Security Portal: Instant Messenger, or Instant Security Risk?
Apr 19, 2000, 08:56
(Other stories by Kurt Seifried)
"The growth of online communication tools has been phenomenal, especially those that allow real time conversations and file transfers. 'Chat rooms' on AOL are hugely popular, as is IRC (Internet Relay Chat). Some IRC networks have tens of thousands of users logged in, and there are hundreds of IRC networks. I will cover several of these programs, including ICQ, AIM, Napster and Scour. The first two, ICQ and AIM, are primarily messaging oriented, with file transfer capabilities...."
"ICQ is in some ways the best, and the worst of the three programs. The bad part is that the protocol is pretty easy to abuse, 'hijacking' of ICQ numbers (your identity on their system) has occurred, and there is at least one reported case of someone attempting to ransom the number back to its original owner. To be fair ICQ gives plenty of warnings during the install and configuration about these problems, it then adds itself to the Start Menu in Windows, and publishes your email address to ICQ, for 'password retrieval purposes'. In ICQ you can configure whether people are allowed to contact you, or if they need to be authorized before they can do so. The default is to let anyone contact you, but I would advise changing this. Also when sending email, remember that it uses your email server, and the headers show the full path, so do not rely on the email in ICQ to be anonymous or anything. You can also send attachments with the email program in ICQ."
"The next in line is AIM, Netscape AOL Instant Messenger, which has by far the worst default configuration, and no security warnings. There is one warning about privacy, your member profile will be public, I would advise leaving it blank. By far the worst feature is that you can act as a file server, and by default the feature is turned off, which is good, but the 'c:\download\yournamehere\' directory is shared out by default, I would advise making sure this is disabled. In the buddy list control panel go to 'File', 'My Options', 'Edit Preferences', choose the 'File Transfer' tab, and make sure 'Allow no users to get my files' is checked on."