Instant Messaging Security
By
InfoComm Security/QA, Computer Centre
National University of Singapore
Mar, 2005
Instant Messaging Overview
Instant Messaging (IM) is a communication service that provides real-time text, voice and video communication over the Internet. Users can also use it to transfer files, share applications and start whiteboard sessions. There are many IM solutions on the market, the most popular of which are the so-called big four: Windows Messenger or MSN Messenger, AIM (AOL Instant Messenger), ICQ and Yahoo Messenger.
IM networks consist of clients and servers. A user installs a client, gets an account and connects to the IM server to communicate. One thing worth mentioning is that IM protocols are proprietary; they are not interoperable with each other. That means ICQ users can only communicate with other ICQ users, Windows or MSN Messenger users can only communicate with other Windows or MSN Messenger users.
Some people may be confused about the differences between Windows Messenger and MSN Messenger. Windows Messenger is part of the Windows XP operating system, while you have to download and install MSN Messenger explicitly in order to use it. Windows Messenger is designed for corporate environments; it can connect to .NET Messenger Service, SIP Communications Service and Exchange Instant Messaging Service. MSN Messenger is designed for general consumers and has a lot of fun features which Windows Messenger lacks, but it can only connect to .NET Messenger Service.
During the past few years, IM has gained tremendous popularity. A lot of people enjoy using IM without realizing its security implications. In this article, threats to IM users will be discussed first, followed by tips and best practices that we should follow in order to protect ourselves when using IM.
Threats to IM Users
Threats due to IM Client Vulnerabilities
An IM client residing on the user’s desktop opens several ports in order to function properly. For example, the picture below shows the ports opened by msmsgs.exe, the Windows Messenger 5.1 client on the desktop I’m currently using.

Every open port is like an open door to a building. If the client is not patched properly, hackers, worms and viruses may exploit its vulnerabilities. Exploitation of these vulnerabilities may take the form of denial of service, unauthorized access to confidential data, or complete system compromise and subsequent loss of data integrity.
Microsoft Security Bulletin MS05-009, published in February 2005, is one example of such a vulnerability. According to Microsoft, “An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” There are hundreds of IM worms exploiting this kind of vulnerability, such as TROJ_PNGFILE, HKTL_MSSNGR, WORM_BROPIA and TROJ_HOHACK.
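A way to produce this kind of per-process port listing from the command line, as an added example that is not part of the original article: it joins the output of `netstat -ano` and `tasklist /FO CSV /NH` by PID and reports the sockets a given client holds open. The sample outputs, including every address, port and PID, are constructed, and the function names are this example's own.

```python
import csv
import io

# Constructed sample of `netstat -ano` output; every address, port and PID is made up.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       968
  TCP    0.0.0.0:13001          0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:13002        0.0.0.0:0              LISTENING       1820
  TCP    192.0.2.10:1045        198.51.100.7:4000      ESTABLISHED     1820
  UDP    0.0.0.0:9120           *:*                                    1820
  UDP    127.0.0.1:1900         *:*                                    968
"""

# Constructed sample of `tasklist /FO CSV /NH` output (image name, PID, ...).
TASKLIST_SAMPLE = '''\
"svchost.exe","968","Console","0","3,400 K"
"msmsgs.exe","1820","Console","0","5,120 K"
'''

def pid_names(tasklist_csv):
    """Map PID -> lower-cased image name from the tasklist CSV output."""
    rows = csv.reader(io.StringIO(tasklist_csv))
    return {int(r[1]): r[0].lower() for r in rows if len(r) >= 2}

def listening_sockets(netstat_text, tasklist_csv, image="msmsgs.exe"):
    """Return sorted (proto, address, port) tuples that `image` has open."""
    names = pid_names(tasklist_csv)
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local, pid = parts[0], parts[1], int(parts[-1])
        if proto == "TCP" and parts[3] != "LISTENING":
            continue  # outbound/established sessions are not open doors
        if names.get(pid) == image.lower():  # UDP has no state: report all
            addr, _, port = local.rpartition(":")  # also handles [::]:port
            found.add((proto, addr, int(port)))
    return sorted(found)

def exposed(sockets):
    """Keep sockets bound to all interfaces, i.e. reachable from the network."""
    return [s for s in sockets if s[1] in ("0.0.0.0", "[::]")]

if __name__ == "__main__":
    for proto, addr, port in listening_sockets(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{proto:4} {addr}:{port}")
```

On a real desktop, feed the two functions the captured output of the two commands instead of the samples; sockets returned by `exposed` are the ones a host firewall rule should cover.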
Threats due to Unencrypted Traffic During Transmission
Using any version of MSN Messenger or Windows Messenger version 5.0 and below, all traffic from clients to servers, from servers to clients and from clients to clients is unencrypted. Using Windows Messenger 5.1 and SIP Communications Service, only text messages are encrypted; voice, video, file transfer and application sharing traffic are still in clear text. Using Windows Messenger 5.1 and .NET Messenger Service or Exchange Instant Messaging Service, all traffic is unencrypted.
Because a lot of IM traffic is unencrypted, hackers can easily sniff and read the traffic during transmission. The clear-text message may also be logged and stored by the IM central servers, routers and switches while it travels. All these may result in loss of privacy and data theft.
Threats due to Lack of Discretion in Using IM
Files can be transferred using IM. Viruses, worms and Trojan horses can be transferred in the same manner. When offered files over IM, a lot of users may simply click Accept, without knowing whether the files are malicious or not. The Hello.exe worm is an example of a virus that can be passed around through MSN Messenger this way. First you get an instant message similar to "i have a file for u. its real funny" and an invitation asking you to accept a file called Hello.exe. If you choose Accept, the virus is transferred to your computer.
Identity Spoofing
Some IM systems let users create anonymous identities, which do not map to e-mail addresses. As a result, you have no way to identify whether the person you are communicating with using IM is who he or she claims to be. This can be used for malicious purposes, subject to the creativity of the attackers. An employee may think that he is messaging a colleague, while actually he is communicating with a competitor.
Spim
By default, most IM clients allow all users to chat with each other without adding each other into the contact list. For example, in Windows Messenger, Tools -> Options -> Privacy, by default My Allow List contains all users while My Block List contains nothing. This results in spim, which is the IM version of spam.
According to IMlogic, 5% to 7% of IM traffic nowadays is spim. My personal experience is that spim is more disturbing psychologically due to IM’s real-time nature.
How to Protect Yourself in Using IM
Due to the security threats described above, you need to follow best practices in order to protect yourself while using IM.
Update the IM Client
The IM client should be patched and kept up-to-date in order to prevent exploitation of its vulnerabilities. One good thing about Windows Messenger is that it’s part of the Windows XP operating system. Patching Windows Messenger is part of the OS update process, which is achieved through SUS (software update service) in NUS. Using SUS, patches are pushed down from a central server in NUS to desktops and notebooks. Users do not need to initiate the update. For more information on SUS, check out http://www.nusnet.nus.edu.sg/sus/.
For other IM clients, such as MSN Messenger, Yahoo Messenger, etc., you need to patch them separately by going to their corresponding websites, downloading the patch and installing it.
Do Not Disclose Confidential Information in IM
Do not disclose confidential information when using IM, because a lot of IM traffic is transmitted in clear text and may be intercepted by attackers, or logged and stored by the medium it passes through during transmission. If you need to discuss matters containing confidential data, use other communication methods.
Use Discretion
Discretion is the better part of valor. Be sure you know who is sending you a file transfer and what that file is before you accept it.
Use Antivirus Software
Install antivirus software on your computer, and keep the virus signature updated. The updated antivirus software can protect your system from being infected by known viruses and worms.
Change Privacy Setting
To protect yourself from spim, you may need to change the default privacy setting of your IM client. For example, in Windows Messenger, Tools -> Options -> Privacy, you should only have the people in your contact list in the My Allow List, while adding all other users to the My Block List.