Bringing security to instant messaging

In February, the first arrest was made of a man who violated the CAN-SPAM law by sending unsolicited commercial messages not over traditional e-mail but over instant messaging. Given the rate at which e-mail threats, including spam, viruses and phishing attacks, are migrating to the world of instant messaging, this arrest isn’t likely to be the last of its kind.

“Virtually every one of the issues we’ve had to deal with regarding e-mail hygiene is currently applicable to instant messaging or will be soon,” says Matt Cain, an analyst with Meta Group Inc. “It’s just a matter of time before we see hackers, virus writers and spammers aggressively target IM.”

Clearly, IM is not nearly as widely used as e-mail on enterprise networks, and therefore the threats are not as significant. However, the advantage of having this low-cost, real-time communications mechanism on users’ desktops is gaining popularity in the corporate world. The Radicati Group Inc. estimates 85 per cent of corporations in North America are using IM, either as a sanctioned corporate application or in unauthorized pockets. That’s up from 70 per cent in 2003, the last year the firm tracked it.

“IM is still growing as a communications method, but the increasing use of it is driving more and more people to target this system,” says Francis Costello, chief marketing officer at Akonix Systems Inc., which makes IM management and security software.

With IM’s recent growth comes the need to secure these communications systems, says Sara Radicati, an analyst with The Radicati Group. But protecting networks from IM abuses is often overlooked, even by corporations with extensive security schemes, she says.

Ignoring the potential for IM abuses can be a dangerous mistake, because the nature of unwanted messages is changing, experts say. While IM spam, or “spim,” has popped up on users’ screens for a few years now, it is evolving from simply a nuisance to a serious threat. Originally used primarily by operators of Web sites — usually featuring pornographic material or financial lending deals — to lure unsuspecting users to their sites, spim has become the latest way to distribute viruses and other malware that can find a back door into a corporate network.

According to Akonix, the number of viruses spread via IM in the first six weeks of this year tripled versus the same time period last year. IMlogic, an IM management and security software vendor, currently tracks more than 300 viruses and worms spread via IM.

Media General Inc., a publishing, broadcast and interactive media company in Richmond, Va., began using IM in 2003, when a new division president who was hooked on the communications method was hired, says director of security Mike Miller. After monitoring the company’s IM traffic via a program called Snort, Miller says he realized just how vulnerable IM could be.

“We watched the traffic, and we could see clear text go over the Internet and back,” he says. What concerned him even more was that the company couldn’t restrict IM file transfers and therefore couldn’t protect against viruses.

Media General installed software from IMlogic to manage its IM communications and provide spam and virus protection. “I’ve heard of companies where all their users are using IM [without a management tool]….That’s just dumb,” Miller says.

Because IM programs’ buddy lists have direct connections with other computers, IM viruses can spread faster than e-mail viruses, says IMlogic Inc. CTO Jon Sakoda.

Although the concept of spoofing IM names hasn’t truly evolved — it’s hard to guess someone’s screen name, unlike their e-mail address — IM also lends itself to phishing because users tend to respond to chat messages without thinking. “IM is associated with personal communication,” Sakoda says. “Today, people expect an IM that pops up is from another human being, where on e-mail they’re more savvy about getting mass sendings.”

IMlogic surveys have revealed that two-thirds of IM users always will accept an incoming message, even if they don’t recognize the name of the sender. Phished IMs generally don’t ask the recipient to enter sensitive information directly into the response, as e-mails tend to. Instead, they try to lure users to fraudulent Web sites that keylog such entries, Sakoda says.

“As more people get on IM, there may be more people trying to impersonate others,” says Matt Bushman, IT analyst with Minnesota’s Rochester Public Utilities, which runs Akonix’s IM management and security software. “I, personally, don’t find [IM abuses] to be an issue now, but a year or two from now this could explode.”

For organizations that already manage their IM communications with software from IMlogic, Akonix, FaceTime Communications Inc. or others, dealing with this new security threat is rather straightforward. These vendors have added spam- and virus-blocking features on top of their current tools. This adds a layer of security to the tools’ main management functions, which let a company’s users choose any Internet-based IM program and chat with users on competing systems, because currently an MSN user can’t otherwise exchange messages with an America Online Inc. user, for example.

In addition to offering virus and spam protection, these management programs give administrators a way to monitor IM use. For example, administrators can be sure that only authorized users are sending and receiving instant messages, because the traffic is funneled through an IM server before leaving the corporate network, where messages from unauthorized users can be blocked.

At Amerex, an energy commodity brokerage firm in Houston, 150 users run freely available IM software from Microsoft Corp., AOL and Yahoo Inc. While CIO Brian Trudeau says he was hesitant to allow IM into the company, he figured it would be wiser to condone it so he could manage it, rather than suffer the consequences of rogue usage. “It’s a very hard tool to control, you have to either open it wide up or shut it down,” says Trudeau, who chose the former because brokers at the company find it a useful method of communicating in time-sensitive situations.

Amerex runs IMlogic not only for its security and management features but also so it can capture chat conversations. “We use IMlogic for logging all of our conversations; in case one of our brokers messages one of the traders something…we can run a report…and clear up discrepancies,” Trudeau says. This logging feature also can be helpful for companies that are regulated when it comes time to audit compliance.