Written on July 22, 2010
Wow!
Twice in two days means the universe is telling me something and I have to talk about it.
So! Here’s the scoop if you didn’t already know this: public instant messaging products are a huge security risk and you should not use them in the workplace. Yeah, they’re convenient, fun, a time saver, productivity tools, yadda yadda. But they’re also an unfiltered hole from the untrusted Internet directly to your PC, and the risks should just be presumed. Here’s why.
Developers of viruses and malware write their products to be delivered to users through instant messaging applications. There are a couple of reasons for this.
1. IM bypasses our traditional filters such as email scanning, firewalls, and virus scanners. Files, links, and phishing attacks can all be delivered on this platform directly to a user.
2. IM is an emotional, impulse application. Users are usually having fun, or quickly responding to IMs without much critical thought, disconnecting their rational mind in favor of a fast reply.
3. The user usually trusts the person who’s sending the message. That trust is what gets exploited by people who write bad software.
4. Users generally create weak passwords on these services, or they’ll be convinced to click on something they shouldn’t, so their accounts are easily hacked.
5. Finally, IM is a perfect zero-day platform. Newly released malware can’t be seen by antivirus and antimalware products that scan IMs because their definition files haven’t been updated yet. So, on the first day, with mass proliferation, IM-distributed malware can completely defeat a software defense on the workstation.
Yesterday, I had to spend about an hour with a machine after it was delivered malware through an IM product. Today I got this email from one of my clients with an IM screenshot, “Is this real?” And yep, it looks like it already delivered a payload to a couple of machines at my client’s office.
The takeaway here is that using unsecured IM is risky to any business. The best way to avoid that risk is to completely disconnect yourself from IM, set policies concerning the use of IM with specific accounts, or use a secure IM platform offered by commercial vendors that only your company’s employees can use.
At the least, users should exercise some practical safeguards.
1. Create random, long, complex passwords on IM service accounts.
2. Don’t click on any hyperlink or download any file presented in IM that looks suspicious. Think critically about what’s being transmitted and by whom.
3. Limit the size of your buddy list. This will reduce your attack profile. The more buddies you have, the greater the risk you’re at.
4. Frequently update the instant messaging software. Vendors are aware of these risks and improve their products incrementally.
5. Create separate accounts. One for work, another for play. Limit the buddy list for work accounts to strictly work contacts.
These aren’t perfect solutions but they do help curb the risks. Generally though, the message is this: if you use public instant messaging products, you run a greater chance of exposure to malware and viruses.
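As an added example (not code from the original post), the safeguards above can be turned into a simple screening pass over an IM transcript: flag messages from senders who are not on the work buddy list (safeguard 5), flag links that point at executables, archives, double-extension files, or URL shorteners (safeguard 2), and flag credential-lure wording that arrives with a link even from a trusted buddy, since that buddy's account may be the one that was hacked. The transcript format, the contact list, and the sample lines are all constructed for this example; the extension and shortener lists are illustrative, not exhaustive.

```python
import re
from urllib.parse import urlparse

# Constructed sample transcript (not from the original post): timestamp, sender, message text.
SAMPLE_LOG = """\
2010-07-22 09:01 <alice@work.example> morning, the report is on the shared drive
2010-07-22 09:02 <unknown-user-4471> lol check this out http://is.gd/abc123
2010-07-22 09:03 <bob@work.example> here is the deck http://intranet.work.example/q3.pptx
2010-07-22 09:04 <bob@work.example> hey is this you?? http://photos.example-share.test/IMG_0042.jpg.exe
2010-07-22 09:05 <carol@work.example> please re-enter your IM password at http://login.example-im.test/verify
"""

# Hypothetical work-only buddy list (safeguard 5 in the post).
WORK_CONTACTS = {"alice@work.example", "bob@work.example", "carol@work.example"}

# Heuristics for "suspicious" links (safeguard 2); these lists are illustrative, not exhaustive.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".jar", ".zip", ".rar")
URL_SHORTENERS = {"is.gd", "bit.ly", "tinyurl.com", "goo.gl", "t.co"}
CREDENTIAL_WORDS = ("password", "verify your account", "re-enter", "confirm your login")

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) <(?P<sender>[^>]+)> (?P<text>.*)$")
URL_RE = re.compile(r"https?://\S+")


def classify_url(url):
    """Return the list of reasons a single URL looks risky (empty list if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    filename = parsed.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if host in URL_SHORTENERS:
        reasons.append("shortened-url")          # real destination is hidden from the user
    if filename.endswith(RISKY_EXTENSIONS):
        reasons.append("executable-or-archive")  # direct file delivery, bypassing mail filters
        if filename.count(".") >= 2:
            reasons.append("double-extension")   # e.g. photo.jpg.exe
    return reasons


def screen_message(ts, sender, text, work_contacts=WORK_CONTACTS):
    """Apply the post's safeguards to one message; return a finding dict or None."""
    reasons = []
    if sender not in work_contacts:
        reasons.append("sender-not-on-work-list")
    urls = URL_RE.findall(text)
    for url in urls:
        reasons.extend(classify_url(url))
    # Lure wording plus a link is flagged even from a trusted buddy: their account may be the hacked one.
    body = URL_RE.sub("", text).lower()
    if urls and any(word in body for word in CREDENTIAL_WORDS):
        reasons.append("credential-lure")
    if not reasons:
        return None
    return {"ts": ts, "sender": sender, "reasons": reasons}


def screen_transcript(log_text, work_contacts=WORK_CONTACTS):
    """Parse a transcript and return findings for every message that tripped a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not messages
        finding = screen_message(m["ts"], m["sender"], m["text"], work_contacts)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in screen_transcript(SAMPLE_LOG):
        print(f"{f['ts']} {f['sender']}: {', '.join(f['reasons'])}")
```

On the sample transcript, three of the five messages are flagged: the unknown sender with the shortened link, the trusted buddy sending a double-extension executable, and the trusted buddy asking for a password. The intranet deck from a work contact passes clean, which is the point of keeping the work buddy list short and separate.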
R
Tweets that mention Instant Messaging Security Risks | Mickler & Associates, Inc. — Topsy.com says:
Comment posted on: July 22, 2010
[...] This post was mentioned on Twitter by Jean Ann VanKrevelen, Russell Mickler. Russell Mickler said: Instant Messaging Security Risks http://is.gd/dCcGM [...]