Don't Talk to Strangers
Instant messaging is handy, but it pays to know who’s on the end of the conversation
By Andrew S. Hughes
Systems administrators might be getting better at detecting viruses and preventing them from infecting their systems, but that doesn't mean virus perpetrators are going anywhere.
Instead, they're looking for different gateways into computer systems, and they've likely found one in Instant Messaging, the real-time chat version of e-mail.
"It's my concern, and others as well, that instant messaging will become 'the next big one,'" Gary Dobbins says. "It's already been used to mislead some users, so far with no significant damage" to any system he's aware of.
The director of information security for the Office of Information Technology, Dobbins says, however, that viruses and worms transmitted by e-mail - the current route of infection - started like that, too: as benign inconveniences that now wreak havoc on systems.
Furthermore, anti-virus software used on traditional e-mail systems doesn't protect against viruses transmitted through Instant Messaging. As with e-mail, Instant Messaging can also be used to redirect a person's computer system to other Web sites.
Recently, Dobbins says, a "nuisance outbreak" occurred at the University in which a message invited people to click on a link to "a site of questionable integrity."
"Many of them did, and as a result had to uninstall the resultant agent," he says. "Also, some of these invitations are becoming much more plausible, making it difficult to distinguish between hoaxes and legitimate things from your friends."
In addition to infections from viruses, Dobbins says, Instant Messaging poses concerns related to privacy.
"The content you send is usually handled by third parties with no prior contract for nondisclosure or privacy assurance," he says. "Because of the convenience, a user might be tempted to send something of high sensitivity not realizing the risk they're exposing that data."
To prevent infection from a virus while using Instant Messaging, Dobbins says people should configure their Instant Messaging software to accept messages only from people they know, configure the software to refuse to participate in file sharing and configure the software to not accept "themes." Themes include background graphics or other animated pictures that a buddy might use to identify himself, but virus perpetrators can hijack these and use them to carry their virus.
As with traditional e-mail, Dobbins says, people shouldn't click on links they weren't expecting and should confirm with the sender that any links they receive were sent by the sender.
"To put it in more colloquial terms, don't talk to strangers, don't take candy from strangers, and be careful of candy from people you know," he says. "It's stuff we all learned in kindergarten applied to the digital world."
Businesses, Dobbins says, should install their own Instant Messaging system rather than allowing employees to use third party systems. At present, Notre Dame does not have its own Instant Messaging system. "It's an emerging risk, and the University is aggressively addressing existing risks," Dobbins says. "I think it's only a matter of time and resources."
OIT surveyed its employees recently about the Instant Messaging services they use. Paul Russell, the senior systems administrator for Messaging Services, conducted the survey and says the University is "in the discovery phase" for possibly installing its own Instant Messaging system.
"If we bring IM in-house, we can run a secure service so that the traffic from the work station to the server to the recipient is encrypted," he says. "Also, we can restrict who has access to it, and it would be for people connected to the Notre Dame server only. That wouldn't preclude people from using AOL, for example, to communicate with friends and family."

