When first developed, instant messaging applications allowed individuals to engage in real-time, text-based online conversations. Now, as the technology has developed and with the advent of broadband Internet access, instant messaging applications allow audio, video, and software to be transferred and shared by multiple users. As a messaging system, it is seen as a quicker medium than e-mail, which even in the best case involves some wait for a response. In many ways, using instant messaging is similar to using a private chat room accessible to only two people.
Most instant messaging platforms are based around the same architectural principle. Client software is downloaded from the Internet and installed on your computer. This contains a configurable contact list, known as a buddy list in some applications. When the instant messaging application first runs, the client communicates with a server, via the Internet. Once the client has accessed the server, you can create your user account. The client then sends computer information such as your IP address, the port number assigned to the client application, and your contact list to the server. This is saved in a temp file and is used to authenticate your account.
When you run the instant messaging application and then log on to the server, the server checks your authentication. How the instant messaging server receives your personal information is a crucial security concern. It is often sent in clear text format or using a weak, easily decoded encryption technique. If a cracker captures such information, your computer and the network it’s in will be open to attack. The server checks if any of the individuals on your contact list are also online. If they are, a message is sent to you with their connection details. You can then communicate with them.
This client/server architecture allows users to transfer information from one client to another via a server, which is responsible for message delivery. Clients are not directly connected to one another by default, but this facility can be enabled in some clients.
Unlike the client/server model, peer-to-peer network architecture gives authority to the clients to connect to each other directly without the use of a server. All clients can deliver messages and files. In these networks, the client software is aware of the application IP addresses and port numbers of its peers.
Security risks in instant messaging platforms
More and more companies are viewing instant messaging as a potential business medium. However, there are real dangers in implementing instant messaging on a company network. Instant messaging applications were not designed to transfer sensitive material, and most applications still send information in clear text. Although enhancements have alleviated some of the security issues involved with instant messaging, it still attracts much attention from crackers, who view it as a viable option for compromising company networks. Security issues common to most instant messaging applications include:
- Infected files – Viruses and Trojan horses can access your computer’s file system via instant messaging software, as any individual with an instant messaging account can send another user malicious files.
- File transfers reveal IP addresses – Crackers monitoring network traffic can gain access to your IP address. Once your IP address is known, crackers could threaten your computer and your network’s integrity – for example, with denial of service attacks.
- Misconfigured file sharing – File sharing facilities available on most instant messaging applications need to be configured carefully. The security of your business (or business transactions) could be compromised if unauthorized users gain access to sensitive company information. Misconfigured file sharing allocation could allow anonymous instant messaging users access to sensitive documents such as HR information.
- Unencrypted communication – Information sent using instant messaging is typically unencrypted. Instant messaging protocols do not include a secure layer by default. So you shouldn’t use instant messaging applications to transmit sensitive information, unless you can strongly encrypt this data using third-party software.
- Copyright infringement – One of the most common reasons for the increased use of instant messaging is the person-to-person sharing of copyrighted material. Users of instant messaging applications can send copyrighted video, MP3, and application files. System administrators should ensure that their networks are free from illegally copied copyrighted material, as stringent fines are imposed on companies that break this law.
- Social engineering and theft of identity – Crackers will undertake confidence schemes in an attempt to get valid instant messaging users to divulge confidential information, such as their username, password, and credit card details. This process is known as social engineering. With the information gained from such schemes, they can impersonate another user.
Popular instant messaging applications
Each instant messaging application has its own authentication method and security issues. System administrators should be aware of these, and those who suspect that instant messaging may be causing their network to be compromised should act to restrict its use. They will have to deal with the various instant messaging applications individually. The most popular instant messaging applications are
AIM is the instant messaging application owned by AOL Time Warner. To create a session, the AIM client communicates using port address 5190 with two different servers named OSCAR and BOS. OSCAR is responsible for authorizing clients, whereas the BOS server is responsible for handling the various instant messaging services.
To establish the session, the client sends the OSCAR server a package containing the user’s AOL screen name. This can be decrypted easily, as it is encrypted with only a weak XOR algorithm. When the user is authenticated, OSCAR issues a cookie to a BOS server, which creates a session that stays connected until the user logs off.
A buffer overflow vulnerability in the AIM instant messaging application was recently recorded. This buffer overflow allowed a game request to be sent to an AIM user, resulting in memory being overwritten with data supplied by the attacker. This attack method could result in the cracker gaining control of the remote machine. The AIM application has since been updated to resolve that problem.
For system administrators, AIM is tougher to restrict than many other instant messaging platforms, as you can configure the port address used for communication through the client application. Therefore, blocking port address 5190 doesn’t guarantee that clients cannot access the AIM server. You can restrict some activity in AIM instant messaging sessions. To disable instant messaging images, you can block TCP sessions on port 4443. However, to disable AIM completely, you need to disable access to login.oscar.aol.com on all ports.
The .Net messenger is Microsoft’s instant messaging application and comes packaged with the Windows XP operating system. Its protocol is ASCII-based, and runs on a decentralized network. Communication between .NET clients and .NET servers is conducted using port address 1863. Unlike port addresses in AIM, this cannot be reconfigured using the client software. Any server in the decentralized network can authenticate clients.
Passwords in .NET Messenger are more secure than AIM, as they are encrypted using an MD5 hash algorithm. When trying to log on, the server passes a unique string of characters (a seed) to the client, which appends another string. The result is then hashed with the password by the client and returned to the server for authentication. As all other messages are transmitted in clear text, crackers don’t necessarily need your .NET password to cause damage.
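The contrast between the two credential schemes above (a fixed-key XOR obfuscation of the AIM screen name versus the seeded MD5 challenge-response used by .NET Messenger) is easier to see in code. The following is an added example written for this article, not code from either client: the XOR key, the string the client appends (MAGIC) and the exact concatenation order are assumptions, and the seed is generated locally so the exchange runs offline.

```python
"""Toy model of two credential-protection schemes discussed in the text.

1. Fixed-key XOR obfuscation: anyone holding the (fixed, shipped) key can
   reverse it, so a passive observer learns the obfuscated value outright.
2. Seeded MD5 challenge-response: the server sends a fresh seed, the client
   returns MD5(seed + MAGIC + password); the password never crosses the wire
   and a captured response is useless for a later login because the seed changes.

Added example, not any IM client's code. XOR_KEY, MAGIC and the concatenation
order are assumptions made for the demonstration.
"""
import hashlib
import hmac
import os

XOR_KEY = bytes.fromhex("f3268293")  # constructed key (assumption)
MAGIC = "constructed-magic-string"   # string the client appends (assumption)


def xor_obfuscate(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """XOR each byte with the repeating key. XOR is its own inverse, so
    applying this function twice returns the original bytes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def xor_recover(wire_bytes: bytes, key: bytes = XOR_KEY) -> bytes:
    """What a passive observer who knows the fixed key sees: the plaintext."""
    return xor_obfuscate(wire_bytes, key)


def server_issue_seed() -> str:
    """Server side: a fresh, unpredictable seed for every login attempt."""
    return os.urandom(8).hex()


def client_response(seed: str, password: str) -> str:
    """Client side: hash seed + MAGIC + password; only the digest is sent."""
    return hashlib.md5((seed + MAGIC + password).encode()).hexdigest()


def server_verify(seed: str, password_on_file: str, response: str) -> bool:
    """Server side: recompute the expected digest from the stored password
    and compare in constant time (avoids a timing side channel)."""
    expected = client_response(seed, password_on_file)
    return hmac.compare_digest(expected, response)


def demo() -> None:
    # Scheme 1: obfuscated screen name on the wire is trivially recovered.
    wire = xor_obfuscate(b"screen_name")
    print("XOR on wire:", wire.hex(), "-> recovered:", xor_recover(wire))

    # Scheme 2: the wire carries only seed and digest, never the password.
    seed = server_issue_seed()
    resp = client_response(seed, "hunter2")
    print("seed:", seed, "response:", resp)
    print("server accepts:", server_verify(seed, "hunter2", resp))
    # The same response replayed against a new seed is rejected.
    print("replay accepted:", server_verify(server_issue_seed(), "hunter2", resp))


if __name__ == "__main__":
    demo()
```

Two caveats follow directly from the model: the server must keep the password (or a password-equivalent) in a form it can feed into the hash, so the server-side store becomes the sensitive asset, and a captured seed/response pair still lets someone test password guesses offline, so the scheme protects the password in transit, not a weak password itself.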
As the port addresses used in .NET are standard and not configurable by the client, it is relatively easy to restrict access to instant messaging services. To prevent file transfers, you disable incoming and outgoing TCP sessions on port address 6891, whereas to prevent multimedia conferencing, you block UDP ports 13324 and 13325. If you want to prevent application sharing, you block the TCP port 1503, and if you want to deny complete access to .NET IM, you refuse access to hosts in the msgr.hotmail.com subdomain and block TCP port 1863.
Yahoo! Messenger is regarded as having the weakest security features of all the main instant messaging applications. Usernames and passwords aren’t encrypted when sent to the Yahoo! Messenger server. They are also sent via HTTP and can be stored in HTTP logs. This makes even trying to log on to the Yahoo! Messenger service risky.
The Yahoo! Messenger protocol is also ASCII-based, and the client sends information to the server and to other clients using port 5050. ASCII information is sent using port 80.
After the username and password are sent in clear text, the server replies with a cookie that is valid for a certain amount of time. It is very difficult to restrict Yahoo! Messenger services, as much of its communication uses the web traffic port 80. However, you can try to restrict some of its features. To prevent instant messaging, you block TCP port 5050, and to disable Yahoo! Messenger completely, you deny access to hosts in the “msg.”.yahoo.com subdomain.
ICQ, an instant messaging application released in 1996 by Mirabilis and now owned by AOL Time Warner, uses a binary protocol. Like AIM, communication between the client and server is conducted on port 5190, but, unlike AIM, the port is not configurable by the client. This makes it easier for administrators to restrict access.
When a user signs onto the ICQ network, their User Identification Number and password are sent in an encrypted packet. However, crackers can easily decrypt this, as the algorithm has been reverse engineered. ICQ is an attractive target for many denial of service and buffer overflow attacks, because of its authentication and encryption deficiencies.
System administrators can restrict access to some of the ICQ instant messaging features. To prevent file transfers, you block TCP sessions on port 3574, and to disable image file sharing, you block TCP port 7320. If you want to disable ICQ completely, you deny access to the host login.icq.com on TCP port 5190.
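The port and host restrictions given for AIM, .NET Messenger, Yahoo! Messenger and ICQ above can be expressed as one policy table and checked against observed connections. The following is an added example written for this article, not code from any firewall product: the rule table is taken from the ports and host names quoted in the text, the log format and all addresses (documentation range 192.0.2.0/24, private 10.0.0.0/8) are constructed for the demonstration, and the Yahoo! host rule models “hosts under yahoo.com whose name starts with msg” as an assumption about what the text’s “msg.”.yahoo.com means. It shows why a host-name rule is needed wherever the client can change its port (AIM), and the limit of host-name rules when a client connects by raw IP address.

```python
"""Block policy for the instant messaging services described in the article.

Added example, not a product's code. Rule values come from the text; the
connection-log lines and addresses are constructed for the demonstration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    label: str
    proto: Optional[str] = None        # "tcp", "udp", or None for either
    port: Optional[int] = None         # None matches any destination port
    host: Optional[str] = None         # exact destination host name
    host_suffix: Optional[str] = None  # any host under this domain
    host_prefix: Optional[str] = None  # host name must start with this

    def matches(self, proto: str, host: str, port: int) -> bool:
        if self.proto is not None and proto != self.proto:
            return False
        if self.port is not None and port != self.port:
            return False
        if self.host is not None and host != self.host:
            return False
        if self.host_suffix is not None and not (
            host == self.host_suffix or host.endswith("." + self.host_suffix)
        ):
            return False
        if self.host_prefix is not None and not host.startswith(self.host_prefix):
            return False
        return True


# Feature-specific rules first, then the "disable completely" rules.
RULES: List[Rule] = [
    Rule("AIM: images", "tcp", 4443),
    Rule("AIM: all", host="login.oscar.aol.com"),   # any port: client can change it
    Rule(".NET: file transfer", "tcp", 6891),
    Rule(".NET: conferencing", "udp", 13324),
    Rule(".NET: conferencing", "udp", 13325),
    Rule(".NET: app sharing", "tcp", 1503),
    Rule(".NET: all", "tcp", 1863),
    Rule(".NET: all", host_suffix="msgr.hotmail.com"),
    Rule("Yahoo: IM", "tcp", 5050),
    Rule("Yahoo: all", host_suffix="yahoo.com", host_prefix="msg"),  # assumption
    Rule("ICQ: file transfer", "tcp", 3574),
    Rule("ICQ: images", "tcp", 7320),
    Rule("ICQ: all", "tcp", 5190, host="login.icq.com"),
]


def decide(proto: str, host: str, port: int) -> str:
    """Return the label of the first matching block rule, or 'allow'."""
    for rule in RULES:
        if rule.matches(proto, host, port):
            return rule.label
    return "allow"


def parse_line(line: str) -> Tuple[str, str, int]:
    """Parse a constructed log line: '<proto> <src>:<sport> -> <dst>:<dport>'."""
    left, right = line.split(" -> ")
    proto = left.split()[0].lower()
    host, port = right.rsplit(":", 1)
    return proto, host.lower(), int(port)


def evaluate_log(lines: List[str]) -> List[Tuple[str, str]]:
    return [(line, decide(*parse_line(line))) for line in lines]


# Constructed sample connections (not real traffic).
SAMPLE_LOG = [
    "tcp 10.0.0.5:41234 -> login.oscar.aol.com:9999",  # AIM on a reconfigured port
    "tcp 10.0.0.5:41235 -> 192.0.2.10:5190",            # raw IP: no host rule can match
    "udp 10.0.0.7:5000 -> 192.0.2.20:13324",            # .NET conferencing
    "tcp 10.0.0.7:5001 -> gateway.msgr.hotmail.com:80", # .NET host rule, any port
    "tcp 10.0.0.8:5002 -> msg1.yahoo.com:5050",         # Yahoo IM port
    "tcp 10.0.0.9:5003 -> login.icq.com:5190",          # ICQ login
    "tcp 10.0.0.9:5004 -> www.example.com:443",         # ordinary web traffic
]

if __name__ == "__main__":
    for line, verdict in evaluate_log(SAMPLE_LOG):
        print(f"{verdict:22} {line}")
```

The second sample line is the caveat worth noting: a client that connects to a raw IP address on 5190 slips past every host-based rule, so host-name blocking only works where name resolution is visible to the enforcement point (a proxy or a resolver you control), and port-based rules remain useful alongside it.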
Instant messaging applications can perform various functions, and most can transfer files and images and share applications between computers. This is achieved through a server in the client/server model or directly between clients in the peer-to-peer model. A number of security risks are involved in using an instant messaging application. These include transferring files infected with viruses or Trojan horses, revealing your IP address, sending unencrypted information, infringement of copyright laws, and social engineering problems such as theft of identity.
System administrators use different methods to secure their networks from violation via instant messaging applications. This can be difficult because in some applications, such as AIM, the client allows users to reconfigure the application’s port addresses. Weak encryption of usernames and passwords together with the transmission of most information in a clear text format mean that you need to be careful of the information you transmit using instant messaging.