Instant Messaging Security

As I upgraded my Symantec IM Security server last week, I thought about the state of Instant Messaging security.
These thoughts are based on my experience with Symantec’s products. I only briefly looked at the websites of Akonix and Facetime to see what they could do. I’m not up on their current releases.
When we implemented IMLogic, which was later purchased by Symantec, we were looking to protect ourselves from malware spread via IM. Users were getting infected by each new IM worm and it needed to stop. Typically one person would get a message and a link via IM. The user would click on the link and install the malware. The user’s IM contacts would receive a message with a link to the same virus. Even if all the other recipients recognized the message as malicious, many would then call the helpdesk, leading to more wasted time. That’s a long way of saying that we implemented IMLogic to provide IM security protection. We aren’t under any logging requirement. Logging is a big driver for implementing IM security solutions at financial institutions.
There are limitations in using an IM security product. Each time a new version of the IM client is released, there is a great likelihood that the public IM vendor will change their protocol in a way that prevents the new client from being used until the IM security vendor updates their own product. AIM 6.8, for example, used a new SSL-based login that caused a lot of trouble for all IM security vendors.
As time went by, people’s habits changed. Do you still have three IM clients installed on your desktop? Probably not. Most people found them to be pretty bloated pieces of drek. When online web IM offerings became feature-comparable, most real people switched to using those. Meebo works great from what I’ve been told. How did the IM security vendors deal with that? They put out a list of URLs to block so that users could not use web IM.
Now public IM systems are bundling their chat with their webmail. That made it difficult to block web IM. For a while, to block Google Talk, you had to block Google Mail. There are now ways to do that. You can also block Yahoo Messenger within Yahoo Mail. I haven’t yet found a way to block Live Messenger within Hotmail.
Users are doing more chatting on Facebook, MySpace and Twitter. These are also outside the security environment provided by an IM security solution. Even if I could block just the chat component of Facebook, there would still be quasi real-time communication via the wall.
Symantec IM Manager is ignoring all of these problems. Facetime has a press release from more than a year ago that speaks of controlling 20,000 Facebook applications. That might be interesting to look at.
All the IM security problems seen today are HTTP links. If an adequate HTTP security solution were in place, would it even be necessary to run an IM security product anymore? IM security is not a big software maintenance bill. But it is man-hours to update and maintain. Perhaps it is no longer necessary. Then again, if a computer gets infected with a virus that can worm through LCS/OCS, I’d hate to be the one that said it’s OK for the corporate IM server to go bareback.

2 Comments

  1. Well blogged! It’s always hard to deal with the links over IM. Some are easy to deal with, though some like Skype are difficult, for the protocol is not widely known in the security arena. Anyway, my idea was that the IM providers can make the link “non-clickable” at least. That would then leave the user with a “self-committed” error of copy-pasting and accessing, BUT not, for ‘security’ sake, one clicked by mistake!
    Count my 2 cents.

  2. Microsoft LCS by default has URLs disabled, but I found that I include a lot of links when I IM internally. Non-clickable links would be a good middle ground.
