Instantly Insecure

What makes consumer IM services inherently insecure? A few things, according to Gartner analyst Rob Batchelder. First, consumer IM products, once activated on a user's desktop, open a channel through the enterprise firewall that can easily be exploited by hackers. That's particularly true because IM services, rather than consistently using the same server port, tend to scan firewalls for available ports. That makes it difficult to use virus-scanning tools to clean IM traffic or attachments.

Recent incidents prove that if IM falls into the wrong hands, either through hacking or carelessness, the results can be disastrous. In July, a hedge fund manager at San Francisco company Azure Capital Partners LP reportedly IMed his AOL buddy list with information about PeopleSoft Inc. and was later accused of undermining PeopleSoft's stock price. According to widely reported news accounts, the manager either told buddy list members that regulators were looking into accounting irregularities at a PeopleSoft subsidiary or asked if that were so, and also raised the possibility that PeopleSoft was being sued by a customer for $50 million. The IM turned into a rumor. PeopleSoft got its hands on the message and concluded that it was the cause of what turned out, over the course of a few days, to be a $1.7 billion drop in the company's market value.

Another security problem intrinsic to consumer-grade IM applications is that content is typically unencrypted, experts say. While in transit, messages are stored as open text in server buffers at services such as AOL or Yahoo. Not only can packet sniffers read IM contents, but unencrypted logs of conversations can also easily be stolen. At Colonial Trust Company Inc., a $4 million bank trust company in Phoenix, network administrator David Brown said that's not a risk he's willing to take.
Colonial's 40 employees regularly exchange sensitive customer information such as Social Security numbers and investment information that Brown said he's unwilling to trust to IM servers residing outside the corporate firewall. "We deal a lot with customers' personal information and didn't like the idea of sending it over a public wire," he said. Colonial installed NetLert's NetLert IM software on a server running Windows NT 4.0 last July. This not only keeps private information in-house, it also improves security since IM servers run behind Colonial's firewall and messages travel the company's private network only. NetLert also encrypts inbound and outbound messages.

At First Community Credit Union, in Houston, network administrator Rito Garza's concerns over IM security are similar. Garza's implementation of WiredRed's e/pop IM product two years ago coincided with an overall tightening of security that included the installation of a proxy server, an intrusion detection system and a Cisco Systems Inc. firewall. The security lockdown also brought an end to employees' ability to download consumer IM clients, a decision that just made sense, given that the credit union's 160 employees had regularly begun to use IM to exchange data about customers. "When [use of consumer IM] was here, I noticed it was more of an open type of network," Garza said. "I didn't feel very comfortable with that, given the industry we're in. So we decided to restrict that altogether."

Garza cited bandwidth concerns as another reason he moved employees off the Internet and public IM. As the bank grows, it will be moving more and more services to the Internet. It already offers Web-based home banking to customers and plans on moving some day-to-day operations to the Internet. All that requires bandwidth, a commodity Garza's now less inclined to share with IM addicts than ever.
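As an added example (not from the article or from any vendor named in it), here is a defender-side check for the port-hopping behaviour Batchelder describes, which also serves to verify that a lockdown like Garza's is actually holding: it reads firewall log lines and flags any internal host that touches many different destination ports on one peer within seconds, denied attempts included. The log line format, the 30-second window and the five-port threshold are assumptions, and the sample log is constructed.

```python
"""Flag internal hosts whose outbound connections hop across many destination
ports in a short window: the egress-probing behaviour the article attributes
to consumer IM clients. Log format and thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (the format is an assumption):
# timestamp src_ip src_port dst_ip dst_port action
SAMPLE_LOG = """\
2002-07-10T09:00:01 10.1.1.25 3340 198.51.100.7 5190 DENY
2002-07-10T09:00:02 10.1.1.25 3341 198.51.100.7 443 DENY
2002-07-10T09:00:02 10.1.1.25 3342 198.51.100.7 80 DENY
2002-07-10T09:00:03 10.1.1.25 3343 198.51.100.7 23 DENY
2002-07-10T09:00:03 10.1.1.25 3344 198.51.100.7 21 DENY
2002-07-10T09:00:04 10.1.1.25 3345 198.51.100.7 25 ALLOW
2002-07-10T09:00:05 10.1.1.40 3100 10.1.1.5 5222 ALLOW
2002-07-10T09:05:00 10.1.1.40 3101 192.0.2.10 443 ALLOW
2002-07-10T09:06:00 10.1.1.40 3102 192.0.2.11 80 ALLOW
"""

def parse_line(line):
    """Split one log line into (timestamp, src_ip, dst_ip, dst_port, action)."""
    ts, src, _sport, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action

def find_port_hoppers(log_text, window=timedelta(seconds=30), min_ports=5):
    """Return {src_ip: sorted distinct ports} for every internal host that
    contacted at least `min_ports` different ports on one destination
    within `window`. Denied attempts count: the probing itself is the signal."""
    by_pair = defaultdict(list)          # (src, dst) -> [(ts, dport), ...]
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, _action = parse_line(line)
            by_pair[(src, dst)].append((ts, dport))
    hits = {}
    for (src, dst), events in by_pair.items():
        events.sort()                    # the sliding window needs time order
        for i, (t0, _p) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                hits[src] = sorted(ports)
                break
    return hits

if __name__ == "__main__":
    for host, ports in find_port_hoppers(SAMPLE_LOG).items():
        print(f"{host}: {len(ports)} distinct ports within 30s -> {ports}")
```

Host 10.1.1.40 talks to three different peers on one port each, so it is not reported; a genuine hopper shows up even when every attempt was denied, which is why the check keeps DENY lines.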
Although behind-the-firewall enterprise IM products offer enhanced security and the ability to audit instant messages, many come with a drawback: since they require proprietary clients and run over private networks, they're not easily open and available to all users. Some enterprise IM vendors have engineered a way around that limitation, however. Omniprise, for example, an enterprise IM product from Ikimbo, includes a client that can be downloaded onto invited parties' computers. An administrator keeps control of who gets invited to participate. This allows the IM network of users to expand while keeping sensitive information out of the wrong hands. That should help keep enterprises away from a fate similar to the one that befell Azure in the PeopleSoft fiasco.

Adam Schecter, a principal at William Blaire New World Ventures, in Evanston, Ill., said he used the client download feature in Omniprise to quickly build an impressive list of contacts, including top-level executives at the portfolio companies he manages. Schecter, whose company invests in Ikimbo, also saves time using a file-sharing feature in Omniprise that allows him to share the same document that his client company updates. All users get updates at the same time, and all questions about the report can be answered via IM practically instantaneously. The experience, Schecter said, has convinced the company to forbid the use of consumer IM and standardize on the Ikimbo product.
"The likelihood [of security incidents] is similar to that of e-mail being intercepted: little to none," said Batchelder, in Stamford, Conn. "But it is not secure, and some applications require secured messaging, specifically financial-services-type communications."