Last updated July 15, 2008
Serving Up Spim

June 7, 2004 - When the Chicago Stock Exchange was searching for a secure way to provide instant messaging to the brokerage members clamoring for it, one of the executives' main concerns was combating a growing plague: Spim (or Spam over Instant Messaging). In addition to the Securities and Exchange Commission mandates for archiving and monitoring instant messages as a form of electronic communication, Krysia Jacobs, VP of technical services for the exchange, says, "You have to make sure people don't transfer files, that no viruses can come in via the instant messaging infrastructure."

A couple of months ago, the stock exchange found a solution that allowed its brokers to use the messaging services they wanted while taking care of the security and compliance issues. A Facetime component called IM Guardian monitors communications and can disallow file transfers, she said. This feature allows the exchange to be safe from Spim carrying Trojan Horses.

Spim accounts for 3 percent of all instant messages sent today, according to analyst Genelle Hung of the Radicati Group. By 2008, she expects that number to climb to 39 percent. In other words, users receive less than one Spim a day today, but will average 30 in 2008. Spim might seem a minor problem compared to Spam--30 messages a day would be a relief for many e-mail users. But, unlike Spam, Spim interrupts users as they work instead of quietly piling up in a mailbox to be deleted at leisure.

"The easiest countermeasure to IM Spam is to use a 'white list' or 'buddy list' exclusively and accept messages only from your list of approved IM correspondents," said Randall Palm, director of IT for CompTIA, an IT trade association. But hackers can find ways around this, he added, by creating worms that propagate through the buddy lists; this is a particularly insidious characteristic, since an IM from someone on a buddy list is more likely to be trusted and opened.

Preying on Buddy Lists

This can create big problems for a firm, said Paul Ritter, director of IM and collaboration research at Wainhouse Research. "When a worm takes over a buddy list and automatically sends out messages to those people, the people on the receiving end assume that it's from a trusted person and that it's okay to click on links embedded in the message or download a file." In addition, there is no way to fake a return address with instant messaging, a common tactic with e-mail Spam. That adds to the feeling of betrayed trust when a message from a supposed friend or business partner turns out to be an ad or a worm.

One recent example of such a worm was the Osama bin Laden infestation. A message from a buddy said that Osama bin Laden had been found and invited the recipient to click on a link, which turned out to be a game. But those who downloaded the game got an unpleasant surprise--their own computers began to surreptitiously send out instant messages to all their buddies, and left their computers vulnerable to more IM Spam in the future. The worm spread fast, but its payload was relatively harmless.

At least, that was the experience of OTA LLC, a Purchase, N.Y.-based broker-dealer servicing institutional investors. OTA, which has about 200 employees, was hit by the "Osama Found" Spim worm this spring but was spared any damage. OTA uses AOL, MSN and Yahoo IM systems, combined with a gateway compliance product from IMLogic. "We were pretty well locked down," said Anthony Tarricone, the firm's network administrator. The locking-down process involved adding the worm's text to a block file. "But it was a manual process and required that we understand what was going on," he said, adding that as Spim increases in volume, it would be nice to have the process automated. For now, however, with Spim volumes relatively low, it's not a high priority for him, he said.

Damaging Business Relationships

"I think Wall Street firms in particular need to be particularly sensitive about this," said Dmitri Shapiro, CTO at Akonix Systems, another leading IM compliance vendor. "If a broker's machine gets compromised and Spims out to a large customer, and the large customer's machine gets compromised, it could put important accounts in jeopardy," he added. "Because it comes from a buddy, most people don't understand that the buddy's machine was compromised. They think the buddy physically typed the message. They reply to it and say, 'Why did you send this?' Then the buddy says, 'Send what?' 'This link.' 'What link?'"

Worse, some people might not even bother to reply when they receive an unsolicited advertisement, pornography or an invitation to download a worm. "They'll just take the buddy off the buddy list," Shapiro said. "There are lots of relationships damaged without the other party knowing that the relationship was damaged at all, which is still the scariest aspect."

This recently happened to a financial services firm, he said. An IM worm hijacked a trader's buddy list and sent itself out to all of his customers. The worm looked like a message sent by the trader himself and contained a link that infected the computer when the recipient clicked on it. Several customers complained, and some were quite angry. "For a little while, we were concerned that this event may have cost us customers," said a representative of the firm, which requested anonymity. "We assured the customers that we had taken precautions to prevent this kind of thing from happening in the future."

Installing Spim Barriers

In addition to blocking file downloads, or checking for known worm signatures, there are also response-based approaches to stopping Spim. "This type of software is intended to trip up automated Spam messaging by requiring manual interaction," said CompTIA's Palm.

In order to make sure that an instant message goes through to its intended recipient, the sender has to answer a question or take another action that an automated Spam program or virus can't do. This approach does cut down on Spim, but can be annoying for people who don't want to prove that they're human each time they send a message, or each time they send a message to a new buddy.

Another approach to stopping Spim is to create members-only IM networks. Today, Reuters, Bloomberg and Communicator offer IM systems that are limited to members of the financial community--people who, in theory at least, are not likely to generate Spam, viruses or worms. A decentralized version of the same idea is currently being investigated by three major New York firms, including Merrill Lynch. "IT managers at Wall Street firms want IM to be deployed in a secure but open way," said Max Seguineau, CEO of Antepo, which offers enterprise IM to companies like Merrill Lynch. "They want the technology to be standards-based, so they can seamlessly integrate with business partners, but they want the community to be gated, so they can reduce their exposure."

The downside to this approach is that it only works if everybody in the financial services community decides to stay in this community. If business partners or clients prefer other IM systems, then firms will have to maintain the entire infrastructure they need to securely access those systems.

For example, at the Chicago Stock Exchange, brokers use AOL, Microsoft and Yahoo instant messaging systems. "We have a few that use all three," said Jacobs. By opting for the no-file-transfers approach, the exchange has balanced usability with security, she said. "We're very happy with the Facetime product," she said. "For the users, it's as though the product isn't even there, except for the little disclaimer at the bottom of the messages that says that all communications are monitored."
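
The barriers described above (buddy list, a block file of known worm text, no file transfers, a challenge for unknown senders), combined in one gateway policy as an added example; it is not code from Facetime, IMLogic or Akonix, and every class name, screen name and sample message in it is constructed for illustration. It shows why the content checks have to run before the buddy-list check: a worm relayed by a compromised buddy passes a buddy-list-only filter.

```python
from dataclasses import dataclass

@dataclass
class Message:
    sender: str
    text: str
    has_file: bool = False

def allowlist_only(msg, buddies):
    """Baseline: trust anything that comes from the buddy list."""
    return "deliver" if msg.sender in buddies else "block"

class Gateway:  # hypothetical policy object; all names are illustrative
    def __init__(self, buddies, block_phrases):
        self.buddies = set(buddies)
        self.block_phrases = [p.lower() for p in block_phrases]
        self.held = {}  # unknown sender -> messages waiting on a challenge

    def check(self, msg):
        body = " ".join(msg.text.lower().split())  # fold case and spacing
        # Content rules run first and apply to buddies too, because a
        # compromised buddy's client sends under a trusted name.
        if msg.has_file:
            return "block", "file transfer disabled"
        for phrase in self.block_phrases:
            if phrase in body:
                return "block", "block file: " + phrase
        if msg.sender in self.buddies:
            return "deliver", "on buddy list"
        self.held.setdefault(msg.sender, []).append(msg)
        return "challenge", "unknown sender must respond"

    def challenge_result(self, sender, passed):
        held = self.held.pop(sender, [])  # release only if a person answered
        return held if passed else []

# Constructed sample traffic (not real worm text or real screen names).
BUDDIES = {"trader_joe", "client_ann"}
BLOCK_FILE = ["osama bin laden found"]
WORM = Message("trader_joe", "Osama Bin Laden  FOUND! http://example.invalid/game")
NORMAL = Message("client_ann", "Can you confirm the 2pm order?")
FILE = Message("client_ann", "see attached", has_file=True)
STRANGER = Message("promo_bot_77", "Hot stock tip, reply now")

def demo():
    gw = Gateway(BUDDIES, BLOCK_FILE)
    layered = [gw.check(m)[0] for m in (WORM, NORMAL, FILE, STRANGER)]
    return [allowlist_only(WORM, BUDDIES)] + layered
print(demo())
```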

Maria Trombly can be reached at 011-86-21-6387-7243 or by email at maria@trombly.com