Instant Messaging (IM) is emerging as the new battleground for IT security managers, with users unwittingly exposing corporate information to hackers and exposing networks to malicious worms.
IM is emerging as a new avenue for hackers to put companies at risk, but the security dangers of IM are still unknown to IT managers despite the increasing popularity of these services, Internet Security Systems (ISS) has warned.
For example, there are currently 18.5 million users of Microsoft's .Net Messenger, 11.9 million users of Yahoo Messenger and 43.6 million users of AOL Instant Messenger worldwide.
ISS X-Force director Chris Rouland said end users who take their laptops home and log on to chat in the evening are putting company information at risk.
The dangers are outlined in an X-Force White Paper entitled "Risk Exposure through IM and P2P Networks", which also points out that the AIM protocol for these services can send malicious or infected files.
AIM's file sharing feature is configurable and can mistakenly be set up to share directories, exposing company information such as system passwords and other sensitive data.
Moreover, AIM's protocol stack does not include a secure layer, so there is no encryption of communications sent and received.
Engaging in a file transfer, image transfer, voice chat, or file sharing can reveal an AIM user's true IP address, allowing a malicious user to crack that system.
This information can then be used to make the computer a target of a Denial of Service (DoS) attack.
The paper lists the Yahoo Messenger platform as having the weakest security features because its protocol does not encrypt usernames and passwords, making it risky even to log in to the system.
Technical countermeasures that IT shops can use to tackle IM risks are covered in the X-Force White Paper.