[ISN] Net Messaging Called 'Catastrophic'

From: mea culpa (jerichoat_private)
Date: Fri Jun 05 1998 - 08:38:44 PDT


    Forwarded From: Aleph One <aleph1at_private>
       Net Messaging Called 'Catastrophic'
       by James Glave
       5:05am  5.Jun.98.PDT

       The world's most widely used Internet "instant-messaging" service is a
       security disaster waiting to happen, according to networking experts
       familiar with the program. ICQ lacks secure barriers against
       hijacking, spoofs, and other hostile programs that can listen in on
       personal, and potentially sensitive, communications sent over the

       Each day, more than 3 million people use ICQ to send quick and easy
       text messages to friends and coworkers over the Internet. Messages
       appear instantaneously in a window on the users' desktops. More than
       12 million users are registered with ICQ, and the program is gaining
       popularity in corporate settings as a productivity tool for office
       workers, such as for exchanging information like sales figures.

       Jesse Schachter, an engineer with Advanced Corporate Networking, said
       that a former employer, an Internet service provider, used ICQ for all
       internal communications.

       "Pretty much anything that would have been talked about in person was
       talked about in ICQ," Schachter said.

       But that's bad news, according to Greg Jones, a freelance
       network-security expert familiar with the program.

       "Using ICQ is like talking by writing on big cue cards: Everyone can
       see what you're exchanging. It wasn't designed for security," he said.

       Mirabilis, the Israeli company that developed ICQ, states that the
       free system was not designed for "mission critical" or "content
       sensitive" communications.

       "We are working on improving the security and also some other
       features, continuously," said Yossi Vardi, business-development
       director for Mirabilis. "But this is not a banking system," he

       In the past week, a security expert who goes by the name "Wumpus"
       posted to a security mailing list the source code for a program called
       ICQ Hijack. Once compiled and run, the program will allow anyone to
       take over an ICQ account and assume another user's identity.

       "It will hijack an ICQ account," said Wumpus, who declined to be named
       for this story, citing potential issues with his employer. "It does
       this by sending spoofed IP [or Internet Protocol] packets which
       pretend to be from the client, saying 'change my password to something
       else.' The user of the program provides what the new password will
       be," he said.

       In January of this year, Alan Cox, a system administrator and
       self-employed consultant, posted a similar program, called
       "icqsniff" to the security mailing list BugTraq. The program
       collects passwords being sent between ICQ users. According to Wumpus,
       Mirabilis president Arik Vardi said at that time that he would fix the
       next version of ICQ to address the issue.

       Apparently, that hasn't happened.

       "The latest version [of ICQ] encrypts the passwords," said Cox. "But
       the password isn't in every message and the messages are not [code]
       signed -- so it's little improvement," he said.

       Further, it is still possible to spoof the system and pretend to be
       someone else. "The spoofing allow[s] me to send a message as anyone
       else on the system, [such as] messages from your boss asking you to
       turn off the Internet connection," said Cox.

       Mirabilis has been the subject of much market speculation in recent
       weeks. The company is reportedly in talks with America Online, which
       is rumored to be considering purchasing the technology. Neither
       company would comment on the rumors.

       All of the security and networking specialists that spoke with Wired
       News for this story said that the greatest problem with ICQ is that
       the protocol -- the actual networking mechanics used by the system --
       is proprietary and undocumented and, as a result, is not subject to
       the bulletproofing process of peer review.

       Wumpus said that he determined that ICQ uses User Datagram Protocol
       (UDP) between clients and the server, and standard Transport Control
       Protocol (TCP/IP) between users. However, he said, ICQ's UDP
       communications have been insecure since the beginning.

       "They are trying to obfuscate the protocol, they are hiding important
       parts of the protocol, but not encrypting it," said Seth McGann, the
       author of icqspoof, another spoofing program and a security
       consultant with Advanced Corporate Networking.

       McGann said that ICQ could be a valuable tool for crackers to use to
       talk their way into sensitive information. "There are a lot of
       possibilities for social engineering. You might be able to present
       yourself as someone in the company ... to get privileged information,"
       he said.

       McGann also said he has developed a program that allows him to see and
       change ICQ messages in real time as they pass between two ICQ users,
       without their knowledge. He has not yet released this code to the Net.

       Yossi Vardi of Mirabilis said the company was straightforward about
       the appropriate use of ICQ and added that all issues will be resolved
       in the next version of the client, due "in a couple of days."

       "The question is, what kind of level of service do you want?" said
       Yossi Vardi. "If you want encryption or security, you want one level,
       if you want things that will be for experts, it will be another
       level," he said.

       "If you want to do something that will provide good security but will
       be palatable to a wide [number] of users, you have to see what you can
       do that will provide reasonable security, but will not create huge
       clients," Vardi said.

       But McGann said that Mirabilis was shirking its responsibility,
       and that nothing short of a complete code redesign can make it safe to

       "[They] are releasing a product where anyone can pretend they are
       you," McGann said. "I can't imagine that -- even if I am not going to
       use it for mission critical [communication], it's just not even useful
       at that point," he said.

       "They have to make some major protocol changes, and they better do a
       hotfix [patch] to stop that hijacking," said McGann, who makes a hobby
       of auditing networks and finding potential vulnerabilities. "That code
       is really catastrophic."
    Subscribe: mail majordomoat_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]