Security problems relating to the unfettered use of consumer chat software on corporate networks are fueling the adoption of tougher security measures and more commercial-grade products, users and analysts said.
Ongoing concerns about instant messaging (IM) security were heightened last week by the disclosure of six vulnerabilities in America Online Inc.'s Mirabilis ICQ IM client software.
Two of them are particularly dangerous and could result in hackers gaining full administrative control of a victim's computer, according to Ejovi Nuwere, a security engineer at Core Security Technologies Inc., the Boston software company that discovered the flaws.
A spokesman for AOL's ICQ subsidiary acknowledged the flaws in the latest version of ICQ's freely downloadable chat software. But he claimed that only one of the flaws, involving a feature that lets users open Internet e-mails, is dangerous. A fix is in the works, he said.
Security analysts for some time have been warning that unchecked use of such software could cause dangerous holes in enterprise firewalls, leading to sensitive corporate data being exposed on public networks and files being transferred in an unprotected fashion.
Such concerns are pushing an increasing number of companies to look for new ways to secure IM communications, said Michael Osterman, president of Osterman Research Inc. in Black Diamond, Wash. The firm's twice-yearly surveys have shown adoption of commercial IM products to be growing faster than consumer IM products on corporate networks, Osterman said.
At the same time, public IM products still dominate corporate networks. AOL Instant Messenger, for instance, is used in 64 percent of the companies surveyed, Osterman said.
"The good news is that it is easy to detect the use of (consumer) services and to either shut them down or to give users an alternative that is a sanctioned enterprise product," said Dana Gardner, an analyst at The Yankee Group in Boston.
Arlington County, Va., is rolling out Microsoft's Real-Time Communications server software, which will tie into the county's Exchange 2003 and Active Directory environments. It will form the basis of a collaborative infrastructure where users will be able to carry on secure IM and whiteboard sessions, as well as share applications and files in real time, said Vivek Kundra, the county's director of IT.
The use of consumer IM software is very much a security concern, said Scott Loach, senior information security engineer at Raymond James Financial Inc., a financial services firm in St. Petersburg, Fla.
"We have seen some vulnerabilities (in consumer IM software) that have been exploited," Loach said. The need to comply with regulatory requirements has led to a much closer scrutiny of IM use on corporate networks, he said.
The company plans to ban the use of consumer IM software on its networks, Loach said. New application-level security software from Check Point Software Technologies Ltd. in Redwood City, Calif., will allow Raymond James Financial to shut down consumer chat clients by simply checking a box in the software's administrative interface.