Instant messaging may seem to be a great way to keep up with office gossip, but it's not as private as you may think. Always assume someone can access your IM conversations, says Stuart King.
There is nothing new about security warnings for instant messaging software. A good deal of that scaremongering comes, not surprisingly, from suppliers. So, just how seriously should we take the threats and where are the statistics to back them up?
Over the past two years, a number of vulnerabilities have been discovered in all of the major IM software packages. These vulnerabilities have the potential for a remote user to take advantage of buffer overruns and gain control of client machines.
Some of these vulnerabilities relate to file transfers, however, it is usually common practice for this facility to be disabled at the firewall in most enterprise environments.
There is no denying that IM is an issue that needs to be taken seriously and we may be in the enviable position of closing the stable door long before the horse bolts.
However, IT budgets need justification and, if there are no statistics to back up the risks, the suppliers who currently cry wolf have only the skill of their sales people to rely on.
Perhaps this is not the whole picture. Maybe we should be looking beyond buffer overflows and file transfer errors. Business security can be compromised from IM usage through deliberate intent and user ignorance.
Consider a geographically dispersed team collaborating via IM. All the messages are passing through a server outside of the administrative control of the organisation and across untrusted networks without encryption.
The risk of information disclosure is increased. While we are usually averse to passing sensitive data from web browser to web server without using some risk-mitigating encryption, with IM we are happy to chat without a thought for who may be eavesdropping.
From an operational security point of view, much can be gleaned from casual conversations, but using tools which maintain a log of conversations will not solve the problem. By the time the log is viewed, the conversation has already occurred.
With IM, there are only two ways to mitigate the risks: do not let it onto the desktop and educate your users. Treat IM with the same respect you treat e-mail and assume that, when you are using an open channel, someone may be listening.
What do you think?
Have you cracked down on IM because it''s a security risk in the workplace? Tell us in an e-mail >> ComputerWeekly.com reserves the right to edit and publish answers on the website. Please state if your answer is not for publication.
Stuart King is an independent security consultant