US-CERT Cyber Security Tip ST04-011 -- Using Instant Messaging and Chat Rooms Safely

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        National Cyber Alert System

                        Cyber Security Tip ST04-011


Using Instant Messaging and Chat Rooms Safely

   Although they offer a convenient way to communicate with other people,
   there are dangers associated with tools that allow real-time
   communication.

What are the differences between some of the tools used for real-time
communication?

     * Instant  messaging  (IM)  -  Commonly used for recreation, instant
       messaging  is  also  becoming more widely used within corporations
       for   communication  between  employees.  IM,  regardless  of  the
       specific   software   you   choose,   provides  an  interface  for
       individuals to communicate one-on-one.
     * Chat  rooms - Whether public or private, chat rooms are forums for
       particular groups of people to interact. Many chat rooms are based
       upon  a  shared  characteristic; for example, there are chat rooms
       for people of particular age groups or interests. Although most IM
       clients  support "chats" among multiple users, IM is traditionally
       one-to-one while chats are traditionally many-to-many.
     * Bots  -  A  "chat  robot," or "bot," is software that can interact
       with  users  through chat mechanisms, whether in IM or chat rooms.
       In  some  cases,  users  may  be  able  to  obtain current weather
       reports,  stock  status,  or  movie  listings. In these instances,
       users are often aware that they are not interacting with an actual
       human.  However,  some  users  may be fooled by more sophisticated
       bots  into  thinking  the  responses  they  are receiving are from
       another person.

   There are many software packages that incorporate one or more of these
   capabilities.  A  number of different technologies might be supported,
   including IM, Internet Relay Chat (IRC), or Jabber.

What are the dangers?

     * Identities  can be elusive or ambiguous - Not only is it sometimes
       difficult  to  identify whether the "person" you are talking to is
       human, but human nature and behavior isn't predictable. People may
       lie  about  their identity, accounts may be compromised, users may
       forget to log out, or an account may be shared by multiple people.
       All  of  these  things make it difficult to know who you're really
       talking to during a conversation.
     * Users  are  especially  susceptible  to  certain types of attack -
       Trying  to convince someone to run a program or click on a link is
       a common attack method, but it can be especially effective through
       IM  and  chat  rooms.  In a setting where a user feels comfortable
       with  the  "person"  he or she is talking to, a malicious piece of
       software  or an attacker has a better chance of convincing someone
       to  fall  into  the  trap  (see  Avoiding  Social  Engineering and
       Phishing Attacks for more information).
     * You  don't know who else might be seeing the conversation - Online
       interactions  are  easily  saved,  and  if  you're  using  a  free
       commercial  service the exchanges may be archived on a server. You
       have  no  control  over what happens to those logs. You also don't
       know  if  there's  someone looking over the shoulder of the person
       you're  talking  to,  or  if  an attacker might be "sniffing" your
       conversation.
     * The  software  you're using may contain vulnerabilities - Like any
       other  software,  chat  software  may  have  vulnerabilities  that
       attackers can exploit.
     * Default  security  settings  may  be  inappropriate  - The default
       security   settings   in  chat  software  tend  to  be  relatively
       permissive  to  make  it more open and "usable," and this can make
       you more susceptible to attacks.

How can you use these tools safely?

     * Evaluate  your  security  settings - Check the default settings in
       your  software  and  adjust  them if they are too permissive. Make
       sure to disable automatic downloads. Some chat software offers the
       ability  to  limit interactions to only certain users, and you may
       want to take advantage of these restrictions.
     * Be conscious of what information you reveal - Be wary of revealing
       personal  information  unless  you know who you are really talking
       to.  You  should  also be careful about discussing anything you or
       your  employer  might consider sensitive business information over
       public IM or chat services (even if you are talking to someone you
       know in a one-to-one conversation).
     * Try to verify the identity of the person you are talking to, if it
       matters  -  In  some  forums  and  situations, the identity of the
       "person"  you  are talking to may not matter. However, if you need
       to  have  a degree of trust in that person, either because you are
       sharing  certain  types of information or being asked to take some
       action  like  following a link or running a program, make sure the
       "person" you are talking to is actually that person.
     * Don't  believe everything you read - The information or advice you
       receive in a chat room or by IM may be false or, worse, malicious.
       Try to verify the information or instructions from outside sources
       before taking any action.
     * Keep  software  up to date - This includes the chat software, your
       browser, your operating system, your mail client, and, especially,
       your   anti-virus   software   (see   Understanding   Patches  and
       Understanding Anti-Virus Software for more information).
     _________________________________________________________________

     Authors: Mindi McDowell, Allen Householder
     _________________________________________________________________

     Produced 2004 by US-CERT, a government organization. 
     
     Note: This tip was previously published and is being re-distributed
     to increase awareness.

     Terms of use

     <http://www.us-cert.gov/legal.html>

     This document can also be found at

     <http://www.us-cert.gov/cas/tips/ST04-011.html>

     

     For instructions on subscribing to or unsubscribing from this
     mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRmblx+xOF3G+ig+rAQLFjgf/XyAL3JxGwxNSvM+oyunxnV7Uk1cI0vmI
RAq+aUvoWrHfEhRV4zzfFQh2DofEn2W/4uaXgeqXseg7I5dYD+jeHXQLHfogqDgx
By1Y4FAzJpuJVSKia/zJE6uW77evLlLzg1bcTQsCofSj24LMYGjYe/1jowXP9Wuh
2gQdCH+CEJUpQs6wvbgaVuaTYbNpzU6Ha/zzxEnxMo19EkCxgbidlS7YPkcA4J5O
nXYc12VNoutj9w4P3HF0g5BANtIwJEql5MgSHQU8PHwD1aHMvOPUZBtRnbrfFgI0
K5gqv2ePPVwlV4N8NHFfPpPs0Sn5mKSKdyUnaAu6b8xkEQm59wIIBw==
=vRSF
-----END PGP SIGNATURE-----

[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux