[Web4lib] FW: [DIG_REF] IM & Security

Michael McCulley drweb at san.rr.com
Mon Jan 30 21:12:14 EST 2006


There are quite a number of complex security issues related to IM systems; I
know front-line librarians are not fully aware of these, nor should they
necessarily be, but the basic system and "platform" needs improvements in
security to fit within acceptable limits.

Most IT professionals will have read about this, as in this "White Paper"
(undated) from Symantec. They are likely seeing these reported systemic
flaws, and while there are individual solutions, workarounds, etc., a whole
"system" problem is a huge red flag. They will be very reluctant to go here,
without lots of help, fixes, patches, and administrative support (equals
time).

Corporate and enterprise-wide "secure" solutions for IM exist, and more are
coming onstream, but they are not necessarily free, or open-source, or based
on the current 'popular' systems we often use in our communications (AOL IM,
Trillian "client," Yahoo! Messenger, etc.). We need to lobby vendors,
software writers, companies, and the industry to provide secure workable IM
systems for libraries (and other similar "community" enterprises).

This full white paper (about 16 pages) is online: see
http://www.symantec.com/avcenter/reference/secure.instant.messaging.pdf

"Most IM systems presently in use were designed with scalability rather than
security in mind. Virtually all freeware IM programs lack encryption
capabilities and most have features that bypass traditional corporate
firewalls, making it difficult for administrators to control instant
messaging usage inside an organization. Many of these systems have insecure
password management and are vulnerable to account spoofing and
denial-of-service (DoS) attacks. Finally, IM systems meet all the criteria
required to make them an ideal platform for rapidly spreading computer worms
and blended threats: they are ubiquitous; they provide a communications
infrastructure; they have integrated directories (buddy lists) that can be
used to locate new targets; and they can, in many cases, be controlled by
easily written scripts. Even worse, no firewall on the market today can scan
instant messaging transmissions for viruses."

"This paper details the security risks of using instant messaging systems
and provides guidelines to help enterprises make informed decisions about
how to properly implement such systems within a corporate environment."

This is not just about running clients at home; this is about a client-server
environment (most IM systems) that can operate outside the usual firewalls
that libraries in their environments rely on to "keep safe." Don't we rely
heavily on our firewalls at home to keep us safe(r)?

That is the biggest part of the issue, to my mind. I love IM, use it
constantly, and wish we could have it at work. Alas, we don't, and I doubt
we can afford to (buy a secure system) anytime soon.

Best,
DrWeb

-- 
P. Michael McCulley aka DrWeb
mailto:drweb at san.rr.com
San Diego, CA 
http://drweb.typepad.com/

Quote of the Moment:
 They can't chase you if you don't run.
Monday, January 30, 2006 5:54:57 PM 