Basically they are both just as insecure as each other so it's up to you
which you use.
Janie
At 19:56 08/06/98 -0400, you wrote:
>Well, I use IRC. It is basically free, international, unfettered, and is,
>after all, the grand-daddy of chat protocols. You don't need a specific
>brand of client, nor a small server system, and you don't use bleeding
>numbers....
>
>And besides, the version of ICQ for my particular Mac platform is
>incredibly buggy, and has never run more than five minutes....
>
>and- there is this little tidbit recently on the Wired site...
>
>
>_______
>
>
>Net Messaging Called 'Catastrophic' by James Glave
>
>5:05am 5.Jun.98.PDT
>
>The world's most widely used Internet
>"instant-messaging" service is a security disaster waiting to happen,
>according to networking experts familiar with the program. ICQ lacks
>secure barriers against hijacking, spoofs, and other hostile programs
>that can listen in on personal, and potentially sensitive,
>communications sent over the system.
>
>Each day, more than 3 million people use ICQ to send quick and easy
>text messages to friends and coworkers over the Internet. Messages
>appear instantaneously in a window on the users' desktops. More than
>12 million users are registered with ICQ, and the program is gaining
>popularity in corporate settings as a productivity tool for office
>workers, such as for exchanging information like sales figures.
>
>Jesse Schachter, an engineer with Advanced Corporate Networking, said
>that a former employer, an Internet service provider, used ICQ for all
>internal communications.
>
>"Pretty much anything that would have been talked about in person was
>talked about in ICQ," Schachter said.
>
>But that's bad news, according to Greg Jones, a freelance
>network-security expert familiar with the program.
>
>"Using ICQ is like talking by writing on big cue cards: Everyone can
>see what you're exchanging. It wasn't designed for security," he said.
>
>Mirabilis, the Israeli company that developed ICQ, states that the
>free system was not designed for "mission critical" or "content
>sensitive" communications.
>
>"We are working on improving the security and also some other
>features, continuously," said Yossi Vardi, business-development
>director for Mirabilis. "But this is not a banking system," he said.
>
>In the past week, a security expert who goes by the name "Wumpus"
>posted to a security mailing list the source code for a program called
>ICQ Hijack. Once compiled and run, the program will allow anyone to
>take over an ICQ account and assume another user's identity.
>
>"It will hijack an ICQ account," said Wumpus, who declined to be named
>for this story, citing potential issues with his employer. "It does
>this by sending spoofed IP [or Internet Protocol] packets which
>pretend to be from the client, saying 'change my password to something
>else.' The user of the program provides what the new password will
>be," he said.
>
>In January of this year, Alan Cox, a system administrator and
>self-employed consultant, posted a similar program, called "icqsniff"
>to the security mailing list BugTraq. The program collects passwords
>being sent between ICQ users. According to Wumpus, Mirabilis president
>Arik Vardi said at that time that he would fix the next version of ICQ
>to address the issue.
>
>Apparently, that hasn't happened.
>
>"The latest version [of ICQ] encrypts the passwords," said Cox. "But
>the password isn't in every message and the messages are not [code]
>signed -- so it's little improvement," he said.
>
>Further, it is still possible to spoof the system and pretend to be
>someone else. "The spoofing allow[s] me to send a message as anyone
>else on the system, [such as] messages from your boss asking you to
>turn off the Internet connection," said Cox.
>
>Mirabilis has been the subject of much market speculation in recent
>weeks. The company is reportedly in talks with America Online, which
>is rumored to be considering purchasing the technology. Neither
>company would comment on the rumors.
>
>All of the security and networking specialists that spoke with Wired
>News for this story said that the greatest problem with ICQ is that
>the protocol -- the actual networking mechanics used by the system --
>is proprietary and undocumented and, as a result, is not subject to
>the bulletproofing process of peer review.
>
>Wumpus said that he determined that ICQ uses User Datagram Protocol
>(UDP) between clients and the server, and standard Transport Control
>Protocol (TCP/IP) between users. However, he said, ICQ's UDP
>communications have been insecure since the beginning.
>
>"They are trying to obfuscate the protocol, they are hiding important
>parts of the protocol, but not encrypting it," said Seth McGann, the
>author of icqspoof, another spoofing program and a security consultant
>with Advanced Corporate Networking.
>
>McGann said that ICQ could be a valuable tool for crackers to use to
>talk their way into sensitive information. "There are a lot of
>possibilities for social engineering. You might be able to present
>yourself as someone in the company ... to get privileged information,"
>he said.
>
>McGann also said he has developed a program that allows him to see and
>change ICQ messages in real time as they pass between two ICQ users,
>without their knowledge. He has not yet released this code to the Net.
>
>Yossi Vardi of Mirabilis said the company was straightforward about
>the appropriate use of ICQ and added that all issues will be resolved
>in the next version of the client, due "in a couple of days."
>
>"The question is, what kind of level of service do you want?" said
>Yossi Vardi. "If you want encryption or security, you want one level,
>if you want things that will be for experts, it will be another
>level," he said.
>
>"If you want to do something that will provide good security but will
>be palatable to a wide [number] of users, you have to see what you can
>do that will provide reasonable security, but will not create huge
>clients," Vardi said.
>
>But McGann said that Mirabilis was shirking from its responsibility,
>and that nothing short of a complete code redesign can make it safe to
>use.
>
>"[They] are releasing a product where anyone can pretend they are
>you," McGann said. "I can't imagine that -- even if I am not going to
>use it for mission critical [communication], it's just not even useful
>at that point," he said.
>
>"They have to make some major protocol changes, and they better do a
>hotfix [patch] to stop that hijacking," said McGann, who makes a hobby
>of auditing networks and finding potential vulnerabilities. "That code
>is really catastrophic."
>
>
> *****************
> Wade T. Smith
>morbius@channel1.com | "There ain't nothin' you
>wade_smith@harvard.edu | shouldn't do to a god."
>morbius@cyberwarped.com |
>******* http://www.channel1.com/users/morbius/ *******
>
>
--
lovable.ml.org administration.
janie_wojtczak@cybergal.com
janie@lovable.ml.org
admin@lovable.ml.org
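The point Cox and McGann make in the quoted article (encrypting the password at login is little help while later messages carry no signature, so anyone naming a UIN can send "change my password") in a toy model. This is an added example, not code from the thread and not ICQ's real wire format; the message fields, the two server classes and the session-key handout at login are all assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of the two designs the article contrasts; not ICQ's real
# wire format. WeakServer checks the password at login only and then trusts any
# message that names a registered UIN. SignedServer requires an HMAC under a
# per-session key plus a sequence number on every message.

def sign(key, uin, seq, cmd, arg):
    # Tag covers every field, so none can be forged or reordered without the key.
    return hmac.new(key, f"{uin}|{seq}|{cmd}|{arg}".encode(), hashlib.sha256).digest()


class WeakServer:
    def __init__(self):
        self.passwords = {}

    def register(self, uin, password):
        self.passwords[uin] = password

    def handle(self, uin, cmd, arg):
        # Nothing links this message to the client that logged in: the UIN alone is enough.
        if uin not in self.passwords:
            return "unknown uin"
        if cmd == "change_password":
            self.passwords[uin] = arg
        return "ok"


class SignedServer(WeakServer):
    def __init__(self):
        super().__init__()
        self.keys = {}      # uin -> session key issued at login
        self.last_seq = {}  # uin -> highest sequence number accepted

    def login(self, uin, password):
        # Assumption: login itself is protected (e.g. by a key exchange), so the key is just returned.
        if self.passwords.get(uin) != password:
            return None
        self.keys[uin] = secrets.token_bytes(32)
        self.last_seq[uin] = 0
        return self.keys[uin]

    def handle(self, uin, seq, cmd, arg, tag):
        key = self.keys.get(uin)
        if key is None or not hmac.compare_digest(tag, sign(key, uin, seq, cmd, arg)):
            return "rejected: bad or missing signature"
        if seq <= self.last_seq[uin]:
            return "rejected: replay"
        self.last_seq[uin] = seq
        return super().handle(uin, cmd, arg)
```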