Securing Instant Messaging
Matt Hsu
Outline
Introduction
Instant Messaging Primer
Instant Messaging Vulnerabilities and Exploits
Securing Instant Messaging in Your Corporation
Conclusion
Introduction
Instant Messaging Primer
Instant Messaging is not a new technology
The first system, IRC, was developed in 1988 by Jarkko Oikarinen
Providing Services: p2p real-time chatting and file transfer capabilities
Current IM systems: ICQ, AOL IM, MSN Messenger, Yahoo Messenger
IRC stands for Internet Relay Chat
Communication Mode
Client-Server instant messaging
P2P instant messaging
Encryption, File Transfers, Scripting, Others
Most IM systems do not encrypt p2p traffic
Those systems do not encrypt files transferred either
A handful of IM platforms offer scripting capabilities
Additional functionality: mini-Web provided by ICQ
Instant Messaging Vulnerabilities and Exploits (1)
Eavesdropping: using a packet sniffer
Account Hijacking: a number of Web sites provide DIY instructions for launching such an attack; password protection is very limited
Data Access and Modification: buffer overflow. In May 2002, w00w00 identified a vulnerability that allows an attacker to gain full access to targeted systems
Instant Messaging Vulnerabilities and Exploits (2)
Worms and Blended Threats: IM software maintains a list of buddies; worms spread in two ways: 1) leveraging IM scripting, 2) exploiting a buffer overflow
Scripting Instant Messaging Threats
Instant Messaging Threats that Exploit Vulnerabilities
Denial-of-Service
Instant messaging server vulnerabilities
Securing Instant Messaging in Your Corporation
IM vs. Firewalls: out-of-the-box firewall configurations are not sufficient to block access; tunneling technology lets a client slip past the corporate firewall
IM File Transfers vs. Firewalls: the best way to block file transfers is to block the port numbers used by IM products
Instant Messaging Best Practices
Establish a corporate instant messaging usage policy
Properly configure corporate perimeter firewalls
Deploy desktop antivirus software
Employ personal firewalls to ensure policy compliance
Deploy corporate instant messaging servers
Recommended instant messaging client settings
Install all IM patches as soon as possible
Use vulnerability management solutions to ensure policy compliance
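The best practices above combine a perimeter rule (block the IM ports) with a corporate IM server that clients are allowed to use. The following is an added example, not from the slides, of auditing connection-log lines against that policy: it flags IM-port traffic that reached a public service (a gap in the perimeter rule) and direct client-to-client sessions that bypass the internal server. The log format, the corporate address range and server address are constructed; the port numbers are the commonly documented defaults of the products the slides name, assumed here.

```python
"""Audit constructed connection-log lines against a corporate IM usage policy."""
from ipaddress import ip_address, ip_network

# Default ports of the IM products named on the slides, as commonly documented
# for that generation of clients (assumed here, not taken from the slides).
IM_PORTS = {
    5190: "AOL IM / ICQ (OSCAR)",
    1863: "MSN Messenger",
    5050: "Yahoo Messenger",
    6667: "IRC",
}
# Hypothetical corporate network and internal IM server (constructed values).
CORPORATE_NET = ip_network("10.0.0.0/8")
CORPORATE_IM_SERVER = ip_address("10.0.0.25")


def parse_line(line):
    """Constructed log format: '<src_ip> <dst_ip> <dst_port> <bytes>'."""
    src, dst, port, nbytes = line.split()
    return ip_address(src), ip_address(dst), int(port), int(nbytes)


def classify(src, dst, port):
    """Return a policy verdict for one flow; None when it is not IM traffic."""
    if port not in IM_PORTS:
        return None
    if dst == CORPORATE_IM_SERVER:
        return "allowed: via corporate IM server"
    if dst in CORPORATE_NET:
        # Two internal hosts talking IM directly: the server was bypassed.
        return f"direct-peer: {IM_PORTS[port]} session bypasses corporate server"
    # IM port reached an external address: the perimeter rule did not hold.
    return f"perimeter-gap: {IM_PORTS[port]} reached public service, firewall should block"


def audit(lines):
    """Map each IM flow to (src, dst, port, verdict); non-IM flows are dropped."""
    report = []
    for line in lines:
        src, dst, port, _ = parse_line(line)
        verdict = classify(src, dst, port)
        if verdict:
            report.append((str(src), str(dst), port, verdict))
    return report


# Constructed sample log; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = [
    "10.0.1.15 10.0.0.25 5190 4096",
    "10.0.1.15 198.51.100.7 1863 2048",
    "10.0.1.15 10.0.1.22 5050 900000",
    "10.0.1.15 203.0.113.9 443 1500",
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(*entry)
```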
Conclusion
Current IM systems are inadequately secured
Need a layer of suitable security systems
Consider the growing number of wireless phones already supporting IM services
Great Sentence: “Only by appropriately securing these systems will businesses be able to reap their full economic benefits”