Employees using instant messaging could be opening up gaping holes in
their companies’ network security.
Viruses aimed directly at instant messaging (IM) software, along with a
lack of security for IM freeware, are creating big problems, according
to Eric Chien, chief researcher for Symantec Security Response.
And to make matters worse, many, if not most, IT administrators don’t
have policies regarding instant messaging, and many don’t even know how
many end users have it installed on their desktops and laptops. That
means there are potential problems and security lapses that
administrators aren’t even aware of.
“At conferences, when we ask if people are using instant messaging,
everyone raises their hands,” says Chien. “But when we ask who has a
policy about it, maybe 50 percent raise their hands… It’s a problem.”
Not so long ago, email surpassed the telephone as the key form of
communication in the workplace. People could send and receive emails
without interrupting their work flow. They could contact several
colleagues with one message. They could open a message and read it when
they had an opening instead of when the phone was ringing.
But today, instant messaging is nipping at the heels of email for the
top rung on the communication ladder. Messages travel back and forth
in real time, letting colleagues or business partners hold a live
conversation. Buddy lists enable coworkers to see when you’re online and
available. Away messages keep bothersome interruptions at bay.
All of that has made instant messaging popular. And that popularity has
made it dangerous.
“Instant messaging has become so popular that we’re getting the classic
issues that we’ve had with email,” says Chien. “IM can attach and
transfer files, so viruses and worms can attach themselves. There are
worms that will send themselves to everyone on your buddy list.”
Actually, between 2002 and 2003 there was a 400 percent increase in IM
malware, according to Symantec’s figures. Since 2002, 25 instant
messaging worms have been released into the wild, with about 20 of them
coming out last year alone. At least five or six have hit the wild so
far this year, reports Chien.
“It’s a continuing threat,” says Steve Sundermeier, a vice president
for Medina, Ohio-based Central Command. “Virus writers are always
looking for a new vector for infection… As companies secure their
email gateways, virus writers will be looking for alternative or
additional ways to get their viruses inside.”
However, with relatively few viruses and worms targeting instant
messaging software, Chien and Sundermeier agree that the biggest
security threat comes through unencrypted messages traveling across
free, public software.
“What people should be the most worried about is that the IM traffic
with the popular free clients is unencrypted today,” says Chien. “If
you use free messaging, people can sniff the traffic and read your
messages. It’s something hackers do all the time.”
Chien explains that if an employee is using IM to send a message to a
coworker down the hall or even in the next cubicle, the message travels
outside the building and through outside servers where it easily could
be picked up.
“Even if you’re talking to the guy in the cube next to you, your
message may go halfway around the world before it gets to the guy in the
cube next door,” says Chien. “Sensitive business matters are exposed
to the general Internet for people to potentially sniff and view.”
Central Command’s Sundermeier says the best thing for IT administrators
to do is to create a corporate policy regarding IM usage. He suggests
that users not be allowed to use any freeware. The company should buy
instant messaging software designed for internal communications so
messages don’t needlessly travel across a remote server. They should
also make sure the IM software they’re using has encryption.
Chien also recommends that IM shouldn’t be used for sensitive
information. And users should be reminded that they need to follow safe
computing practices when using instant messaging. That means they should
never open an executable and they should be careful around any