Vulnerability Development mailing list archives
RE: In regards to the insecurity of AOL Instant Messenger
From: Seth Knox <seth.knox () sygate com>
Date: Tue, 6 Aug 2002 11:54:06 -0700
I recently wrote a white paper on the vulnerabilities introduces into enterprise LANs by Instant Messaging and P2P applications. I thought this might spark some interesting debate on policies surrounding IM and P2P usage in the enterprise. Here's the first paragraph, which states the obvious, and a link to the full white paper. I'd be interested in hearing about "Secure" implementation of IM and P2P in enterprise networks and any example of losses or vulnerabilities discovered as a result of insecure usage. Link: http://www.sygate.com/spotlight/IM_P2P_spotlight.htm Abstract: Instant Messaging and P2P: Find it, Stop it, Make it safe. While Instant Messaging (IM) and Peer-to-Peer (P2P) applications are now being deployed in enterprises as productivity-enhancing communications tools, the vast majority of IM and P2P applications in the enterprise today are installed and used without the enterprises' oversight, exposing data and networks to theft and damage. IM allows users to chat, videoconference, share applications, transfer files, and even remotely access their PC. IM is now included with the most widely used operating systems (Windows XP) and Internet access services (America Online). "These users are exceptionally vulnerable to a security attack, and provide a fertile platform on which an instant messaging virus can live and propagate and they are beyond the sphere of control of corporate IS managers." Martin Reynolds, Instant Messaging Threatens Corporate Security, Gartner Group P2P applications such as KazaA, Morpheus, or Gnutella enable people around the world to share music, video, and software applications, often exposing data on their computer to thousands of people on the Internet. These applications are not designed for use in enterprise networks, and, as a result, introduce serious security vulnerabilities to enterprise networks if installed on networked PCs. Regards, Seth Knox Product Manager Sygate Technologies -----Original Message----- From: John Scimone [mailto:sert () snosoft com] Sent: Tuesday, August 06, 2002 6:58 AM To: jbarbo1; Adam Carr; vuln-dev () lists securityfocus com Subject: Re: In regards to the insecurity of AOL Instant Messenger On Tuesday 06 August 2002 12:51 pm, jbarbo1 wrote:
Now my question, is how secure are normal "ims" on AIM. How difficult = would it be to listen to anothers msgs and if at all possible, how could
=
this be fixed.=20Sniffing the line that the messages are transferred on would reveal the contents. They are not encrypted. Maybe if encryption was used, it would prevent eavesdropping, at least, some of it. What about a man in the middle attack, anyone know of that being done sucessfully? Posing as the main AIM server, then redirecting the contents of the messages to the real server. Even on a side note, has anything ever been done like an Open AIM Server. I know people have created open
clients,
but what about an open server for it?
Does the AIM protocol have any kind of authentication to defeat MiM attacks whereby an attacker couldn't drop himself in the middle and log all outgoing conversations and change the actual conversation if he wanted? I don't know much about the protocol and I'm pretty sure it's closed source, but has enough work been done by researchers into the protocol to determine if this is possible. It seems to be it would be trivial for AOL's server to have a random id generated upon every successful login attempt by a user that would need to be included with every message and action on the client side in order for it to register. This would at least prevent an attack by hopping into the middle of a conversation and would require a more extensive attack by being in the middle for the initial login.
Current thread:
- Re: In regards to the insecurity of AOL Instant Messenger, (continued)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Nick Lange (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger moksha faced (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Bojan Zdrnja (Aug 07)
- Re: In regards to the insecurity of AOL Instant Messenger Nick Lange (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger Alex Lambert (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger H C (Aug 06)
- Re: In regards to the insecurity of AOL Instant Messenger John Scimone (Aug 06)
