Forwarded From: Aleph One <aleph1at_private>

http://www.wired.com/news/news/technology/story/12758.html

Net Messaging Called 'Catastrophic'
by James Glave
5:05am 5.Jun.98.PDT

The world's most widely used Internet "instant-messaging" service is a security disaster waiting to happen, according to networking experts familiar with the program.

ICQ lacks secure barriers against hijacking, spoofs, and other hostile programs that can listen in on personal, and potentially sensitive, communications sent over the system.

Each day, more than 3 million people use ICQ to send quick and easy text messages to friends and coworkers over the Internet. Messages appear instantaneously in a window on the users' desktops. More than 12 million users are registered with ICQ, and the program is gaining popularity in corporate settings as a productivity tool for office workers, such as for exchanging information like sales figures.

Jesse Schachter, an engineer with Advanced Corporate Networking, said that a former employer, an Internet service provider, used ICQ for all internal communications. "Pretty much anything that would have been talked about in person was talked about in ICQ," Schachter said.

But that's bad news, according to Greg Jones, a freelance network-security expert familiar with the program. "Using ICQ is like talking by writing on big cue cards: Everyone can see what you're exchanging. It wasn't designed for security," he said.

Mirabilis, the Israeli company that developed ICQ, states that the free system was not designed for "mission critical" or "content sensitive" communications. "We are working on improving the security and also some other features, continuously," said Yossi Vardi, business-development director for Mirabilis. "But this is not a banking system," he said.

In the past week, a security expert who goes by the name "Wumpus" posted to a security mailing list the source code for a program called ICQ Hijack.
Once compiled and run, the program will allow anyone to take over an ICQ account and assume another user's identity. "It will hijack an ICQ account," said Wumpus, who declined to be named for this story, citing potential issues with his employer. "It does this by sending spoofed IP [or Internet Protocol] packets which pretend to be from the client, saying 'change my password to something else.' The user of the program provides what the new password will be," he said.

In January of this year, Alan Cox, a system administrator and self-employed consultant, posted a similar program, called "icqsniff", to the security mailing list BugTraq. The program collects passwords being sent between ICQ users. According to Wumpus, Mirabilis president Arik Vardi said at that time that he would fix the next version of ICQ to address the issue. Apparently, that hasn't happened.

"The latest version [of ICQ] encrypts the passwords," said Cox. "But the password isn't in every message and the messages are not [code] signed -- so it's little improvement," he said. Further, it is still possible to spoof the system and pretend to be someone else. "The spoofing allow[s] me to send a message as anyone else on the system, [such as] messages from your boss asking you to turn off the Internet connection," said Cox.

Mirabilis has been the subject of much market speculation in recent weeks. The company is reportedly in talks with America Online, which is rumored to be considering purchasing the technology. Neither company would comment on the rumors.

All of the security and networking specialists that spoke with Wired News for this story said that the greatest problem with ICQ is that the protocol -- the actual networking mechanics used by the system -- is proprietary and undocumented and, as a result, is not subject to the bulletproofing process of peer review.
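The weakness Cox describes above, as an added example that is not from the article and not ICQ's real wire format: in a constructed toy datagram protocol, a receiver that only trusts the claimed account number accepts a forged password-change request, while a receiver that checks a per-message HMAC under a per-account session key rejects it. The sequence-number check, which also rejects replays, goes slightly beyond what the article discusses; the format, account numbers and keys are all assumptions.

```python
import hmac
import hashlib

# Constructed toy datagram format (an assumption, not ICQ's real protocol):
#   uin|seq|cmd|payload|tag   where tag = hex(HMAC-SHA256(session_key, uin|seq|cmd|payload))
SESSION_KEYS = {"1234567": b"alice-session-key"}  # constructed per-account session keys


def build(uin, seq, cmd, payload, key=None):
    """Build a datagram; with key=None the tag is left empty (an unauthenticated sender)."""
    body = f"{uin}|{seq}|{cmd}|{payload}"
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest() if key else ""
    return f"{body}|{tag}"


def accept_unsigned(datagram):
    """Weak receiver: takes the claimed UIN at face value, as the article describes."""
    uin, _seq, _cmd, _payload, _tag = datagram.split("|")
    return uin in SESSION_KEYS


def accept_signed(datagram, last_seq):
    """Hardened receiver: per-message MAC under the account's key, then a strictly increasing seq."""
    uin, seq, cmd, payload, tag = datagram.split("|")
    key = SESSION_KEYS.get(uin)
    if key is None:
        return False
    expected = hmac.new(key, f"{uin}|{seq}|{cmd}|{payload}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # forged or tampered: tag does not verify
    if int(seq) <= last_seq.get(uin, 0):
        return False  # replayed datagram
    last_seq[uin] = int(seq)
    return True


def demo():
    """Constructed traffic: one legitimate password change, one forged one, one replay."""
    legit = build("1234567", 1, "CHANGE_PASSWORD", "new-pw", SESSION_KEYS["1234567"])
    forged = build("1234567", 2, "CHANGE_PASSWORD", "attacker-pw")  # claims Alice's UIN, no key
    seen = {}
    return {
        "unsigned_accepts_forged": accept_unsigned(forged),
        "signed_accepts_legit": accept_signed(legit, seen),
        "signed_rejects_forged": not accept_signed(forged, seen),
        "signed_rejects_replay": not accept_signed(legit, seen),
    }
```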
Wumpus said that he determined that ICQ uses User Datagram Protocol (UDP) between clients and the server, and standard Transport Control Protocol (TCP/IP) between users. However, he said, ICQ's UDP communications have been insecure since the beginning.

"They are trying to obfuscate the protocol, they are hiding important parts of the protocol, but not encrypting it," said Seth McGann, the author of icqspoof, another spoofing program, and a security consultant with Advanced Corporate Networking.

McGann said that ICQ could be a valuable tool for crackers to use to talk their way into sensitive information. "There are a lot of possibilities for social engineering. You might be able to present yourself as someone in the company ... to get privileged information," he said.

McGann also said he has developed a program that allows him to see and change ICQ messages in real time as they pass between two ICQ users, without their knowledge. He has not yet released this code to the Net.

Yossi Vardi of Mirabilis said the company was straightforward about the appropriate use of ICQ and added that all issues will be resolved in the next version of the client, due "in a couple of days."

"The question is, what kind of level of service do you want?" said Yossi Vardi. "If you want encryption or security, you want one level, if you want things that will be for experts, it will be another level," he said. "If you want to do something that will provide good security but will be palatable to a wide [number] of users, you have to see what you can do that will provide reasonable security, but will not create huge clients," Vardi said.

But McGann said that Mirabilis was shirking its responsibility, and that nothing short of a complete code redesign can make it safe to use. "[They] are releasing a product where anyone can pretend they are you," McGann said.
"I can't imagine that -- even if I am not going to use it for mission critical [communication], it's just not even useful at that point," he said.

"They have to make some major protocol changes, and they better do a hotfix [patch] to stop that hijacking," said McGann, who makes a hobby of auditing networks and finding potential vulnerabilities. "That code is really catastrophic."

-o-
Subscribe: mail majordomoat_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:55:22 PDT