For safe IM use, learn IM basics, use common sense, and deploy a personal firewall
Instant Messaging (IM) software, such as AOL Instant Messenger (AIM) and Microsoft MSN Messenger, has attracted business and home users alike. IM products let users communicate immediately, exchange files, and collaborate on work. IM software is so popular that it's installed by default on most new name-brand PCs. The software is usually free, relatively easy to use, and activates as soon as the PC is running. Most home users have a copy running.
Unfortunately, IM also provides new avenues for electronic assault. Intruders constantly use IM to achieve their mischievous or malicious purposes. Some IM networks are so overrun by malicious users that no one else participates. No warning signs tell users what the IM risks are or how to reduce them. Let me introduce you to the different IM models, discuss how four popular IM networks operate, and describe how you can protect yourself from malicious attacks.
IM Overview
Initially, IM meant sending text messages back and forth. Today, IM users also can exchange files, send voice communications (if they have microphones), send WebCam images, play network games, use email, and even set up virtual communities. However, users also can send viruses, worms, Trojan horses, and other sorts of malicious software (malware) to friends and online associates. If you accept one file that contains malicious code or surf to the wrong place on the Internet, you can open your PC to the world. Attackers can then use your PC to infect other PCs and to launch massive attacks against other Internet-connected servers and networks. But I'm getting ahead of myself.
Most IM clients let you preselect groups of people (called a contact or buddy list) with whom you want to chat. When only invited participants can chat with one another, the chat session (or channel) is private. IM networks have thousands of existing channels that address individual topics, such as Windows XP or PC troubleshooting. If anyone can join a chat discussion, it's considered public. Most public chat channels let participants contact one another and establish a private conversation. Nearly all public channels have a channel operator (also called moderator, chanop, or sysop) who administers and controls the channel. Channel operators can temporarily "kick" users from the channel for violating channel rules or "ban" them for life from a particular discussion group.
IM Networks
Most IM clients work over the Internet. For IM to work between two PCs, the PC users must have a participating client installed, and in most cases, must connect to a particular IM network. One IM network doesn't usually interoperate with another. IM users must have a unique identifier, which might be a screen name, nickname, user ID number, or IP address.
Peer-to-peer IM clients connect directly to each other. A user usually must be invited to communicate or be designated as a trusted user (usually by supplying the trusted person's chat nickname or email address). Some peer IM clients allow only one-to-one connections. Others allow more (you can gather users into a group list), but in all cases, relatively few participants can connect at the same time. The size of a peer-to-peer IM network is limited because each PC must manage several connections from different locations and relay everyone's changes to everyone else simultaneously, which takes a lot of processing power. Therefore, most popular IM networks are of the peer-to-server type.
The largest IM networks employ the peer-to-server model, in which each client's PC connects to a network of servers. All the related servers in the IM network communicate with one another and transfer their clients' input to the other servers and everyone else's messages and commands back, as Figure 1 shows.
This model reduces each participating computer's workload so that a PC can participate in many public discussions at the same time without dramatically slowing the server or the client. For this model to work, the servers in a particular IM network must stay synchronized with one another. If they become unsynchronized (called a netsplit), they must be able to reconnect and clean up any resulting problems. Two clients on different sides of the networks exchanging messages might be disconnected and reconnected without either party knowing that the other might have missed one or more messages. Intruders will sometimes cause netsplits and try to take advantage of the resulting reconnection process. How an IM network handles this situation indicates the quality of the service.
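The failure mode described above, two clients silently missing messages across a netsplit, is easiest to see in code. The following is an added example, not code from the article or from any IM product. It assumes a hypothetical protocol in which the server stamps every channel message with a monotonically increasing per-channel sequence number (the article describes no such field), and it shows how a client can use that number to tell the user that messages were lost or replayed when the connection came back. The event stream at the bottom is constructed for the demonstration.

```python
"""Client-side detection of messages lost or replayed across a netsplit.

Added example; assumes a hypothetical per-channel sequence number supplied by
the server. The sample events are constructed, not captured traffic.
"""
from typing import Dict, List, Optional, Tuple


class ChannelTracker:
    """Bookkeeping for one channel: last sequence seen, gaps, replays."""

    def __init__(self) -> None:
        self.last_seq: Optional[int] = None
        self.gaps: List[Tuple[int, int]] = []   # (first_missed, last_missed)
        self.duplicates: List[int] = []         # sequence numbers seen twice
        self.reconnects: int = 0


class GapDetector:
    """Tracks sequence numbers per channel and reports anomalies."""

    def __init__(self) -> None:
        self.channels: Dict[str, ChannelTracker] = {}

    def on_reconnect(self, channel: str) -> None:
        # The server reattached us; the next message may be a replay or may
        # skip whatever was said while the two halves were split.
        self.channels.setdefault(channel, ChannelTracker()).reconnects += 1

    def on_message(self, channel: str, seq: int, text: str) -> str:
        ch = self.channels.setdefault(channel, ChannelTracker())
        if ch.last_seq is None:
            ch.last_seq = seq
            return "ok"
        if seq <= ch.last_seq:
            # Already seen: the server re-sent it after the reconnect.
            ch.duplicates.append(seq)
            return "duplicate"
        if seq > ch.last_seq + 1:
            # Hole in the numbering: messages last_seq+1 .. seq-1 never arrived.
            ch.gaps.append((ch.last_seq + 1, seq - 1))
            ch.last_seq = seq
            return "gap"
        ch.last_seq = seq
        return "ok"


# Constructed sample: a netsplit heals between messages 2 and 5.
SAMPLE_EVENTS = [
    ("msg", "#troubleshooting", 1, "anyone know why the install hangs?"),
    ("msg", "#troubleshooting", 2, "check the event log first"),
    ("reconnect", "#troubleshooting", None, None),   # netsplit healed
    ("msg", "#troubleshooting", 2, "check the event log first"),  # replayed
    ("msg", "#troubleshooting", 5, "did you see my answer?"),     # 3, 4 lost
    ("msg", "#troubleshooting", 6, "hello?"),
]


def replay(events, detector: Optional[GapDetector] = None):
    """Feed events through a detector; return it with the per-event verdicts."""
    detector = detector or GapDetector()
    verdicts: List[str] = []
    for kind, channel, seq, text in events:
        if kind == "reconnect":
            detector.on_reconnect(channel)
            verdicts.append("reconnect")
        else:
            verdicts.append(detector.on_message(channel, seq, text))
    return detector, verdicts


if __name__ == "__main__":
    det, verdicts = replay(SAMPLE_EVENTS)
    for ev, v in zip(SAMPLE_EVENTS, verdicts):
        print(f"{v:10} {ev}")
    print("gaps:", det.channels["#troubleshooting"].gaps)
```

A "gap" verdict tells the user only that something was missed, not what; the useful client response is to show a marker in the conversation and let the user ask the other party to repeat. Without some marker of this kind, both sides carry on believing the other saw everything.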
Because each user must be unique within a particular IM network, servers track user identities. Intruders often attempt to take a user's online identity (called name hijacking). They can then pose as that user to gain other trusted users' confidence. If an intruder hijacks a channel operator's name, the intruder then controls the channel. After they're in control, intruders try to make sure that the legitimate operator doesn't get back in, and they disconnect anyone else who questions them or objects. Intruders and legitimate operators battle to control a channel in channel wars. Often these struggles are automated using programs and scripts known as war bots. Bots, a term that comes from the word robot, contain routines designed to react instantly to a known condition or challenge. For example, if a bot detects the legitimate operator ending his or her chat session, the bot might repeatedly try to join the list by using the operator's credentials, hoping that a hiccup in the channel will grant illegitimate success.
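The name-hijacking scenario above, a bot hammering the server with the operator's name after the operator drops, is something the server side can blunt. The following is an added example, not code from the article or from any real IM server. It assumes a hypothetical nickname registry in which registered names carry a password (stored as a salted PBKDF2 hash), an unregistered name is held for its previous session's source for a short grace period after a disconnect so a reconnecting user is not beaten to it, and a source that repeatedly fails to claim a name is throttled. The grace period, attempt limit and window, and the nicknames and addresses in the demo, are constructed values.

```python
"""Server-side nickname registry that resists takeover after a disconnect.

Added example with assumed policy: registered nicks need a password, unregistered
nicks are held for the disconnecting source briefly, and repeated failed claims
from one source are throttled. All parameters and sample data are constructed.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Tuple

GRACE_SECONDS = 60      # how long a dropped unregistered nick stays reserved
MAX_FAILED = 3          # failed claims allowed per source ...
WINDOW_SECONDS = 30     # ... within this many seconds
PBKDF2_ROUNDS = 50_000


class NickRegistry:
    def __init__(self) -> None:
        self.registered: Dict[str, Tuple[bytes, bytes]] = {}      # nick -> (salt, hash)
        self.online: Dict[str, str] = {}                          # nick -> source
        self.held: Dict[str, Tuple[str, float]] = {}              # nick -> (source, until)
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)  # source -> times

    @staticmethod
    def _hash(salt: bytes, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def register(self, nick: str, password: str) -> None:
        salt = os.urandom(16)
        self.registered[nick] = (salt, self._hash(salt, password))

    def _password_ok(self, nick: str, password: Optional[str]) -> bool:
        if password is None:
            return False
        salt, digest = self.registered[nick]
        # Constant-time compare so timing does not leak how close a guess was.
        return hmac.compare_digest(digest, self._hash(salt, password))

    def _throttled(self, source: str, now: float) -> bool:
        q = self.failures[source]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # forget failures outside the window
        return len(q) >= MAX_FAILED

    def disconnect(self, nick: str, now: Optional[float] = None) -> None:
        now = time.monotonic() if now is None else now
        source = self.online.pop(nick, None)
        if source is not None and nick not in self.registered:
            # Reserve the name for the session that just dropped.
            self.held[nick] = (source, now + GRACE_SECONDS)

    def claim(self, nick: str, source: str, password: Optional[str] = None,
              now: Optional[float] = None) -> str:
        now = time.monotonic() if now is None else now
        if self._throttled(source, now):
            return "throttled"
        if nick in self.online:
            return "in-use"
        if nick in self.registered:
            if not self._password_ok(nick, password):
                self.failures[source].append(now)
                return "denied"
        else:
            holder, until = self.held.get(nick, (None, 0.0))
            if until > now and holder != source:
                return "held"            # someone else is still entitled to it
        self.online[nick] = source
        self.held.pop(nick, None)
        return "ok"


def demo():
    """Constructed scenario: an operator drops, a bot tries to grab the name."""
    reg = NickRegistry()
    reg.register("chanop", "correct horse battery")
    out = []
    out.append(reg.claim("chanop", "10.0.0.5", "correct horse battery", now=0))  # ok
    out.append(reg.claim("chanop", "10.0.0.9", "guess1", now=1))                 # in-use
    reg.disconnect("chanop", now=2)                                              # hiccup
    out.append(reg.claim("chanop", "10.0.0.9", "guess1", now=3))                 # denied
    out.append(reg.claim("chanop", "10.0.0.9", "guess2", now=4))                 # denied
    out.append(reg.claim("chanop", "10.0.0.9", "guess3", now=5))                 # denied
    out.append(reg.claim("chanop", "10.0.0.9", "correct horse battery", now=6))  # throttled
    out.append(reg.claim("chanop", "10.0.0.5", "correct horse battery", now=7))  # ok
    out.append(reg.claim("guest42", "10.0.0.7", now=10))                         # ok
    reg.disconnect("guest42", now=11)
    out.append(reg.claim("guest42", "10.0.0.11", now=12))                        # held
    out.append(reg.claim("guest42", "10.0.0.7", now=13))                         # ok
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points matter here. The throttle is keyed by source and counts only failures, so a legitimate user who mistypes once is not locked out, while a bot that retries every few seconds is refused even when it later presents the right password within the window. The hold on unregistered names closes the reconnection race the article describes without requiring every user to register.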
Popular IM Clients
Among the many IM networks and clients, four major IM networks have most of the market. Because most home users have either AIM or MSN Messenger, I discuss those networks first. Two other major IM networks are ICQ ("I Seek You") and Internet Relay Chat (IRC). I cover IRC in more detail because it's more complex than other networks, more frequently attacked, and more often used as an attack tool.