Instant Messengers
June 13th, 2008
By Matt Gardenghi and Stephen Northcutt
Instant Messaging Protocols
Yahoo's Messenger, Microsoft's Live Messenger, AOL's AIM (AOL Instant Messenger), and Google's Google Talk all use different protocols and have segregated networks. The first three use proprietary protocols, while Google uses a modified and encrypted version of XMPP; Jabber/XMPP is an open protocol designed to bridge the various proprietary protocols. Most clients do not use fixed ports, which makes them difficult to control or monitor.
Because of the segregated networks, it is not uncommon to find users with multiple IM clients running simultaneously.
Business Issues
Should a business care if employees integrate IM designed for personal communications into business communications? The rise of IM as an alternative or supplemental form of communication, similar in nature to email, has brought IM into the e-discovery arena. In fact, several companies have added IM session reconstruction to their data collection tools. Other companies specializing in e-discovery make IM collection and analysis a major component of their services.
Unfortunately, because IM providers have made the service free and designed robust, user-friendly clients, this software appears regularly on networks with and without the approval of IT. This out-of-band communication could be a method to leak confidential information. Some companies provide web-based clients (Google Talk) that bypass IT restrictions and controls unless the company restricts or blocks access to GMail.
Much of the pernicious nature of IM comes from two sources: at its heart, IM is a home-user service with the level of security one would expect baked into it, and since IM was designed to work through NAT, the clients automatically seek out ways to reach their home server. The result is that simple installs find their way out of the network.
Companies like IBM and Novell have embraced IM as a collaboration and communication tool and created controllable clients. Novell created an instant messenger that allows an organization to control who has access to the client/service, whether the IM logs are saved, where they are stored, and whether they are encrypted. All of these options are necessary for companies.
When a company decides that it will monitor email for compliance or intellectual property protection, IM must also be included in the monitoring. Fortunately, monitoring tools (appliances) have already begun to add IM monitoring to their suites. As a rule of thumb, management should treat IM as it treats email: control it, secure it, monitor it, and archive it. Almost everything that email can do can be done with IM. Its amorphous and temporal nature makes it easy to overlook and may encourage malicious users to see it as a form of communication "invisible" to the eyes of IT.
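Because IM clients do not sit on fixed ports, a monitor that only watches port 5222 or 1863 misses most sessions. The following added example (not from the original article) shows the port-independent approach a defender would take: it classifies flows from a constructed connection log by destination name and by the leading bytes of the client's first payload, and flags sessions running on ports other than the protocol's usual one so they can be reviewed, blocked or archived under the same policy as email. The log format, the domain list and the sample flows are all constructed for illustration; the payload signatures come from the public descriptions of the protocols named above (an XML stream header for XMPP, a VER command for MSNP, a YMSG header for Yahoo, a FLAP frame beginning with 0x2A for AIM/OSCAR).

```python
"""Port-independent identification of IM sessions in a connection log.

Assumed (constructed) log format, one flow per line, fields separated by '|':
    timestamp|src_ip|dst_host|dst_port|hex(first payload bytes sent by client)
"""
from dataclasses import dataclass
from typing import List, Optional

# Illustrative destination names the organisation treats as IM services.
# A real deployment would populate this from its own proxy/DNS data.
IM_DOMAIN_SUFFIXES = {
    "xmpp.example.test": "XMPP",
}

# Leading-byte signatures from the public protocol descriptions.
PAYLOAD_SIGNATURES = [
    ("XMPP", lambda p: p.lstrip().startswith(b"<?xml") or b"<stream:stream" in p),
    ("MSNP", lambda p: p.startswith(b"VER ")),
    ("YMSG", lambda p: p.startswith(b"YMSG")),
    ("OSCAR", lambda p: len(p) >= 6 and p[0] == 0x2A and p[1] in (1, 2, 3, 4, 5)),
]

# Ports each protocol uses when the client is not working around a firewall.
STANDARD_PORTS = {"XMPP": {5222, 5223}, "MSNP": {1863}, "YMSG": {5050}, "OSCAR": {5190}}


@dataclass
class Finding:
    timestamp: str
    src_ip: str
    dst_host: str
    dst_port: int
    protocol: str
    matched_by: str          # "domain", "payload" or "domain+payload"
    nonstandard_port: bool   # True when the port is not the protocol's usual one


def classify_flow(line: str) -> Optional[Finding]:
    """Return a Finding if the flow looks like IM traffic, otherwise None."""
    ts, src, dst, port_s, payload_hex = line.strip().split("|")
    port = int(port_s)
    payload = bytes.fromhex(payload_hex)

    by_domain = next((proto for suffix, proto in IM_DOMAIN_SUFFIXES.items()
                      if dst == suffix or dst.endswith("." + suffix)), None)
    by_payload = next((proto for proto, test in PAYLOAD_SIGNATURES if test(payload)), None)

    protocol = by_payload or by_domain   # payload evidence is the stronger signal
    if protocol is None:
        return None
    matched_by = "+".join(name for name, hit in (("domain", by_domain), ("payload", by_payload)) if hit)
    return Finding(ts, src, dst, port, protocol, matched_by,
                   nonstandard_port=port not in STANDARD_PORTS.get(protocol, set()))


def scan_log(text: str) -> List[Finding]:
    """Classify every non-empty line of the log and keep the IM findings."""
    return [f for f in (classify_flow(ln) for ln in text.splitlines() if ln.strip()) if f]


# Constructed sample flows; the last column is the first bytes the client sent.
_SAMPLE_FLOWS = [
    ("2008-06-05T09:12:01", "10.0.0.5", "chat.xmpp.example.test", 5222,
     b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'"),
    ("2008-06-05T09:12:07", "10.0.0.5", "203.0.113.10", 443,    # XMPP on the HTTPS port
     b"<?xml version='1.0'?><stream:stream xmlns='jabber:client'"),
    ("2008-06-05T09:13:00", "10.0.0.8", "203.0.113.20", 8080,   # MSNP on a proxy port
     b"VER 1 MSNP8 CVR0\r\n"),
    ("2008-06-05T09:14:22", "10.0.0.9", "203.0.113.30", 80,     # YMSG on the HTTP port
     b"YMSG\x00\x0b\x00\x00"),
    ("2008-06-05T09:15:05", "10.0.0.9", "203.0.113.40", 5190,   # OSCAR FLAP on its usual port
     b"\x2a\x01\x00\x00\x00\x04\x00\x00\x00\x01"),
    ("2008-06-05T09:16:00", "10.0.0.5", "www.example.test", 80, # ordinary web request
     b"GET / HTTP/1.1\r\n"),
]
SAMPLE_LOG = "\n".join(f"{ts}|{src}|{dst}|{port}|{payload.hex()}"
                       for ts, src, dst, port, payload in _SAMPLE_FLOWS)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = " (non-standard port)" if f.nonstandard_port else ""
        print(f"{f.timestamp} {f.src_ip} -> {f.dst_host}:{f.dst_port} "
              f"{f.protocol} via {f.matched_by}{flag}")
```

Only the first flow is caught by the domain list; the next three would be invisible to a port- or domain-based rule and are found solely from the payload signature, which is why the classifier trusts payload evidence over the destination name.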
Naming Convention
Instant Messenger is often considered less formal than even email. However, organizational controls and standards should still be used. "Instead of each IM user creating their own user name (one that is not already in use by someone else on a public messenger service), an organization should make use of an Enterprise IM platform that utilizes an existing naming scheme (such as email addressing, Active Directory and LDAP). As the organization owns its own namespace, there will be no conflict with user names in other businesses, and less opportunities for confusion."[3] Modern IM implementations like iChat will integrate with your corporate naming scheme, in this case eDirectory.[4]
With enterprise organizations you may want to consider expanding the naming convention to help you know whom you are IMing with. For instance, NASA appends the organizational department for government employees and company information for contractors:
Example: Doe, James B. (MSFC-IT84)[Lockheed/ODIN] [5]
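A convention like the NASA one is only useful if the IM platform enforces it, so an administrator needs a check that a display name actually follows the pattern. The following added example (not from the original article or from NASA) parses display names of the form shown above into their parts and audits a constructed roster for non-compliant entries. It assumes the fields mean "Last, First M. (ORG-DEPT)[Company/Contract]" with the bracketed contractor part optional for government employees; that reading is inferred from the single example on the page.

```python
"""Parse and validate IM display names of the form
    Last, First M. (ORG-DEPT)[Company/Contract]
The contractor suffix in brackets is treated as optional (assumption)."""
import re
from dataclasses import dataclass
from typing import List, Optional

NAME_RE = re.compile(
    r"^(?P<last>[A-Za-z'\- ]+),\s*"                 # Doe,
    r"(?P<first>[A-Za-z'\-]+)(?:\s+(?P<middle>[A-Z])\.)?\s*"  # James B.
    r"\((?P<org>[A-Z0-9]+)-(?P<dept>[A-Z0-9]+)\)"   # (MSFC-IT84)
    r"(?:\s*\[(?P<company>[^/\]]+)(?:/(?P<contract>[^\]]+))?\])?$"  # [Lockheed/ODIN]
)


@dataclass
class DisplayName:
    last: str
    first: str
    middle: Optional[str]
    org: str
    dept: str
    company: Optional[str]    # None for a government employee
    contract: Optional[str]

    @property
    def is_contractor(self) -> bool:
        return self.company is not None


def parse_display_name(name: str) -> Optional[DisplayName]:
    """Return the parsed name, or None if it does not follow the convention."""
    m = NAME_RE.match(name.strip())
    if not m:
        return None
    return DisplayName(**m.groupdict())


def noncompliant(roster: List[str]) -> List[str]:
    """Names in the roster that do not follow the convention."""
    return [n for n in roster if parse_display_name(n) is None]


# Constructed roster: two compliant entries and two that look like public IM handles.
SAMPLE_ROSTER = [
    "Doe, James B. (MSFC-IT84)[Lockheed/ODIN]",   # the example from the article
    "Smith, Jane (MSFC-IT84)",                     # government employee, no contractor part
    "jdoe2008",                                    # free-form handle, rejected
    "Doe, James (IT84)",                           # missing the ORG- prefix, rejected
]

if __name__ == "__main__":
    for entry in SAMPLE_ROSTER:
        parsed = parse_display_name(entry)
        print(f"{entry!r}: {'OK' if parsed else 'NON-COMPLIANT'}"
              + (f" contractor={parsed.is_contractor}" if parsed else ""))
```

Run against the roster at provisioning time, `noncompliant` gives the list of accounts to fix before they are allowed onto the enterprise IM platform; the parsed parts can also be mapped back to the directory fields the name was derived from.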
Many IM implementations use a naming convention, often based on date, that can be useful to forensic examiners. When considering a solution for your organization, consider what logs it makes, how they are stored, and their relevance to eDiscovery.[6]
Security Issues
Quite a few security issues have cropped up within IM. Many of the clients provide a method of sharing files, which has allowed worms to spread over the IM network. Other Trojans spam malicious links to all the "friends" and contacts in the IM client; when the user receives a link to a "funny video" from a friend, they click it without thinking.
One issue that could easily be overlooked is the transmission of IM: by default, most free IM is not encrypted and is transmitted in clear text. Google stands out in this regard: while not using encryption, Google has reworked the XMPP protocol to effectively deny eavesdropping.
===
Links were valid as of June 05, 2008
1. http://www.ietf.org/rfc/rfc3923.txt
2. http://www.hypothetic.org/docs/msn/
3. http://www.technicalinfo.net/papers/IMSecurity.html
4. http://www.novell.com/coolsolutions/tools/13786.html
5. https://www.odin.lmit.com/nomad/documents/NOMADExchangetoExchangeUserGuide.doc
6. http://www.accessdata.com/media/en_us/print/training/syllabus.inetfor.en_us.pdf