Library: Instant Messaging Systems and Security

Library: Instant Messaging Systems and Security

[Below is my post to DIG_REF, on the topic of why IT supporting libraries' staff are hesistant about installing IM systems for libraries - particularly when they can be used so effectively for virtual reference services.]

There are quite a number of complex security issues related to IM systems; I know front-line librarians are not fully aware of these, nor should they necessarily be, but the basic system and "platform" needs improvements in security to fit within acceptable limits. Most IT professionals will have read about this, as in this "White Paper" (undated) from Symantec.

They are likely seeing these reported systemic flaws, and while there are individual solutions, workarounds, etc., a whole "system" problem is a huge red flag. They will be very reluctant to go here, without lots of help, fixes, patches, and administrative support (equals time). Corporate and enterprise-wide "secure" solutions for IM exist, and more are coming onstream, but they are not necessarily free, or open-source, or based on the current 'popular' systems we often use in our communications (AOL IM, Trillian "client," Yahoo! Messenger, etc.).

We need to lobby vendors, software writers, companies, and the industry to provide secure workable IM systems for libraries (and other similar "community" enterprises).

This full white paper (about 16 pages) is online: see http://www.symantec.com/avcenter/reference/secure.instant.messaging.pdf
"Most IM systems presently in use were designed with scalability rather than security in mind. Virtually all freeware IM programs lack encryption capabilities and most have features that bypass traditional corporate firewalls, making it difficult for administrators to control instant messaging usage inside an organization. Many of these systems have insecure password management and are vulnerable to account spoofing and denial-of-service (DoS) attacks. Finally, IM systems meet all the criteria required to make them an ideal platform for rapidly spreading computer worms and blended threats:2 they are ubiquitous; they provide a communications infrastructure; they have integrated directories (buddy lists) that can be used to locate new targets; and they can, in many cases, be controlled by easily written scripts. Even worse, no firewall on the market today can scan instant messaging transmissions for viruses."

"This paper details the security risks of using instant messaging systems and provides guidelines to help enterprises make informed decisions about how to properly implement such systems within a corporate environment."

This is not just about running clients at home; this about a client-server environment (most IM systems) that can operate outside the usual firewalls that libraries in their environments rely on to "keep safe." Don't we rely heavily on our firewalls at home to keep us safe(r)? That is the biggest part of the issue, to my mind. I love IM, use it constantly, and wish we could have it at work. Alas, we don't, and I doubt we can afford to (buy a secure system) anytime soon.

Best,
DrWeb