Wade T. Smith wrote:
> Well, I use IRC. It is basically free, international, unfettered, and is, after all, the grand-daddy of chat protocols. You don't need a specific brand of client, nor a small server system, and you don't use bleeding numbers....
>
> And besides, the version of ICQ for my particular Mac platform is incredibly buggy, and has never run more than five minutes....
>
> and- there is this little tidbit recently on the Wired site...
>
> _______
>
> Net Messaging Called 'Catastrophic' by James Glave
>
> 5:05am 5.Jun.98.PDT
>
> The world's most widely used Internet
> "instant-messaging" service is a security disaster waiting to happen,
> according to networking experts familiar with the program. ICQ lacks
> secure barriers against hijacking, spoofs, and other hostile programs
> that can listen in on personal, and potentially sensitive,
> communications sent over the system.
>
> Each day, more than 3 million people use ICQ to send quick and easy
> text messages to friends and coworkers over the Internet. Messages
> appear instantaneously in a window on the users' desktops. More than
> 12 million users are registered with ICQ, and the program is gaining
> popularity in corporate settings as a productivity tool for office
> workers, such as for exchanging information like sales figures.
>
> Jesse Schachter, an engineer with Advanced Corporate Networking, said
> that a former employer, an Internet service provider, used ICQ for all
> internal communications.
>
> "Pretty much anything that would have been talked about in person was
> talked about in ICQ," Schachter said.
>
> But that's bad news, according to Greg Jones, a freelance
> network-security expert familiar with the program.
>
> "Using ICQ is like talking by writing on big cue cards: Everyone can
> see what you're exchanging. It wasn't designed for security," he said.
>
> Mirabilis, the Israeli company that developed ICQ, states that the
> free system was not designed for "mission critical" or "content
> sensitive" communications.
>
> "We are working on improving the security and also some other
> features, continuously," said Yossi Vardi, business-development
> director for Mirabilis. "But this is not a banking system," he said.
>
> In the past week, a security expert who goes by the name "Wumpus"
> posted to a security mailing list the source code for a program called
> ICQ Hijack. Once compiled and run, the program will allow anyone to
> take over an ICQ account and assume another user's identity.
>
> "It will hijack an ICQ account," said Wumpus, who declined to be named
> for this story, citing potential issues with his employer. "It does
> this by sending spoofed IP [or Internet Protocol] packets which
> pretend to be from the client, saying 'change my password to something
> else.' The user of the program provides what the new password will
> be," he said.
>
> In January of this year, Alan Cox, a system administrator and
> self-employed consultant, posted a similar program, called "icqsniff"
> to the security mailing list BugTraq. The program collects passwords
> being sent between ICQ users. According to Wumpus, Mirabilis president
> Arik Vardi said at that time that he would fix the next version of ICQ
> to address the issue.
>
> Apparently, that hasn't happened.
>
> "The latest version [of ICQ] encrypts the passwords," said Cox. "But
> the password isn't in every message and the messages are not [code]
> signed -- so it's little improvement," he said.
>
> Further, it is still possible to spoof the system and pretend to be
> someone else. "The spoofing allow[s] me to send a message as anyone
> else on the system, [such as] messages from your boss asking you to
> turn off the Internet connection," said Cox.
>
> Mirabilis has been the subject of much market speculation in recent
> weeks. The company is reportedly in talks with America Online, which
> is rumored to be considering purchasing the technology. Neither
> company would comment on the rumors.
>
> All of the security and networking specialists that spoke with Wired
> News for this story said that the greatest problem with ICQ is that
> the protocol -- the actual networking mechanics used by the system --
> is proprietary and undocumented and, as a result, is not subject to
> the bulletproofing process of peer review.
>
> Wumpus said that he determined that ICQ uses User Datagram Protocol
> (UDP) between clients and the server, and standard Transport Control
> Protocol (TCP/IP) between users. However, he said, ICQ's UDP
> communications have been insecure since the beginning.
>
> "They are trying to obfuscate the protocol, they are hiding important
> parts of the protocol, but not encrypting it," said Seth McGann, the
> author of icqspoof, another spoofing program and a security consultant
> with Advanced Corporate Networking.
>
> McGann said that ICQ could be a valuable tool for crackers to use to
> talk their way into sensitive information. "There are a lot of
> possibilities for social engineering. You might be able to present
> yourself as someone in the company ... to get privileged information,"
> he said.
>
> McGann also said he has developed a program that allows him to see and
> change ICQ messages in real time as they pass between two ICQ users,
> without their knowledge. He has not yet released this code to the Net.
>
> Yossi Vardi of Mirabilis said the company was straightforward about
> the appropriate use of ICQ and added that all issues will be resolved
> in the next version of the client, due "in a couple of days."
>
> "The question is, what kind of level of service do you want?" said
> Yossi Vardi. "If you want encryption or security, you want one level,
> if you want things that will be for experts, it will be another
> level," he said.
>
> "If you want to do something that will provide good security but will
> be palatable to a wide [number] of users, you have to see what you can
> do that will provide reasonable security, but will not create huge
> clients," Vardi said.
>
> But McGann said that Mirabilis was shirking from its responsibility,
> and that nothing short of a complete code redesign can make it safe to
> use.
>
> "[They] are releasing a product where anyone can pretend they are
> you," McGann said. "I can't imagine that -- even if I am not going to
> use it for mission critical [communication], it's just not even useful
> at that point," he said.
>
> "They have to make some major protocol changes, and they better do a
> hotfix [patch] to stop that hijacking," said McGann, who makes a hobby
> of auditing networks and finding potential vulnerabilities. "That code
> is really catastrophic."
>
> *****************
> Wade T. Smith
> morbius@channel1.com | "There ain't nothin' you
> wade_smith@harvard.edu | shouldn't do to a god."
> morbius@cyberwarped.com |
> ******* http://www.channel1.com/users/morbius/ *******