Internet Security Tips and Advice

Using IM with Confidence

May 13th, 2008 by Igor Pankov

Preface

Most people are familiar with Instant Messaging (IM) – applications that let users communicate in real-time with online friends and acquaintances over the Internet and monitor their availability. Instant messaging brings tangible benefits by making it easy to exchange information and take advantage of other extra services such as video conferencing and voice chat. However, with these benefits comes responsibility, and a person who uses IM must understand and address its security and privacy implications in order to stay safe online and keep personal information hidden from prying eyes. The safe use of IM is our main topic today.

Introduction to IM

Overview

Instant messaging has been in mainstream use for the past ten years, and continues to grow in both user base and sophistication as use of the Internet grows. IM’s popularity is due in large part to the fact that, unlike traditional email, IM can be delivered and replied to in a few seconds, dramatically speeding up communications. Plus, you can check if your friends or colleagues are online and indicate to them your availability or willingness to chat. In addition to conversation, you can send a file or a link over IM, as well as initiate a VoIP chat or video session, which is available with some advanced services. You can even play a game or share a desktop application remotely with someone you know.

Pre-requisites

To get started with IM, you really just need to choose a network and install the software. The most widely used IM networks today are AIM (AOL Instant Messenger), ICQ, Windows Live Messenger, Yahoo! Messenger, Jabber, and Skype. You access these networks using proprietary client software which is available as a free download. There are also independent third-party clients such as Miranda or Trillian that can support multiple protocols under one hood so that anyone who’s a member of, say, both the ICQ and AIM networks doesn’t have to install two separate client applications – he/she can configure these services within one IM client and switch between their profiles as needed.

How IM works

You can log into your IM account using the software you’ve downloaded from the network you’ve chosen, or initiate a session within your browser without downloading any software. This latter approach is becoming more common as more applications transition to web-based services instead of using desktop software. Google Talk, for example, provides such an option.

There are two ways in which messages can be sent over an IM network: using the IM server as an intermediary to deliver data, or using direct peer-to-peer data exchange.

In the first case, the information that two clients exchange passes through the central IM server, which then routes the corresponding messages to their designated recipient. In the second case, the server facilitates the initial hookup by explaining to both clients how they should “talk” to each other (by supplying the corresponding IP addresses and communication port numbers). From then on, the messages are exchanged directly between the two clients, avoiding any server participation. The latter case is more efficient in terms of resource allocation because it doesn’t require the server’s processing and bandwidth resources to manage data. It is also more secure because the messages travel across a shorter distance if the clients are nearby, resulting in less exposure. Using this approach, if two people connected to an office or home LAN want to chat on the ICQ network, their messages won’t leave the boundaries of that network, making it almost impossible for outside parties to capture their dialogs.

The most common way, though, is to connect through the client-server-client configuration which is used by the majority of Internet protocols. However, transfers of large files or remote desktop sharing sessions over IM occur exclusively on a peer-to-peer basis to minimize the server load.

Log-in procedure

The majority of IM services log members in using the standard ID/password combination supplied by the IM client to the authorization server when the user attempts to connect to the service. This information is sent in unencrypted format, meaning that anyone who has managed to infiltrate the authorization session can easily intercept login data and steal user identities. A more secure way to authenticate users is through the “secure login” option available in some IM services such as ICQ. Essentially, this means that the IM client encrypts the user’s credentials with a special hash key issued by the server on connection. This reduces the possibility of network packets being captured and log-in data extracted from them.

On successful validation, the system logs the user in, and the user’s “friends” list is populated, along with other relevant information such as the current status of people on that list.
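The difference between the plain ID/password login and a server-issued challenge, as an added example that is not part of the original article and is not ICQ's actual protocol. It is a generic challenge-response sketch using HMAC-SHA256; the account, password and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

USER_DB = {"ja_cool26": "Tr1cky-pass"}  # constructed sample account


def plaintext_login(user_id, password):
    """Bytes on the wire for a plain ID/password login."""
    return f"LOGIN {user_id} {password}".encode()


def client_response(password, challenge):
    """Client proves it knows the password without sending it."""
    return hmac.new(password.encode(), challenge, hashlib.sha256).digest()


class AuthServer:
    def __init__(self, user_db):
        self.user_db = user_db
        self.pending = {}  # user_id -> outstanding one-time challenge

    def issue_challenge(self, user_id):
        self.pending[user_id] = secrets.token_bytes(16)
        return self.pending[user_id]

    def verify(self, user_id, response):
        challenge = self.pending.pop(user_id, None)  # each challenge is single-use
        password = self.user_db.get(user_id)
        if challenge is None or password is None:
            return False
        return hmac.compare_digest(client_response(password, challenge), response)


def demo():
    user, password = "ja_cool26", USER_DB["ja_cool26"]
    server = AuthServer(USER_DB)
    sniffed_plain = plaintext_login(user, password)
    challenge = server.issue_challenge(user)
    response = client_response(password, challenge)
    legit = server.verify(user, response)
    server.issue_challenge(user)                 # a later login gets a fresh challenge
    replayed = server.verify(user, response)     # captured response sent again
    return {
        "password_visible_plain": password.encode() in sniffed_plain,
        "password_visible_challenge_response": password.encode() in challenge + response,
        "legitimate_login": legit,
        "replayed_login": replayed,
    }


if __name__ == "__main__":
    print(demo())
```

A captured challenge and response still let an eavesdropper test password guesses offline, so the scheme is only as strong as the password. It also protects the login only, not the messages sent afterwards.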

IM security essentials

Your IM profile

When you’re choosing a screen name (or nickname), try using names that can’t easily be identified with your personality, such as “ja_cool26” instead of “johnandrews26”. Also, do not ever divulge your personal data such as home address, telephone number or other sensitive information on your online profile. When choosing a password, make sure you make it at least 6 characters long and use a combination that differs from other accounts (such as the password for the email address to which the confirmation email would be sent in the case of a lost password).

Most IM clients save your password in a local cache to automate future logins. We recommend that you manually enter your password each time you log in (in other words, do not save your passwords), but if you choose otherwise, make sure the password is not visible on the logon screen or in your local cache, usually stored in the Windows Registry. Consult your IM vendor concerning how the cached passwords are managed locally.

Avoid using IM in public places such as a library or internet café. If you absolutely have to, never opt to save passwords on log-in.

Make sure your system is clean of viruses, keyloggers and other malware, as these can completely negate your password preservation efforts by directly recording your keyboard activity and relaying it to scammers. If your IM account has been hijacked, notify your contacts and try to restore your account by providing as much information as possible in the special accounts restoration section on the IM service’s website.

Usage

One key thing to remember when using IM is that all information you send or receive is communicated in plain, easily readable text, so don’t ever communicate confidential or private information over IM. Many people underestimate this risk until it’s too late, and their account has been hijacked, credit card data stolen, or confidential information exposed or misappropriated.

A hacker or unethical ISP can easily eavesdrop on IM sessions, capturing conversations and selling them for financial gain or posting them in public forums just for fun. This kind of intrusion is possible because, by using sophisticated “sniffing” software that intercepts network traffic or through a deficiency in the TCP/IP protocol, hackers can stage man-in-the-middle attacks and impersonate either the sender of information, or its recipient, without the knowledge of the other party.

You can overcome this limitation in part by installing additional plug-ins that can encrypt IM traffic with PGP keys. Miranda, a free cross-protocol IM program, can optionally enable data encryption for confidential communication. It is believed that plotters of the Sept. 11 terrorist attack used encryption in instant messaging to exchange details of the upcoming attack so that the CIA couldn’t decipher their messages.

As with every Internet-enabled program, bugs and vulnerabilities can lead to system compromises. Make sure you keep Windows and your IM client software updated and patched. IM worms exploit vulnerabilities in IM software and send copies of themselves to the people listed in victims’ contact lists, spreading rapidly. Another rule of thumb is to never download or open executable files received over IM, and if possible, check all other files with an updated antivirus. Never click on a link in an instant message, especially if it comes from an unknown source; it’s also wise to treat messages from your friends as potentially hazardous; these can also be deployed from hacked or compromised accounts. Internet links can point to infected locations and you can unwittingly infect your computer by clicking on them. As file downloads usually take place on a peer-to-peer basis, your IP address is revealed to the other party, creating an opportunity for remote intrusion if your network is not protected by a firewall. Older clients, such as ICQ 2003, may reveal your external IP address by default, so remember to update your IM client software to the latest version.

Many IM clients record your conversations locally for the purpose of viewing them later. You may opt to deselect this option through the IM client’s configuration options.

SpIM (spam over IM) is another nuisance. These messages can do anything from enticing you to purchase a certain item to attempting to infect your PC with drive-by downloads. Many IM clients have spam protection functionality that you may find very useful. However, the most appropriate response to spam is to not react or reply – just the action of your replying tells the sender (human or bot) that there is a live email account at that address. Some clients offer to deploy a challenge-response system, which will pass the message from an unknown sender to you only if the sender answers a simple question, ensuring the sender is not a spam bot.

Requests to authorize a new user should be treated with suspicion and you should investigate the soliciting user before granting authorization. Cases of stalking need to be reported to the responsible authorities. Do not respond to chain letters and other solicitations from unknown people.

Conclusion

IM is a very efficient and convenient way to communicate because messages can reach the recipient very quickly. There are a few rules that should be followed when using IM – never send sensitive information if no encryption is available (by default, your messages are sent in unencrypted form), never run executable files obtained from unfamiliar or dubious sources, use your antivirus and firewall to protect from propagating threats and network intrusions, and treat the links that your contacts send you as potentially malicious.

Posted in Security Insight

2 Responses

  1. alainwolf

    Thanks for this information. It helps me a lot. ^_^

  2. Marco Smit

    Users of IM must take this article seriously; IM is dangerous if you are not correctly protected.
    Outpost Security Suite 2008 is my defense against all the dangers on the internet today. IM users must have at least Outpost Firewall Pro or the Suite. This article is valuable information; keep this in mind.