IM Security Considerations in the Enterprise

IM use carries considerable risk

Does your organization use Instant Messaging (IM) software? IM has become an incredibly popular tool in the corporate world. Several companies that offer IM networks, including AOL, ICQ ("I Seek You"), Microsoft, and Yahoo!, have IM client packages with various features and capabilities. However, some administrators virtually ignore IM security considerations. For example, IM communications often traverse a network in plain text format, which means someone could eavesdrop easily on private business communications.

If you don't have IM software on your network, don't install it without planning. IM use carries considerable risk and requires not only the implementation of company policies, but also diligent ongoing attention to IM's vulnerabilities. For example, last week Microsoft reported that its MSN Chat Control software contains a buffer-overflow condition that could let intruders run the code of their choice on a user's machine. The problem affects MSN Chat Control, MSN Messenger, and Microsoft Exchange IM and is the third MSN chat security problem that Microsoft has reported this year. (See the related Security UPDATE story.

But Microsoft isn't alone in having IM software security problems. So far this year, reports have documented eight security problems with AOL Instant Messenger (AIM), four with Yahoo! Messenger, and five with ICQ (which AOL owns).

You can address one IM security risk, for example, by using security software that protects IM's plain text transport. Cerulean Studios has an IM security solution that's definitely worth a look: Trillian. Among many security-related IM software packages, this solution stands out for two reasons: Trillian permits messaging between several popular IM networks—including AOL, ICQ, Internet Relay Chat (IRC), MSN, and Yahoo!—and it encrypts communications by using continually regenerated encryption keys. Trillian's encryption feature, SecureIM, uses the Blowfish encryption algorithm to generate a new encryption key each time the user begins a new secure chat session. After the software generates a key, it stores the key only in memory and never to disk, making it harder for an attacker to compromise the key.

AOL recently announced its encrypted messaging client, Enterprise AIM. According to a Washington Post Newsbytes story, AOL has partnered with VeriSign to create the new IM client, which AOL intends to sell to enterprise users. In addition to encrypted communications, Enterprise AIM will use VeriSign's certificate technology to authenticate users, which will help prevent user impersonation.

If you subscribe to the Security Administrator monthly print newsletter, you might have read Roger A. Grimes' article in the May issue, "IM Security Primer," InstantDoc ID 24665, which offers a detailed overview of the major IM networks and information about the security concerns they raise for the enterprise. (To learn more about the print newsletter, visit the Security Administrator Channel home page.)

We're conducting a new Instant Poll this week: If your organization uses IM, we want to know which IM software you've standardized on. Stop by our home page and give us your answer.