How to secure Instant Messengers ?

Discussion in 'other security issues & news' started by ronny, May 21, 2006.

Thread Status:
Not open for further replies.
  1. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    I wonder if anyone can help me with some good advice. My girlfriend insists on using instant messengers (MSN, Trillian, ...) to chat with her game buddies. I advised Skype but she complained that her buddies don't use that.
    I am afraid that these messengers jeopardise my PCs. I thought of buying Zonelabs IM secure but when I saw that it hasn't been updated in a long time, I cancelled that one.
    So what could I do to minimize the endangerment by using those messengers?
     
  2. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,
    Try GAIM - opensource messenger that supports a lot of networks.
    Education - teach her what to do when online.
    Not click links in messages from unknown people.
    Not converse with strangers.
    Be careful when downloading / viewing pics, music and such.
    You could run the messengers with DropMyRights to reduce their privileges, so if something does occur, they do not escalate the trouble across the system.
    Mrk
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Hi ronny,

    It looks a lot like AV vendors are focused on securing enterprise IM, and in light of that, the tools for securing IM otherwise look almost non-existent. If ZA IM secure can do the job - I'd say go for it.

    Other than that, it is best to secure your PC with one of the more industrial strength AVs with real-time scanning. Take your pick. Kaspersky would be a good one. Please don't take my word for it, keep researching until you find the answer that works for you and you are happy with.

    -- Tom
     
  4. Notok

    Notok Registered Member

    Joined:
    May 28, 2004
    Posts:
    2,969
    Location:
    Portland, OR (USA)
    I haven't had any problems with Trillian in the years that I've been using it. The best thing you can do, however, is to set the account to not show your online status on the web; this will avoid most, if not all, spam from unknown parties. Using DropMyRights, as Mrkvonic mentioned, can certainly help, as well as a good general security setup.
     
  5. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    ronny

    Quite honestly, if people couldn't be relied on to use my PC in a totally safe way, I wouldn't let them use it, ever! Also I would password protect the BIOS and Windows and a screensaver to stop them from using it in my absence.

    Actually you can get a free version of IMsecure.

    From the website
    ________________

    Keep IM conversations private
    Protect vulnerable IM connections
    IMsecure is free for individual and not-for-profit charitable entity use (excluding governmental entities and educational institutions).

    http://www.zonelabs.com/store/content/catalog/products/sku_list_ims.jsp?lid=imrdr


    StevieO
     
  6. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Just a reminder: both parties would need IMsecure (or a certificate, or whatever you use for encryption). It won't help you unless your friends have it as well.

    Otherwise, I'd follow Mrkvonic's advice.
     
  7. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,094
    Yahoo IM Worm Hijacks Browsers, Plays Migraine Music
    A worm running through Yahoo's instant messaging network is installing a browser of its own--a first for IM malware. The browser leads users to adware and spyware sites, several security firms said Monday.
    By Gregg Keizer
    TechWeb.com
    May 22, 2006 03:26 PM
    Story here.

    -- Tom
     
  8. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    I've been using ZA IM secure for a while now. The only useful feature I can find on it is to block all links. Some may find it annoying, but I feel safer if I don't allow anyone to click those AIM links on my computer.
     
  9. herbalist

    herbalist Guest

    Some more things you can do to help secure IMs.
    Many IM programs support AV integration for file transfers, but a lot of people don't configure it. Have a trusted friend transfer you a safe file to make sure it's set up correctly and scans the file. If the IM has the options, always set it to ask if it can receive a file. Same for webcams, set it to ask. A friend of mine learned that the hard way. Found that an online "friend" had been watching them in their living room and saved pictures.
    Regarding firewall rules for IM programs, even though there are differences between them, none of them need unlimited inbound permission or server rights for all IPs. Most only need to be able to receive incoming packets from one or two specific IP ranges, and usually on a very few ports. Limit the incoming access to only the specific IP ranges that are needed, and only for the specific ports and protocols it needs on those ranges. You can also block many if not all of the ads displayed in the IMs with specific blocking rules without otherwise affecting the IM's performance.
    This has less to do with the IM program itself and more to do with the user, but it's one thing that must be made clear to young users. Most of the popular IM groups have directories and profile pages where they can post info on themselves. It needs to be made clear that they must not put their full names, and definitely not their addresses and phone numbers in them. Many do so they can be found by their "friends" easier. The news is full of reports of so-called friends being predators. Show them how easy it is to take a home addy and produce a map to your door with it. Have a trusted friend scare the hell out of them if they think it can't happen. Whatever it takes to make the point.
    Rick
     
  10. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    For AIM I believe the port is 5190.

    I don't remember Yahoo or MSN though.

    How does one configure for AV to scan? There is usually a myriad of exe's associated with the AV. How does one find the file scanner?
     
  11. herbalist

    herbalist Guest

    I believe Yahoo listens on port 5051.
    This will vary greatly depending on the AV. One way that can help is to use a process monitor like Process Explorer. Have Process Explorer running and have your AV scan a rather large folder. Many AVs add an entry to the right click menu you can use for this. You could also do it from their regular interface. When the scan starts, Process Explorer should show the name of the scanning file. Often the AV's help file will tell you, but it might not be mentioned where you'd expect. Look under command line, integration, etc. If nothing else, launch the exe's in the AV's folder manually and see what happens.
    Rick
     
  12. ronny

    ronny Registered Member

    Joined:
    Feb 18, 2004
    Posts:
    231
    Location:
    Belgium
    Although I didn't get any real new information, I DO appreciate your time & advice. Thank you Mrkvonic, lotuseclat79, Notok, StevieO, WSFuser, sosaiso, and herbalist.

    A little (perhaps stupid) question: herbalist writes to block certain ports & protocols, etc. with firewall rules, but how do you do that when you use ZoneAlarm?
     
  13. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    I read somewhere that to create the advanced rules and block specific ports, you need ZoneAlarm Pro. If you do have it, this site should be able to provide instructions.
     
  14. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    After rereading, I might have misunderstood Herbalist at first. I only listed the port. There is a specific IP address that IM programs should listen to? Where would one find such a list?

    As for the AV executable line. How does one find it through the right click? I have an option to scan via the context menu, but I can't seem to get a filename from it. Where is this in the registry?

    And you're welcome ronny.
     
  15. rx2pc

    rx2pc Registered Member

    Joined:
    Aug 14, 2004
    Posts:
    34
  16. herbalist

    herbalist Guest

    Any good process monitor should identify the process when it's launched. Start Process Explorer, then right click on a folder and start the scan. The actual file doing the scanning will show up as a new child process for windows explorer.
    I'm not aware of an actual listing of IPs used by IM programs. The only IM program I'm using is Yahoo, so I can't address the others. Unless you resort to using a "permit all" type of rule (equivalent to no firewall on the IM program), writing tight firewall rules for IM programs can get pretty involved. Your system proxy settings will also affect them. With Yahoo (using 5.6, an old version) for example, there are 2 components that want to initially connect out. One is the updater, yupdater.exe. The other is the actual IM program itself, ypager.exe. With rule based firewalls, each will need their own rules. Assuming that your firewall identifies the application trying to connect out and the IP address it's connecting to (the better ones do give this data on the alerts), run the IP addy thru a whois, like the one in Sam Spade for Windows. This will return who the IP belongs to and the IP range. The older version of Yahoo I'm using makes its initial connection on port 5050. It also listens on port 5101, but you might not be prompted about this until an incoming signal is received. After these, it gets more complicated, depending on how you're configured. If you automatically connect to Yahoo Insider, you'll be prompted for a rule allowing this IP range. You'll also get prompted for several other IP ranges at this time which do nothing but deliver ads. These tend to get rotated, so you may be prompted about different ranges each time you start Yahoo. Between the firewall alerts and the whois results, you can separate the ones you need from the ones you don't. I originally used a trial and error approach, slowly allowing the different connections on a one time basis, just to see what each one did. It'll probably take several trial runs to get thru this stage as Yahoo will time out waiting for the connections.
    To make the whole matter worse, Yahoo connects directly to the individuals you talk to. Now you have a choice to make, depending on how you use it and how many people you (or your girlfriend) chat with. You can either make rules for each chatter or a rule allowing all other connections. I have a short list of contacts, so I made rules for each one's IP addy. If you have 50 contacts, this could be a real pain. If you use the webcam or voice options, this will either add more rules or you'll be prompted when you use these features. The same applies to transferring files with an IM program.
    The configuration I settled on is like this. I have 2 rules covering the requirements of the IM program itself, followed by about 7 blocking rules to stop the ads. These are followed by the rules allowing my short contact list. For anything not covered by these, Kerio prompts me. If you have a fixed contact list, and they consistently use the same IPs, you can follow the above setup with a blocking rule. If your firewall allows you to choose between blocking packets that don't match the rules or being prompted about them, even better. Be aware that the order the rules are listed matters. Most firewalls read the rules from the top downward and use the first one that applies.
    The biggest issue with IM programs and firewall rules is that they connect to a lot of places for a lot of different reasons. Deciding just what to allow and what to block is the hard part. It's more time consuming than anything else. Depending on how far you go with this, you can even control who your kids can talk to. Between the message archiving feature of the IM program and the firewall logs, you can get quite detailed with the rules.
    While I can't say with any certainty about the other IM programs, I imagine they work in a similar fashion. As for the ones that work with multiple networks, (Yahoo, MSN, ICQ, AOL, etc) you'll also need to allow for each network used.
    Rick
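
The top-down, first-match ordering described in the post above (service rules, then ad blocks, then per-contact rules, then a prompt), together with the narrow inbound rules from herbalist's earlier post, modelled as an added example that is not part of the thread and not any firewall's own code. The executable names and ports 5050 and 5101 come from the post; the IP ranges are constructed RFC 5737 documentation blocks, and port 80 for the updater and the ad servers is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "block"
    app: str        # executable the rule is bound to
    direction: str  # "out" or "in"
    remote: str     # remote range in CIDR form
    port: int       # outbound: remote port; inbound: local listening port
    note: str = ""


def decide(rules, app, direction, remote_ip, port, default="prompt"):
    """Return (action, note) of the first matching rule, else the default."""
    addr = ip_address(remote_ip)
    for r in rules:
        if (r.app == app and r.direction == direction and r.port == port
                and addr in ip_network(r.remote)):
            return r.action, r.note
    return default, "no rule matched"


# Constructed ranges (RFC 5737 documentation blocks), not real Yahoo addresses.
SERVICE = "192.0.2.0/24"
ADS = "198.51.100.0/24"
CONTACT = "203.0.113.25/32"

RULES = [
    Rule("allow", "ypager.exe", "out", SERVICE, 5050, "login/service"),
    Rule("allow", "yupdater.exe", "out", SERVICE, 80, "updater (port assumed)"),
    Rule("block", "ypager.exe", "out", ADS, 80, "ad servers (port assumed)"),
    Rule("allow", "ypager.exe", "out", CONTACT, 5101, "contact, outbound"),
    Rule("allow", "ypager.exe", "in", CONTACT, 5101, "contact, inbound"),
]

# Same rules with a "permit all" rule on top: it shadows the ad block below it.
PERMIT_ALL_FIRST = [
    Rule("allow", "ypager.exe", "out", "0.0.0.0/0", 80, "permit all"),
] + RULES

if __name__ == "__main__":
    for name, rs in (("ordered", RULES), ("permit-all first", PERMIT_ALL_FIRST)):
        print(name, decide(rs, "ypager.exe", "out", "198.51.100.7", 80))
    # Inbound on 5101 from an address that is not on the contact list.
    print(decide(RULES, "ypager.exe", "in", "203.0.113.99", 5101))
```

Passing `default="block"` instead of the prompt corresponds to the closing blocking rule the post suggests for a fixed contact list.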
     
  17. sosaiso

    sosaiso Registered Member

    Joined:
    Nov 12, 2005
    Posts:
    601
    That was a really involved post, herbalist. Thanks for the enlightenment. I will try to play around with tightening my IM programs when I get the chance.
     