Feature: Revolution by stealth

Instant messaging. It's just underworked people wasting time, right? Wrong. It's becoming a vital business tool for the fast exchange of information. There's just a few security and authentication issues to be ironed out first.

Someone in the office downloads Yahoo Messenger on to her work PC to chat with friends in London.

She persuades co-workers on different floors and a colleague in the South Island to do the same, so that they can see who is available to answer brief questions. Someone else decides to get ICQ because family members are using it. Others quickly follow suit and before you know it half the office is using three different types of instant messaging software — some compatible, others not. (It happens, you can be sure; it happened in our office.)

But should you be worried? Has a backdoor to the network been flung wide open? Will company data be stored forever on IM software vendors’ servers? Will productivity plummet?

As with all technology, there are technical concerns — viruses being a big one — but office culture and social factors are just as important in keeping a rein on instant messaging (IM) use.

Although it started out as a consumer service, instant messaging is invading corporate networks faster than anyone would ever have guessed. Research company IDC expects the number of corporate IM users to skyrocket from 18.4 million in 2002 to 229.2 million in 2005. Gartner says that by next year 70% of enterprises will have some sort of IM client running within the organisation — whether they know it or not.

But not everyone is convinced about IM in the office and it has been banned at Auckland-based Lumley General Insurance.

“People were using it in an unofficial capacity and it’s not something we have a clearly defined business case for,” says IT operations manager Greg Covey.

“All our people use email and we accept some of it’s for personal use. We run Mail Marshal and filter quite heavily. We have to be held accountable to anything we say in our email, especially in relation to brokers’ correspondence. By ensuring that communications are sent to and from a lumley.co.nz address we know it passes through the appropriate gateways and adheres to appropriate procedures, processes and standards.”

Covey says head office and all branches are on a high speed WAN and email is very fast, so there isn’t a need for instant messaging.

“None of our divisional managers could give a good reason for leaving it there. In many of their views it was counter-productive.”

Lost without it

But it’s a different story from Microsoft MSN Messenger user Matt Townsend, an account manager for IT consultancy Sybrel (formerly CyberElves).

“I think it adds to overall productivity,” says Townsend, who regularly works on software development projects which span the globe. “Definitely so for project work. I’d go as far as to say we’d be lost without it.”

After looking at several IM products, Sybrel chose MSN Messenger as it already used Microsoft for most of its IT. Now about 20 staff are users with those working on specific projects chatting on IM every day.

“We have projects and team leaders based around the world — New Zealand, London and San Francisco. It’s important that everyone has an easy and quick means of communication.

“It has opened up an ability to communicate freely when we’re working on a project. You might be sitting in front of a screen coding and a question pops up and it’s just as easy to ask it on Messenger. You can code while you’re chatting and pass snippets of code back and forth. But you can’t afford to have misunderstandings. That’s why emoticons are actually very useful.

“Also the fact that you can log into MSN from anywhere is also very useful. It’s a portable tool.”

Townsend says one of the biggest drawbacks of IM is the inability of various products to talk to each other.

Services such as Trillian and Jabber sit across the main messaging services allowing you to chat to users of each but it’s a clunky solution to the problem and you still have to be signed up to each service.

IM vendors are working on providing interoperability through a recently approved protocol called SIMPLE (session initiation protocol for instant messaging and presence leveraging extensions). Both IBM and Microsoft are shipping SIMPLE-based software with others close behind.

Somebody’s there

Instant messaging is not just about fast communications. Of growing importance is what’s called “presence information” which lets you know when someone is at their desk and available to talk. In the US, some companies are taking this capability and putting it into other applications.

“It’s good that you can see who’s there but I also like the fact that you can adjust your status,” says Townsend. “Quite often I’ll make myself off-line.”

Which could be an answer for clients of Lotus Notes application developer Convergence.

Convergence’s Mark Presnell says customers are still pondering the usefulness of instant messaging in terms of being bothered with pop-ups on their screens and people trying to have an instant conversation with them.

“It’s the old story of synchronous versus asynchronous dialogue or communications where a lot of people actually want to respond in their own time, not whenever a pop-up appears.”

Presnell says perhaps in future Convergence will enable its Lotus Notes workflow software Ability Suite with Notes’ instant messaging product Sametime but not just yet.

But who?

Auckland-based network security consultant Tony Krzyzewski warns of several risks associated with IM, perhaps the best known being the fact that it’s almost impossible to prove who you are talking to at the other end.

“I have proven this fact to my eldest son’s friends several times when, much to their dismay, they discover that the person at the other end of the keyboard on my son’s PC is in fact me. My son has now learnt to log off his PC when he is not using it and his friends have learnt an important lesson in internet security.”

Krzyzewski says in the workplace this authentication risk, combined with the fact that most instant messaging solutions transmit the message in unencrypted clear text, can result in information leaking out of the organisation.

Townsend admits you’ve got to be careful.

“We did have security concerns and talked about that at the start. If there is anything you’re really concerned about sharing, don’t do it. Don’t put confidential information on MSN. I know a lot of the bigger banks have their own messaging systems that are heavily secure and sit on VPNs but we just don’t put highly secure information over MSN.”

Telecom subsidiary and ISP Xtra has 180 staff, many of whom also use MSN Messenger.

Former IT manager Shane Ohlin, now with Telecom, says the security risk is manageable.

“Microsoft and others are working to produce secure and company-focused versions. People just need to be sensible about what they’re saying across this service.”

Easy exploitation

Staff indiscretion is only part of the problem though. IM applications, like all software, have bugs and potential vulnerabilities. Antivirus software vendor Symantec has recently expanded its software and services to monitor viruses that target messaging.

Symantec’s chief architect for the security response team, Carey Nachenberg, says IM clients are active communicators on the internet, connected constantly to servers. A properly crafted worm could literally hit millions or tens of millions of IM clients very quickly.

Nachenberg says an IM worm recently surfaced that referred recipients to a particular website, although it was apparently not malicious. In January AOL admitted there was a security hole in its AOL Instant Messenger (AIM) service that could allow the introduction of harmful code into users’ machines. In May Yahoo discovered two security holes in Yahoo Messenger which could have allowed an attacker to run code or modify content within Yahoo Messenger on a recipient’s PC. Microsoft also had to warn MSN Messenger users that a strain of the W32 virus was being distributed using the chat client’s file transfer feature.

Krzyzewski says IM protocols were specifically designed to easily traverse protection mechanisms and, as a result, can be exploited.

“Hackers can use instant messaging vulnerabilities to gain access to a workstation and use it as a jumping-off point to other parts of the network. A recent AOL instant messaging buffer-overflow flaw enabled hackers to take remote control of target workstations. From there, the hacker could do almost anything the workstation owner could do on the network.”

In the early days of instant messaging, when only ASCII text moved back and forth between IM chatterers, the threat was minimal. But current versions allow file sharing, and that’s where attackers have taken aim.

“Many instant messaging applications can pass attachments between users thus bypassing perimeter firewall protection systems,” says Krzyzewski.

“Since the user-to-user tunnel goes directly to the workstation, infected files riding on instant messaging systems can bypass gateway antivirus scanners. Unless the desktops have active scanning and updated signatures, instant messaging can easily introduce worms, trojans and viruses on to the network.”

While Computerworld found little evidence of local companies sending attachments via IM software — for example, Sybrel’s Townsend says he can never get this feature to work — this will no doubt start to happen.

Accepted security measures such as firewalls, desktop antivirus software and content filtering software work pretty well for messaging, too, says Nachenberg, although the best antivirus software in the world won’t help users unless they keep it updated to detect new threats. Security experts further recommend maintaining a healthy scepticism about accepting anything online from strangers.

“I only send messages to people I know and trust,” says Townsend. “In a way it’s much easier to get a virus through email because with instant messaging it’s only people I know.”

Meanwhile, IM vendors are working on their products to make them more secure and enterprise-ready. For example, AOL and VeriSign have rolled out beta software which will secure communication through AOL Instant Messenger by encrypting it. It will encrypt instant messages and users won’t need to make changes to their IM software because they will be done at AOL’s servers.

Sticking to who you know

Another way around the problem is to use IM on a closed and secure network and restrict use to staff only.

The New Zealand Navy is rolling out IBM’s Lotus SameTime to communicate between the network operations centre in Devonport and the frigates Te Kaha and Te Mana.

“We have security mechanisms built into our networks,” says Lieutenant Commander Mike de Ruiter, applications integration team leader at the Navy engineering centre.

“So we haven’t especially gone out of our way to look at security in terms of instant messaging. If we didn’t have security on our networks, we would be much more concerned.”

A greater issue is the fact that communications via email and IM are not formally recorded. Until now communications from ship to shore or between ships have been straight formatted text sent via high frequency signals — either radio or modem — over satellite.

De Ruiter says the navy still has to formulate what is appropriate information to transmit over IM and what should stay within the formal system.

“Before signal traffic is released the commanding officer sees it. When you have staff sitting at terminals you lose the ability to vet communications before they are sent. A signal to the ship will be distributed to everyone who needs to know, whereas an email or instant message usually goes to one person only. The formal signal traffic is still the official means of communicating with the ship but we have to work through a policy on official communications and distribution.”

Ohlin says Xtra has extended its email policy to messaging. “The policy talks about appropriate use and provides some basic guidelines. We don’t view how people use email as any different than how they use a chat service.”

In the US IT managers are starting to take a more proactive approach to managing IM use. Companies are asking whether they should monitor, record and archive instant messaging conversations, and there are a number of products entering the market from companies such as Akonix, FaceTime Communications and IM-Age which track IM use by employees. Kiwi software developer Marshal Software will also ship an IM tracking product in the first quarter of next year (see Marshal betas IM tool).

“It’s possible to keep a record of a chat situation,” says Ohlin. “We don’t log the use of the service, just as we don’t make tape recordings of phone calls.”

The ability to track messaging and know a person’s whereabouts has some people worried.

At a US presence and internet messaging conference in May, Brad Templeton, chair of the privacy watchdog the Electronic Frontier Foundation, highlighted logging of chat conversations and the potential for hackers to use them to track where you go as major concerns.

The fact that cellphones can approximate your geographical location will be interesting when IM moves to wireless mobile devices. That information and access would be valuable to advertisers wanting to lure you, for example, to a nearby McDonalds by including a digital coupon for $1 off a Big Mac. And network data that keeps tabs on staff travels could also be of interest to an overzealous boss, spouse or parent.

As always with all technology, instant messaging is a double-edged sword. Wield it with care.

The main IM players

- Yahoo Messenger

- MSN Instant Messenger

- AOL Instant Messenger


- Lotus SameTime (integrated)

Smaller players, cross-platform

- Trillian

- Jabber

- Odigo

