Security Basics mailing list archives
Re: Survey: Chat and IM
From: Jason Yates <jaywhy2 () comcast net>
Date: Mon, 25 Nov 2002 18:09:27 -0500
I think if you ban file transfer connections and direct connections, you should be alright from a security standpoint. Not really sure how you could do it though =/. I know most of the Java web clients support these features, so I really don't see any security differences between the regular binary AIM client and a Java one, except for certain buffer overflows in binary AIM clients.

But even blocking file transfer and direct connections, people can still be vulnerable to stupid AOL worms. I don't want to give anyone any ideas, but imagine a worm that sends everyone on a buddy list a link to a web page. The web page could consist of a <random ie bug goes here> exploit and the process continues.

Also, there really isn't any AIM proxying or security technologies out there yet to manage AIM use. The only one I'm familiar with is ReAIM, http://reaim.sourceforge.net. Last I checked it was alpha quality.

But don't think banning AIM is as easy as a firewall rule. Let me give you a personal example. A previous employer of mine decided blocking instant messaging was a good idea. They simply blocked, on the firewall, the default port AIM uses, problem fixed, right? The problem with this solution was that AIM has an Auto Connection feature that allows AIM clients to search every port until it finds one it can connect to AOL servers with. Since we allowed external FTP connections, AIM would simply use port 21 to connect to the AOL servers. Even if we block every port at the firewall, people can still talk through AIM through web proxies. This is when my previous employer eventually gave up on the policy.

Good luck, you'll need it. =)

Jason Yates

On Thursday 21 November 2002 16:03, tony toni wrote:
> Hi,
>
> We currently are allowing web based chat and instant messaging. I know that there are lots of security issues involved with its usage. The IT folks are telling me that it is a common practice in the industry. I have a hard time believing this and this is one battle I would like to take on.
>
> QUESTION: DOES YOUR COMPANY ALLOW WEB BASED CHAT AND INSTANT MESSAGING?
>
> If this was a battle you fought, could you please give me some ideas on how you won the battle. Any good articles/white papers that could support my position?
>
> Toni
> CISSP, CPA
> Security Services
> NW Mutural Banking LTD
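The port-21 story in the reply above is a case for identifying IM traffic by what it says rather than by the port it uses. The following is an added example, not part of the original thread: it flags flows whose first bytes parse as an AIM (OSCAR) sign-on frame on any port. The frame layout is an assumption taken from public descriptions of the protocol, and the function names and sample flows are constructed for illustration.

```python
import struct

# Assumption (not from the post): OSCAR/AIM frames ("FLAP") start with 0x2A,
# then a 1-byte channel (1-5), 2-byte sequence number, 2-byte payload length.
# A new connection opens on channel 1 with the 4-byte version 0x00000001.
FLAP_MARKER = 0x2A
WELL_KNOWN = {21: "ftp", 25: "smtp", 80: "http", 443: "https"}

def looks_like_oscar(payload: bytes) -> bool:
    """True if the first bytes of a TCP stream parse as an OSCAR sign-on frame."""
    if len(payload) < 6:
        return False
    marker, channel, _seq, length = struct.unpack(">BBHH", payload[:6])
    if marker != FLAP_MARKER or channel != 1 or length < 4:
        return False
    return payload[6:10] == b"\x00\x00\x00\x01"

def audit_flows(flows):
    """Return (src, dst_port, allowed_as) for flows carrying OSCAR on any port."""
    findings = []
    for src, dst_port, first_bytes in flows:
        if looks_like_oscar(first_bytes):
            findings.append((src, dst_port, WELL_KNOWN.get(dst_port, "unknown")))
    return findings

# Constructed sample: (internal source, destination port, first payload bytes).
SAMPLE_FLOWS = [
    ("10.0.0.11", 21, b"USER anonymous\r\n"),                         # real FTP
    ("10.0.0.12", 21, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),   # OSCAR on the FTP port
    ("10.0.0.13", 80, b"GET / HTTP/1.0\r\n\r\n"),                     # real HTTP
    ("10.0.0.14", 8443, b"\x2a\x01\x12\x34\x00\x04\x00\x00\x00\x01"), # OSCAR on an arbitrary port
    ("10.0.0.15", 25, b"\x2a\x09"),                                   # too short to judge
]

if __name__ == "__main__":
    for src, port, svc in audit_flows(SAMPLE_FLOWS):
        print(f"{src} -> port {port} (allowed as {svc}): AIM/OSCAR sign-on frame")
```

A check like this does not cover the web-proxy path mentioned in the reply, where the conversation is carried inside HTTP.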