Does IM stand for insecure messaging?

Printable View

March 22nd, 2005, 03:58 PM
whatthe

Does IM stand for insecure messaging?

http://news.zdnet.com/2100-1009_22-5...=zdfd.newsfeed

Quote:

most of which rely for their proliferation on ignorance of their existence among users and IT administrators.

Quote:

the best way to help people protect themselves is to instill the same distrust regarding Web links or attachments sent via IM that they have been taught to apply to e-mail.

Which do you think is the greater culprit, in this case, the software or the user?

From most of what I've read it doesn't seem like the client software has been exploited until the user took ill advised action.
March 22nd, 2005, 04:27 PM
the_JinX

PEBKAC

Problem Exists Between Keyboard And Chair
March 22nd, 2005, 04:33 PM
zencoder

I am not aware of *any* exploits that impact (up-to-date) IM applications without user-intervention. As always, the user is the weakest link in an attack like this. Technical attacks are usually easy to fix once they are understood (or we wouldn't have the booming Configuration Management sub-set of the industry), but human failures and misunderstanding or lack of common sense have been a problem ever since that Trojan commander let the big wooden horse inside the city walls of Troy.
March 22nd, 2005, 04:41 PM
whatthe

Instant Messaging Continues to Advance as an Attack Vector for Hackers to Gain Access

http://www.wwwcoder.com/main/parenti...6/default.aspx

Quote:

IM's acceptance rate continues to grow. In fact, industry research firm IDC predicts that there will be over 450 million worldwide users of consumer and business IM products by the end of 2007

Quote:

Today, Websense Security Labs has discovered highly sophisticated IM attacks that spread malicious code and worms directly into an organization without any end-user intervention. Hackers have now begun to utilize IM as a new vector for phishing and pharming scams, by sending out mass messages to thousands of IM users which request the recipient to click on a link which takes them to a fraudulent website. These malicious or fraudulent sites either request personal information from the end user or automatically download and run keyloggers, worms or viruses on the user's machine-creating an open backdoor for hackers.

Every article user clicks this user clicks that. How many years have they been preaching discretion with e-mail. Hopefully it won't take as many years for people to realize the same risks apply to IM and virtually everything else they do on their computers.
March 22nd, 2005, 05:21 PM
michael737n

the other threat is one of privacy but also one of safety some people accidentally save their conversations on public computers and that gives some one a chance to profile them on the other hand it is usefull to police if some one comes up missing or murdered they can check for clues on the persons computer
March 22nd, 2005, 07:01 PM
MrCoffee

Quote:

Today, Websense Security Labs has discovered highly sophisticated IM attacks that spread malicious code and worms directly into an organization without any end-user intervention. Hackers have now begun to utilize IM as a new vector for phishing and pharming scams, by sending out mass messages to thousands of IM users which request the recipient to click on a link which takes them to a fraudulent website. These malicious or fraudulent sites either request personal information from the end user or automatically download and run keyloggers, worms or viruses on the user's machine-creating an open backdoor for hackers.

If the user has to click on a reciept, isn't that user intervention? Without the user interacting with the IM client.... it aint going to expliot the box, or am I wrong?

Oh... and in general.. IM stands for Instant Moron. :)
March 23rd, 2005, 04:37 AM
aenema

It's time to brush my teeth
March 23rd, 2005, 05:34 PM
whatthe

Aenema, as always, thanks for your wonderful input. Your posts are always so informative.

More IM info, no real surprise but

Report: Companies unprepared for IM attacks

Quote:

A recent survey conducted by the IT security company found that 90 percent of the 7,500-plus businesses it spoke with have established policies to manage use of e-mail, but 49 percent have no official rules in place to govern IM and peer-to-peer software usage.

.. so buy our new IM protection.

I'm surprised that 51% have an IM policy, maybe all the attention is paying off .... or they lie ;)

http://news.zdnet.com/2100-1009_22-5...=zdfd.newsfeed
March 23rd, 2005, 06:10 PM
MrCoffee

We have a policy in place, but I doubt anyone much pays attention to it. Of my small group of users, only two actually use peer-to-peer or IM, and they both far out rank me within the company, so... :S

I am not really surpized that 51% do have a policy, my best bet is their ASP blanket covers email/IM/P2P etc. The only reason I included it here was because IM caused some issues at a job I worked before, so it was an issue in my head when I wrote the ASP.
March 23rd, 2005, 06:41 PM
zencoder

MrCoffee, I'm assuming ASP = Acceptable Use Policy, or some similar term/document?

I hear you loud and clear. My current client doesn't have an in your face policy (it's in their Usage Policy, if you read far enough back into it), but it doesn't matter. They block everything and it's cousin both inbound and out. Help yourself, install all the IM clients you want...your traffic bounces off the electronic barrier. "Well I'll just proxy it through port 80!" you say? Websense takes care of that.

It's a great setup. The downside is it takes a higher level of effort to engineer, administrate, and document the network architecture and policies. And it does feel somewhat draconian at times.
March 23rd, 2005, 06:48 PM
whatthe

Quote:

And it does feel somewhat draconian at times.

I guess that's when we have to emerge from the IT dungeon and use our *cough* people skills to educate the users why it is necessary to protect their employer, themselves and their paycheck.
March 23rd, 2005, 07:16 PM
Egaladeist

Personally, I don't understand why anyone needs all these mail boxes...yahoo, g-mail, IM, hotmail, etc...etc...etc...I've got one e-mail box with my ISP and that's all I need.

What exactly is the purpose of having all of these accounts/boxes ?
March 23rd, 2005, 07:21 PM
MrCoffee

People skills?
I have said it before and I will say it again.... My Network would be prefect except I have users. :)

Most of the time when people ask me why they can't use IM or ICQ or P2P at work, I start to explain and their eyes glaze over. So I talk like I do to my kids.... No, you cant use it because it's bad..."But why"... CAUSE I SAID SO! :)