[ISN] Net Messaging Called 'Catastrophic'

From: mea culpa <jericho_at_dimensional.com>
Date: Fri 05 Jun 1998 - 10:38:44 CDT
Forwarded From: Aleph One <aleph1@nationwide.net>

http://www.wired.com/news/news/technology/story/12758.html

   Net Messaging Called 'Catastrophic'
   by James Glave 
   
   5:05am  5.Jun.98.PDT
   The world's most widely used Internet "instant-messaging" service is a
   security disaster waiting to happen, according to networking experts
   familiar with the program. ICQ lacks secure barriers against
   hijacking, spoofs, and other hostile programs that can listen in on
   personal, and potentially sensitive, communications sent over the
   system.
   
   Each day, more than 3 million people use ICQ to send quick and easy
   text messages to friends and coworkers over the Internet. Messages
   appear instantaneously in a window on the users' desktops. More than
   12 million users are registered with ICQ, and the program is gaining
   popularity in corporate settings as a productivity tool for office
   workers, such as for exchanging information like sales figures.
   
   Jesse Schachter, an engineer with Advanced Corporate Networking, said
   that a former employer, an Internet service provider, used ICQ for all
   internal communications.
   
   "Pretty much anything that would have been talked about in person was
   talked about in ICQ," Schachter said.
   
   But that's bad news, according to Greg Jones, a freelance
   network-security expert familiar with the program.
   
   "Using ICQ is like talking by writing on big cue cards: Everyone can
   see what you're exchanging. It wasn't designed for security," he said.
   
   Mirabilis, the Israeli company that developed ICQ, states that the
   free system was not designed for "mission critical" or "content
   sensitive" communications.
   
   "We are working on improving the security and also some other
   features, continuously," said Yossi Vardi, business-development
   director for Mirabilis. "But this is not a banking system," he
   said.
   
   In the past week, a security expert who goes by the name "Wumpus"
   posted to a security mailing list the source code for a program called
   ICQ Hijack. Once compiled and run, the program will allow anyone to
   take over an ICQ account and assume another user's identity.
   
   "It will hijack an ICQ account," said Wumpus, who declined to be named
   for this story, citing potential issues with his employer. "It does
   this by sending spoofed IP [or Internet Protocol] packets which
   pretend to be from the client, saying 'change my password to something
   else.' The user of the program provides what the new password will
   be," he said.
   
   In January of this year, Alan Cox, a system administrator and
   self-employed consultant, posted a similar program, called
   "icqsniff" to the security mailing list BugTraq. The program
   collects passwords being sent between ICQ users. According to Wumpus,
   Mirabilis president Arik Vardi said at that time that he would fix the
   next version of ICQ to address the issue.
   
   Apparently, that hasn't happened.
   
   "The latest version [of ICQ] encrypts the passwords," said Cox. "But
   the password isn't in every message and the messages are not [code]
   signed -- so it's little improvement," he said.
   
   Further, it is still possible to spoof the system and pretend to be
   someone else. "The spoofing allow[s] me to send a message as anyone
   else on the system, [such as] messages from your boss asking you to
   turn off the Internet connection," said Cox.
   
   Mirabilis has been the subject of much market speculation in recent
   weeks. The company is reportedly in talks with America Online, which
   is rumored to be considering purchasing the technology. Neither
   company would comment on the rumors.
   
   All of the security and networking specialists that spoke with Wired
   News for this story said that the greatest problem with ICQ is that
   the protocol -- the actual networking mechanics used by the system --
   is proprietary and undocumented and, as a result, is not subject to
   the bulletproofing process of peer review.
   
   Wumpus said that he determined that ICQ uses User Datagram Protocol
   (UDP) between clients and the server, and standard Transport Control
   Protocol (TCP/IP) between users. However, he said, ICQ's UDP
   communications have been insecure since the beginning.
   
   "They are trying to obfuscate the protocol, they are hiding important
   parts of the protocol, but not encrypting it," said Seth McGann, the
   author of icqspoof, another spoofing program and a security
   consultant with Advanced Corporate Networking.
   
   McGann said that ICQ could be a valuable tool for crackers to use to
   talk their way into sensitive information. "There are a lot of
   possibilities for social engineering. You might be able to present
   yourself as someone in the company ... to get privileged information,"
   he said.
   
   McGann also said he has developed a program that allows him to see and
   change ICQ messages in real time as they pass between two ICQ users,
   without their knowledge. He has not yet released this code to the Net.
   
   Yossi Vardi of Mirabilis said the company was straightforward about
   the appropriate use of ICQ and added that all issues will be resolved
   in the next version of the client, due "in a couple of days."
   
   "The question is, what kind of level of service do you want?" said
   Yossi Vardi. "If you want encryption or security, you want one level,
   if you want things that will be for experts, it will be another
   level," he said.
   
   "If you want to do something that will provide good security but will
   be palatable to a wide [number] of users, you have to see what you can
   do that will provide reasonable security, but will not create huge
   clients," Vardi said.
   
   But McGann said that Mirabilis was shirking from its responsibility,
   and that nothing short of a complete code redesign can make it safe to
   use.
   
   "[They] are releasing a product where anyone can pretend they are
   you," McGann said. "I can't imagine that -- even if I am not going to
   use it for mission critical [communication], it's just not even useful
   at that point," he said.
   
   "They have to make some major protocol changes, and they better do a
   hotfix [patch] to stop that hijacking," said McGann, who makes a hobby
   of auditing networks and finding potential vulnerabilities. "That code
   is really catastrophic."
   

-o-
Subscribe: mail majordomo@sekurity.org with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Fri Jun 5 12:55:24 1998