Security Basics mailing list archives

Re: Survey: Chat and IM


From: Jason Yates <jaywhy2 () comcast net>
Date: Mon, 25 Nov 2002 18:09:27 -0500

I think if you ban file transfer connections and direct connections, you 
should be alright from a security standpoint.  Not really sure how you could 
do it though =/.  I know most of the java web clients support these features, 
so I really don't see any security differences between the regular binary AIM 
client and a java one, except for certain buffer overflows in binary aim 
clients.  

But even blocking file transfer and direct connections people can still be 
vulnerable to stupid aol worms.  I don't want to give anyone any ideas, but 
imagine a worm that sends everyone on a buddy list a link to a web page.  The 
web page could consist of a <random ie bug goes here> exploit and the process 
continues.

Also there really isn't any AIM proxying or security technologies out there 
yet to manage aim use.  The only one I'm familiar with is ReAIM, 
http://reaim.sourceforge.net.  Last I checked it was alpha quality.

But don't think banning aim is as easy as a firewall rule.  Let me give you a 
personal example.  A previous employer of mine decided blocking instant 
messaging was a good idea. They simply blocked, on the firewall, the default 
port AIM uses; problem fixed, right?  The problem with this solution was that 
AIM has an Auto Connection feature that allows aim clients to search every port 
until it finds one it can connect to aol servers with.  Since we allowed 
external ftp connections, AIM would simply use port 21 to connect to the AOL 
servers.  Even if we block every port at the firewall, people can still talk 
through aim through web proxies.  This is when my previous employer 
eventually gave up on the policy.

Good luck, you'll need it. =)

Jason Yates

On Thursday 21 November 2002 16:03, tony toni wrote:
Hi,

We currently are allowing web based chat and instant messaging.  I know
that there are lots of security issues involved with its usage.  The IT
folks are telling me that it is a common practice in the industry.  I have
a hard time believing this and this is one battle I would like to take on.

QUESTION:  DOES YOUR COMPANY ALLOW WEB BASED CHAT AND INSTANT MESSAGING? 
If this was a battle you fought, could you please give me some ideas on how
you won the battle.  Any good articles/white papers that could support my
position?


Toni CISSP, CPA
Security Services
NW Mutural Banking LTD




_________________________________________________________________
Help STOP SPAM with the new MSN 8 and get 2 months FREE*
http://join.msn.com/?page=features/junkmail
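Jason's point that a port-based firewall rule fails because AIM will ride any open port (such as 21) suggests identifying the protocol itself rather than the port. The following Python is an added example, not code from this thread or from ReAIM: it inspects the first TCP payload of each flow for OSCAR FLAP framing (the 0x2A start byte followed by channel, sequence and length fields) so that AIM traffic tunnelled over the FTP port is still recognisable. The sample flows are constructed for the example, not captured traffic.

```python
"""Port-independent detection of AIM/OSCAR flows by checking for FLAP framing."""
from __future__ import annotations
import struct
from dataclasses import dataclass

FLAP_START = 0x2A  # every FLAP frame begins with this byte ('*')
# FLAP channel numbers used by OSCAR: 1 = new connection/login, 2 = SNAC data,
# 3 = error, 4 = close, 5 = keepalive.
FLAP_CHANNELS = {1: "login", 2: "snac", 3: "error", 4: "close", 5: "keepalive"}

@dataclass
class FlapFrame:
    channel: int
    seq: int
    data: bytes

def parse_flap_frames(payload: bytes) -> list[FlapFrame]:
    """Parse consecutive FLAP frames; return [] if the payload is not well-formed FLAP."""
    frames, off = [], 0
    while off < len(payload):
        if len(payload) - off < 6 or payload[off] != FLAP_START:
            return []
        channel, seq, length = struct.unpack_from(">BHH", payload, off + 1)
        if channel not in FLAP_CHANNELS:
            return []
        body = payload[off + 6: off + 6 + length]
        if len(body) != length:  # truncated frame: treat as not FLAP
            return []
        frames.append(FlapFrame(channel, seq, body))
        off += 6 + length
    return frames

def looks_like_aim(payload: bytes) -> bool:
    """True if the payload is FLAP; a channel-1 opener must also carry protocol version 1."""
    frames = parse_flap_frames(payload)
    if not frames:
        return False
    first = frames[0]
    if first.channel == 1:
        return first.data[:4] == b"\x00\x00\x00\x01"
    return True

def flag_flows(flows: list[tuple[str, int, bytes]]) -> list[tuple[str, int]]:
    """Return (src, dst_port) for every flow whose first payload looks like AIM, whatever the port."""
    return [(src, port) for src, port, payload in flows if looks_like_aim(payload)]

SAMPLE_FLOWS = [  # constructed samples: (client, destination port, first payload)
    ("10.0.0.5", 21, b"220 ftp.example.com FTP server ready\r\n"),           # real FTP banner
    ("10.0.0.7", 21, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"            # FLAP login frame...
                     b"\x2a\x02\x00\x02\x00\x0a\x00\x17\x00\x06\x00\x00\x00\x00\x00\x01"),  # ...then a SNAC
    ("10.0.0.9", 80, b"GET / HTTP/1.0\r\n\r\n"),                              # plain HTTP
    ("10.0.0.11", 443, b"*\x09\x00\x00\x00\x02ab"),                          # starts with 0x2A, bad channel
]

if __name__ == "__main__":
    for src, port in flag_flows(SAMPLE_FLOWS):
        print(f"AIM-like traffic from {src} to port {port}")
```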


