4.4. Understanding Instant Messaging's Features

Instant messaging (IM) has become a hugely popular application on the Internet. Millions of users are estimated to be using instant messaging worldwide. America Online and Microsoft provide IM services to their subscribers. Their services are free and easily accessible.

IM users can send photos, play network games, conduct chats, send e-mail, and even have IM conferences. IM functionality in no small part explains its growth. Besides, it's just fun. Clients use software to connect to IM servers to communicate. These servers might be synchronized worldwide to allow instantaneous communications between any two users in the world. Figure 4.18 shows clients connecting to an IM server system similar to the ones used by Microsoft and AOL.

Figure 4.18. An IM network with worldwide users

The next sections deal with the vulnerabilities inherent in IM as well as ways to control privacy.

4.4.1. Understanding IM Vulnerabilities

Attacks using IM are becoming common. Many of the attacks are intended to disrupt existing systems by interjecting or flooding a channel with garbage data. This is also called jamming, and it's one of the favorite techniques used to disrupt public channel communications systems, including instant messaging systems.
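The following is an added example, not taken from the book: a minimal sliding-window check that a client or channel moderator could use to spot and mute a sender who is jamming a channel. The log format, the function names `find_jammers` and `filter_channel`, and the threshold values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Constructed sample channel log: (seconds since start, sender, message text)
SAMPLE_LOG = [
    (0.0, "alice", "anyone up for a game tonight?"),
    (0.4, "flood01", "xK9#qq@@zz!!"),
    (0.5, "flood01", "xK9#qq@@zz!!"),
    (0.6, "flood01", "p0Lm%%vv##aa"),
    (0.7, "flood01", "xK9#qq@@zz!!"),
    (0.9, "flood01", "r7Tt&&bb**cc"),
    (1.2, "bob", "sure, what time?"),
    (1.3, "flood01", "xK9#qq@@zz!!"),
    (6.0, "alice", "8pm works"),
    (9.5, "bob", "see you then"),
]


def find_jammers(log, max_msgs=4, window=2.0):
    """Return {sender: timestamp} for each sender who posts more than
    max_msgs messages inside a sliding window of `window` seconds.
    The timestamp is the moment the limit was first exceeded."""
    recent = defaultdict(deque)  # sender -> timestamps still inside the window
    flagged = {}
    for ts, sender, _text in log:
        q = recent[sender]
        q.append(ts)
        # Drop timestamps that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > max_msgs and sender not in flagged:
            flagged[sender] = ts
    return flagged


def filter_channel(log, **limits):
    """Return the messages a client would still display after muting
    each jammer from the moment it was flagged."""
    flagged = find_jammers(log, **limits)
    return [m for m in log if m[1] not in flagged or m[0] < flagged[m[1]]]


if __name__ == "__main__":
    print("flagged:", find_jammers(SAMPLE_LOG))
    for ts, sender, text in filter_channel(SAMPLE_LOG):
        print(f"{ts:5.1f} <{sender}> {text}")
```

Normal conversation stays well under the limit, while the flooding sender is muted on its fifth message within two seconds.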

Malicious code, Trojan horse programs, and traditional DoS attacks can also compromise IM clients. IM is supposed to be easy to use, highly interactive, and intuitive for average users. Unfortunately, users frequently don't pay attention to security-related issues when they're using IM.

Most IM systems allow broadcasts and, in fact, sell this capability to businesses. The broadcasting capability allows an attacker to potentially send a "bait message" to millions of people simultaneously throughout the world. These broadcasts may announce sites offering free pornography or the opportunity to make millions of dollars in minutes. The acronym SPIM has even been added recently to the vernacular to describe spam over instant messaging.

When they go to these sites, unsuspecting individuals can be flooded with literally hundreds of windows that open simultaneously on the client system. When the user closes one window, two, three, or more windows open. In short, this is a DoS attack against a client. You can go into a chat room or a conversation area on a busy network, such as AOL or MSN, and watch the amount of jamming that occurs on these channels.

The best protection against this type of attack includes using antivirus software, not visiting sites that are advertised in this manner, and not opening suspicious files.

4.4.2. Controlling Privacy

Many users take privacy for granted. Unfortunately, IM systems weren't intended for confidential purposes.

Although most IM providers have made improvements in this area, never assume that information being sent using an IM system is private. Attachments, if sensitive, should be encrypted before you send them across an IM system.

IM is commonly used for people to meet each other. People frequently use IM to exchange phone numbers, addresses, and other personal information. If made available on the Internet, this information might create an unsafe situation for an individual. Even the disclosure of an e-mail address could cause an increase in unwanted e-mails from other people on the Internet.

A malformed MIME message can cause a buffer overflow. As simplistic as it sounds, this has been known to make servers crash.

