Messaging Risks


AOL instant messaging flaw spurs security debate


A security hole in America Online's instant messaging program discovered earlier this month highlights the risks instant messaging poses to corporate networks.

Solution providers say instant messaging programs such as AOL's AIM as well as ones from Yahoo and Microsoft Network were designed for consumers but are increasingly used by employees, presenting security issues to businesses.

"These systems are run by having a piece of code installed locally on every workstation. It's truly a network application. We shouldn't be surprised it can be exploited like anything else," said Paul Rohmeyer, partner and COO at Icons, a North Brunswick, N.J.-based security services firm.

Security experts said the programs present risks for businesses because messages go outside the corporate firewall unencrypted to the provider's server, leaving potentially sensitive corporate data open to interception by hackers.

AOL said it fixed the flaw in an AIM game feature that security specialists said could allow attackers to take control of a victim's system.

Robert Smith, senior information security analyst at Predictive Systems, a New York-based security and networking consultant, predicts that worms such as last year's devastating Nimda will evolve into more complex worms that make use of "buddy lists" in instant messaging programs to spread rapidly.

To protect themselves, businesses can try to block public instant messaging programs, limit their use to within the corporate network and educate users about the possibility that data can be intercepted, solution providers said.

Companies also can use an enterprise instant messaging system such as IBM's Lotus Sametime, which is contained within the firewall and tied into the corporate directory to allow employees within a company to message each other.

But Rick Romkey, president of U.S. operations at Integralis, an East Hartford, Conn., security integrator, said the AIM problem and the risks posed by other instant messaging programs are overblown. Most e-mail isn't encrypted and poses risks but still is a mainstream application, he said.

"I don't think it's fair the industry is attacking AOL and [instant messaging] in general. There's a business need to be able to [instant message] someone. To suggest that you pull the plug on it because it's not safe is ludicrous," he said.