Instantly Insecure

By Lisa Vaas  |  Posted 2001-12-03

What makes consumer IM services inherently insecure? A few things, according to Gartner analyst Rob Batchelder. First, a consumer IM client, once activated on a user's desktop, opens a channel through the enterprise firewall that attackers can exploit. That is particularly true because the clients do not consistently use a single well-known server port: if the default port is blocked, they probe for whatever outbound port the firewall does allow, typically one already open for Web browsing. Because the traffic cannot be pinned to a port, it is difficult to route it through virus-scanning tools that could clean IM traffic or attachments.

"The likelihood [of security incidents] is similar to that of e-mail being intercepted: little to none," said Batchelder, in Stamford, Conn. "But it is not secure, and some applications require secured messaging—specifically financial-services-type communications."

A recent incident shows that if IM falls into the wrong hands, whether through hacking or carelessness, the results can be disastrous. In July, a hedge fund manager at San Francisco company Azure Capital Partners LP reportedly IMed his AOL buddy list with information about PeopleSoft Inc. and was later accused of undermining PeopleSoft's stock price. According to widely reported news accounts, the manager either told buddy list members that regulators were looking into accounting irregularities at a PeopleSoft subsidiary or asked whether that was so, and also raised the possibility that PeopleSoft was being sued by a customer for $50 million. The IM turned into a rumor. PeopleSoft got its hands on the message and concluded that it was the cause of what turned out, over the course of a few days, to be a $1.7 billion drop in the company's market value.

Another security problem intrinsic to consumer-grade IM applications is that content is typically unencrypted, experts say. In transit, messages pass in cleartext through server buffers at services such as AOL or Yahoo. Not only can anyone with a packet sniffer on the path read message contents, but the unencrypted conversation logs that clients keep on disk can also be stolen.
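The two problems above, port agility and cleartext content, are two sides of one detection problem: a rule that blocks the IM service's default port misses a client that has hopped to port 80, so the traffic has to be recognised by its framing instead. The following is an added example, not code from the article or from any vendor it names. It assumes AOL Instant Messenger's OSCAR transport, whose every frame (a FLAP) starts with the byte 0x2A followed by a channel byte, a 16-bit sequence number and a 16-bit length, and it identifies that framing on any TCP port before pulling the readable message text out of it as a sniffer would. The sample flows, addresses and message body are constructed for the example; the message body is a simplified stand-in, not a byte-exact OSCAR capture.

```python
"""Port-independent detection of AIM/OSCAR traffic over constructed sample flows."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

FLAP_START = 0x2A                     # every FLAP frame begins with '*'
FLAP_HEADER = struct.Struct("!BBHH")  # start byte, channel, sequence number, payload length
FLAP_CHANNELS = {1, 2, 3, 4, 5}       # 1 new connection, 2 SNAC data, 3 error, 4 close, 5 keepalive
AIM_STANDARD_PORT = 5190


@dataclass
class Flow:
    """One direction of a reassembled TCP stream (constructed for this example)."""
    src: str
    dst: str
    dport: int
    payload: bytes


def parse_flap(payload: bytes) -> Optional[List[Tuple[int, int, bytes]]]:
    """Split payload into FLAP frames; return None on any structural violation."""
    frames, off, expected_seq = [], 0, None
    while off < len(payload):
        if len(payload) - off < FLAP_HEADER.size:
            return None
        start, chan, seq, length = FLAP_HEADER.unpack_from(payload, off)
        if start != FLAP_START or chan not in FLAP_CHANNELS:
            return None
        if expected_seq is not None and seq != expected_seq:
            return None                       # sequence numbers advance by one per frame
        off += FLAP_HEADER.size
        if off + length > len(payload):
            return None
        frames.append((chan, seq, payload[off:off + length]))
        off += length
        expected_seq = (seq + 1) & 0xFFFF
    return frames or None


def build_flap(channel: int, seq: int, body: bytes) -> bytes:
    """Encode one FLAP frame (used here only to construct sample traffic)."""
    return FLAP_HEADER.pack(FLAP_START, channel, seq, len(body)) + body


def printable_strings(data: bytes, min_len: int = 8) -> List[str]:
    """Recover human-readable runs from a cleartext payload, as a sniffer would."""
    out, run = [], bytearray()
    for b in data + b"\x00":               # trailing NUL flushes the last run
        if 0x20 <= b < 0x7F:
            run.append(b)
        else:
            if len(run) >= min_len:
                out.append(run.decode("ascii"))
            run = bytearray()
    return out


def classify(flow: Flow) -> Optional[dict]:
    """Identify AIM/OSCAR by framing regardless of port and expose its cleartext."""
    frames = parse_flap(flow.payload)
    if frames is None:
        return None
    data_bodies = b"".join(body for chan, _, body in frames if chan == 2)
    return {
        "protocol": "AIM/OSCAR",
        "dport": flow.dport,
        "port_agile": flow.dport != AIM_STANDARD_PORT,
        "frames": len(frames),
        "cleartext": printable_strings(data_bodies),
    }


def detect(flows: List[Flow]) -> List[dict]:
    """Return one finding per flow that carries AIM/OSCAR framing, on any port."""
    return [{"src": f.src, **hit} for f in flows if (hit := classify(f))]


# Constructed sample traffic. The SNAC-like prefix plus text is a simplified
# stand-in for an outgoing message, not a byte-exact capture.
MESSAGE = b"\x00\x04\x00\x06\x00\x00\x00\x00\x00\x01" + b"customer ssn 000-00-0000 acct 42"
AIM_STREAM = build_flap(1, 0x1000, b"\x00\x00\x00\x01") + build_flap(2, 0x1001, MESSAGE)

SAMPLE_FLOWS = [
    Flow("10.0.0.7", "203.0.113.10", 5190, AIM_STREAM),                         # AIM on its usual port
    Flow("10.0.0.8", "203.0.113.10", 80, AIM_STREAM),                           # same client, hopped to 80
    Flow("10.0.0.9", "203.0.113.20", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),  # ordinary Web request
    Flow("10.0.0.9", "203.0.113.20", 443, b"*\x09\x00\x01\x00\x02hi"),          # '*' but bogus channel
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_FLOWS):
        print(finding)
```

Run as a script, it reports the two AIM flows and ignores the HTTP request and the decoy that merely starts with an asterisk; the port-80 finding carries `port_agile: True` and the customer data in the clear, which is exactly what a port-based block list would have let through unscanned.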

At Colonial Trust Company Inc., a $4 million bank trust company in Phoenix, network administrator David Brown said that's not a risk he's willing to take. Colonial's 40 employees regularly exchange sensitive customer information such as Social Security numbers and investment details, which Brown said he's unwilling to trust to IM servers outside the corporate firewall. "We deal a lot with customers' personal information and didn't like the idea of sending it over a public wire," he said.

Colonial installed NetLert's NetLert IM software on a server running Windows NT 4.0 last July. This keeps private information in-house: the IM server sits behind Colonial's firewall, so messages travel only the company's private network. NetLert also encrypts inbound and outbound messages.

At First Community Credit Union, in Houston, network administrator Rito Garza's concerns over IM security are similar. Garza's implementation of WiredRed's e/pop IM product two years ago coincided with an overall tightening of security that included the installation of a proxy server, an intrusion detection system and a Cisco Systems Inc. firewall. The lockdown also ended employees' ability to download consumer IM clients, a decision that made sense given that the credit union's 160 employees had begun regularly using IM to exchange data about customers.

"When [use of consumer IM] was here, I noticed it was more of an open type of network," Garza said. "I didn't feel very comfortable with that, given the industry we're in. So we decided to restrict that altogether."

Garza cited bandwidth as another reason he moved employees off public IM. As the credit union grows, it will move more and more services to the Internet. It already offers Web-based home banking to customers and plans to move some day-to-day operations online. All of that requires bandwidth, a commodity Garza is now less inclined than ever to share with IM addicts.

Although behind-the-firewall enterprise IM products offer stronger security and let instant messages be audited, many come with a drawback: Because they require proprietary clients and run over private networks, they cannot easily be opened to users outside the organization.

Some enterprise IM vendors have engineered a way around that limitation, however. Omniprise, an enterprise IM product from Ikimbo, for example, includes a client that can be downloaded onto invited parties' computers, and an administrator controls who gets invited. This lets the IM user base grow while keeping sensitive information out of the wrong hands, and it should help enterprises avoid a fate like Azure's in the PeopleSoft affair.

Adam Schecter, a principal at William Blaire New World Ventures, in Evanston, Ill., said he used the client download feature in Omniprise to quickly build an impressive list of contacts, including top-level executives at the portfolio companies he manages.

Schecter, whose company invests in Ikimbo, also saves time using a file-sharing feature in Omniprise that allows him to share the same document that his client company updates. All users get updates at the same time, and all questions about the report can be answered via IM practically instantaneously.

The experience, Schecter said, has convinced the company to forbid the use of consumer IM and standardize on the Ikimbo product.

Lisa Vaas is News Editor/Operations for and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
