AIM Not Secure

In the past few years, AIM has become a communication tool used by both individuals and corporations to facilitate discussions of issues ranging from what movie to see on the weekend to arcane details in contractual corporate negotiations. But buyer beware as hackers have found ways to exploit the AIM client and server to leave such communication open to every prying eyes and cause all sorts of mischief.

The AIM client allows any users on the Internet to create a “buddy list” and carry on text-based chat with other people on their buddy list. With 27 million AOL users and 21 million registered AIM users, America Online has become the leading provider of instant messaging software, dwarfing its competitors in terms of user base. According to MediaMetrix, Yahoo Messenger is the second most popular instant messaging client, with 10.6 million users, followed by Microsoft’ MSN Messenger, with 10.3 million registered users.

AOL has aggressively promoted its AIM messaging platform as a corporate tool, cutting deals with Novell and Lotus to incorporate it in their offerings. However, its focus on security issues has not been as strong as its marketing. In the past AOL has covered up security breaches instead of being forthcoming about them, said Dave Cassel, editor of the AOL Watch Newsletter, an email mailing list sent out to 50,000 subscribers.

Two areas in which AIM security has already been compromised are password theft and buffer overflow, a way for hackers to remotely crash a computer system by sending a certain set of characters to an AIM client. Furthering the problem is the fact that the client does not need to be running at the time in order to be exploited. Simply installing it on a machine is enough to expose it to the buffer overflow problem.

In January 2000, hackers were coming to the press with that problem because they wanted the buffer overflow security hole closed, said Cassel. But AOL didn’t respond so the hackers thought that negative press would spur AOL into action. After I wrote an article about it, AOL said they would close the hole but in December 2000, the hole could still be exploited.

In December, @Stake, an Internet security consulting firm, issued a security advisory about the buffer overflow problem. In it, the company described how a hacker could use the AIM client to shutdown a computer or execute local commands on the victim’s desktop.

The issue was fixed, said Nicholas Graham, a spokesperson for AOL. We encourage our users to upgrade but it’s not an issue at this point.

Weld Pond, manager of research and development for @Stake, added that while the December issue was not exactly the same one as the January one, it did fall into the same class of problems. What that illuminates is the fact that they are not using secure policies, he said. It’s sort of like finding out that one of your windows has no lock and not going around to check the other windows.

We answer instances of security on a case by case basis, defends Graham. Our latest client is the most secure one to date and we intend to continue providing a more robust and more secure client as time goes on.

Buffer overflow and the hijacking of AIM screen names have been problems since AIM was introduced a few years back, said an active AOL hacker who preferred to remain anonymous. Product integrity and security has never been a specialty of AOL and this is very obvious from the numerous exploits I and others have found in the service in the past three years.

While AOL has issued a new version of its client correcting the problem, the security risks posed by the AIM client should remain a concern among system administrators. The funny thing is that upgrading to the most recent version of AIM solves nothing, said the hacker. Most of the exploits are what we call server side hacks, which means the software client has nothing to do with the hack at all. The buffer overflow hack was the only major hack so that involved the actual client software.

Some of my buddies used the hijacked AIM accounts to carry on fake conversations with the friends of the person who originally owned it. The conversations resulted in my buddies tricking the real owner’s friends into providing personal information and even credit card information. People have no reason to believe that accounts have been hacked unless the real owner notifies them.

This was the problem that Habeeb Dihu, a senior principal at Diamond Cluster, an ebusiness consulting firm., encountered when a hacker kidnapped his instant messenger ID. I was working on the Covisint deal, he said, referring to the B2B exchange developed by General Motors, Chrysler, Ford, Oracle, and Commerce One.

Because we have consultants working at several clients, the way we keep in touch with each others is through instant messaging. Somewhere in the middle of the Covisint deal, my AIM screen ID got hacked. Someone masqueraded as me and started to talk to my coworkers. I took care of it by alerting all my co-workers but AOL was very unresponsive in terms of tech support. I was completely ignored by the support people there and was finally contacted by the head of press relations for AOL after I talked to the press. Relative to how much AIM is used in the corporate world, the security behind this thing is abysmal.

Following the incident, the company instituted a review of different instant messaging solutions and standardized on Yahoo’s Instant Messenger. Despite the fact that you could have some ID theft issue behind Yahoo, no one has managed to hack into the yahoo user database to the extent of the problems with MSN and AOL, he added. We looked at Yahoo’s corporate solution but the cost of corporate yahoo was prohibitive compared to the free products available out there, he said, adding that his company has been involved in the development of Jabber, another IM client. Our hope is that jabber will increase security and we’ll be able to migrate there but it’s not quite there yet in terms of robust user interface for non technical people.

Instant Messaging is used as much if not more than email these days in the corporate world. The lack of security and lack of completeness in the solution is pretty alarming from my perspective. The only messaging solution that hasn’t been hacked is Yahoo’s and it’s only a matter of time before it happens.

If you just want to talk to people in your company, you’re better off using some other piece of software that wouldn’t be under as much scrutiny from hackers, said Cassel.

Using a third party to do your corporate communication that has no legal standing is a dangerous thing, said Pond. Unlike the phone, it’s unregulated and insecure. When you are using AOL IM, you’re sending your communication in the clear over the Internet to AOL’s server and back, whether you are talking to someone in a remote location or in the office next door. People think of it as the phone but they shouldn’t. AOL has full control of communication for corporations who use AIM for communication.

We’re moving to a world were there are more and more clients that people are running on their machines, out of the control of the IT department. Companies should set security policies set up at corporate level and work on an approval process for those clients.

However, there’s no one size fits all solution. Different environments can put the expense out there to create more secure environments. Thinking you can sort of read about a security problem and know what the best solution is without taking the environment into consideration is not possible.

There are far better products out there such as MSN Messenger and Yahoo Messenger, said the hacker. But these products haven’t taken off in popularity due to AOL’s huge market share. These other products are far more secure and reliable than the AIM service. Any hacker will tell you this.

Network managers can solve the issue by either blocking out connection to the AOL IM servers or install different clients on their users’ desktops. Groove is doing a similar kind of tool but it’s an encrypted chat in a peer to peer environment, which ends up being more secure, said Pond.

If you have to use it, spend as little time as possible on it, adds Cassel. When I’m through with my messaging conversation, I close it out the software in both my window and my tray. Yes, I can’t be messaged but I also can’t be hacked. I just keep my email window open and then people can reach me that way. Your email client is definitely more secure than IM.”

Previous Post
Securing SOAP
Next Post
New Virus Evolves
%d bloggers like this: