|Shadow:: Outerz0ne Speech||[Changes] [Calendar] [Search] [Index]|
Instant Messaging Security Flaws
Major underlying problems in IM messaging software:
1. Messages are sent in clear text (“Why is this the most stressed problem?”) A. Allows the in-experienced computer user to just sniff an open network and grab messaging contents all day. B. All buddy list user names are also sent in clear text. Privacy to others names are voided at the same time. C. Confidential information could be sent on these networks and can pose a huge security risk to any business.
2. What else is a security flaw? A. File transfers 1. They allow a medium by which is simpler to fake as being a reputable file over email. 2. Most instant messaging software does not warn the user as of yet about the danger of accepting file transfers. 3. Most users will accept these file transfers without second thought.
B. Logs 1. If a computer is compromised, logs can be obtained which could hold incriminating, sensitive or harmful information with-in them. 2. With some clients, by default, logs are kept without asking during setup if this is ok. 3. Logs can be altered and then used as incorrect evidence convicting someone of something that was not really discussed.
C. Sender Credentials 1. How do you know for sure that the person sending the message is really the person you think it is? 2. Man in Middle attacks. 3. PGP Key 4. Unique User Identification
D. Profile Listings and User Privacy 1. Many users list everything you ever wanted to know about a person. 2. For example, on AIM, the profile asks for your whole name, address, zip, state, and country. 3. So how easy is it to then reverse lookup this information and further the progress of an online stalkers activity?
E. Passwords 1. Stored passwords pose a huge security risk, because the password has to be kept somewhere on the machine. 2. Like the clear text example, passwords are sometimes sent in clear text. 3. There is always going to be an inherent risk when passwords are used to gain access into restricted places.
3. 5 Major Instant Messaging Clients and some of their specific security flaws.
A. AIM Client Security Risks
1. Messages are sent in clear text. 2. Buddy list updates sent in clear text. 3. By default, anyone can see you log-on as well as pull info up on you. 4. All conversations have to go through AIM central server, which makes the clear text conversations even more vulnerable if a hacker were able to pull off a successful server side hack, which could leave any user of AIM open to eavesdropping. 5. Buffer overflow issues, redirect to URL where more code could be downloaded. (http://www.aim.com/help_faq/security/faq.adp?aolp=) 6. Man in the middle password hacks vulnerability.
B. Yahoo Messenger Client Security Risks 1. Messages are sent in clear text. 2. Buddy List updates also sent in clear text. 3. In some versions of the client software a buffer overrun vulnerability has been reported using an active-x control to download malicious code from a website. (http://www.pcworld.com/news/article/0,aid,113723,00.asp) 4. Java-script can be placed into instant messaging chat field.
C. Skype Client Security Risks 1. (-) Messages are actually sent to the actual recipient’s IP rather through a server. 2. (-) This does pose a security risk though; because then an attacker would know without too much work what IP he needs to spoof to do a MIM attack. 3. (-) Certain versions of Skype are also vulnerable to buffer overflow problems. (http://www.skype.com/security/ssa-2004-02.htm) 4. (-) Logs are kept by default without asking. 5. (+) Messages are actually sent in encrypted format (go-figure). 6. (+) Uses 256-bit encryption.
D. Microsoft Messenger Security Risks 1. Messages sent in Clear Text. 2. Remote Code Exploitation. (http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx) 3. (+) Windows did make update to fix this vulnerability mandatory! (That’s a first)
E. IRC (Internet Relay Chat) 1. Messages are sent in clear text. 2. Many vulnerabilities have been identified. 3. Third-party scripts and bots sometimes have malicious codes attached to them that will initiate on the users computer. http://www.irchelp.org/irchelp/security/ 4. DCC file transfer security flaws. 5. IP address show publicly.
What are some things you can do to prevent attacks from instant messaging software?
1. Keep your software up to date. 2. Do no talk about anything sensitive (i.e. Credit card #’s, telephone numbers, financial information) using instant messaging software. 3. Institute some sort of security lockdown or filtering of instant messaging conversations in a business environment. 4. Change your passwords regularly. 5. Ensure the person you are talking to is really the person you think it is. (Ask personal questions that only they would know if you suspect an imposter.) 6. Use a proxy/bnc to mask your real IP. 7. Use a firewall and keep it up to date.
Credits: DAD (Joe Klein)
Shout Outs: Hacksonville Yak Crew 404 – 2600
The PowerPoint Presentation Slides Instant_Messaging_Security_Flaws.ppt
The Outline speech_outline.doc
<DO NOT COPY WITHOUT EXPRESSED PERMISSION FROM SHADOW404> Thank you :)
|(last modified 2005-03-13) [Login]|