
Whitepapers - www.technicalinfo.net http://www.technicalinfo.net/papers/IMSecurity.html
Instant Messenger Security
Securing against the "threat" of instant messengers
Digital communications within business are currently undergoing a change similar to those of the early 1990's as organisations moved en-masse to relying upon email services as the primary communications medium. Just a decade later, organisations are now facing the necessity of implementing and managing real-time digital communication between both their staff and their customers. Business now demands the ability to communicate through brief messages to people who are online at the same time.
Instant Messenger (IM) services fill the niche between a phone call and an email. While email is ideal for non-synchronised communications, IM offers the ability to identify people who are online at the same time and exchange information in near real-time.
IM is only now becoming an important digital communication tool within business; however the concepts behind the technology are certainly not new. Basic IM functionality can be derived from the almost ancient UNIX "finger" and "talk" applications - the ability to identify users online, and to exchange small text messages. Certainly, key concepts and functionality of IM have replicated the most popular features of Bulletin Board Systems (BBS's) and their chat forums of the early 1980's (e.g. group chat and file transfers).
The phenomenal growth of the Internet, and the introduction of computers to almost every home in the western world, has ensured that most people have access to some form of digital communication. Familiarity and ease of use of both email and IM applications within the home environment has driven the demand for organisations to implement their own IM business systems. Both customers and internal users now require real-time messaging capabilities from the organisations they deal with.
According to a recent IDC publication (which one?), it is expected that more than 20 million business users worldwide are currently using IM, and that the figure is likely to rise to nearer 30 million by 2005.
However, organisations are facing two problems with IM services; adoption has been driven by the end user and not the top management, and the client applications were initially built for home users, not businesses - consequently they emphasise functionality over security.
Thus, almost through the back door, IM has entered the corporate world - together with another layer of security concern. Unsecured IM client installations are placing enterprise systems at risk to hackers, viruses, worms, Trojans, legal liability and violation of country privacy laws.
Functionality:
The most popular IM clients condense numerous communication functions into a small, easy to use, and easy to configure application with a small footprint - but capable of "tunnelling" out through most organisations' firewalls.
For instance, once a user has installed and logged in to a public IM service network, a list of favourite contacts is presented. The user can communicate with any of their contacts that are also online. All text-based messages can either be routed through a centralised collection of servers and then on to the recipient, or can sometimes be sent directly (through peer-to-peer connections). For high-bandwidth functions (such as audio, video and other digital file transfers), peer-to-peer connections are brokered by the server.
Although commercial versions of IM services and clients exist, many organisations find themselves inundated with consumer-grade IM clients, as their corporate users often find that it enables them to engage in activities that they would normally avoid over corporate email systems. This is most often due to the combination of lax desktop permissions and an awareness of business policies explicitly stating their right to monitor email. In fact, many users find themselves uncertain about whether corporate Internet policies actually govern the use of IM services.
For many users, instant messaging often represents a small distraction from their corporate role with minimal implications regarding productivity. They have no idea of the security implications of using IM services and do not actively strive to thwart corporate policy or perimeter defence systems. Unfortunately the threats are very real, and represent a soft entry point through many organisations' security defences. Just like web browser adoption in the mid 1990's, user-driven installation of IM client software is forcing IT management to deal with this current generation of security threat whether they are ready for it or not.
Understanding the Threat:
To ease connection difficulties, many popular IM clients are adept at navigating traffic through well-secured network environments by using unauthorised ports in corporate firewalls. This access allows additional entry points into the network for viruses and rogue protocols - bypassing corporate authentication systems and controls.
With Internet accessible "listening" services such as IM running from inside an organisation, these applications are increasingly being targeted by hackers and spammers. The spate of recent vulnerabilities within IM clients by all the significant vendors leaves the integrity and confidentiality of corporate information at risk - potentially allowing any data a trusted employee can access to also become accessible to a hacker abusing flaws in the IM client application.
Without proper management of an IM environment, uncontrolled installation of consumer-grade messaging clients may make an organisation vulnerable to the following security issues:
Client Vulnerabilities - Just like many other software applications, IM clients have a history of common security vulnerabilities. Exploitation of these vulnerabilities may take the form of denials of service (e.g. maximum network bandwidth utilisation and workstation crashes), "bother-ware" notifications and nuisances threatening productivity, access to unauthorised host files, or complete host compromise and subsequent loss of data integrity.
Insecure Network Traffic - Typically, the corporate networking environment is protected by a perimeter defence system (e.g. firewalls, IDS/IPS, content filtering, anti-virus, etc.) that is supposed to block all malicious network activity initiated outside the network. IM clients effectively perforate the firewall and provide an alternate conduit for viruses, spam and other unauthorised files.
Open Connections - When engaging in file transfers, voice chat, or other file sharing activities, the IM client reveals the user's true IP address. With this information a malicious user may concentrate on the host system for the purpose of hacking in to it or as a target for a denial of service attack.
Identity Theft - IM clients commonly use little or no encryption for the transmission of login credentials. Guides exist on the Internet providing best advice on how to intercept and capture this. Stolen credentials can thus be easily used to impersonate someone else.
Data Theft - The ability to tunnel through perimeter defences makes for an efficient method of transferring confidential materials out of an organisation. Internal users may use IM clients to transfer binary data such as customer databases and development source code to external contacts without alerting internal security or audit teams. With some IM clients, this may be achieved inadvertently through poor configuration of file sharing services.
Loss of Privacy - The common failure to implement any form of encryption of the data means that all messages must travel in the clear, meaning that an observer can easily intercept and read this information. In the case where non peer-to-peer connections are made, all messages must travel to a central server before being forwarded to the recipient, where they may be logged and stored (note that users within the same office may be unaware that their traffic is being routed over the Internet). Similarly, the message recipient may also log and store this information for later use.
Absent Authentication - As each user may choose their own identity, there is no guarantee that the message recipient is genuinely who they claim to be. An employee may think that they are messaging a work colleague, while in actuality he is communicating with a competitor. In addition, because these online identities are not created or managed by the organisation's IT department, tracking messages to an actual person within the organisation may prove to be very difficult.
Social Engineering - The informal nature of the communication medium lends itself to common social engineering techniques and trust relationships. Users may be tricked into disclosing confidential business information, compromising the security of their own system, and sending or receiving unauthorised content (e.g. pornography, internal documents, etc.).
The consequences of these security threats may also be more subtle. Within heavily regulated industries such as financial services and health care, IM carries a high potential for liability. Many industries are required by law to regulate and safeguard the flow of confidential information. In the USA for instance, to comply with SEC, HIPAA and NASD requirements, organisations are required to record all customer interactions for possible future review.
Without centralised management of IM services, organisations cannot guarantee that IM communications are recorded in an appropriate manner. Undocumented communications regarding personal data may occur without the organisation's knowledge - leading to a breach of access requirements - possibly invoking heavy fines or legal action.
Security Recommendations:
Many organisations think that they can block IM traffic at their firewalls by simply blocking the native IM port. However, the most popular IM applications are 'port-agile': should their native port be closed, they are capable of locating other open ports and tunnelling their traffic over a different port instead. Unless organisations are prepared to shut off all user access to the Internet, it is very difficult to prevent IM usage.
Consider the three most popular IM clients:
MSN Messenger - Users must login to the centralised service to locate other users. Once a connection is established, users message each other directly in peer-to-peer fashion. The default IP port for MSN Messenger is 1863 but the client is 'port-agile' and, if the port is blocked, it will look for other open ports - next targeting the HTTP port 80. MSN Messenger supports HTTP proxies, but does not support HTTP proxy authentication. Note that file transfers occur over TCP port 6891, audio and video conferencing over UDP ports 13324 and 13325, and application sharing is commonly TCP port 1503.
Yahoo Instant Messenger - Users login to the centralised Yahoo IM service to find other users. Once authenticated and online, users may choose to message each other directly or through shared chat rooms. The default port for Yahoo Instant Messenger is 5050 but the client is 'port-agile' and, if the port is blocked, it will look for other open ports - next targeting the HTTP port 80. Just like MSN Messenger, the client supports HTTP proxies, but not HTTP proxy authentication. Note that file transfers and file sharing are commonly done over TCP port 4443.
AOL Instant Messenger (AIM) - Users login in to the AOL Open System for Communication in Real-time (OSCAR) and then begin communications with Basic OSCAR Services (BOS) to locate and message other users. These messages pass through the server before being forwarded to the recipient. File transfers, voice traffic and other large digital payloads are conducted in peer-to-peer mode - whereby the initiating IM client sends its IP address and an open port over the service, so the remote client can connect to it.
The default port for the AIM client is 5190 and, if the port is blocked, the 'port-agile' software will attempt to communicate over port 23 (telnet), 20 & 21 (FTP) and then 80 (HTTP). In addition, users can choose to go through a SOCKS v4/v5, a HTTP proxy or HTTPS proxy. However, when tunnelling over the HTTPS proxy connection, AIM does not use SSL to encrypt traffic.
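The port-agile behaviour described for the three clients leaves a recognisable trace in firewall logs: a denied connection on an IM default port followed, seconds later, by a permitted connection from the same workstation to the same server on port 80 (or, for AIM, 23, 20 or 21). The following Python script is an added example written for this page and not part of the original paper; it uses the port numbers listed above, but the log line format, the timestamps and the IP addresses (all from the documentation ranges) are constructed for the example, and the 60-second window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default and secondary ports named in the paper, keyed by (protocol, port).
IM_PORTS = {
    ("TCP", 1863): "MSN Messenger",
    ("TCP", 6891): "MSN Messenger file transfer",
    ("UDP", 13324): "MSN Messenger audio/video",
    ("UDP", 13325): "MSN Messenger audio/video",
    ("TCP", 1503): "MSN Messenger application sharing",
    ("TCP", 5050): "Yahoo Instant Messenger",
    ("TCP", 4443): "Yahoo Instant Messenger file transfer",
    ("TCP", 5190): "AOL Instant Messenger",
}

# Ports the paper says port-agile clients try next when the default port is closed.
FALLBACK_PORTS = {80, 23, 20, 21}

# Assumed: a fallback attempt this soon after a deny is attributed to the same client.
FALLBACK_WINDOW = timedelta(seconds=60)

# Constructed log format for this example (not a real product's format):
# "<ISO timestamp> <ALLOW|DENY> <TCP|UDP> <src ip>:<src port> -> <dst ip>:<dst port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }

def analyse(lines):
    """Return (kind, src, dst, port, service) findings, in log order.

    Lines are assumed to be in time order. Two kinds of finding are produced:
    an allowed connection to a known IM port, and a permitted fallback-port
    connection shortly after a denied attempt on an IM port to the same server.
    """
    findings = []
    # Per (src, dst) pair: (timestamp, service) of recent denied IM-port attempts.
    recent_denies = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["proto"], ev["dport"])
        pair = (ev["src"], ev["dst"])
        if key in IM_PORTS:
            service = IM_PORTS[key]
            if ev["action"] == "ALLOW":
                findings.append(("im-port-allowed", ev["src"], ev["dst"], ev["dport"], service))
            else:
                recent_denies[pair].append((ev["ts"], service))
            continue
        if ev["proto"] == "TCP" and ev["dport"] in FALLBACK_PORTS and ev["action"] == "ALLOW":
            # Forget denies older than the window, then see whether any remain.
            recent_denies[pair] = [d for d in recent_denies[pair]
                                   if ev["ts"] - d[0] <= FALLBACK_WINDOW]
            if recent_denies[pair]:
                service = recent_denies[pair][-1][1]
                findings.append(("possible-port-agile-fallback", ev["src"], ev["dst"], ev["dport"], service))
    return findings

# Constructed sample log: workstations in 10.0.0.0/24, servers in 198.51.100.0/24 and 192.0.2.0/24.
SAMPLE_LOG = [
    "2004-03-01T09:00:00 DENY TCP 10.0.0.5:3012 -> 198.51.100.20:1863",   # MSN default port blocked
    "2004-03-01T09:00:02 ALLOW TCP 10.0.0.5:3013 -> 198.51.100.20:80",    # same host and server on port 80, 2 s later
    "2004-03-01T09:05:00 ALLOW TCP 10.0.0.8:3301 -> 198.51.100.30:5050",  # Yahoo default port let through
    "2004-03-01T09:10:00 DENY TCP 10.0.0.9:3400 -> 198.51.100.40:5190",   # AIM default port blocked
    "2004-03-01T09:20:00 ALLOW TCP 10.0.0.9:3401 -> 198.51.100.40:80",    # ten minutes later: outside the window
    "2004-03-01T09:30:00 ALLOW TCP 10.0.0.7:3500 -> 192.0.2.10:80",       # ordinary web traffic, no preceding deny
]

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the sample log, the script reports the MSN fallback from 10.0.0.5 and the allowed Yahoo connection from 10.0.0.8, but not the AIM workstation (its port 80 connection comes well outside the window) or the plain web traffic from 10.0.0.7. A finding on a fallback port is only a lead: port 80 carries legitimate traffic, so the destination and the user should be checked before concluding that an IM client is tunnelling.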
Some third-party solutions offer the ability to:
Define specific services - allowing organisations to restrict users and activities to specific IM protocols.
Block specific features - allowing organisations to select which IM functionality is available (e.g. peer-to-peer file transfers, allow/deny access to chat rooms, etc.)
Log IM access and communication - enabling organisations to record all message traffic and link it back to a specific user.
Block by categories - providing an ability to manage usage by specific user, group, site and time of day.
Depending upon the role of instant messaging within the organisation, the process of securing an organisation against the proliferation of unauthorised IM clients and traffic is not easily accomplished, and must be tackled through multiple layers of security, education and policy. As indicated above, blocking native ports of IM clients is not enough. Businesses must evaluate whether they require IM functionality within their organisation and incorporate appropriate security countermeasures.
In order to secure a corporate environment against the 'threat' of instant messengers, organisations should:
Establish a corporate IM usage policy - It is important to clearly define the role instant messaging plays within the organisation. By establishing a corporate usage policy, the position is made clear to both users and the technical teams responsible for enforcement. The policy should contain information on what services are allowable (e.g. chat is acceptable, while file transfers are not), what type of information can be exchanged, the status of monitoring and recording, and any legal or HR implications. Users will thus know the bounds of acceptable use, and understand the company's legal position. Technical teams will be able to scope and design appropriate security countermeasures in keeping with the bounds of the policy.
Properly configure corporate firewalls to block unapproved IM traffic - Although most IM clients are 'port-agile', blocking default ports and ensuring that outbound connections are only available for authorised hosts/addresses will make it easier to manage an IM environment. By using authenticating proxy servers for regulating desktop Internet access (i.e. all client workstations can only access Internet resources via the proxy server), extra controls over IP services, protocols and destinations are possible.
Harden client workstations - Corporate workstations should be configured in such a manner as to restrict the ability of users to install unauthorised software. This process will improve the overall security of the client host by removing non-required applications, restricting access to operating system calls and data (e.g. the Windows command line and accessing the system registry), and ensuring appropriate file and directory permissions. Use of approved hardening guides is recommended.
Deploy desktop protection products - Installation of local anti-virus and personal IDS or firewall software is strongly recommended. These desktop protection agents will help restrict unwanted installation and Internet access. Within corporate environments that have allowed the use of IM clients for business purposes, desktop protection agents will help protect against malicious use. Organisations should ensure that these products are centrally managed, and not by the local user.
Patch the workstations - Organisations must ensure that all workstations that can potentially access the Internet (whether directly or through proxy servers) or will receive material from the Internet (e.g. email attachments from external sources) are correctly patched, and running the most current service packs and security updates. This patching process should ensure that all applications, including the IM client software, are patched as soon as possible after release of an update.
Enforce client-side IM settings - Just as with the configuration of desktop protection agents, organisations should enforce client-side IM settings through a centrally managed operation and prevent local users from being able to change them.
Monitor to ensure IM client policy compliance - In conjunction with acceptable usage policies, organisations must be able to monitor all IM traffic for compliance. While public IM systems do not offer any method of capturing IM traffic, third-party tools exist which can capture IM traffic at its conclusion. However, conversations that are dropped midstream are lost, unless the IM system is server based.
Deploy private corporate Enterprise IM (EIM) services to isolate corporate messaging systems - If IM services are required for business purposes, organisations should investigate the possibility of deploying dedicated IM servers within their environment. This will aid the segregation of business messaging content, allow comprehensive monitoring and storage of data, and help provide a reassurance of internal user identity. In addition, this closed system can still be exposed to key outside customers and vendors.
EIM systems provide organisations with their own clients and servers that are built with enterprise security features including blocking, logging, auditing, monitoring, routing and encryption.
Secure the information being transmitted by encryption - Some IM client software does support encryption (e.g. SSL) when configured correctly (which ones?). If confidential information (including login authentication credentials) is to be transmitted over the Internet or the corporate LAN, organisations must ensure that encryption is enabled. However, enabling encryption may have a detrimental effect on an organisation's ability to monitor and log messaging traffic.
Use a private naming convention - Instead of each IM user creating their own user name (one that is not already in use by someone else on a public messenger service), an organisation should make use of an Enterprise IM platform that utilises an existing naming scheme (such as email addressing, Active Directory and LDAP). As the organisation owns its own namespace, there will be no conflict with user names in other businesses, and less opportunity for confusion.
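The firewall recommendation above rests on a combination of two controls: explicit blocks on the IM default ports, and a default-deny egress policy under which workstations reach the Internet only through an authenticating proxy. The first on its own is defeated by port agility; the second is what closes the fallback route, because a client that cannot authenticate to the proxy has no path out at all. The following Python policy evaluator is an added example written for this page, not a configuration from the paper or from any firewall product. It assumes workstations in 10.0.0.0/24, a proxy at 10.0.0.250 listening on port 3128, and an internal network of 10.0.0.0/16; the IM port numbers are the ones the paper lists, and the external address is from a documentation range.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "ALLOW" or "DENY"
    src: str           # source network in CIDR notation
    dst: str           # destination network in CIDR notation
    proto: str         # "TCP", "UDP" or "ANY"
    ports: frozenset   # destination ports; an empty set matches any port

    def matches(self, src, dst, proto, dport):
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("ANY", proto)
                and (not self.ports or dport in self.ports))

# Assumed addressing for this example.
WORKSTATIONS = "10.0.0.0/24"
PROXY = "10.0.0.250/32"
INTERNAL = "10.0.0.0/16"
ANY = "0.0.0.0/0"
PROXY_PORT = 3128   # assumed listening port of the authenticating proxy

# TCP default and file-transfer ports from the paper; the UDP pair is MSN audio/video.
IM_DEFAULT_TCP_PORTS = frozenset({1863, 5050, 5190, 6891, 4443, 1503})
IM_UDP_PORTS = frozenset({13324, 13325})

# First-match egress policy, evaluated top to bottom.
EGRESS_POLICY = [
    Rule("workstations-to-proxy", "ALLOW", WORKSTATIONS, PROXY, "TCP", frozenset({PROXY_PORT})),
    Rule("workstations-internal", "ALLOW", WORKSTATIONS, INTERNAL, "ANY", frozenset()),
    # Explicit blocks on the IM ports: redundant with the catch-all, but they give
    # the denied attempts their own rule name in the logs, which eases monitoring.
    Rule("deny-im-default-ports", "DENY", ANY, ANY, "TCP", IM_DEFAULT_TCP_PORTS),
    Rule("deny-im-av-ports", "DENY", ANY, ANY, "UDP", IM_UDP_PORTS),
    # Only the proxy may talk to the Internet, and only on the web ports.
    Rule("proxy-web-egress", "ALLOW", PROXY, ANY, "TCP", frozenset({80, 443})),
    Rule("default-deny", "DENY", ANY, ANY, "ANY", frozenset()),
]

def evaluate(src, dst, proto, dport):
    """Return (action, rule name) for the first rule that matches the connection."""
    for rule in EGRESS_POLICY:
        if rule.matches(src, dst, proto, dport):
            return rule.action, rule.name
    raise ValueError("policy has no catch-all rule")

def simulate_port_agile_client(src, dst, attempts):
    """Walk a client's fallback port sequence and return the verdict for each port."""
    return [(port, evaluate(src, dst, "TCP", port)) for port in attempts]

if __name__ == "__main__":
    # AIM's documented sequence: 5190, then 23, 20 and 21, then 80.
    for port, verdict in simulate_port_agile_client("10.0.0.5", "198.51.100.20", [5190, 23, 20, 21, 80]):
        print(port, verdict)
    print("workstation to proxy:", evaluate("10.0.0.5", "10.0.0.250", "TCP", PROXY_PORT))
    print("proxy to Internet:", evaluate("10.0.0.250", "198.51.100.20", "TCP", 80))
```

Every port in the AIM fallback sequence is denied from the workstation, the first by the explicit IM rule and the rest by the catch-all, while the same workstation can still reach the proxy and the proxy can still reach the web. Whether an IM client then gets out depends on the proxy: the paper notes that the MSN and Yahoo clients support HTTP proxies but not proxy authentication, so an authenticating proxy stops them, and the proxy's own logs become the place to watch for the ones that do support it.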
Conclusions:
It is clear that, whether organisations are ready for it or not, IM is taking the lead in consolidating communications on the PC. Similarly, organisations are finding that their office communications (e.g. telephony, instant messaging, document-sharing, video and web conferencing) must work seamlessly together. Vendors such as Microsoft are already sowing the seeds for this communications convergence through products like their "Office Live Communications Server".
The prevalence of consumer-grade IM technologies within the corporate environment has ensured that increasing attention will be paid to these technologies by both hackers and malicious users. It is becoming increasingly common for attacks to be targeted at unknowing users, whereby they are tricked into downloading and running Trojan software designed to provide backdoors in to the organisation or participate in Distributed Denial of Service (DDoS) attacks against other organisations.
IT management must therefore take control of IM usage by establishing appropriate corporate policies and adopting solutions that are designed for the corporate world.
First Published March 2004 - Network Security
Copyright 2001-2007 Gunter Ollmann