Re: virus: ICQ vs. IRC

Janie! (janie_wojtczak@cybergal.com)
Wed, 10 Jun 1998 21:09:45 +0100


I can't point out that IRC lacks secure barriers against hijacking, spoofs,
and other hostile programs that can listen in on personal, and potentially
sensitive, communications sent over the system.

Basically they are both just as insecure as each other so it's up to you
which you use.

Janie

At 19:56 08/06/98 -0400, you wrote:
>Well, I use IRC. It is basically free, international, unfettered, and is,
after all, the grand-daddy of chat protocols. You don't need a specific
brand of client, nor a small server system, and you don't use bleeding
numbers....
>
>And besides, the version of ICQ for my particular Mac platform is
incredibly buggy, and has never run more than five minutes....
>
>and- there is this little tidbit recently on the Wired site...
>
>
>_______
>
>
>Net Messaging Called 'Catastrophic' by James Glave
>
>5:05am  5.Jun.98.PDT
>
>The world's most widely used Internet
>"instant-messaging" service is a security disaster waiting to happen,
>according to networking experts familiar with the program. ICQ lacks
>secure barriers against hijacking, spoofs, and other hostile programs
>that can listen in on personal, and potentially sensitive,
>communications sent over the system.
>
>Each day, more than 3 million people use ICQ to send quick and easy
>text messages to friends and coworkers over the Internet. Messages
>appear instantaneously in a window on the users' desktops. More than
>12 million users are registered with ICQ, and the program is gaining
>popularity in corporate settings as a productivity tool for office
>workers, such as for exchanging information like sales figures.
>
>Jesse Schachter, an engineer with Advanced Corporate Networking, said
>that a former employer, an Internet service provider, used ICQ for all
>internal communications.
>
>"Pretty much anything that would have been talked about in person was
>talked about in ICQ," Schachter said.
>
>But that's bad news, according to Greg Jones, a freelance
>network-security expert familiar with the program.
>
>"Using ICQ is like talking by writing on big cue cards: Everyone can
>see what you're exchanging. It wasn't designed for security," he said.
>
>Mirabilis, the Israeli company that developed ICQ, states that the
>free system was not designed for "mission critical" or "content
>sensitive" communications.
>
>"We are working on improving the security and also some other
>features, continuously," said Yossi Vardi, business-development
>director for Mirabilis. "But this is not a banking system," he said.
>
>In the past week, a security expert who goes by the name "Wumpus"
>posted to a security mailing list the source code for a program called
>ICQ Hijack. Once compiled and run, the program will allow anyone to
>take over an ICQ account and assume another user's identity.
>
>"It will hijack an ICQ account," said Wumpus, who declined to be named
>for this story, citing potential issues with his employer. "It does
>this by sending spoofed IP [or Internet Protocol] packets which
>pretend to be from the client, saying 'change my password to something
>else.' The user of the program provides what the new password will
>be," he said.
>
>In January of this year, Alan Cox, a system administrator and
>self-employed consultant, posted a similar program, called "icqsniff"
>to the security mailing list BugTraq. The program collects passwords
>being sent between ICQ users. According to Wumpus, Mirabilis president
>Arik Vardi said at that time that he would fix the next version of ICQ
>to address the issue.
>
>Apparently, that hasn't happened.
>
>"The latest version [of ICQ] encrypts the passwords," said Cox. "But
>the password isn't in every message and the messages are not [code]
>signed -- so it's little improvement," he said.
>
>Further, it is still possible to spoof the system and pretend to be
>someone else. "The spoofing allow[s] me to send a message as anyone
>else on the system, [such as] messages from your boss asking you to
>turn off the Internet connection," said Cox.
>
>Mirabilis has been the subject of much market speculation in recent
>weeks. The company is reportedly in talks with America Online, which
>is rumored to be considering purchasing the technology. Neither
>company would comment on the rumors.
>
>All of the security and networking specialists that spoke with Wired
>News for this story said that the greatest problem with ICQ is that
>the protocol -- the actual networking mechanics used by the system --
>is proprietary and undocumented and, as a result, is not subject to
>the bulletproofing process of peer review.
>
>Wumpus said that he determined that ICQ uses User Datagram Protocol
>(UDP) between clients and the server, and standard Transport Control
>Protocol (TCP/IP) between users. However, he said, ICQ's UDP
>communications have been insecure since the beginning.
>
>"They are trying to obfuscate the protocol, they are hiding important
>parts of the protocol, but not encrypting it," said Seth McGann, the
>author of icqspoof, another spoofing program and a security consultant
>with Advanced Corporate Networking.
>
>McGann said that ICQ could be a valuable tool for crackers to use to
>talk their way into sensitive information. "There are a lot of
>possibilities for social engineering. You might be able to present
>yourself as someone in the company ... to get privileged information,"
>he said.
>
>McGann also said he has developed a program that allows him to see and
>change ICQ messages in real time as they pass between two ICQ users,
>without their knowledge. He has not yet released this code to the Net.
>
>Yossi Vardi of Mirabillis said the company was straightforward about
>the appropriate use of ICQ and added that all issues will be resolved
>in the next version of the client, due "in a couple of days."
>
>"The question is, what kind of level of service do you want?" said
>Yossi Vardi. "If you want encryption or security, you want one level,
>if you want things that will be for experts, it will be another
>level," he said.
>
>"If you want to do something that will provide good security but will
>be palatable to a wide [number] of users, you have to see what you can
>do that will provide reasonable security, but will not create huge
>clients," Vardi said.
>
>But McGann said that Mirabilis was shirking from its responsibility,
>and that nothing short of a complete code redesign can make it safe to
>use.
>
>"[They] are releasing a product where anyone can pretend they are
>you," McGann said. "I can't imagine that -- even if I am not going to
>use it for mission critical [communication], it's just not even useful
>at that point," he said.
>
>"They have to make some major protocol changes, and they better do a
>hotfix [patch] to stop that hijacking," said McGann, who makes a hobby
>of auditing networks and finding potential vulnerabilities. "That code
>is really catastrophic."
>
>
> *****************
> Wade T. Smith
>morbius@channel1.com | "There ain't nothin' you
>wade_smith@harvard.edu | shouldn't do to a god."
>morbius@cyberwarped.com |
>******* http://www.channel1.com/users/morbius/ *******
>
>

--
                           ()___()
                           (:@ @:)
************************.ooO-(_)-Ooo.******************************

lovable.ml.org administration. janie_wojtczak@cybergal.com janie@lovable.ml.org admin@lovable.ml.org

.oooO Oooo. *************************( )**( )****************************** \_/ \_/