
Thread: Does IM stand for insecure messaging?

  1. #1
    Senior Member
    Join Date
    Mar 2004
    Posts
    510

    Does IM stand for insecure messaging?

    http://news.zdnet.com/2100-1009_22-5...=zdfd.newsfeed

    most of which rely for their proliferation on ignorance of their existence among users and IT administrators.
    the best way to help people protect themselves is to instill the same distrust regarding Web links or attachments sent via IM that they have been taught to apply to e-mail.
    Which do you think is the greater culprit, in this case, the software or the user?

    From most of what I've read it doesn't seem like the client software has been exploited until the user took ill-advised action.

    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,534
    PEBKAC

    Problem Exists Between Keyboard And Chair
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    I am not aware of *any* exploits that impact (up-to-date) IM applications without user-intervention. As always, the user is the weakest link in an attack like this. Technical attacks are usually easy to fix once they are understood (or we wouldn't have the booming Configuration Management sub-set of the industry), but human failures and misunderstanding or lack of common sense have been a problem ever since that Trojan commander let the big wooden horse inside the city walls of Troy.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4
    Senior Member
    Join Date
    Mar 2004
    Posts
    510

    Instant Messaging Continues to Advance as an Attack Vector for Hackers to Gain Access

    http://www.wwwcoder.com/main/parenti...6/default.aspx

    IM's acceptance rate continues to grow. In fact, industry research firm IDC predicts that there will be over 450 million worldwide users of consumer and business IM products by the end of 2007
    Today, Websense Security Labs has discovered highly sophisticated IM attacks that spread malicious code and worms directly into an organization without any end-user intervention. Hackers have now begun to utilize IM as a new vector for phishing and pharming scams, by sending out mass messages to thousands of IM users which request the recipient to click on a link which takes them to a fraudulent website. These malicious or fraudulent sites either request personal information from the end user or automatically download and run keyloggers, worms or viruses on the user's machine - creating an open backdoor for hackers.
    Every article: user clicks this, user clicks that. How many years have they been preaching discretion with e-mail? Hopefully it won't take as many years for people to realize the same risks apply to IM and virtually everything else they do on their computers.
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  5. #5
    The other threat is one of privacy, but also one of safety. Some people accidentally save their conversations on public computers, and that gives someone a chance to profile them. On the other hand, it is useful to police: if someone comes up missing or murdered, they can check for clues on the person's computer.

  6. #6
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    Today, Websense Security Labs has discovered highly sophisticated IM attacks that spread malicious code and worms directly into an organization without any end-user intervention. Hackers have now begun to utilize IM as a new vector for phishing and pharming scams, by sending out mass messages to thousands of IM users which request the recipient to click on a link which takes them to a fraudulent website. These malicious or fraudulent sites either request personal information from the end user or automatically download and run keyloggers, worms or viruses on the user's machine - creating an open backdoor for hackers.

    If the user has to click on a receipt, isn't that user intervention? Without the user interacting with the IM client.... it ain't going to exploit the box, or am I wrong?

    Oh... and in general.. IM stands for Instant Moron.
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  7. #7
    It's time to brush my teeth

  8. #8
    Senior Member
    Join Date
    Mar 2004
    Posts
    510
    Aenema, as always, thanks for your wonderful input. Your posts are always so informative.

    More IM info, no real surprise but

    Report: Companies unprepared for IM attacks

    A recent survey conducted by the IT security company found that 90 percent of the 7,500-plus businesses it spoke with have established policies to manage use of e-mail, but 49 percent have no official rules in place to govern IM and peer-to-peer software usage.
    .. so buy our new IM protection.

    I'm surprised that 51% have an IM policy, maybe all the attention is paying off .... or they lie

    http://news.zdnet.com/2100-1009_22-5...=zdfd.newsfeed
    "You got a mouth like an outboard motor..all the time putt putt putt" - Foghorn Leghorn

  9. #9
    Senior Member
    Join Date
    Mar 2004
    Posts
    171
    We have a policy in place, but I doubt anyone much pays attention to it. Of my small group of users, only two actually use peer-to-peer or IM, and they both far outrank me within the company, so... :S

    I am not really surprised that 51% do have a policy, my best bet is their ASP blanket covers email/IM/P2P etc. The only reason I included it here was because IM caused some issues at a job I worked before, so it was an issue in my head when I wrote the ASP.
    ~ I'm NOT insane! I've just been in a bad mood for the last 30 years! ~ Some people are like Slinky's: Not good for anything, but the thought of pushing them down the stairs brings a smile to your face!

  10. #10
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    MrCoffee, I'm assuming ASP = Acceptable Use Policy, or some similar term/document?

    I hear you loud and clear. My current client doesn't have an in-your-face policy (it's in their Usage Policy, if you read far enough back into it), but it doesn't matter. They block everything and its cousin both inbound and out. Help yourself, install all the IM clients you want...your traffic bounces off the electronic barrier. "Well I'll just proxy it through port 80!" you say? Websense takes care of that.

    It's a great setup. The downside is it takes a higher level of effort to engineer, administrate, and document the network architecture and policies. And it does feel somewhat draconian at times.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore
