January 20th, 2003 01:13 AM
Instant Messaging Insecurity
I am posting this message simply to alert people to a potential insecurity in Instant Messaging technology.
Basically, it is this: If you send someone an instant message, they can grab your IP Address. It is as simple as that. I tell you this to address the paranoid people out there, who are afraid of letting anyone get any sort of start attacking you.
You always see messages if you try to set up any sort of "Direct Connection," because that actually connects the computers on a port-to-port method, leaving a gaping hole in anyone's security.
But, as most of us here know, just getting someone's IP Address is enough to start an attack, by port scanning, or whatever. (I'm not going to give out any more ideas here than I have to.)
It works like this. The person who sends or recieves an Instant Message is sending and recieving packets of information, as we all know. Those packets are, in some firewalls, logged.
Because of that, it is possible for anyone to grab your IP Address by looking at the logged packets and in/out signals that every computer sends when connected to another computer.
The Firewall I originally discovered this with, was Sygate. Anyone can do this. It can happen if they send you a message, and you do not respond.
The only solution is to block people you do not trust, otherwise any new screen name, a fake temporary one, can send you a message, and get the information they need.
But even that is not totally secure. Variants of this can be done with almost any technology, as long as detailed logs are kept on in and out packets.
I don't know if anyone can find a way to stop someone from taking advantage of this, because any friend, even if temporarily ticked off at you, can grab your IP Address and begin trying to connect (more dangerous in XP and 2000 than anything else, due to their built in web server functions, on some designs.) OS X is also at possible risk for this, because it is a Unix Platform.
One reason why I prefer message boards and web chat. :-)