Since when is IRC a security risk?


March 3rd, 2006

I recently had a negative experience with the IT staff at the company I work for. Our security administrator, who has only been here a few months, took it upon himself to remove three programs I have been using regularly for the past three years: Firefox, WinAmp, and mIRC. He also stripped my admin privileges to my workstation, so I cannot install any programs, nor can I write data to my hard drive in any directory other than c:\documents and settings\username\.

After complaining and getting my supervisor to sign a System Security Request (a.k.a. TPS Report) for me, we managed to get Firefox back, but they vetoed the request to reinstall WinAmp and mIRC. WinAmp I can almost understand, since it’s not really work related (though keeping employee morale up should be considered as such), and I have since managed to get WMP10 to be almost adequate as a replacement. IRC, however, I use on a daily basis for entirely legitimate communications that directly relate to my job duties and impact my performance. Specifically, it provides me with immediate access to a large number of colleagues who can assist me with any problems I have in all aspects of programming and web application development.

The following is a copy of the reason the admin gave for not approving my request to restore mIRC:

“IRC along with other chat clients are insecure points of entry into our network. These clients have a continuing history of providing a vehicle for spreading worms and other malware. At this time, we do not have any way to filter or scan the data at the perimeter via the ports that these clients use for potential malware or vulnerabilities which leave an unnecessary risk through our firewall to our internal network.”

Now I won’t deny that it is a point of entry, but I would hardly consider it an insecure one. For one thing, it is a client, not a server, so inbound IRC connections are not allowed (I’m not going to go into DCC, which is and always has been disabled). The only data the client receives are plain text ASCII messages conforming to the IRC protocol, and it only receives that from the servers I have explicitly chosen to connect to.

The only potentially vulnerable point in the system is the IRC client itself. And to the best of my knowledge, in the 6+ years I have been using mIRC, there has only been one exploitable vulnerability in the client, which occurred in the fall of 2003, and was fixed in an updated client the day after the exploit started being used. This single exploit cannot even be accurately called an IRC insecurity, since it was a DCC exploit.

In contrast, our company uses Internet Explorer as its officially supported browser. How many vulnerabilities and exploits thereof have been discovered in regards to that little program in the last 6 years?

In a closely related struggle, after two weeks I was finally able to get the IT department to set up an FTP account for me to be able to transfer files to and from the externally-hosted web server. I am now on the third day of waiting for my request for an FTP client to be approved. With security policies like this, it’s amazing I can get any work done at all.



2 comments to “Since when is IRC a security risk?”

  1. Join the group and SSH into a remote server then use a text based IRC client *cough* irssi *cough* from a *nix box.


  2. Except it would have to be telnet instead of SSH, since Windows doesn’t come with an SSH client and I’m not allowed to install one. Is irssi really that much better than bitchx? I was familiar with using bitchx over SSH at one time, so I was planning on going that route. I guess I can always broaden my horizon.



