

AIM Not Secure

In the past few years, AIM has become a communication tool used by both individuals and corporations to facilitate discussions of issues ranging from what movie to see on the weekend to arcane details in contractual corporate negotiations. But buyer beware: hackers have found ways to exploit the AIM client and server to leave such communication open to every prying eye and cause all sorts of mischief.

The AIM client allows any user on the Internet to create a “buddy list” and carry on text-based chat with other people on their buddy list. With 27 million AOL users and 21 million registered AIM users, America Online has become the leading provider of instant messaging software, dwarfing its competitors in terms of user base. According to MediaMetrix, Yahoo Messenger is the second most popular instant messaging client, with 10.6 million users, followed by Microsoft’s MSN Messenger, with 10.3 million registered users.

AOL has aggressively promoted its AIM messaging platform as a corporate tool, cutting deals with Novell and Lotus to incorporate it in their offerings. However, its focus on security issues has not been as strong as its marketing. In the past AOL has covered up security breaches instead of being forthcoming about them, said Dave Cassel, editor of the AOL Watch Newsletter, an email mailing list sent out to 50,000 subscribers.

Two areas in which AIM security has already been compromised are password theft and buffer overflow, a way for hackers to remotely crash a computer system by sending a certain set of characters to an AIM client. Compounding the problem is the fact that the client does not need to be running at the time in order to be exploited. Simply installing it on a machine is enough to expose it to the buffer overflow problem.

In January 2000, hackers were coming to the press with that problem because they wanted the buffer overflow security hole closed, said Cassel. But AOL didn’t respond, so the hackers thought that negative press would spur AOL into action. After I wrote an article about it, AOL said they would close the hole, but in December 2000 the hole could still be exploited.

In December, @Stake, an Internet security consulting firm, issued a security advisory about the buffer overflow problem. In it, the company described how a hacker could use the AIM client to shut down a computer or execute local commands on the victim’s desktop.

The issue was fixed, said Nicholas Graham, a spokesperson for AOL. We encourage our users to upgrade, but it’s not an issue at this point.

Weld Pond, manager of research and development for @Stake, added that while the December issue was not exactly the same one as the January one, it did fall into the same class of problems. What that illuminates is the fact that they are not using secure policies, he said. It’s sort of like finding out that one of your windows has no lock and not going around to check the other windows.

We answer instances of security on a case-by-case basis, defends Graham. Our latest client is the most secure one to date and we intend to continue providing a more robust and more secure client as time goes on.

Buffer overflow and the hijacking of AIM screen names have been problems since AIM was introduced a few years back, said an active AOL hacker who preferred to remain anonymous. Product integrity and security have never been a specialty of AOL and this is very obvious from the numerous exploits I and others have found in the service in the past three years.

While AOL has issued a new version of its client correcting the problem, the security risks posed by the AIM client should remain a concern among system administrators. The funny thing is that upgrading to the most recent version of AIM solves nothing, said the hacker. Most of the exploits are what we call server side hacks, which means the software client has nothing to do with the hack at all. The buffer overflow hack was the only major hack so far that involved the actual client software.

Some of my buddies used the hijacked AIM accounts to carry on fake conversations with the friends of the person who originally owned it. The conversations resulted in my buddies tricking the real owner’s friends into providing personal information and even credit card information. People have no reason to believe that accounts have been hacked unless the real owner notifies them.

This was the problem that Habeeb Dihu, a senior principal at Diamond Cluster, an ebusiness consulting firm, encountered when a hacker kidnapped his instant messenger ID. I was working on the Covisint deal, he said, referring to the B2B exchange developed by General Motors, Chrysler, Ford, Oracle, and Commerce One.

Because we have consultants working at several clients, the way we keep in touch with each other is through instant messaging. Somewhere in the middle of the Covisint deal, my AIM screen ID got hacked. Someone masqueraded as me and started to talk to my coworkers. I took care of it by alerting all my co-workers, but AOL was very unresponsive in terms of tech support. I was completely ignored by the support people there and was finally contacted by the head of press relations for AOL after I talked to the press. Relative to how much AIM is used in the corporate world, the security behind this thing is abysmal.

Following the incident, the company instituted a review of different instant messaging solutions and standardized on Yahoo’s Instant Messenger. Despite the fact that you could have some ID theft issue behind Yahoo, no one has managed to hack into the Yahoo user database to the extent of the problems with MSN and AOL, he added. We looked at Yahoo’s corporate solution, but the cost of corporate Yahoo was prohibitive compared to the free products available out there, he said, adding that his company has been involved in the development of Jabber, another IM client. Our hope is that Jabber will increase security and we’ll be able to migrate there, but it’s not quite there yet in terms of a robust user interface for non-technical people.

Instant messaging is used as much if not more than email these days in the corporate world. The lack of security and lack of completeness in the solution is pretty alarming from my perspective. The only messaging solution that hasn’t been hacked is Yahoo’s and it’s only a matter of time before it happens.

If you just want to talk to people in your company, you’re better off using some other piece of software that wouldn’t be under as much scrutiny from hackers, said Cassel.

Using a third party to do your corporate communication that has no legal standing is a dangerous thing, said Pond. Unlike the phone, it’s unregulated and insecure. When you are using AOL IM, you’re sending your communication in the clear over the Internet to AOL’s server and back, whether you are talking to someone in a remote location or in the office next door. People think of it as the phone but they shouldn’t. AOL has full control of communication for corporations who use AIM for communication.

We’re moving to a world where there are more and more clients that people are running on their machines, out of the control of the IT department. Companies should have security policies set up at the corporate level and work on an approval process for those clients.

However, there’s no one-size-fits-all solution. Different environments can put the expense out there to create more secure environments. Thinking you can sort of read about a security problem and know what the best solution is without taking the environment into consideration is not possible.

There are far better products out there such as MSN Messenger and Yahoo Messenger, said the hacker. But these products haven’t taken off in popularity due to AOL’s huge market share. These other products are far more secure and reliable than the AIM service. Any hacker will tell you this.

Network managers can solve the issue by either blocking connections to the AOL IM servers or installing different clients on their users’ desktops. Groove is doing a similar kind of tool, but it’s an encrypted chat in a peer-to-peer environment, which ends up being more secure, said Pond.

If you have to use it, spend as little time as possible on it, adds Cassel. When I’m through with my messaging conversation, I close out the software in both my window and my tray. Yes, I can’t be messaged, but I also can’t be hacked. I just keep my email window open and then people can reach me that way. Your email client is definitely more secure than IM.

Originally published on February 23, 2001 in Technology.