Elsevier Digital Press

John W. Rittinghouse
James F. Ransome

IM Instant Messaging Security

Page 1 of 13

Samsung Exhibit 1025
Elsevier Digital Press
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
Linacre House, Jordan Hill, Oxford OX2 8DP, UK

Copyright © 2005, John W. Rittinghouse and James F. Ransome. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form or by any means, electronic, mechanical, photocopying,
recording, or otherwise, without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier's Science & Technology Rights
Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333,
e-mail: permissions@elsevier.com.uk. You may also complete your request on-line
via the Elsevier homepage (http://elsevier.com), by selecting “Customer Support”
and then “Obtaining Permissions.”

Recognizing the importance of preserving what has been written, Elsevier prints its
books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data
Application Submitted.
ISBN: 1-55558-338-5

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Elsevier Digital Press publications
visit our Web site at www.books.elsevier.com

05 06 07 08 09 10 9 8 7 6 5 4 3 2 1

Printed in the United States of America

Contents

List of Figures and Tables
Acknowledgments
Foreword

1 Introduction
  1.1 Purpose and Audience
  1.2 What to Expect from This Book
  1.3 What Is IM?
    1.3.1 IM and Its History
    1.3.2 IM as an Integrated Communications Platform
    1.3.3 Common IM Application Approaches
    1.3.4 Who Uses IM?
    1.3.5 What Are the Advantages of Using IM?
    1.3.6 What Are the Risks of Using IM?
  1.4 Summary
  1.5 Endnotes

2 How Does IM Work?
  2.1 High-Level View of IM
    2.1.1 The Presence Service
    2.1.2 The Instant Messaging Service
  2.2 Basic IM Features
  2.3 Enterprise Instant Messaging Considerations
    2.3.1 Operating System
    2.3.2 Database
    2.3.3 Directory Services
    2.3.4 Interoperability
    2.3.5 Schema Change Requirements
    2.3.6 Standards Based for Third-Party Support
    2.3.7 Compliance Management
    2.3.8 Remote Access
    2.3.9 Cost Considerations
  2.4 An Enterprise EIM Nightmare Scenario
  2.5 An Overview of Mobile and Wireless Instant Messaging
    2.5.1 What Is Mobile Instant Messaging?
    2.5.2 What Is Wireless Instant Messaging?
    2.5.3 Short Message Service
    2.5.4 Wireless Application Protocol
    2.5.5 General Packet Radio Service
    2.5.6 The Future of WIM
    2.5.7 The Future of MIM
  2.6 Selecting and Securing a WIM Solution
  2.7 Summary
  2.8 Endnotes

`
3 IM Standards and Protocols
  3.1 Extensible Messaging and Presence Protocol—RFC 2778
    3.1.1 Jabber and the IM Community
  3.2 Jabber Protocol and XMPP
    3.2.1 Architectural Design
  3.3 Instant Messaging/Presence Protocol—RFC 2779
  3.4 Session Initiation Protocol
    3.4.1 SIP Security
    3.4.2 Existing Security Features in the SIP Protocol
    3.4.3 Signaling Authentication Using HTTP Digest Authentication
    3.4.4 S/MIME Usage within SIP
    3.4.5 Confidentiality of Media Data in SIP
    3.4.6 TLS Usage within SIP
    3.4.7 IPsec Usage within SIP
    3.4.8 Security Enhancements for SIP
    3.4.9 SIP Authenticated Identity Body
    3.4.10 SIP Authenticated Identity Management
    3.4.11 SIP Security Agreement
    3.4.12 SIP End-to-Middle, Middle-to-Middle, Middle-to-End Security
    3.4.13 SIP Security Issues
  3.5 SIP for IM and Presence Leveraging Extensions
  3.6 The Future of IM Standards
  3.7 Endnotes

`
4 IM Malware
  4.1 Overview
    4.1.1 Instant Messaging Opens New Security Holes
    4.1.2 Legal Risk and Unregulated Instant Messaging
  4.2 The Use of IM as Malware
  4.3 What Is Malware?
    4.3.1 Viruses
    4.3.2 Worms
    4.3.3 Wabbits
    4.3.4 Trojan Horses
    4.3.5 Spyware
    4.3.6 Browser Hijackers
    4.3.7 Blended Threats
    4.3.8 Backdoors
    4.3.9 Exploits
    4.3.10 Rootkits
  4.4 How Is IM Used as Malware?
    4.4.1 As a Carrier
    4.4.2 As a Staging Center
    4.4.3 As a Vehicle for General Hacking
    4.4.4 As a Spy
    4.4.5 As a Zombie Machine
    4.4.6 As an Anonymizer
  4.5 Summary
  4.6 Endnotes

`
5 IM Security for Enterprise and Home 113
  5.1 How Can IM Be Used Safely in Corporate Settings? 116
    5.1.1 Understanding IM and Corporate Firewalls 116
    5.1.2 Understanding IM File Transfers and Corporate Firewalls 119
    5.1.3 Blocking and Proxying Instant Messaging 120
    5.1.4 IM Detection Tools 122
  5.2 Legal Risk and Corporate Governance 122
    5.2.1 Legal Issues with Monitoring IM Traffic 124
  5.3 Corporate IM Security Best Practices 124
    5.3.1 Start from the Firewall 125
    5.3.2 Consider the Desktop 125
    5.3.3 Install Patches to IM Software ASAP 126
    5.3.4 Enforce Client-Side IM Settings 126
    5.3.5 IM Proxy Gateways 126
    5.3.6 VPNs 127
    5.3.7 Antivirus 128
    5.3.8 Set up Containment Wards 128
    5.3.9 Secure Information with Encryption 129
    5.3.10 IM System Rules, Policies, and Procedures 130
    5.3.11 Monitor to Ensure IM Client Policy Compliance 131
  5.4 Security Risks and Solutions for Specific Public IM Clients 132
    5.4.1 MSN Messenger 132
    5.4.2 Yahoo! Messenger 137
    5.4.3 America Online Instant Messaging 145
    5.4.4 ICQ 153
    5.4.5 Beware of IM Third-Party Clients and Services 156
  5.5 Home IM Security Best Practices 158
  5.6 Summary 161
  5.7 Endnotes 161

6 IM Security Risk Management 165
  6.1 IM Is a Form of E-mail 165
  6.2 IM Security and the Law 166
  6.3 Cybersecurity and the Law 169
    6.3.1 The 1996 National Information Infrastructure Protection Act 170
    6.3.2 President's Executive Order on Critical Infrastructure Protection 170
    6.3.3 The USA Patriot Act of 2001 171
    6.3.4 The Homeland Security Act of 2002 175
  6.4 IM Must Be Managed as a Business Record 188
  6.5 IM Risk Management 189
  6.6 Summary 191
  6.7 Endnotes 191

7 The Business Value of IM 195
  7.1 Ubiquitous Presence and Workflow 195
  7.2 It’s All about Culture 200
  7.3 Overall ROI for IM 202
  7.4 The Choice Is Yours 204
  7.5 Endnotes
`

8 The Future of IM 207
  8.1 The Pervasive Network 209
  8.2 Peer-to-Peer Instant Messaging 211
  8.3 Peer-to-Application (the Human-Computer Interface) 211
  8.4 Machine-to-Machine (Application-to-Application) 212
  8.5 Jabber 214
  8.6 Security and Government Compliance 215
  8.7 The Business Impact 217
  8.8 Endnotes 218

A General Network Security 219
  A.1 Threats to Personal Privacy 220
  A.2 Fraud and Theft 220
  A.3 Internet Fraud 221
  A.4 Employee Sabotage 223
  A.5 Infrastructure Attacks 224
  A.6 Malicious Hackers 224
  A.7 Malicious Coders 225
  A.8 Industrial Espionage 225
  A.9 Social Engineering 228
    A.9.1 Educate Staff and Security Personnel 229
    A.9.2 Crafting Corporate Social Engineering Policy 231
    A.9.3 Prevention 232
    A.9.4 Audits 232
    A.9.5 Privacy Standards and Regulations 232
    A.9.6 NAIC Model Act 233
    A.9.7 Gramm-Leach-Bliley Act 234
    A.9.8 HIPAA 235
  A.10 Summary 237
  A.11 Endnotes 238
`
B Managing Access 241
  B.1 Access Control 241
    B.1.1 Purpose of Access Control 241
    B.1.2 Access Control Entities 242
    B.1.3 Fundamental Concepts of Access Control 242
    B.1.4 Access Control Criteria 244
    B.1.5 Access Control Models 244
    B.1.6 Uses of Access Control 249
    B.1.7 Access Control Administration Models 249
    B.1.8 Access Control Mechanisms 251
    B.1.9 Internal Access Controls 251
    B.1.10 Techniques Used to Bypass Access Controls 256
  B.2 Password Management 257
    B.2.1 Smart Cards 258
    B.2.2 Biometric Systems 258
    B.2.3 Characteristics of Good Passwords 258
    B.2.4 Password Cracking 259
    B.2.5 Windows NT L0phtCrack (LC4) 260
    B.2.6 Password Cracking for Self-Defense 260
    B.2.7 UNIX Crack 261
    B.2.8 John the Ripper 262
    B.2.9 Password Attack Countermeasures 263
  B.3 Physical Access 263
  B.4 Summary 263
  B.5 Endnotes 264

C Security Management Issues 265
`
  C.1 Organizational Security Management 266
    C.1.1 Perceptions of Security 266
    C.1.2 Placement of a Security Group in the Organization 266
    C.1.3 Security Organizational Structure 267
    C.1.4 Convincing Management of the Need 268
    C.1.5 Legal Responsibilities for Data Protection 268
    C.1.6 DHS Office of Private Sector Liaison 269
  C.2 Security Management Areas of Responsibility 269
    C.2.1 Awareness Programs 270
    C.2.2 Risk Analysis 271
    C.2.3 Incident Handling 272
    C.2.4 Alerts and Advisories 273
    C.2.5 Warning Banners 274
    C.2.6 Employee Termination Procedures 274
    C.2.7 Training 275
    C.2.8 Personnel Security 275
    C.2.9 Internet Use 276
    C.2.10 E-mail 276
    C.2.11 Sensitive Information 276
    C.2.12 System Security 277
    C.2.13 Physical Security 277
  C.3 Security Policies 278
  C.4 Basic Approach to Policy Development 278
    C.4.1 Identify What Needs Protection and Why 279
    C.4.2 Determine Likelihood of Threats 279
    C.4.3 Implement Protective Measures 280
    C.4.4 What Makes a Good Security Policy? 281
    C.4.5 Review and Assess Regularly 283
  C.5 Security Personnel 283
    C.5.1 Coping with Insider Threats 283
    C.5.2 How to Identify Competent Security Professionals 285
    C.5.3 How to Train and Certify Security Professionals 286
    C.5.4 Security-Related Job Descriptions 289
  C.6 Management of Security Professionals 295
    C.6.1 Organizational Infrastructure 295
    C.6.2 Reporting Relationships 296
    C.6.3 Working Relationships 297
    C.6.4 Accountability 297
  C.7 Summary 298
  C.8 Endnotes 298

D IM Policy Essentials 299
  D.1 ABC Inc. Information Security Acceptable Use Policy 300
  D.2 ABC Inc. E-mail/IM Use Policy 306
  D.3 ABC Inc. E-mail/IM Retention Policy 308

E Glossary, References, and Policy Issues 311
  E.1 IM Specific Glossary 311
  E.2 General Security Glossary 316
  E.3 References 342

Index 349
`
`
1.3 What Is IM?

1.3.1 IM and Its History
`
In our fast-paced world there are times when even the rapid response of e-mail is not fast enough. There is no way for you to know if the person you are sending e-mail to is online at that moment. This is one of the reasons why IM has gained popularity and acceptance and become a desired tool in the workplace. IM provides us with the ability to maintain a list of people, often called a buddy list or contact list, with whom we want or need to interact. IM monitors our list of people and their status of being online or offline. If they are online, we can send messages back and forth. Businesses today are increasingly viewing IM as an excellent productivity and communication tool that complements voice mail and e-mail. For there to be complete acceptance, there needs to be specific security, accountability, and uniformity among IM solution providers. There need to be policies that protect critical organizational interests and comply with federal mandates and regulations. Corporations want IM solutions that provide seamless security, full audit trails, identity controls, and administrative controls. Most corporations agree that message encryption is essential. There are three basic types of IM, as follows:

1. Public messaging
2. Enterprise messaging
3. Wireless messaging
`
In 1987, a computer scientist at MIT developed an instant-messaging program called Zephyr in order to provide a system that was faster than e-mail, which had begun to be bogged down, so that urgent messages regarding the school’s network and server could be received instantly in case, for example, the school’s network server was going down. Soon, students adopted Zephyr as a form of easy communication that could be used while they worked at their computers. This technology was quickly adopted by other universities, and the simple early warning system that Zephyr was originally designed to be was repurposed, becoming a popular tool of conversation and information exchange called IM. IM as we know it today was created in July 1996 by four young Israeli entrepreneurs. Yair Goldfinger, Arik Vardi, Sefi Vigiser, and Amnon Amir started a company called Mirabilis in order to introduce a new way of communication over the Internet. They created a technology that would enable Internet users to locate each other online on the Internet and create peer-to-peer communication channels easily. They called their technology ICQ (I seek you) and released it in November 1996. Within six months, 850,000 users had been registered by Mirabilis. By June 1997, Mirabilis was able to handle 100,000 concurrent users and had become the world’s largest Internet communications network. Mirabilis and ICQ were acquired by America Online, Inc., in June 1998 for $287 million. AOL had also created its own Instant Messenger system. By that time, Microsoft had created its own IM client and service, MSN Messenger, and another Internet heavyweight, Yahoo!, created one as well. Because IM services evolved from proprietary systems created by companies to make a profit, their systems remain unable to interoperate because of the desire to control the IM market. AOL and ICQ, even though owned by the same company, are not interoperable. ICQ currently has two clients: ICQ4 Lite Edition with Xtraz (Figure 1.1) and ICQ Pro (Figure 1.2) [5,6].

[Figure 1.2: ICQ Pro client (screenshot not reproduced)]

The AOL and ICQ clients cannot communicate with one another, and AOL maintains both systems and market dominance in the IM field. All this may change soon. Conditions of the AOL—Time Warner merger required AOL to open up its IM systems [7]. In its analysis of IM, the FCC concluded that the merger would combine an essential input of AOL’s dominant IM service and future IM-based services—chiefly, the Names and Presence Directory (NPD)—with assets of Time Warner, including its cable facilities and Road Runner ISP. An IM provider’s NPD consists of a database of its users’ unique IM names, their Internet addresses, and a “presence detection” function, which indicates to the provider that a certain user is online and allows the provider to alert others to this information. The FCC noted that these features created a market with strong network effects. AOL, with by far the largest NPD, resisted making its IM services interoperable with other providers’ services. The merger brought Time Warner’s cable Internet platform and content library under AOL’s control and gave AOL Time Warner a significant and anticompetitive first-mover advantage in the market for advanced, IM-based high-speed services (AIHS). Potential AIHS applications include those using streaming video (lengthy, high-quality, one- or two-way video). The merger would frustrate the objectives of the Communications Act by preventing the emergence of a competitive and innovative market for advanced, IM-based services. This would violate key Communications Act principles, including the further development of healthy competition in the Internet and interactive services arena. The FCC did not establish an interoperability protocol. Rather, the FCC’s remedy requires AOL Time Warner to follow a protocol developed by the industry or to create a protocol with other IM providers pursuant to contracts. Thus, the FCC did not create and will not review an Internet protocol.

The FCC imposed an “IM condition” on the merger to avert market harm now so that it would not be required to regulate IM in the future. Given AOL Time Warner’s likely domination of the potentially competitive business of new, IM-based services, especially advanced, IM-based high-speed services applications, the FCC ruled that AOL Time Warner may not offer any AIHS streaming video applications that use a Names and Presence Directory (NPD) over the Internet via AOL Time Warner broadband facilities until the company demonstrates that it has satisfied one of three pro-competitive options filed by the FCC. AOL Time Warner must file a progress report with the FCC 180 days from the release date of the order and every 180 days thereafter, describing in technical depth the actions it has taken to achieve interoperability of its IM offerings and other offerings. These reports will be placed on public notice for comment. The IM condition was set to sunset five years after the release of the order.

AOL Time Warner was directed to show that it had implemented an industry-wide standard for server-to-server interoperability. AOL Time Warner had to show that it had entered into a contract for server-to-server interoperability with at least one significant, unaffiliated provider of NPD-based services within 180 days of executing the first contract. AOL Time Warner also had to show that it entered into two additional contracts with significant, unaffiliated, actual or potential competing providers. AOL Time Warner was given the opportunity to seek relief by showing by clear and convincing evidence that this condition no longer serves the public interest, convenience, or necessity because there has been a material change in circumstances.

Since the FCC ruling, several competing companies have joined together to advocate an IM protocol similar to those that allow the interoperability of e-mail systems. Other companies have taken a different approach rather than wait for an agreed-upon standard. Jabber is one company that has created a client program capable of communicating with various IM systems. In less than two decades, the concept of IM has become an international tool of communication.
`
1.3.2 IM as an Integrated Communications Platform
`
The IM platform can be the basis for true integrated communications by incorporating additional technology (such as extending it into the wireless realm with mobile phones and personal digital assistants [PDAs]) or by adding other means of communication (such as voice chat or video chat). With the addition of IP telephony (VoIP) capability, the messaging service can even extend to telephony, making it possible to communicate with anyone at any time. It can be used as a personal communications portal to create a single point of contact for all methods of communication, allowing a user to initiate any kind of communication from one place, using a single contact list. Using IM as an integrated communications platform allows for one-click communication. Instead of having to run through a list of home, office, mobile, and pager numbers and e-mail addresses, someone trying to reach another person can simply click on that person’s name. It also enables users to control how others communicate with them. If they prefer that calls go to their mobile phones when they are away from the office, they can set their profile so that the system directs calls that way. The system would route communications according to that person’s preferences. When additional features such as integrated communications, reachability, and communications profiles are part of IM, the market for IM will increase from personal to professional use, creating better business markets for messaging services and making these services more of a revenue-generating opportunity for service providers [8].
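As an added illustration (not code from the book or from any IM product), the following Python model ties together the two mechanisms described in 1.3.1 and 1.3.2: a names-and-presence directory that tracks each contact's online, away or offline status, a contact (buddy) list, and a routing step that picks whichever channel a user has configured for their current status, so that "clicking a name" resolves to the right address. It goes slightly beyond the text in two ways the book itself lists among corporate requirements: presence is only disclosed to users who have that contact on their list, and every routing decision, including refusals, is written to an audit trail. All users, addresses, channel names and preference rules below are constructed sample data.

```python
"""Toy presence directory with preference-based routing.
Added illustration, not code from the book or any IM product; every
user, address and rule below is constructed sample data."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Profile:
    """One user's presence record plus the reachability preferences the
    integrated platform routes on.  `channels` maps a channel name to an
    address; `prefs` lists, per status, the channels to try in order.
    Both structures are assumptions made for this example."""
    name: str
    status: str = "offline"                       # "online" | "away" | "offline"
    channels: Dict[str, str] = field(default_factory=dict)
    prefs: Dict[str, List[str]] = field(default_factory=dict)


class PresenceDirectory:
    """Names-and-presence directory: IM name -> profile, plus each user's
    contact (buddy) list and an audit trail of routing decisions."""

    def __init__(self) -> None:
        self._profiles: Dict[str, Profile] = {}
        self._buddies: Dict[str, Set[str]] = {}
        self.audit: List[str] = []

    def register(self, profile: Profile) -> None:
        self._profiles[profile.name] = profile
        self._buddies.setdefault(profile.name, set())

    def add_buddy(self, owner: str, contact: str) -> None:
        if contact not in self._profiles:
            raise KeyError(f"unknown IM name: {contact}")
        self._buddies[owner].add(contact)

    def set_status(self, name: str, status: str) -> None:
        self._profiles[name].status = status

    def visible_status(self, viewer: str, contact: str) -> Optional[str]:
        """Presence is disclosed only to users who list the contact.
        Anyone else gets None rather than 'offline', so the directory does
        not reveal whether the name even exists."""
        if contact not in self._buddies.get(viewer, set()):
            return None
        return self._profiles[contact].status

    def route(self, sender: str, contact: str) -> Optional[str]:
        """One-click reach: return 'channel:address' for the first channel
        the contact prefers in their current status, or None.  Every
        decision, including refusals, is appended to the audit trail."""
        if contact not in self._buddies.get(sender, set()):
            self.audit.append(f"DENY {sender}->{contact}: not on contact list")
            return None
        p = self._profiles[contact]
        for chan in p.prefs.get(p.status, []):
            if chan in p.channels:
                target = f"{chan}:{p.channels[chan]}"
                self.audit.append(f"ROUTE {sender}->{contact} via {target} [{p.status}]")
                return target
        self.audit.append(f"NOROUTE {sender}->{contact}: nothing configured for {p.status}")
        return None


def demo() -> Dict[str, Optional[str]]:
    """Walk one contact through online -> away -> offline and record where
    a message to them would be routed at each step."""
    d = PresenceDirectory()
    d.register(Profile(
        "alice",
        channels={"im": "alice@example.test", "mobile": "+1-555-0100",
                  "email": "alice@example.test"},
        prefs={"online": ["im", "email"], "away": ["mobile", "email"],
               "offline": ["email"]}))
    d.register(Profile("bob", channels={"im": "bob@example.test"},
                       prefs={"online": ["im"]}))
    d.add_buddy("bob", "alice")           # bob lists alice; alice does not list bob

    out: Dict[str, Optional[str]] = {}
    for status in ("online", "away", "offline"):
        d.set_status("alice", status)
        out[status] = d.route("bob", "alice")
    out["not_listed"] = d.route("alice", "bob")              # refused and audited
    out["seen_by_bob"] = d.visible_status("bob", "alice")    # "offline"
    out["seen_by_alice"] = d.visible_status("alice", "bob")  # None: bob not on her list
    out["audit_entries"] = str(len(d.audit))
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>14}: {v}")
```

The routing rule is deliberately the contact's own, not the sender's: the person being reached decides where a call or message lands in each state, which is the "control how others communicate with them" behaviour the passage describes. The `None` returned for a non-listed viewer is the same check a presence service needs so that status is not leaked to anyone who merely knows a name.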
`