---

Security Portal: Instant Messenger, or Instant Security Risk?

“The growth of online communication tools has been
phenomenal, especially those that allow real-time conversations and
file transfers. ‘Chat rooms’ on AOL are hugely popular, as is IRC
(Internet Relay Chat). Some IRC networks have tens of thousands of
users logged in, and there are hundreds of IRC networks.
I will cover several of these programs, including ICQ, AIM, Napster
and Scour. The first two, ICQ and AIM, are primarily messaging
oriented, with file transfer capabilities….”

“ICQ is in some ways the best, and the worst of the three
programs. The bad part is that the protocol is pretty easy to
abuse, ‘hijacking’ of ICQ numbers (your identity on their system)
has occurred, and there is at least one reported case of someone
attempting to ransom the number back to its original owner. To be
fair, ICQ gives plenty of warnings during the install and
configuration about these problems, it then adds itself to the
Start Menu in Windows, and publishes your email address to ICQ, for
‘password retrieval purposes’. In ICQ you can configure whether
people are allowed to contact you, or if they need to be authorized
before they can do so. The default is to let anyone contact you,
but I would advise changing this. Also when sending email, remember
that it uses your email server, and the headers show the full path,
so do not rely on the email in ICQ to be anonymous or anything. You
can also send attachments with the email program in ICQ.”

“The next in line is AIM, Netscape AOL Instant Messenger, which
has by far the worst default configuration, and no security
warnings. There is one warning about privacy, your member profile
will be public, I would advise leaving it blank. By far the worst
feature is that you can act as a file server, and by default the
feature is turned off, which is good, but
the ‘c:downloadyournamehere’ directory is shared out by default,
I would advise making sure this is disabled. In the buddy list
control panel go to ‘File’, ‘My Options’, ‘Edit Preferences’,
choose the ‘File Transfer’ tab, and make sure ‘Allow no users to
get my files’ is checked on.”
