Is Jabber Secure
Is Cisco Jabber HIPAA compliant? – Paubox
by Hoala Greevy Founder CEO of Paubox
Article filed in
HIPAA compliance
23 Oct 2017
Lately we’ve been discussing in the office whether certain cloud-based solutions are HIPAA compliant or not. Jabber by Cisco is a provider of presence and messaging software.
We know the HIPAA industry is vast so we can empathize with just how many people need to use cloud-based services in this sector.
In previous posts, we’ve covered the following cloud solutions and their capabilities for HIPAA compliance:
Amazon CloudFront
Apple iCloud
Box
Citrix ShareFile
Dropbox
FaceTime
Google Drive
Google Forms
Google Hangouts
GoToMeeting
Microsoft 365
OneDrive
SharePoint
Slack
WhatsApp
Yammer
Zoho
Zoom
The purpose of this post is to determine if Cisco Jabber offers HIPAA compliance or not.
SEE ALSO: HIPAA Breaches and Cloud Providers
About Jabber
Jabber is a provider of presence and messaging software.
It’s important to note that Cisco acquired the company called Jabber () in 2008. The open standard Jabber () is a stand-alone entity.
The Jabber protocol, now called XMPP, is an open standard for Instant Messaging.
We’ve previously talked about how a Business Associate Agreement (BAA) is a written contract between a Covered Entity and a Business Associate. It is required by law for HIPAA compliance to ensure security and privacy.
Jabber XCP Frequently Asked Questions
We checked the Cisco Jabber site and found a page called Jabber XCP Frequently Asked Questions.
In it, Cisco points out:
Q: How secure is Jabber XCP?
A: Jabber XCP is secure enough to support compliance regulations such as the Securities Exchange Commission (SEC) and Health Insurance Portability and Accountability (HIPAA). Jabber XCP security is used and trusted by the U. S. federal government.
The page does not make any mention however, of Cisco being willing to sign a Business Associate Agreement for use with Jabber.
The Cisco Approach to Telehealth White Paper
We also found a White Paper on Cisco’s site called The Cisco Approach to Telehealth.
It’s written in marketing speak and does not dive into any details around whether the company will actually sign a BAA with its customers.
Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide
We next found the Cisco Compliance Solution for HIPAA Security Rule Design and Implementation Guide.
The Implementation Guide is comprehensive and overwhelmingly demonstrates Cisco’s focus on the U. Healthcare market.
There are two issues remaining however:
Cisco still does not mention signing a BAA.
Jabber is not mentioned as being HIPAA compliant.
We were unable to find any other evidence on Cisco’s site that mentions it signing a BAA.
Does Cisco Jabber Offer HIPAA Compliant Service?
The Business Associate Agreement is a key component to HIPAA compliance between a Covered Entity and a Business Associate.
While Cisco is obviously focused on the U. Healthcare market, we were left with the impression that they do not actually sign Business Associate Agreements with their customers.
Instead, we believe they’ve determined themselves to fall in the HIPAA Conduit Exception Rule category.
SEE ALSO: HIPAA Conduit Exception Rule – What is it?
It’s also possible we fundamentally do not understand the nature of Jabber. Perhaps it’s not a cloud-based service at all and instead must be installed on-premises. If that’s the case, a BAA from Cisco would most likely not be required.
Conclusion: We are unable to conclusively determine if Jabber is HIPAA Compliant or not. We’re also unable to determine if it’s even a cloud-based service.
Try Paubox Email Suite for FREE today.
Patch now: Cisco warns Jabber IM client for Windows has a …
Cisco has raised an alert for customers using its Jabber video and instant-messaging client to patch four security flaws, including one critical bug that’s wormable. Without the latest patch, the Jabber for Windows client allows a remote attacker to exploit the flaw by sending rigged XML-based Extensible Messaging and Presence Protocol (XMPP) messages to the vulnerable Jabber client, according to Cisco.
Privacy
How to make privacy your company’s ‘killer app’
Personally identifiable information (PII): What it is, how it’s used, and how to protect it
Data privacy and data security are not the same
Cyber security 101: Protect your privacy from hackers, spies, and the government
Such an attack also poses a threat to the Windows system the Jabber client is running on. SEE: Security Awareness and Training policy (TechRepublic Premium)”A successful exploit could allow the attacker to cause the application to execute arbitrary programs on the targeted system with the privileges of the user account that is running the Cisco Jabber client software, possibly resulting in arbitrary code execution, ” Cisco notes. The bug only affects vulnerable versions of the Cisco Jabber client for Windows that have XMPP messaging services enabled. The flaw, tracked as CVE-2020-3495, has a severity rating of 9. 9 out of 10 and should be patched immediately, given a report by Norwegian pen-tester Olav Sortland Thoresen of Watchcom, who discovered the flaws.
He’s published a detailed account of the four flaws and the design of Jabber, which is based on the Chromium Embedded Framework (CEF). CEF allows developers to embed a natively sandboxed Chromium-based web browser in their applications. The one critical Jabber flaw allows an attacker to create a worm that spreads malware automatically between Jabber users without requiring user interaction, according to Thoresen. “Cisco Jabber is vulnerable to Cross Site Scripting (XSS) through XHTML-IM messages. The application does not properly sanitize incoming HTML messages and instead passes them through a flawed XSS filter, ” he explains. “Cisco Jabber uses XHTML-IM by default for all messages. A malicious message can therefore easily be created by intercepting an XMPP message sent by the application and modifying it. Attackers can do this manually on their own machine or it can be automated to create a worm that spreads automatically. “While the embedded browser is sandboxed to prevent access to files and performing system calls, he notes developers create ways to bypass the sandbox to add functionality, in this case to allow the client to open files received from other Cisco Jabber users. “Since Cisco Jabber supports file transfers, an attacker can initiate a file transfer containing a malicious file and force the victim to accept it using an XSS attack, ” explained Thoresen. “The attacker can then trigger a call to llCppFunction, causing the malicious file to be executed on the victim’s machine. “Thoresen says organizations using Cisco Jabber should consider disabling communication with external organizations through Cisco Jabber until all employees have installed the update. He’s also provided some indicators that security teams should be watchful for: XMPP messages with unusual HTML contentInvocations of with unusual flagsUnusual sub-processes of CiscoJabber. exeMalicious files being sent through Cisco Jabber’s file-sharing feature
Security
When your VPN is a matter of life or death, don’t rely on reviews
Ransomware gangs are complaining that other crooks are stealing their ransoms
Bandwidth CEO confirms outages caused by DDoS attack
These systems face billions of attacks every month as hackers try to guess passwords
How to get a top-paying job in cybersecurity
Cybersecurity 101: Protect your privacy from hackers, spies, the government
Security Plan – jabber.org
As part of our work on continuing to improve the security of the IM service, the admin team has drafted the following security plan. As always, we value your feedback, so feel free to send us comments.
Goals
Actions
Timeline
What You Can Do
Our goal is to provide a high level of security for our users. We want your communications to be private and confidential. To this end, we use strong security technologies, such as industry standard Transport Layer Security (TLS), at the IM service. We also actively engage with operators of other XMPP services to ensure that data is encrypted across the public XMPP network. Details regarding our current plans are provided in the rest of this document.
We are now working on the following security improvements:
Mandatory encryption of client connections.
What this accomplishes: This ensures that your password, buddy list, and messages are kept confidential between your device and the IM service. As a result, if you chat with another person with a address then your messages will never be “in the clear” over the wire.
What this does not accomplish: This does not protect your messages if you communicate with someone at another server (e. g., ). To make that happen, we need to enable mandatory encryption of server-to-server connections (see below). Also, this does not ensure that your messages are encrypted inside the IM service. To make that happen, you need to use IM software that supports end-to-end encryption (see What You Can Do at the bottom of this page).
When we will take this action: We plan to test this improvement on December 20-21, 2013. If there are no significant problems, we will enable it full-time in the near future (date to be determined).
Potential impact on you: If you are running IM software that does not support the XMPP STARTTLS technology first standardized in 2004, you will not be able to connect to the IM service. When we tested this setting several years ago, some old IM software was unable to connect, but we now expect few users to experience problems. However, if you are unable to connect, please send an email message to and tell us what IM software you are using (including the version and operating system).
Mandatory encryption of server-to-server connections.
What this accomplishes: This ensures that your messages to people with XMPP addresses at other servers (e. g., ) are kept confidential between and the remote server.
What this does not accomplish: This does not protect your messages between the remote server (e. g., ) and your friend’s IM software, nor does ensure that your messages are encrypted inside the service or inside the remote server. To make that happen, you need to use IM software that supports end-to-end encryption (see What You Can Do at the bottom of this page).
When we will take this action: Along with many other servers on the public XMPP network, we will test this improvement on January 4, 2014. Additional test dates are planned throughout the spring of 2014 (see below).
Potential impact on you: If you try to communicate with a remote server that does not support encryption, you will not see your friends online and you will not be able to exchange messages. Note that Google-hosted domains will not be part of the initial test days! However, it is our understanding that Google-hosted domains will be reachable over encrypted connections later in the testing process. If you experience communication problems during the test days listed below under the Timeline, please send an email message to and tell us what IM services you are attempting to contact.
The list actions provided above is incomplete, and this document will be updated as we work on further improvements.
December 20-21, 2013: Test of mandatory encryption for all client connections.
January 4, 2014: First test day of mandatory encryption for all server-to-server connections.
February 22, 2014 – Second test day for server-to-server encryption.
March 22, 2014 – Third test day for server-to-server encryption.
April 19, 2014 – Fourth test day for server-to-server encryption.
May 19, 2014 – Permanent upgrade to encrypted network for server-to-server encryption.
Although we do what we can to improve the security of the IM service, we alone can’t ensure the privacy and confidentiality of your communications. Here are things you can do to help:
Run IM software from well-known providers, such as Adium, Gajim, iChat, Jitsi, Pandion, Pidgin, Psi, or Swift.
Make sure you are running the latest version of your IM software and operating system software, including the most recent security patches.
Verify that your IM software is configured to require encryption of connections to the IM service.
If possible, use software that supports (either directly or through a plugin) an end-to-end encryption technology such as Off-the-Record Messaging.
Frequently Asked Questions about is jabber secure
How secure is Cisco Jabber?
“Cisco Jabber is vulnerable to Cross Site Scripting (XSS) through XHTML-IM messages. The application does not properly sanitize incoming HTML messages and instead passes them through a flawed XSS filter,” he explains. “Cisco Jabber uses XHTML-IM by default for all messages.Sep 3, 2020
Can Jabber be monitored?
Jabber doesn’t currently support monitoring notification tone or recording notification tone. You can use silent monitoring and call recording functionality only. Jabber doesn’t support other functionality such as barging or whisper coaching.
Is Jabber end to end encrypted?
To this end, we use strong security technologies, such as industry standard Transport Layer Security (TLS), at the Jabber.org IM service. We also actively engage with operators of other XMPP services to ensure that data is encrypted across the public XMPP network.