Internet chat clients such as instant messaging applications pose a serious security risk for corporations, according to an advisory issued last week by Carnegie Mellon University's Computer Emergency Response Team (CERT).
It's therefore better for companies to limit their use or even disable the functionality of such applications unless they're absolutely needed for business reasons, according to several security experts. Examples of messaging software include America Online Inc.'s Instant Messenger and Microsoft and Yahoo chat software.
Chat clients and Internet Relay Chat (IRC) networks are coming under scrutiny in the wake of recent viruses like the I Love You and Life-Stages bugs. Both were programmed to take advantage of instant messaging software and chat rooms to spread themselves rapidly across computers and networks.
Chat clients "pose a serious security risk to corporations," particularly in cases where an individual or company is being targeted by a cracker, said Ryan Russell, an MIS manager at SecurityFocus.com, an online bulletin board and security portal in San Mateo, California.
"Enterprises should evaluate the need to provide access to chat and instant messaging facilities," said Chad Dougherty, a CERT member.
One user wasn't convinced. "I'm sure there are some legitimate threats" associated with the use of such software, said Matt Kesner, CIO at Fenwick Ampers and West, a law firm in San Mateo, California. But so far at least, his company has seen little direct evidence of that, he said. For instance, although the firm was recently plagued by the I Love You bug, "not a single copy appeared to have come from a chat client or IRC [network]," Kesner said.
But CERT's advisory followed inquiries from users about the threat posed by chat clients, Dougherty said. "The security problems that can be found in these systems are basically of the same kind that plague e-mail" software, he warned.
Flaws in chat client software, for instance, could be relatively easily exploited by crackers to plant and launch malicious code in corporate networks, Dougherty said. Similarly, users could be tricked into communicating sensitive information or downloading files containing malicious code via chat clients, he added.
"One major risk we have seen is people having their instant messenger identities stolen without their knowledge," Russell said. That can make it easy for crackers to fool victims into sending them files and information, he said. All information exchanged via instant messaging clients and chat rooms travels over public networks that can be relatively easily intercepted or read by crackers, Russell noted.
Compounding the problem is the easy availability of tools for password cracking, identification spoofing, message interception and message rerouting, said Andre Mintz, an analyst at Meta Group.
"There are utilities out there that let any 13-year-old sit in the [middle of a conversation] and watch traffic go back and forth," without anybody ever knowing, Mintz said. Users must realise that chat software "was definitely not meant for secure information exchange," he added.