Thursday, June 18, 2009

Secure Instant Messaging Issues

Many people talk about protecting the corporation from intruders—including, perhaps, its own employees. But who's protecting your instant messages from attackers? Most companies don't pay much attention to the occasional personal call, e-mail, or IM, as long as the privilege isn't abused. But don't forget—they can legally monitor conversations on their equipment, whether phone or computer. So not only are your e-mails fair game, but so are your IM sessions.

While we're sure your messages are entirely wholesome and aboveboard, we're equally sure there are some you'd rather not have bandied around the department or forwarded to everyone. Fortunately, you can secure your personal IM messages without too much difficulty. Bear in mind, however, that no encryption scheme prevents keystroke capturing or copying unencrypted text from the screen by spyware and monitoring software; the messages are encrypted only while in transit, on your network, or on the Internet.

AOL, Microsoft, and Yahoo! include encryption in the enterprise versions of their software, but the easiest way to encrypt personal IM sessions is to download IMSecure, from Zone Labs (www.zonelabs.com). The freeware version of this program will encrypt one IM account, and it also protects against buffer overflow IM exploits. AIM, MSN, and Yahoo! all work with the freeware version. The Pro version encrypts multiple accounts and provides additional security features. Your correspondent must be running IMSecure as well; messages to recipients without the program are not encrypted.

IMSecure also encrypts sessions in third-party, universal clients such as GAIM and Trillian. You can also find proprietary end-to-end encryption add-ons for MSN Messenger and Yahoo! Messenger. These function like IMSecure, but only for one product.

Another route to securing IM is to get a digital certificate. A Class 1 or personal digital certificate is issued by a certificate authority, which maintains a unique public key for your identity. We tested VeriSign's certificate system for AOL Instant Messenger, which costs $14.95 a year. The VeriSign solution is not actually integrated with AIM, but there are clear directions for acquiring and installing the certificate. You can also use the certificate to secure and encrypt e-mail.

You start by going to www.verisign.com/products/class1/aim/index.html. You can choose the 60-day free trial option or pay $14.95 a year with a credit card. After you fill out your name, billing information, and e-mail address, VeriSign sends an e-mail with a PIN that allows you to pick up the digital certificate from its site with your browser. Once you have done so, your browser stores the ID. Next you export the ID to a file, following the instructions on VeriSign's site. You then import the certificate into AIM.

When you restart AIM, you will be asked for the security password, and AIM will start normally. Others who see your name on their buddy lists will see a lock icon next to your name, but there is no change in AIM's operation. When you initiate a session with another user who has a certificate, you will see a message at the bottom of the window that says "Encrypted conversation" and cites the user's name and certificate authority. If you use AIM from another machine, your buddies will not see the lock icon and messages will not be encrypted.

You can also get a free "personal e-mail certificate" from the VeriSign subsidiary Thawte (www.thawte.com/email/index.html). The certificate works with IM as well and interoperates with VeriSign certificates. To install and use it, follow the instructions on the AIM and VeriSign sites. MSN, Yahoo!, GAIM, and Trillian do not currently support Class 1 certificates.

Digital certificates use public-key encryption. Your public key is on the vendor's servers, and the other user's secure AIM session retrieves your key, encrypts the message, and sends it to you, where your session uses your stored private key to decrypt it. While publicly vetted encryption, as used by AIM, is generally preferable, the proprietary algorithms used by IMSecure and other add-ons are probably sufficient for most users' needs.
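The exchange described in the paragraph above, as an added example in Go that is not part of the original article: a constructed local CA (a stand-in for VeriSign, not its real root) issues a Class 1 certificate binding a buddy's e-mail address to a public key, and the sender's client checks that the certificate chains to a trusted root and names that buddy before encrypting to its public key. The names enroll, encryptForBuddy and "Demo CA" are this example's own, not AIM's or VeriSign's.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup failures (RNG, certificate encoding) that a demo cannot recover from.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// enroll plays the certificate authority with a constructed local root (not VeriSign's real one):
// it issues a Class 1 certificate binding the buddy's e-mail address to a new key pair and returns
// the trust root senders rely on, the certificate, and the private key that only the buddy holds.
func enroll(email string) (*x509.CertPool, *x509.Certificate, *rsa.PrivateKey) {
	caKey, key := must(rsa.GenerateKey(rand.Reader, 2048)), must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now(), NotAfter: time.Now().Add(48 * time.Hour)}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), EmailAddresses: []string{email}, NotBefore: time.Now(),
		NotAfter: time.Now().Add(60 * 24 * time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}} // 60-day trial
	cert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leaf, ca, &key.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	return roots, cert, key
}

// encryptForBuddy is the sender's side: the retrieved certificate is used only if a trusted CA
// issued it and it names this buddy (what the lock icon and "Encrypted conversation" notice
// attest); anything else is an error, not a silent fallback to plaintext.
func encryptForBuddy(roots *x509.CertPool, cert *x509.Certificate, email string, msg []byte) ([]byte, error) {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, err
	}
	if len(cert.EmailAddresses) != 1 || cert.EmailAddresses[0] != email {
		return nil, fmt.Errorf("certificate names %v, not %s", cert.EmailAddresses, email)
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), msg, nil) // RSA-OAEP to the buddy's key
}
```

The recipient's side is the single call rsa.DecryptOAEP(sha256.New(), nil, key, ct, nil) with the private key that enroll returned. A certificate issued by a different root, or one naming a different buddy, makes encryptForBuddy return an error instead of sending plaintext.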

by Bill Machrone
