The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>Chat Clients and Network Security</h2>

Date: Wednesday, June 21, 2000
<p>
The CERT/CC has received reports and inquiries regarding the security
issues inherent in the use of chat clients.
<p>
Internet chat applications, such as instant messaging applications
and Internet Relay Chat (IRC) networks, provide a mechanism for
information to be transmitted between computers within a network and
computers at remote sites across network borders in both
directions. Chat clients give groups of individuals the means to
exchange dialog, Web URLs, and in many cases, files of any type. As
with any similar networked application (e.g., email), chat
applications pose security risks when used in a networked environment.
<p>
The security model of chat clients is one that relies on each end-user
to make independent security decisions rather than relying on a
central enforceable security policy. The result is a broader base of
exposure to risk across a network with less central control, making
security policies that allow chat client usage difficult to implement
and enforce.
<p>
There are several general security issues network and system
administrators can consider when evaluating security policies and the
use of chat clients.
<p>
<ul>
<li>Software flaws, such as buffer overflows or insecure
    configurations, may be present in client software and may provide
    a means for remote users to initiate attacks that execute code on
    internal systems. The configuration of chat software should be
    reviewed; check security settings and ensure that known security
    issues have been addressed with workarounds or patches.
</li>
<li>Social engineering attacks may entice users into taking insecure
    actions, such as communicating sensitive information to
    outsiders or executing untrusted software. Users should be
    aware of the potential for social engineering attacks and
    use caution in releasing information and executing untrusted
    software.
</li>
<li>Information, including passwords, may be passed across untrusted
    networks (both domestic and international) in clear text, making
    it subject to interception. Strong encryption, if available,
    should be used to secure sensitive communications.
</li>
<li>For sensitive communications, it may be difficult to strongly
    authenticate the identity of remote parties using only the
    information provided by most chat clients. Strong authentication,
    if available, should be used to establish trusted communications.
</li>
<li>Attacks involving Trojan horse programs have been known to
    leverage chat networks to enable intruders to coordinate the
    actions of compromised computers in attacks against other Internet
    sites.
</li>
</ul>
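<p>
The clear-text exposure described in the third item above is easy to see on the wire. The following is an added example, not part of the CERT note: it parses client-to-server IRC messages in the RFC 1459 line format and picks out the places where a password travels in the clear. The capture it reads is constructed for the example; the <code>PASS</code> and <code>OPER</code> commands are defined by RFC 1459, while <code>IDENTIFY</code> sent to a <code>NickServ</code> nickname is a common services convention rather than part of the protocol.
</p>

```python
"""Parse IRC client messages (RFC 1459 line format) and flag credentials
sent in clear text.

Added example; SAMPLE_CAPTURE below is constructed, not taken from any
real session or from the CERT note.
"""
from typing import List, NamedTuple, Optional, Tuple


class IrcMessage(NamedTuple):
    prefix: Optional[str]   # optional ":nick!user@host" or ":server" prefix
    command: str            # e.g. "PRIVMSG", "PASS", "JOIN"
    params: List[str]       # middle parameters plus the ":trailing" text, if any


def parse_irc_line(line: str) -> IrcMessage:
    """Split one IRC line into prefix, command and parameters.

    Grammar (RFC 1459 section 2.3.1):
        [':' prefix SPACE] command {SPACE middle} [SPACE ':' trailing]
    """
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    words = head.split()
    if not words:
        raise ValueError("empty IRC message")
    command, params = words[0].upper(), words[1:]
    if sep:
        params.append(trailing)   # trailing parameter may contain spaces
    return IrcMessage(prefix, command, params)


# Nicknames of network services that accept passwords in PRIVMSG text.
# Assumption: these names follow the common NickServ/ChanServ convention.
SERVICES_NICKS = {"nickserv", "chanserv"}


def find_cleartext_secrets(capture: str) -> List[Tuple[str, str]]:
    """Return (where, secret) pairs for every password visible in the capture."""
    found: List[Tuple[str, str]] = []
    for raw in capture.splitlines():
        if not raw.strip():
            continue
        msg = parse_irc_line(raw)
        if msg.command == "PASS" and msg.params:
            # Server connection password (RFC 1459 4.1.1)
            found.append(("PASS", msg.params[0]))
        elif msg.command == "OPER" and len(msg.params) >= 2:
            # Operator login: OPER <name> <password> (RFC 1459 4.1.5)
            found.append(("OPER " + msg.params[0], msg.params[1]))
        elif (msg.command == "PRIVMSG" and len(msg.params) >= 2
              and msg.params[0].lower() in SERVICES_NICKS):
            words = msg.params[1].split()
            # IDENTIFY <password> or IDENTIFY <nick> <password>; last word is the secret
            if len(words) >= 2 and words[0].upper() == "IDENTIFY":
                found.append((msg.params[0] + " IDENTIFY", words[-1]))
    return found


# Constructed client-to-server traffic from one hypothetical session.
SAMPLE_CAPTURE = """\
PASS serverpass
NICK alice
USER alice 0 * :Alice Example
PRIVMSG NickServ :IDENTIFY hunter2
JOIN #ops
PRIVMSG #ops :meeting moved to 10:30
OPER alice op3rpass
"""

if __name__ == "__main__":
    for where, secret in find_cleartext_secrets(SAMPLE_CAPTURE):
        print(f"{where}: {secret!r} sent in clear text")
```

<p>
Anyone positioned on the path (an untrusted ISP, a shared LAN segment) sees exactly these strings; the same parser run over a real packet capture recovers them just as easily, which is the reason the note recommends strong encryption where the client offers it.
</p>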
<p>
A general security practice for system configuration is to disable all
services that are not needed. The same concept can be applied to
network configuration. Unless the services provided by chat clients
are needed in your environment, we encourage you to consider
disabling chat client functionality on your network.
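<p>
Whether the goal is to enforce a policy that disables chat, or to find the compromised machines described in the last list item that use a chat network for coordination, the first step is the same: find internal hosts opening outbound connections to chat servers. The following is an added example, not code from the CERT note. It audits connection records for outbound TCP traffic to the ports IRC servers commonly listen on (194 is the IANA-registered IRC port; 6660-6669 and 7000 are the ports servers commonly use). The record format and the internal address range are assumptions for the example, and the records themselves are constructed.
</p>

```python
"""Audit connection records for outbound IRC traffic from internal hosts.

Added example. The record format ("timestamp src:sport > dst:dport proto"),
the internal address range and the sample records are all constructed
assumptions, not a real log or a real network.
"""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Set

# Assumption: the site's internal address space.
INTERNAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]

# 194 is IANA-registered for IRC; 6660-6669 and 7000 are commonly used.
IRC_PORTS: Set[int] = set(range(6660, 6670)) | {194, 7000}

# Constructed records in the assumed "timestamp src:sport > dst:dport proto" form.
SAMPLE_RECORDS = """\
2000-06-21T09:02:11 192.168.4.17:1043 > 203.0.113.9:6667 TCP
2000-06-21T09:02:15 192.168.4.17:1044 > 203.0.113.9:80 TCP
2000-06-21T09:10:40 192.168.7.30:2210 > 198.51.100.22:6669 TCP
2000-06-21T09:11:05 203.0.113.9:6667 > 192.168.4.17:1043 TCP
2000-06-21T23:58:03 192.168.7.30:2298 > 198.51.100.22:6669 TCP
2000-06-21T23:59:41 192.168.7.30:2301 > 198.51.100.40:7000 TCP
2000-06-22T00:04:00 192.168.2.5:1500 > 192.168.2.9:6667 TCP
"""

RECORD_RE = re.compile(r"^(\S+) (\S+):(\d+) > (\S+):(\d+) (\w+)$")


def is_internal(addr: str) -> bool:
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def outbound_irc(records: str) -> Dict[str, Set[str]]:
    """Map each internal source host to the external IRC endpoints it reached.

    Only TCP records whose destination port is an IRC port, whose source is
    internal and whose destination is external count; replies from the server
    and internal-to-internal chatter are ignored.
    """
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in records.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue   # unparseable record: skip rather than guess
        _ts, src, _sport, dst, dport, proto = m.groups()
        if proto != "TCP" or int(dport) not in IRC_PORTS:
            continue
        if is_internal(src) and not is_internal(dst):
            hits[src].add(f"{dst}:{dport}")
    return dict(hits)


def report(records: str) -> List[str]:
    """One line per offending internal host, busiest (most endpoints) first."""
    hits = outbound_irc(records)
    ordered = sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [f"{host} -> {', '.join(sorted(eps))}" for host, eps in ordered]


if __name__ == "__main__":
    for line in report(SAMPLE_RECORDS):
        print(line)
```

<p>
A host on this list is either a user running a chat client against policy or a machine that has been trojaned and is checking in to a chat network on its own; the two look identical in connection records, so each hit needs a follow-up on the host itself. Blocking the same port set at the border turns this audit into enforcement, with the caveat that servers can listen on any port, so the block limits exposure rather than eliminating it.
</p>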
<p>
<b>Author</b>: <a href="mailto:cert@cert.org?subject=IN-2000-08%20Feedback">Kevin Houle</a><br/>
<p>Copyright 2000 Carnegie Mellon University.</p>
</p></p></p></p></p></p></p>