Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants

Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


Source: ZDNet UK

Posted on December 3, 2001

      Instant messaging programs are proving to be as vulnerable to hacking attacks as email - and the security problem is set to grow.

      A hacker named Methodic spotted a hole in America Online's instant messaging system, so he penned a program to crash the chat program of any AOL "buddy" he targeted.

      Luckily, Methodic wasn't a malicious hacker, and he settled for just proving a point: Instant messaging systems used by millions around the world are vulnerable to the same types of lightning attacks spread by email causing billions of dollars in damages.

      Methodic, also known as Tony Lambiris, says AOL patched up its system a week later, and the hole was gone, forever.

      AOL said it spends heavily on security and fixed the problem. "It could have potentially been annoying but the user's password and account remained secure and we quickly resolved the issue when it was discovered," Andrew Weinstein, a spokesman for AOL, said.

      That's not the point, according to Lambiris.

      Instant messaging, a faster and more direct form of email that allows written conversations and file transfers, is growing faster than the Internet according to researchers. The speed and vigor of programs that make it perfect for a quick chat are also becoming attractive as ways to launch a quick attack, security analysts say.

      Lambiris' program proved capable of shutting down the AOL program by overwhelming it with data, a so-called buffer overload attack that is strategically similar to the Code Red email worm, which caused an estimated $2.6bn in damage.

      "To have an email attack be successful, you need to send it, have the party download it, save the attachment, and run it. With a messaging system, all you need to know is the person's user name," Lambiris wrote in an email message.

      There were some 90 million active home and business instant messaging users in September, according to Jupiter Media Metrix.

      The most popular providers are America Online, which has a stand-alone program that works outside the AOL network, Microsoft Corp's MSN Messenger, and Yahoo! Inc's messenger service.

      And as the popularity of instant messaging grows, so does its attraction to malicious hackers, says MSN, for one.

      "Computer viruses can be passed around in a variety of ways: via email messages, on floppy disks, and increasingly, through messaging applications like MSN Messenger," it warned on its Web site.

      A spokeswoman said MSN was working with the antivirus software community.

      Instant messaging systems have become very good at tunneling through corporate security systems, for example, says Carey Nachenberg, chief architect at antivirus firm Symantec Corp's security response team.

      "Imagine a day when all these people are on with broadband connections -- they are always connected, their computers are always on, and a computer worm targeting a popular messaging system starts spreading. That would potentially ravage hundreds of millions of machines," he said, cautioning that such a worm had not reared its head and desktop antivirus software was very effective now.

      The "buddy lists" popularized by AOL are address books of best friends, but for a hacker they are also a road map for where to send a virus, said Nick Weaver, a graduate student at the University of California, Berkeley, who has studied what kind of hacks could most quickly paralyze the Internet.

      "You use the list of known machines as your source for what machines you try to infect," he said. Under the right circumstances, such an attack could easily spread around the Net in a matter of minutes, while it takes the Internet community a good hour to begin responding to trouble, he estimated.

      There is a bright side. Instant messaging systems are always being updated automatically, which means their makers can send out a patch to all users immediately. "You have to find a security hole that you can use autonomously without user intervention that hasn't been discovered yet," Weaver said.

      Furthermore, corporations can make the systems more secure by requiring users to route messages through a server computer, called a proxy, that can scan and strip out threats.

      And Symantec and others say antivirus software should protect desktops while the companies work on corporate network tools.

      However, instant messaging will evolve, and that could be dangerous.

      "Adding features increases risk," said Matt Blaze, a network security scientist at AT&T Labs.

      Gartner technology researcher Martin Reynolds argued that the self-updating program could update itself with new holes. "There is no certainty that there is going to be an instant messaging virus, but if there were, the risk is enormous," he said.

      Hacker Lambiris says the providers are only looking in the rear view mirror. "The big guys (AOL, MSN, etc.) only seem to address an issue at a time, instead of fixing the problem from the ground up," he lamented.


E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
