[unisog] MSN Messenger - two questions

Brian Eckman eckman at umn.edu
Tue Feb 20 21:41:03 GMT 2007


Comments within.

Alan Rothenbush wrote:
> Background:
> I'm now under some pressure to "release" MSN Messenger to a group of my users, 
> some of them senior administrators.
> To date, the answer has been "no, insecure, next question", and as I "own" the 
> machines and the users are but users, it has not yet been installed.

I'd argue that it is less insecure than E-mail. At least you don't have
to protect the server.

> Sadly, these bosses (at least one of whom can fire me) now present a 
> legitimate business need for which I have no other solution, the problem 
> being that prospective students almost universally choose some sort of IM as 
> the preferred form of communication.  

Using IM to converse with prospective students? I don't work in
Admissions, but that seems more than a little odd to me. Maybe a "live
help" Java applet on a "Have Questions?" type of Web page is manageable,
and perhaps whatever solution like this that they want interfaces with
MSN Messenger (I doubt it), but chatting via IM with prospective
students does not sound professional nor productive to me.

> (The Instant Gratification generation, I suppose, making me once again feel my 
> age)
> Since we (annoyingly) do need students around the place, I'm probably going to 
> have to come up with some solution.
> My concerns (perhaps unfounded) are the need to open up the built-in XP 
> firewall to a server off in the big bad internet, allowing access to an 
> application that I think has historic security issues.

MSN Messenger hasn't been much of an issue as far as client security
goes. Also, there shouldn't be any need to allow it through the
firewall, at least not for most uses. It can make an outbound connection
to the MSN servers, and the chat can go through those (this is the
default behavior anyway).

> Question 1:
> Are my concerns unfounded ?  

Mostly. The security concerns with IM aren't far off those with E-mail.
However, many folks have E-mail Anti-virus, Anti-spam and/or content
defanging, and thus aren't really used to receiving several viruses each
day (anymore, that is).

These days, the IM threat is mostly when someone on your "buddy list"
gets 0wned, and their bot starts sending IMs with a link to the bot
malware hosted on some Web page. The bot herder (if you will) can
control whatever message and link are sent, and some of them are pretty
good at social engineering. If the users are educated well enough to
know not to fall for this type of social engineering, the threat level
is pretty low.

While adding thousands of prospective students to your "buddy list"
would be a great way to keep tabs on the location of the latest IRC bot
distribution points, it is a terrible way to communicate with them.
Offer a Java applet on a Web page for "Live Help" if that's the
functionality you need.

> (My response "they're all wrong" to the statement "every other university does 
> it" doesn't seem to be enough of an explanation)
> Question 2:
> If it turns out I have to do this, any tips for keeping things safe ?

The safest way to IM is to accept messages only from people on your
"buddy list". However, that doesn't scale well in this scenario. You'd
have to publish your IM info publicly, and accept messages from anyone.
That opens up a wealth of potential social engineering attacks, far
beyond just links to malware. It also opens you up to potential attacks
against the client itself, should it have an unpatched vulnerability.
Attempting to gain sensitive information via things like IM is cheaper,
less time-consuming, and harder to trace than making a phone call when
you're trying to impersonate someone, so I imagine Bad Guys(tm) will try
it. Also, restricting this "valuable resource" to MSN
Messenger (as opposed to other, more popular IM networks) restricts your
client base. Not everyone has MSN Messenger (non-Windows computers,
anyone?). (Even if they do or use a 3rd party client that works over the
MSN Messenger network, they might not want school administration to know
their IM screen name.) Most folks have Java and a Web browser, and if
they don't, they probably aren't about to use MSN Messenger anyway.

And naturally, running Windows using a regular user account (not in the
Administrators *nor* Power Users group) is strongly suggested, whether
or not you install IM software.

> Thanks in advance.
> Alan

In summary, IM itself isn't much of a security risk. The risk is that you:
- are opening people up to a new avenue for social engineering
- risk a loss of productivity, as they spend too much time chatting
- risk alienating everyone who wants to use this service, but doesn't
choose to use the IM network that you decide on

Personally, I suspect that these people either:
- want to IM their family, friends and colleagues, and are making up a
lame excuse so that they can do so
- haven't thought this through, and/or don't know what options there
are, and are simply jumping on the first bandwagon they can think of to
appeal to the next generation of students

My gut tells me the first is the case, but I've been wrong before (so my
wife tells me). However, if someone paying you tells you to do it, I'd
suggest you offer up alternatives, but be prepared to install it if asked.

Good luck,
Brian Eckman, Security Analyst
University of Minnesota
Office of Information Technology
Security & Assurance
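
The reply's last piece of advice (run Windows as a regular user, not a
member of Administrators or Power Users) is easy to verify on the machines
in question. The script below is an added example, not part of Brian's
post or anything from Microsoft; it checks the current account's token
against the well-known SIDs for the two built-in groups he names, so it
works regardless of the Windows display language. Assumption: on Vista and
later with UAC, IsInRole sees the filtered (non-elevated) token, so an
admin running an unelevated shell will report as unprivileged here; on XP,
where the original question lives, no such filtering exists.

```powershell
# Added example (not from the original post): report whether the current
# Windows account is in the local Administrators or Power Users group,
# the two groups the reply advises against for day-to-day use.
function Test-IsUnprivilegedUser {
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)

    # Well-known SIDs for the built-in local groups (language-independent).
    $privilegedSids = @{
        'S-1-5-32-544' = 'Administrators'
        'S-1-5-32-547' = 'Power Users'
    }

    $hits = @()
    foreach ($sid in $privilegedSids.Keys) {
        $group = New-Object System.Security.Principal.SecurityIdentifier($sid)
        # IsInRole checks the token's group list, including nested membership
        # (e.g. a domain group that is itself a member of local Administrators).
        if ($principal.IsInRole($group)) {
            $hits += $privilegedSids[$sid]
        }
    }

    [PSCustomObject]@{
        User             = $identity.Name
        PrivilegedGroups = $hits
        IsUnprivileged   = ($hits.Count -eq 0)
    }
}

# Usage: run as the user who will be chatting, before installing the client.
Test-IsUnprivilegedUser
```

If IsUnprivileged comes back $false, the IM client (and anything a bad
link drops through it) would run with the same rights as the user; fixing
that is independent of which IM network ends up being chosen.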
