Free Republic
Browse · Search
News/Activism
Topics · Post Article

ICQ - Are You Seeking Trouble?
DanceArt | 05/03/1998 | David

Posted on 03/09/2002 9:34:11 AM PST by CommiesOut

Hey David, how come you won't use ICQ? It's such a great program! You can chat and tell when your friends log in to the internet and send them files and and and...

Well it is time to come clean on this issue. Even some of my close friends think I'm nutso over my position on the ICQ chat program from Mirabilis Ltd. So, okay, I know I'm on the outer fringes of society, given that millions of people seem to have used ICQ at one time or another. A little too security conscious perhaps? But look at it this way: the people I know in the software industry don't and won't use it either.

Years ago, working as a systems programmer for American Airlines I developed a system that was like ICQ without chat. The idea was that you could schedule programs to run on any personal computer on the local network. Say you knew that the sales department folks go home at 4 pm. You could schedule your reporting and printing tasks to run after that time on any available machine in that department and thus avoid tying up your own machine.

Talking about programmer heaven! It was a really cool project that did cool, necessary work, that had ALL SORTS of avenues for mischief.

You see, once a programmer installs software on somebody's computer that 'listens' to remote requests and services them there isn't much he can't do to that computer. Schedule a deletion of data at 3 am? No problem. Retrieve account information, password files, resumes? No problem.

Sure, you could, and I did, add an option that lets the user 'control' what happens on her machine. She could select "don't run programs" or "don't run THIS program" and feel like she was retaining control of her computer. But it is really easy to design a "remote override" and there are some fairly good reasons for doing so.

Primarily, when you are working with software that has a large install base, it is expensive and time-consuming to update the software on all the client computers. Regardless of what the users want, and what the programmer's boss wants, the motivation for retaining control over the user software is very high. Let's say the programmer discovers a bad software bug, or creates a new feature, and needs to update the hundreds (or millions) of copies that are installed around the network (or around the world). If the programmer takes advantage of the "remote override" and allows the software to update itself on all those computers, he saves tons of time and money.

ICQ has plenty of 'feel good' options that let the user disable file transfers and remote executions of programs. When these options are used correctly they do control what other users can do to your computer. I say 'users' because there is no telling what a hacker, Mirabilis, or a former Mirabilis employee could do in spite of the options the user selects.

Okay, so let's talk a bit more specifically about ICQ. Who wrote it and where does it come from? The publisher, Mirabilis Ltd., is an Israeli company. Israel has been building a stable of cutting-edge software development companies over the last few years, staffed with some extremely sharp young engineers. It should be mentioned that Israel is also one of the most troubled and unstable nations on the planet, no stranger to violent extremist groups, terrorism, and recently, home of a young hacker that successfully breached several classified US Government computer systems.

Is Mirabilis Ltd. publishing ICQ for the profits? They've given away, for free, over 10 million copies of their software. Their business model has not gelled over the last few years - they continue to give away software, racking up what must be soaring development, server, and tech support costs. They claim to be selling the server end of their software to companies. While this may be true, they are clearly not being compensated for millions of copies of ICQ and they continue to host the enormous server loads without compensation.

To dispense bitter medicine, you can force the issue or you can sugar coat it. If Mirabilis created ICQ with the intent to do harm then their distribution mechanism and marketing skills are beyond masterful. The program has been decorated with cute little flowers that appeal to the 12-year-olds and with enough power to keep the adults engaged.

When ICQ is installed in corporate or government environments, it must contend with various firewall and security measures designed to keep out hackers and dangerous software. ICQ must ask for firewall account ID's and passwords at installation time to be able to operate from these environments. How many people are installing ICQ at work so they can keep up with family at home, with friends in other companies, and with special interest groups? I venture that quite a few have. What does ICQ do with the firewall account information? One millisecond burst of data when connecting to the Mirabilis server could breach some of our most sensitive corporate and government systems. ICQ also integrates into your email system, which means it needs to know your account name, server, and password. Now who is reading your mail?

Data doesn't have to get sent immediately for this situation to be dangerous. Every time ICQ is started it logs into a server to tell the world that you are now online. That little flower icon in the corner of your screen means that ICQ is running, listening for possibly damaging requests that could come from anywhere in the world. That little flower effectively demolishes all the 128-bit encryption and plug-in security that Netscape and Microsoft work so diligently to provide for you.

If you are unlucky enough to have a credit card stolen you are responsible for $50 only, regardless if the loss occurs at the corner store or on the web. Hand somebody the keys and passwords to your computer and you can lose your tax and accounting info, your stock portfolio, your manuscript, your corporate secrets and worse.

Are we supposed to just trust that Mirabilis is not building a database of firewall passwords for corporate America, and that they, a disgruntled employee, or a hacker won't abuse that information? ICQ should scare the pants off every IS manager. I can hear it now: "But the director's assistant just wanted to chat with her daughter at home! It kept the phones free and let them stay in touch."

I occasionally entertain the idea of reverse engineering ICQ and of capturing the data that it sends to Mirabilis. Besides being a difficult and expensive proposition for a busy individual to tackle, I'm not so sure it really matters if ICQ is currently damaging your privacy or if it is configured to farm the Internet for firewall info. Even if ICQ came up squeaky clean after dozens or hundreds of hours of analysis it doesn't matter. They can release an update that will be quickly and cheaply distributed and embraced by millions that could lay waste to your PC even after the previous version got the 'good housekeeping' seal.

The last word? Mirabilis says it best. From the license agreement for ICQ:

Mirabilis do not warrant or guarantee 1) that any program or Information will be free of infection by viruses, worms, Trojan horses or anything else manifesting contaminating or destructive properties; ... It is the sole responsibility of the user to isolate software and Information, execute anti-contamination software and otherwise take steps to ensure that software or Information, if contaminated or infected, will not damage user's information or system.

You've been warned. Enjoy!

Additional Resources:
Wired article 1
Wired article 2



TOPICS: Miscellaneous
KEYWORDS: computersecurityin; techindex

1 posted on 03/09/2002 9:34:11 AM PST by CommiesOut

To: CommiesOut, Free the USA, NewAmsterdam, Black Jade,Carry_Okie,jmp702,malarski, Askel5, struwwelp
.
2 posted on 03/09/2002 9:36:16 AM PST by CommiesOut

To: CommiesOut
Slick.
3 posted on 03/09/2002 9:38:04 AM PST by LarryLied

To: CommiesOut
Yea......ICQ is a super program! But the new build sucks. They did away with the Reminder Feature AND the sounds. I used to be able to enable a special sound for each of my friends. So, when I was away from the pc, and I heard a wav........I knew exACTLY who was online.

I am very sad.

4 posted on 03/09/2002 9:41:36 AM PST by SheLion

To: LarryLied
Speaking of $lick...
I wonder what they use in the WH, Pentagon and other joints.
5 posted on 03/09/2002 9:49:15 AM PST by CommiesOut

To: *Tech_index;*Computer Security In
Check the Bump List folders for articles related to and descriptions of the above topic(s) or for other topics of interest.
6 posted on 03/09/2002 9:49:42 AM PST by Free the USA

To: kristinn
.
7 posted on 03/09/2002 9:50:41 AM PST by CommiesOut

To: CommiesOut
These articles are in the range of four years old. Has security been tightened? (Four years is four decades on the Web.)

America's Fifth Column ... watch PBS documentary JIHAD! In America
Download 8 Mb zip file here (60 minute video)

8 posted on 03/09/2002 9:52:18 AM PST by JCG

To: CommiesOut
I wonder what they use in the WH, Pentagon and other joints.

I sure hope if they decide to redecorate their offices and get some artwork, they don't use this program.

9 posted on 03/09/2002 9:54:50 AM PST by LarryLied

To: JCG
"Has security been tightened?"

Oh, sure. Just look around.

10 posted on 03/09/2002 9:54:54 AM PST by CommiesOut

To: CommiesOut
Wasn't ICQ purchased by AOL some time ago?
11 posted on 03/09/2002 10:20:15 AM PST by Snuffington

To: CommiesOut
Incredimail is also a free program with all the bells and whistles. HOWEVER, it is an Israeli company, and for that reason alone, I got rid of it. Not that I'm doing anything wrong, I just don't want others reading my e-mail. You can never be 100% certain they aren't reading your mail (whoever "they" are) but make them work for it, instead of giving them the keys.
12 posted on 03/09/2002 10:20:57 AM PST by Lokibob

To: LarryLied
Another one. AOL Blocks Another Messaging System
At least Odigo will send you a warning about future 911, LOL!
Instant Messages To Israel Warned Of WTC Attack
13 posted on 03/09/2002 10:35:05 AM PST by CommiesOut

To: CommiesOut
now just DANG if this isn't exactly what I thought several years ago. Here's this company, supposedly some Israeli kids, giving away this program that links a buncha zillions of computers together, and with no ads, no revenue. I expected that to change, then it just keeps getting bigger and bigger. Smelled a rat then and now about it. Who's forking out the big bucks for the servers and bandwidth, and why?
14 posted on 03/09/2002 10:36:20 AM PST by zog

To: zog
"Who's forking out the big bucks for the servers and bandwidth, and why?"

How about you and me?
And why? Maybe because we're stupid?

15 posted on 03/09/2002 10:39:02 AM PST by CommiesOut

To: CommiesOut
--are ONLY the individual machines the icq program is installed on acting as the client and server, or are there other machines involved at icq intergalactic someplace? That's the part I don't know.

And their potential as just another port in for a trojan, that is understood. Just wondering if there's an additional security *thing* there. You'd have to be able to run a traceroute via the program to someone else's machine on the icq to see if there's some common denominators filter points I guess.

16 posted on 03/09/2002 10:49:45 AM PST by zog

To: zog
Can't answer that. I'm just an average lazy idiot with a mouse.
17 posted on 03/09/2002 10:58:38 AM PST by CommiesOut

To: Snuffington
Wasn't ICQ purchased by AOL some time ago?

A security hole that may allow an attacker to run malicious code on a victim's PC has been detected in AOL's ICQ chat program.

All versions prior to AOL Mirabilis 2001B are vulnerable to the exploit, according to a report published on Thursday by the U.S.-based Internet security center CERT. Users who have the most recent build of the Mirabilis client are safe because vulnerable builds of the newest client will be automatically instructed by the server to disable the vulnerable plug-in. But all versions prior to 2001B do not have an external plug-in to disable, and so are vulnerable even after connecting to the server.

News: CERT reports ICQ security hole

America's Fifth Column ... watch PBS documentary JIHAD! In America
Download 8 Mb zip file here (60 minute video)

18 posted on 03/09/2002 11:50:14 AM PST by JCG

To: JCG
--thanks fer da link! Ahhh, it sez winderz icq progs. Good thing I'm still on my 68 heathkit running on studemacrobaker 1.1 beta OS....ya, thas the ticket! Drat, running out of coal again and water pressure dropping, have to shovel, quick!
19 posted on 03/09/2002 12:17:16 PM PST by zog

To: CommiesOut
I hear so much about icq. We installed it for a while on our computer. We found it to be incredibly annoying. Wound up tossing it out.
20 posted on 03/09/2002 12:23:38 PM PST by Prodigal Son

