Beware chat clients' security risks: CERT

Internet chat clients such as instant messaging applications pose a serious security risk for companies, according to advice from the Computer Emergency Response Team (CERT) last week.

It's therefore better for companies to limit their use or even disable the functionality of such applications unless they're absolutely needed for business reasons, according to several security experts. Examples of messaging software include America Online's Instant Messenger and Microsoft and Yahoo chat software.

Chat clients and Internet Relay Chat (IRC) networks are coming under scrutiny in the wake of recent viruses like the ILoveYou and Life-Stages bugs. Both were programmed to take advantage of instant messaging software and chat rooms to spread themselves rapidly across computers and networks.

Chat clients "pose a serious security risk to companies", particularly in cases where a cracker is targeting an individual or organisation, said Ryan Russell, an IS manager at SecurityFocus.com, an online bulletin board and security company.

"Enterprises should evaluate the need to provide access to chat and instant messaging facilities," said Chad Dougherty, a CERT member.

One user wasn't convinced. "I'm sure there are some legitimate threats" associated with the use of such software, said Matt Kesner, CIO at law firm Fenwick Ampers and West. But so far at least, his company has seen little direct evidence of that, he said. For instance, although the firm was recently plagued by the ILoveYou bug, "not a single copy appeared to have come from a chat client or IRC [network]," Kesner said.

But CERT's advice followed enquiries from users about the threat posed by chat clients, Dougherty said. "The security problems that can be found in these systems are basically of the same kind that plague e-mail" software, he warned.

Flaws in chat client software, for instance, could be relatively easily exploited by crackers to plant and launch malicious code in corporate networks, Dougherty said. Similarly, users could be tricked into communicating sensitive information or downloading files containing malicious code via chat clients, he added.

"One major risk we have seen is people having their instant messenger identities stolen without their knowledge," Russell said. That can make it easy for crackers to fool victims into sending them files and information, he said. All information exchanged via instant messaging clients and chat rooms travels over public networks that can be relatively easily intercepted or read by crackers, Russell noted.

Compounding the problem is the easy availability of tools for password cracking, identification spoofing, message interception and message re-routing, said Andre Mintz, an analyst at Meta Group.

"There are utilities out there that let any 13-year-old sit in the [middle of a conversation] and watch traffic go back and forth," without anybody ever knowing, Mintz said. Users must realise that chat software "was definitely not meant for secure information exchange", he added.

Join the newsletter!

Error: Please check your email address.

More about America OnlineCERT AustraliaComputer Emergency Response TeamMessengerMeta GroupMicrosoftSecurityFocusYahoo

Show Comments

Market Place