Elsevier Digital Press

John W. Rittinghouse
James F. Ransome

Elsevier Digital Press
30 Corporate Drive, Suite 400, Burlington, MA 01803, USA
Linacre House, Jordan Hill, Oxford OX2 8DP, UK

Copyright © 2005, John W. Rittinghouse and James F. Ransome. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher.

Permissions may be sought directly from Elsevier's Science & Technology Rights Department in Oxford, UK: phone: (+44) 1865 843830, fax: (+44) 1865 853333, e-mail: permissions@elsevier.com.uk. You may also complete your request on-line via the Elsevier homepage (http://elsevier.com), by selecting "Customer Support" and then "Obtaining Permissions."

Recognizing the importance of preserving what has been written, Elsevier prints its books on acid-free paper whenever possible.

Library of Congress Cataloging-in-Publication Data
Application Submitted.

ISBN: 1-55558-338-5

British Library Cataloguing-in-Publication Data
A catalogue record for this book is available from the British Library.

For information on all Elsevier Digital Press publications visit our Web site at www.books.elsevier.com

05 06 07 08 09 10 9 8 7 6 5 4 3 2 1

Printed in the United States of America

Contents

List of Figures and Tables   xiii
Acknowledgments   xv
Foreword   xvii

1 Introduction   1
  1.1 Purpose and Audience   2
  1.2 What to Expect from This Book   2
  1.3 What Is IM?   3
    1.3.1 IM and Its History   3
    1.3.2 IM as an Integrated Communications Platform   6
    1.3.3 Common IM Application Approaches   7
    1.3.4 Who Uses IM?   7
    1.3.5 What Are the Advantages of Using IM?   11
    1.3.6 What Are the Risks of Using IM?   15
  1.4 Summary   27
  1.5 Endnotes   27

2 How Does IM Work?   31
  2.1 High-Level View of IM   31
    2.1.1 The Presence Service   32
    2.1.2 The Instant Messaging Service   38
  2.2 Basic IM Features   40
  2.3 Enterprise Instant Messaging Considerations   42
    2.3.1 Operating System   42
    2.3.2 Database   43
    2.3.3 Directory Services   43
    2.3.4 Interoperability   43
    2.3.5 Schema Change Requirements   43
    2.3.6 Standards Based for Third-Party Support   44
    2.3.7 Compliance Management   44
    2.3.8 Remote Access   44
    2.3.9 Cost Considerations   44
  2.4 An Enterprise EIM Nightmare Scenario   45
  2.5 An Overview of Mobile and Wireless Instant Messaging   46
    2.5.1 What Is Mobile Instant Messaging?   46
    2.5.2 What Is Wireless Instant Messaging?   47
    2.5.3 Short Message Service   47
    2.5.4 Wireless Application Protocol   47
    2.5.5 General Packet Radio Service   48
    2.5.6 The Future of WIM   48
    2.5.7 The Future of MIM   49
  2.6 Selecting and Securing a WIM Solution   49
  2.7 Summary   51
  2.8 Endnotes   52

3 IM Standards and Protocols   53
  3.1 Extensible Messaging and Presence Protocol-RFC 2778   53
    3.1.1 Jabber and the IM Community   57
  3.2 Jabber Protocol and XMPP   58
    3.2.1 Architectural Design   59
  3.3 Instant Messaging/Presence Protocol-RFC 2779   65
  3.4 Session Initiation Protocol   66
    3.4.1 SIP Security   68
    3.4.2 Existing Security Features in the SIP Protocol   69
    3.4.3 Signaling Authentication Using HTTP Digest Authentication   69
    3.4.4 S/MIME Usage within SIP   69
    3.4.5 Confidentiality of Media Data in SIP   70
    3.4.6 TLS Usage within SIP   70
    3.4.7 IPsec Usage within SIP   71
    3.4.8 Security Enhancements for SIP   71
    3.4.9 SIP Authenticated Identity Body   71
    3.4.10 SIP Authenticated Identity Management   71
    3.4.11 SIP Security Agreement   72
    3.4.12 SIP End-to-Middle, Middle-to-Middle, Middle-to-End Security   73
    3.4.13 SIP Security Issues   73
  3.5 SIP for IM and Presence Leveraging Extensions   75
  3.6 The Future of IM Standards   76
  3.7 Endnotes   78

4 IM Malware   81
  4.1 Overview   81
    4.1.1 Instant Messaging Opens New Security Holes   83
    4.1.2 Legal Risk and Unregulated Instant Messaging   85
  4.2 The Use of IM as Malware   86
  4.3 What Is Malware?   87
    4.3.1 Viruses   88
    4.3.2 Worms   88
    4.3.3 Wabbits   88
    4.3.4 Trojan Horses   89
    4.3.5 Spyware   90
    4.3.6 Browser Hijackers   90
    4.3.7 Blended Threats   91
    4.3.8 Backdoors   91
    4.3.9 Exploits   93
    4.3.10 Rootkits   93
  4.4 How Is IM Used as Malware?   95
    4.4.1 As a Carrier   96
    4.4.2 As a Staging Center   99
    4.4.3 As a Vehicle for General Hacking   100
    4.4.4 As a Spy   104
    4.4.5 As a Zombie Machine   107
    4.4.6 As an Anonymizer   109
  4.5 Summary   111
  4.6 Endnotes   111

5 IM Security for Enterprise and Home   113
  5.1 How Can IM Be Used Safely in Corporate Settings?   116
    5.1.1 Understanding IM and Corporate Firewalls   116
    5.1.2 Understanding IM File Transfers and Corporate Firewalls   119
    5.1.3 Blocking and Proxying Instant Messaging   120
    5.1.4 IM Detection Tools   122
  5.2 Legal Risk and Corporate Governance   122
    5.2.1 Legal Issues with Monitoring IM Traffic   124
  5.3 Corporate IM Security Best Practices   124
    5.3.1 Start from the Firewall   125
    5.3.2 Consider the Desktop   125
    5.3.3 Install Patches to IM Software ASAP   126
    5.3.4 Enforce Client-Side IM Settings   126
    5.3.5 IM Proxy Gateways   126
    5.3.6 VPNs   127
    5.3.7 Antivirus   128
    5.3.8 Set up Containment Wards   128
    5.3.9 Secure Information with Encryption   129
    5.3.10 IM System Rules, Policies, and Procedures   130
    5.3.11 Monitor to Ensure IM Client Policy Compliance   131
  5.4 Security Risks and Solutions for Specific Public IM Clients   132
    5.4.1 MSN Messenger   132
    5.4.2 Yahoo! Messenger   137
    5.4.3 America Online Instant Messaging   145
    5.4.4 ICQ   153
    5.4.5 Beware of IM Third-Party Clients and Services   156
  5.5 Home IM Security Best Practices   158
  5.6 Summary   161
  5.7 Endnotes   161

6 IM Security Risk Management   165
  6.1 IM Is a Form of E-mail   165
  6.2 IM Security and the Law   166
  6.3 Cybersecurity and the Law   169
    6.3.1 The 1996 National Information Infrastructure Protection Act   170
    6.3.2 President's Executive Order on Critical Infrastructure Protection   170
    6.3.3 The USA Patriot Act of 2001   171
    6.3.4 The Homeland Security Act of 2002   175
  6.4 IM Must Be Managed as a Business Record   188
  6.5 IM Risk Management   189
  6.6 Summary   191
  6.7 Endnotes   191

7 The Business Value of IM   195
  7.1 Ubiquitous Presence and Workflow   195
  7.2 It's All about Culture   200
  7.3 Overall ROI for IM   202
  7.4 The Choice Is Yours   204
  7.5 Endnotes   205

8 The Future of IM   207
  8.1 The Pervasive Network   209
  8.2 Peer-to-Peer Instant Messaging   211
  8.3 Peer-to-Application (the Human-Computer Interface)   211
  8.4 Machine-to-Machine (Application-to-Application)   212
  8.5 Jabber   214
  8.6 Security and Government Compliance   215
  8.7 The Business Impact   217
  8.8 Endnotes   218

A General Network Security   219
  A.1 Threats to Personal Privacy   220
  A.2 Fraud and Theft   220
  A.3 Internet Fraud   221
  A.4 Employee Sabotage   223
  A.5 Infrastructure Attacks   224
  A.6 Malicious Hackers   224
  A.7 Malicious Coders   225
  A.8 Industrial Espionage   225
  A.9 Social Engineering   228
    A.9.1 Educate Staff and Security Personnel   229
    A.9.2 Crafting Corporate Social Engineering Policy   231
    A.9.3 Prevention   232
    A.9.4 Audits   232
    A.9.5 Privacy Standards and Regulations   232
    A.9.6 NAIC Model Act   233
    A.9.7 Gramm-Leach-Bliley Act   234
    A.9.8 HIPAA   235
  A.10 Summary   237
  A.11 Endnotes   238

B Managing Access   241
  B.1 Access Control   241
    B.1.1 Purpose of Access Control   241
    B.1.2 Access Control Entities   242
    B.1.3 Fundamental Concepts of Access Control   242
    B.1.4 Access Control Criteria   244
    B.1.5 Access Control Models   244
    B.1.6 Uses of Access Control   249
    B.1.7 Access Control Administration Models   249
    B.1.8 Access Control Mechanisms   251
    B.1.9 Internal Access Controls   251
    B.1.10 Techniques Used to Bypass Access Controls   256
  B.2 Password Management   257
    B.2.1 SmartCards   258
    B.2.2 Biometric Systems   258
    B.2.3 Characteristics of Good Passwords   258
    B.2.4 Password Cracking   259
    B.2.5 Windows NT L0phtCrack (LC4)   260
    B.2.6 Password Cracking for Self-Defense   260
    B.2.7 UNIX Crack   261
    B.2.8 John the Ripper   262
    B.2.9 Password Attack Countermeasures   263
  B.3 Physical Access   263
  B.4 Summary   263
  B.5 Endnotes   264

C Security Management Issues   265
  C.1 Organizational Security Management   266
    C.1.1 Perceptions of Security   266
    C.1.2 Placement of a Security Group in the Organization   266
    C.1.3 Security Organizational Structure   267
    C.1.4 Convincing Management of the Need   268
    C.1.5 Legal Responsibilities for Data Protection   268
    C.1.6 DHS Office of Private Sector Liaison   269
  C.2 Security Management Areas of Responsibility   269
    C.2.1 Awareness Programs   270
    C.2.2 Risk Analysis   271
    C.2.3 Incident Handling   272
    C.2.4 Alerts and Advisories   273
    C.2.5 Warning Banners   274
    C.2.6 Employee Termination Procedures   274
    C.2.7 Training   275
    C.2.8 Personnel Security   275
    C.2.9 Internet Use   276
    C.2.10 E-mail   276
    C.2.11 Sensitive Information   276
    C.2.12 System Security   277
    C.2.13 Physical Security   277
  C.3 Security Policies   278
  C.4 Basic Approach to Policy Development   278
    C.4.1 Identify What Needs Protection and Why   279
    C.4.2 Determine Likelihood of Threats   279
    C.4.3 Implement Protective Measures   280
    C.4.4 What Makes a Good Security Policy?   281
    C.4.5 Review and Assess Regularly   283
  C.5 Security Personnel   283
    C.5.1 Coping with Insider Threats   283
    C.5.2 How to Identify Competent Security Professionals   285
    C.5.3 How to Train and Certify Security Professionals   286
    C.5.4 Security-Related Job Descriptions   289
  C.6 Management of Security Professionals   295
    C.6.1 Organizational Infrastructure   295
    C.6.2 Reporting Relationships   296
    C.6.3 Working Relationships   297
    C.6.4 Accountability   297
  C.7 Summary   298
  C.8 Endnotes   298

D IM Policy Essentials   299
  D.1 ABC Inc. Information Security Acceptable Use Policy   300
  D.2 ABC Inc. E-mail/IM Use Policy   306
  D.3 ABC Inc. E-mail/IM Retention Policy   308

E Glossary, References, and Policy Issues   311
  E.1 IM Specific Glossary   311
  E.2 General Security Glossary   316
  E.3 References   342

Index   349

1.3 What Is IM?

1.3.1 IM and Its History

In our fast-paced world there are times when even the rapid response of e-mail is not fast enough. There is no way for you to know if the person you are sending e-mail to is online at that moment. This is one of the reasons why IM has gained popularity and acceptance and become a desired tool in the workplace. IM provides us with the ability to maintain a list of people, often called a buddy list or contact list, whom we want or need to interact with. IM monitors our list of people and their status of being online or offline. If they are online, we can send messages back and forth. Businesses today are increasingly viewing IM as an excellent productivity and communication tool that complements voice mail and e-mail. In order for there to be complete acceptance, there needs to be specific security, accountability, and uniformity among IM solution providers. There need to be policies that protect critical organizational interests and comply with federal mandates and regulations. Corporations want IM solutions that provide seamless security, full audit trails, identity controls, and administrative controls. Most corporations agree that message encryption is essential.

There are three basic types of IM, as follows:

1. Public messaging
2. Enterprise messaging
3. Wireless messaging

In 1987, a computer scientist at MIT developed an instant-messaging program called Zephyr in order to provide a system that was faster than e-mail, which had begun to be bogged down, so that urgent messages regarding the school's network and server could be received instantly in case, for example, the school's network server was going down. Soon, students adopted Zephyr as a form of easy communication that could be used while they worked at their computers. This technology was quickly adopted by other universities, and the simple early warning system that Zephyr was originally designed to be was repurposed, becoming a popular tool of conversation and information exchange called IM. IM as we know it today was created in July 1996 by four young Israeli entrepreneurs. Yair Goldfinger, Arik Vardi, Sefi Vigiser, and Amnon Amir started a company called Mirabilis in order to introduce a new way of communication over the Internet. They created a technology that would enable Internet users to locate each other online on the Internet and create peer-to-peer communication channels easily. They called their technology ICQ (I seek you) and released it in November 1996. Within six months, 850,000 users had been registered by Mirabilis. By June 1997, Mirabilis was able to handle 100,000 concurrent users and had become the world's largest Internet communications network. Mirabilis and ICQ were acquired by America Online, Inc., in June 1998 for $287 million. AOL had also created its own Instant Messenger system. By that time, Microsoft had created its own IM client and service, MSN Messenger, and another Internet heavyweight, Yahoo!, created one as well. Because IM services evolved from proprietary systems created by companies to make a profit, their systems remain unable to interoperate because of the desire to control the IM market. AOL and ICQ, even though owned by the same company, are not interoperable. ICQ currently has two clients: ICQ4 Lite Edition with Xtraz (Figure 1.1) and ICQPro™ (Figure 1.2) [5,6].

The AOL and ICQ clients cannot communicate with one another, and AOL maintains both systems and market dominance in the IM field. All this may change soon. Conditions of the AOL-Time Warner merger required AOL to open up its IM systems [7]. In its analysis of IM, the FCC concluded that the merger would combine an essential input of AOL's dominant IM service and future IM-based services, chiefly the Names and Presence Directory (NPD), with assets of Time Warner, including its cable facilities and Road Runner ISP. An IM provider's NPD consists of a database of its users' unique IM names, their Internet addresses, and a "presence detection" function, which indicates to the provider that a certain user is online and allows the provider to alert others to this information. The FCC noted that these features created a market with strong network effects. AOL, with by far the largest NPD, resisted making its IM services interoperable with other providers' services. The merger brought Time Warner's cable Internet platform and content library under AOL's control and gave AOL Time Warner a significant and anticompetitive first-mover advantage in the market for advanced, IM-based high-speed services (AIHS). Potential AIHS applications include those using streaming video (lengthy, high-quality, one- or two-way video). The merger would frustrate the objectives of the Communications Act by preventing the emergence of a competitive and innovative market for advanced, IM-based services. This would violate key Communications Act principles, including the further development of healthy competition in the Internet and interactive services arena. The FCC did not establish an interoperability protocol. Rather, the FCC's remedy requires AOL Time Warner to follow a protocol developed by the industry or to create a protocol with other IM providers pursuant to contracts. Thus, the FCC did not create and will not review an Internet protocol.

Figure 1.2 ICQ™Pro.

The FCC imposed an "IM condition" on the merger to avert market harm now so that it would not be required to regulate IM in the future. Given AOL Time Warner's likely domination of the potentially competitive business of new, IM-based services, especially advanced, IM-based high-speed services applications, the FCC ruled that AOL Time Warner may not offer any AIHS streaming video applications that use a Names and Presence Directory (NPD) over the Internet via AOL Time Warner broadband facilities until the company demonstrates that it has satisfied one of three pro-competitive options filed by the FCC. AOL Time Warner must file a progress report with the FCC 180 days from the release date of the order and every 180 days thereafter, describing in technical depth the actions it has taken to achieve interoperability of its IM offerings and other offerings. These reports will be placed on public notice for comment. The IM condition was set to sunset five years after the release of the order.

AOL Time Warner was directed to show that it had implemented an industry-wide standard for server-to-server interoperability. AOL Time Warner had to show that it had entered into a contract for server-to-server interoperability with at least one significant, unaffiliated provider of NPD-based services within 180 days of executing the first contract. AOL Time Warner also had to show that it entered into two additional contracts with significant, unaffiliated, actual or potential competing providers. AOL Time Warner was given the opportunity to seek relief by showing by clear and convincing evidence that this condition no longer serves the public interest, convenience, or necessity because there has been a material change in circumstances.

Since the FCC ruling, several competing companies have joined together to advocate an IM protocol similar to those that allow the interoperability of e-mail systems. Other companies have taken a different approach rather than wait for an agreed-upon standard. Jabber is one company that has created a client program capable of communicating with various IM systems. In less than two decades, the concept of IM has become an international tool of communication.

1.3.2 IM as an Integrated Communications Platform

The IM platform can be the basis for true integrated communications by incorporating additional technology (such as extending it into the wireless realm with mobile phones and personal digital assistants [PDAs]) or by adding other means of communication (such as voice chat or video chat). With the addition of IP telephony (VoIP) capability, the messaging service can even extend to telephony, making it possible to communicate with anyone at any time. It can be used as a personal communications portal to create a single point of contact for all methods of communication, allowing a user to initiate any kind of communication from one place, using a single contact list. Using IM as an integrated communications platform allows for one-click communication. Instead of having to run through a list of home, office, mobile, and pager numbers and e-mail addresses, someone trying to reach another person can simply click on that person's name. It also enables users to control how others communicate with them. If they prefer that calls go to their mobile phones when they are away from the office, they can set their profile so that the system directs calls that way. The system would route communications according to that person's preferences. When additional features such as integrated communications, reachability, and communications profiles are part of IM, the market for IM will increase from personal to professional use, creating better business markets for messaging services and making these services more of a revenue-generating opportunity for service providers [8].