Instant-Messaging Attacks On the Rise
Ant writes "CNET News.com and ZDNet News report that security attacks over instant-messaging (IM) networks became more prevalent in 2005, according to a new study. MSN experienced the largest number of IM security incidents in both 2004 and 2005, while year-on-year incident growth rates were largest on AIM."
It is too bad that people are not aware of applications like gaim, trillian, etc. You get all the benefits and fewer risks (not to mention that you avoid all the bolted-on crap that comes with all the default clients).
We use MSN Messenger at my work and everyone uses the MSN client. Has anyone seen this embarrassment? There is so much crap tacked around the buddy and message windows that it is almost unusable. I am trying to move people over to trillian and it is not hard. Once they see a nice clean UI, they want to use it.
I guess it's time to start educating the masses!
I meta-moderate because I care.
What is interesting to me is the number of new users of IM services who fall for bots that chat with them using a Perl script or whatever. Now some of the worms using IM are chatting with the users first in order to work better:
http://news.com.com/New%20IM%20worm%20chats%20wit
Randy.Flood@RHCE2B.COM
You should get a new girlfriend named Miranda, http://www.miranda-im.org/
I still get a lot of these. Someone will message me, with PISS poor English...claim they are from the US and abroad (or in one instance...a girl from England who lives in the US but is visiting her family). Sends me some model pictures and talks to me...within hours telling me how she loves me and thinks there is something special...it usually lasts about two weeks---hey I do get bored playing CS -- and at least I am keeping those clowns busy.
It's amazing, and there is really nothing we can do about these idiots except hope people won't be stupid enough to send them money. In the end, it is the old scams "I am from war torn country, send me account number so I give you 10 million..."
I mod down so you can mod up. Your welcome.
I had a large hand in developing a security policy for my workplace regarding instant messaging. One of the key points in the policy is that all IM software is to be configured to automatically reject unsolicited IMs (i.e. "Only accept messages from people in my buddy list"). Not a great solution if malware infects a user's computer, hijacks the IM client (or just the username/password), and propagates to all of that person's IM buddies. However, most of the IM-based malware also has some portion of its payload distributed via the file-sharing mechanisms, which is also addressed in our security policy: "All file transfers must be initiated by user action. A remote user may not read or write any file to or from a [my company] computer; i.e. a computer may not behave as a peer-to-peer file-sharing server." If you close those two doors, you stop a big portion of the problems.
I pity the foo that isn't metasyntactic
Your assumption that these security are IE/ActiveX related is completely flawed.
I am a WinGaim user and I have seen a large number of infected AIM profiles and away messages as well as received quite a few "click this" type IMs. The vast majority of these attacks are social attacks. Generally, the malware inserts a "click this" type link that tries to get you to "look at my pictures" or something like that with a link to pictures.gif.pif.
For IE 6 or Firefox users running on Windows XP with Service Pack 2, this results in a dialog indicating that you are about to run an application that came from an untrusted and unsigned source. STILL users click "run" on this dialog.
IE/ActiveX is not to blame. Hell, I wouldn't even blame Windows because Windows tags the incoming file as untrusted and prevents it from running without USER PERMISSION (this is essentially the same as chmod +x, just not a serious pain in the ass for when you are downloading something you trust).
http://brandonbloom.name
Almost everyone knows that 127.0.0.1 is a loopback address.
:)
But it is not widely known that ANY 127.x.x.x address is loopback. So you can have a lot of fun asking to attack, say 127.3.44.165
I am the "admin" for my family network (4 PCs, connected via router, 1 WPA-PSK secured wireless connection to the router) and I try my best to keep things running smoothly and securely. A couple of months ago, my 15-year-old daughter downloaded a virus via the MS IM thing. I had to restore her system from backup--that virus was eeeeevil. To her credit, she's been very careful since then, and I actually trust her not to do it again (her mother is a different story...). However, it bugs me that I don't have any control of what comes in via IM. For example, you can't just turn off the IM port--the damn things will use any open port, including 80. There's no way to exclude particular IM clients or senders...no control at all. (I'm just a control freak when I'm in sys admin mode...really). So what to do?
Great men are almost always bad men--Lord Acton's Corollary
Only partially true.
IE 6 with SP2 shows "Run" instead of "Open" for executables and then WINDOWS (not IE) displays the prompt I am discussing.
Firefox simply disables "Open" instead of displaying run, but then shows the download manager, which reads "Open" regardless of the file type and, if you click that, prompts you "Open Executable File?" and even has a "Don't ask me again" check box. You press "OK" (not "Run") to continue.
Upon further testing... I have discovered that Firefox DOES NOT cause the WINDOWS prompt. Apparently, Firefox fails to attach the secondary data stream to the NTFS node of the file like IE6SP2 does. This means that if I do "Save to disk" (in Firefox) or "Save" (in IE) then go and double click the file in explorer (regardless of its file extension) the file downloaded with Firefox will simply run whereas the IE downloaded file will prompt me for permission for a program to execute. The IE behavior is clearly superior in that it works without the presence of IE.
http://brandonbloom.name
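An added example, not part of any post in this thread: a triage check for the two things the comments above describe, a `pictures.gif.pif`-style disguised executable and a download that lacks the secondary NTFS stream. Windows names that stream `Zone.Identifier` and stores a `[ZoneTransfer]` section with a `ZoneId` value in it; the function names, extension lists and sample inputs are hypothetical and constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Illustrative subsets (assumptions, not exhaustive lists).
EXECUTABLE_EXTS = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".gif", ".jpg", ".jpeg", ".png", ".txt", ".doc", ".pdf"}
# Windows URL zones: 0 local, 1 intranet, 2 trusted, 3 internet, 4 restricted.
UNTRUSTED_ZONES = {3, 4}

def zone_id(stream_text):
    """Return the ZoneId from Zone.Identifier text, or None if missing or malformed."""
    if not stream_text:
        return None
    match = re.search(r"^ZoneId=(\d+)\s*$", stream_text, re.MULTILINE)
    return int(match.group(1)) if match else None

def assess(filename, stream_text):
    """Classify a saved file from its name and the text of its Zone.Identifier stream."""
    suffixes = [s.lower() for s in PureWindowsPath(filename).suffixes]
    executable = bool(suffixes) and suffixes[-1] in EXECUTABLE_EXTS
    # A harmless-looking extension directly in front of the real one.
    disguised = executable and len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS
    zone = zone_id(stream_text)
    warns = executable and zone in UNTRUSTED_ZONES
    return {
        "executable": executable,
        "disguised": disguised,
        "zone": zone,
        "windows_warns": warns,                        # mark present, untrusted zone
        "runs_without_prompt": executable and not warns,
    }

# Constructed samples: (file name, Zone.Identifier text or None when no stream exists).
SAMPLES = [
    ("pictures.gif.pif", "[ZoneTransfer]\r\nZoneId=3\r\n"),  # saved with the mark
    ("pictures.gif.pif", None),                              # saved without the mark
    ("holiday.jpg", None),
]

def unmarked_executables(samples):
    """Names of executables that would start with no warning."""
    return [name for name, text in samples if assess(name, text)["runs_without_prompt"]]

if __name__ == "__main__":
    for name, text in SAMPLES:
        print(name, assess(name, text))
```

On an NTFS volume the stream text can be read by opening the path with `:Zone.Identifier` appended to the file name.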