largest legal practices in the US, with branches and joint practices in Asia, is using public IM clients. However, executives from this legal practice commented that although IM is not banned, it is not institutionally endorsed either.



The closed door approach

If IT administrators have reservations about employees using public IM clients, then what can they do to ensure network security?



According to Dr Douglass Capogrossi, president of Akamai University, the university uses intranet IM rather than public IM to alleviate security concerns. Says Dr Capogrossi: "To improve security and reduce spim from reaching our users, we have exclusive memberships with password-protected entry."



There are many internal IM systems available, from commercial versions to independently developed solutions. There are also open source versions which can be customised for specific internal use without per-user licensing of any kind.



For example, Yet Another Bulletin Board, or YaBB (www.yabbforum.com), is an open source alternative that requires no more than a Web hosting account capable of running Perl 5. Put that together with CGI.pm and Socket.pm Perl modules, and Sendmail (the default mail transfer agent on Unix servers), and you have an intranet-ready IM system.



If you are more familiar with PHP, you can try other open source solutions such as Open Bulletin Board (www.openbb.com), which runs on PHP and the MySQL database engine on Unix servers.



What you can do against spim

The technology may be easy to use and efficient for IM users, but IT administrators think otherwise, especially with increasing media hype about IM’s security, or the lack of it.



One of the most IT-savvy enterprise networks belongs to the Institute of Technical Education (ITE) in Singapore (www.ite.edu.sg). According to Anna Lee from the IT Services Division of ITE, the institution does not allow the usage of public IM, because IM traffic will contend for the bandwidth required for teaching and learning, and may distract students unnecessarily.



Adds Lee: "There is also concern that students may get themselves involved in the discussion of undesirable issues."



And with network security threats and potential data theft, IM may be banished from a corporate network without recourse. What, then, can IT administrators do to allow the use of IM while providing security for the enterprise? A four-step approach to increasing security is recommended:



  1. User verification. This is the simplest step, where users logging in to the network are authenticated against a database of user names and passwords. Stricter password controls with mixed upper/lowercase and numerals, as well as non-dictionary user names, may be enforced for greater security with a lesser likelihood of hijacked accounts.


  2. Encryption. Most public IM clients do not encrypt the data in transit, and it is next to impossible to know if the data has been modified or tampered with. If you are using IM for mission-critical and sensitive information, you should use data encryption for all IM data in transit.


  3. Specialised IM protection. If you need to use public IM clients but need specialised protection, you can consider Akonix’s (www.akonix.com) L7 Enterprise, which is an IM proxy, or ZoneLabs’ (www.zonelabs.com) Integrity IM Security for enterprise networks.


  4. Intranet IM only. If you are certain you do not want to leverage public IM clients, but are willing to invest time and effort to set up your own IM, you can try Open Bulletin Board or YaBB running on a secured Unix, FreeBSD, Linux or Mac OS X server. This will mean that all remote users may need to authenticate themselves and access the intranet IM through your stateful inspection and application-aware VPN setup. This will be sufficient for most enterprises.


IM, e-mail, or any other communication medium is really just a way to provide effective communication. There is always a trade-off between usability and security, and it is your decision to see which is more important to your users and the company.



Source: Network Computing ASIA
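
The article notes that spim tends to arrive from accounts already on your contact list, with the same link pushed to every contact. The following Python example is an addition to this page, not part of the original article or of any product it names; it flags that fan-out pattern in IM gateway logs. The log format, account names, URLs and thresholds are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (format is an assumption, not a real product's):
# ISO timestamp, sender, recipient, message text.
SAMPLE_LOG = """\
2004-05-01T09:00:01 alice bob lunch at noon?
2004-05-01T09:00:05 carol dave try this game http://game.example/play?id=1
2004-05-01T09:00:06 carol erin try this game http://game.example/play?id=1
2004-05-01T09:00:07 carol frank try this game http://GAME.example/play?id=1
2004-05-01T09:00:09 carol alice try this game http://game.example/play?id=1
2004-05-01T09:05:00 bob alice minutes are at http://intranet.example/minutes
2004-05-01T11:30:00 bob dave minutes are at http://intranet.example/minutes
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def parse(log_text):
    """Yield (time, sender, recipient, [urls]) for each complete line."""
    for line in log_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) < 4:
            continue  # skip blank or truncated lines
        yield (datetime.fromisoformat(parts[0]), parts[1], parts[2],
               URL_RE.findall(parts[3]))

def normalise(url):
    """Lower-case scheme and host so case changes do not split one link in two."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.lower()}://{host.lower()}{sep}{path}"

def find_fanout(log_text, min_recipients=3, window=timedelta(seconds=60)):
    """Return {(sender, url): recipients} where one sender pushed the same URL
    to at least min_recipients distinct contacts inside the time window."""
    sends = defaultdict(list)  # (sender, url) -> [(time, recipient)]
    for ts, sender, rcpt, urls in parse(log_text):
        for url in set(map(normalise, urls)):
            sends[(sender, url)].append((ts, rcpt))
    alerts = {}
    for key, events in sends.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            rcpts = {r for t, r in events[i:] if t - start <= window}
            if len(rcpts) >= min_recipients:
                alerts[key] = sorted(rcpts)
                break
    return alerts
```

On the sample, only carol is flagged; bob sharing one intranet link with two colleagues hours apart stays below both thresholds.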