Posts tagged ‘AIM’

Instant Messaging Security

As I upgraded my Symantec IM Security server last week, I thought about the state of Instant Messaging security.
These thoughts are based on my experience with Symantec’s products. I only briefly looked at the websites of Akonix and Facetime to see what they could do. I’m not up on their current releases.
When we implemented IMLogic, which was later purchased by Symantec, we were looking to protect ourselves from malware spread via IM. Users were getting infected by each new IM worm and it needed to stop. Typically one person would get a message and a link via IM. The user would click on the link, and install the malware. The user’s IM contacts would receive a message with a link to the same virus. Even if all the other recipients recognize the message as malicious, many would then call the helpdesk, leading to more wasted time. That’s a long way of saying that we implemented IMLogic to provide IM security protection. We aren’t under any logging requirement. Logging is a big driver for implementing IM security solutions at financial institutions.
There are limitations in using an IM security product. Each time a new version of the IM client is released, there is a great likelihood that the public IM vendor will change their protocol in a way that prevents the new client from being used until the IM security vendor updates their own product. AIM 6.8, for example, used a new SSL-based login that provided a lot of trouble for all IM security vendors.
As time went by, people’s habits changed. Do you still have three IM clients installed on your desktop? Probably not. Most people found them to be pretty bloated pieces of drek. When online web IM offerings became feature comparable, most real people switched to using that. Meebo works great from what I’ve been told. How did the IM security vendors deal with that? They put out a list of URLs to block so that users could not use web IM.
Now public IM systems are bundling their chat with their webmail. That made it difficult to block web IM. For a while, to block Google Talk, you had to block Google Mail. There are now ways to do that. You can also block Yahoo Messenger within Yahoo Mail. I haven’t yet found a way to block Live Messenger within Hotmail.
Users are doing more chatting on Facebook, Myspace and Twitter. These are also outside the security environment provided by an IM security solution. Even if I could block just the chat component of Facebook, there would still be quasi real-time communication via the wall.
Symantec IM Manager is ignoring all of these problems. Facetime has a press release from more than a year ago that speaks of controlling 20,000 Facebook applications. That might be interesting to look at.
All the IM security problems seen today are HTTP links. If an adequate HTTP security solution was in place, would it even be necessary to run an IM security product anymore? IM Security is not a big software maintenance bill. But it is man hours to update and maintain. Perhaps it is no longer necessary. Then again, if a computer gets infected with a virus that can worm through LCS/OCS, I’d hate to be the one that said it’s OK for the corporate IM server to go bareback.

Symantec IM Manager Upgrade

On Saturday I upgraded to the latest release of Symantec IM Manager, 8.4.11. This version includes limited support for Microsoft Live Messenger 2009. Prior to this upgrade, users with this client could not log into Live Messenger from our network.
The install went pretty clean. Before starting I had pruned the database to hold only the past 90 days of data. I backed up the database and the upgrade went like butter.
I updated the SSL cert used by AIM; the old cert was about to expire. I had a bit of a problem with importing the new cert. The problem was caused by NTFS permissions on the location where the certificates get installed.
The event log showed an error “error returned from calling imadminrunscheduledreport asp page=400”. What happened is the reporting pages use “localhost” instead of hostname to access the IIS webserver. IM Security is configured with two IP addresses and the IIS is only on one IP instead of all IPs. This means the server doesn’t listen to requests for 127.0.0.1. Once I added that, it worked again.
Took a while to work through a few things that cropped up, but not too much trouble.
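
A quick way to catch the binding problem described above before the scheduled reports fail, as an added example that is not part of the original post or of Symantec's product: it resolves each name the reporting pages might use and tries a TCP connect to every address behind it. Port 80 and the use of the machine's own hostname are assumptions.

```python
import socket

def listening(addr, port, timeout=1.0):
    """True if a TCP connect to addr:port succeeds."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def probe_names(names, port, timeout=1.0):
    """Resolve each name and try every address it maps to.

    Returns {name: {address: reachable}}; a name that does not
    resolve at all maps to an empty dict.
    """
    report = {}
    for name in names:
        try:
            infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
        except socket.gaierror:
            report[name] = {}
            continue
        addrs = sorted({info[4][0] for info in infos})
        report[name] = {a: listening(a, port, timeout) for a in addrs}
    return report

def unreachable_names(report):
    """Names for which no resolved address accepted the connection."""
    return [n for n, addrs in report.items() if not any(addrs.values())]

if __name__ == "__main__":
    # Assumptions: the web server is on port 80, and the pages are
    # reached either as "localhost" or by the machine's hostname.
    rep = probe_names(["localhost", socket.gethostname()], 80)
    for name, addrs in rep.items():
        for addr, ok in addrs.items():
            state = "listening" if ok else "NOT listening"
            print(f"{name:<20} {addr:<40} {state}")
    print("names with no listener:", unreachable_names(rep) or "none")
```

A site bound to a single IP shows the hostname as listening and every `localhost` address as not listening, which is the condition that produced the report error.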

AIM 6.8 login fails through IM Manager

Beginning yesterday, AIM 6.8 clients couldn’t log in through Symantec IM Manager. This was caused by a change in AOL’s SSL certificate for kdc.uas.aol.com, and IM Manager could no longer validate the cert. IM Manager is an enterprise IM security and logging product.
A workaround is posted on the IM Manager knowledgebase.

Symantec IM Manager and AOL SSL

The latest Symantec IM Manager includes support for AIM 6.8. This is kind of a big change because previously there was no way to support AIM clients that required SSL logins.
AIM has provided a method whereby we register our domain names with AOL, so when the AIM 6.8 client attempts to log in, AOL directs the client to our internal IM Manager server. As part of setting this up I purchased an SSL cert for my IM Manager server. The client connects using our certificate, therefore the IM Manager server is still able to apply security and perform logging as appropriate.
This support is not retroactive to AIM Pro clients. In fact, I’m told that although this was originally designed for AIM 6.5 as well, AOL made some changes that aced out that client.
I’m not sure I trust AOL not to make major changes again and leave AIM 6.8 installs in the cold. But it is better than being stuck with incredibly old versions of AIM.
Is there an ethical and legal issue here as well? While users are advised that this is our network and our computers, might they argue that they have a reasonable expectation of privacy since AIM is using SSL?

AIM in Google Talk

Google has added AIM to Google Talk. For companies like mine, I’m not sure this is a good thing. We implemented IM security after one too many people got infected and the helpdesk was flooded with calls as their computer sent IMs to everyone in their buddy list. For other companies it is a compliance issue rather than a security issue. They need to have IM logs.
It’s pretty easy to protect the public IM clients using business solutions from Symantec, Akonix or Facetime. IM over HTTP is another matter. Google has always made it tough to block their GTalk over HTTP by integrating it with Google Mail. I haven’t yet heard of a way to block Google Talk without blocking Google Mail. Now they’ve added in AIM to the mix.
Update: you can actually block Google Talk in Gmail (http://mail.google.com/support/bin/answer.py?hl=en&answer=34330). In DNS, point chatenabled.mail.google.com to 127.0.0.1.

AOL Password Truncation

Brian Krebs’s Security Fix is reporting AOL is truncating passwords at 8 characters. I think our Solaris servers were doing the same thing until we upgraded to version 10. In fact, here’s a blog entry from the SUN Security Coordinator’s blog claiming that password truncation is a security feature. In other words, it’s a feature, not a bug.

IM Manager Day

Today Symantec IM Manager (formerly IMLogic IMManager) took far more of my time than I really planned. Last night I got approval to block AIM 6 users until IM Manager supports that version. The method provided by support was to redirect or block a specific host name. The problem, which I discovered later, is that host name is also used for AIM Triton. So redirecting that host name broke AIM Triton, which had been working for months. I really don’t see a way to block AIM 6 without taking out Triton as well. It would be easier to deal with this if I was sure Triton 1.3 and 1.5 were successfully being filtered by IM Manager before. If they were bypassing the IM Manager protection for the past few months, I don’t feel bad about blocking them now.
So that was my morning. After a series of afternoon meetings, I found that I’d received the IM Manager renewal license certificate in the mail. Unfortunately, Symantec has changed how you download license files and I haven’t figured out how to do that yet. I also notice that the Serial Number gives me access to the 8.0.x version of the product rather than the newer 8.1. What’s the deal with that?
fixing title, doh!

Symantec’s IMLogic Acquisition 5 months later

It’s 5 months since Symantec bought IMLogic. When it first occurred I wrote an anguished cry predicting woe. Let’s take inventory and see what has happened.
IMlogic IMmanager 8 was released the last few days of April. Not bad for having originally been on the books for January before the Symantec purchase. Of course I don’t know for sure that the delays were caused by the Symantec purchase. But I have my suspicions. The good news is the release still has the support for Google Talk and AIM’s rendezvous file sharing server.
The shoe dropped the other day regarding changes to support. Actually it’s not quite clear from the letter I received. As I figured, they are transferring support into their “gold” support at the end of your current contract. The thing is my gold antivirus support does not have a way to create tickets online, I cannot email support, and the knowledge base is kind of annoying. So although the letter says I won’t lose anything, it sounds like I will lose features if they make it like antivirus support. I also wonder if there will be a separate IMlogic support group as there is now, or if this skill set will be merged in with the antivirus support people. There are still a lot of questions and I don’t know who to ask. The letter from Symantec merely talked about how great things would be but did not offer a way to ask questions. Is support equipped for questions like this? Do I have an account rep? Who knows.
I was also rather worried about integration with Sybari (Microsoft) Antigen. I emailed Sybari today to ask them if they were supporting Microsoft Antigen for IM version 8 integrated with the new IMManager version 8 that came out two weeks ago. Support did not know! They actually emailed me back that they would download IMManager 8 and try it out. This does not bode well.

Symantec to buy IMLOGIC

Well shit. Suddenly that decision to purchase IMLogic (the product not the company) is not looking so good. Symantec has just purchased them.
When Symantec purchases something, it’s almost as bad as when Computer Associates purchases something. First I would suspect all development will go in the crapper while Symantec figures out what they bought and what they want to do with it. Goodbye quarterly updates. Goodbye support for AIM Triton, Google Talk and AIM file transfers. I know you were on the roadmap, but the roadmap is now burned.
Next, support will suck. I suspect my support team will now be replaced slowly by the “Gold” level drones that Symantec hires.
Third, I wonder what will happen with the Sybari integration? Will it disappear now that two corporate giants own the two companies?
Will my product completely disappear the way L0phtcrack has since the @stake purchase? Will it reappear later as Symantec IM Manager?
I really expected Webroot to be picked off (as Pestpatrol was). I didn’t think about the possibility of IMLogic being bought.
IMLogic is still a better product than Facetime or Akonix. We’ll have to hope for the best.

IM Worms Increasing?

ZDnet repeats an Akonix press release reporting that IM Worms have been increasing in November as compared to October.
It’s kind of satisfying that 36% of the worms target more than one network. Back when IM Worms first came out they were occurring on the Windows Messenger network first and the Microsoft bashers were lining up to take their swings. Those critics fell strangely silent after more worms targeted the AIM network, which is more widely used in the U.S.
Do you trust reports from security vendors? They profit by selling software to protect against X. So are they unbiased when they say X is on the rise (thus you need our product)?