1 / 16

Secure Public Instant Messaging (IM): A Survey

Secure Public Instant Messaging (IM): A Survey. Mohammad Mannan Paul C. Van Oorschot Digital Security Group School of Computer Science Carleton University, Ottawa, Canada. What’s This Talk About?. Do we need secure IM? Do the current methods provide enough security for IM?. Organization.

colorado-hooper
Download Presentation

Secure Public Instant Messaging (IM): A Survey

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure Public Instant Messaging (IM): A Survey Mohammad Mannan Paul C. Van Oorschot Digital Security Group School of Computer Science Carleton University, Ottawa, Canada

  2. What’s This Talk About? • Do we need secure IM? • Do the current methods provide enough security for IM?

  3. Organization • Scope and background • What’s at stake? • Reasons why IM is insecure • Existing IM security mechanisms • Shortcomings • Concluding remarks

  4. Scope • PC-to-PC (one-to-one) text messaging • Popular public and business IM • AOL, Yahoo!, and MSN Messenger, ICQ • Yahoo! Business Messenger, Reuters Messaging • third party clients (Trillian, IMSecure) • Out of scope • Short Messaging System(SMS) • Internet Relay Chat (IRC) • chat room/group chat

  5. Background • IM is mainly used for – • exchanging text messages • tracking availability of a list of users • Recent statistics • Pew report 2004 – • 42% Internet users use IM in the U.S. • growth rate of IM population: 29% (since 2000) • 70% Internet users report using email more than IM • Ferris Report (business IM users) • 10 million in 2002 • 182 million in 2007

  6. IM Communications Model • Client-server: presence, contact list and availability management, message relay between users • Client-client: audio/video chat, file transfer • Authentication: password-based, sometimes use SSL (Secure Socket Layer) IM Server Client 1 Client 2

  7. What’s at Stake? • Conversations (privacy and information leakage) • Propagation vector for Internet worms, viruses and Trojans • SPIM (IM spam) – Unsolicited commercial IMs • Radicati Group projections – • 1.2 billion SPIMs in 2004 (5% of total IMs) • 400 million in 2003 • 34.8 billion spam email messages in 2004 • Compromised systems

  8. Reasons why IM is insecure • “Insecure” connection • impersonation • replay • Sharing IM features with other applications • Exploitable URI (Uniform Resource Identifiers) handlers aim, ymsgr • example:aim://addbuddy?mybuddy • attacks • buffer overflow • scripting attacks • Deceitful hyperlinks

  9. Existing IM Security Mechanisms(1) • Built-in methods • launch anti-virus • explicit consent for add contact, file transfer, presence info (not cryptographically protected) • new version and critical updates notification • prevents automated account creation • word filtering • password-protected settings etc.

  10. Existing IM Security Mechanisms(2) • Third-party security solutions • AIM can make use of Class 2 digital certificates • IMSecure • Trillian • Why don't we use email security solutions for IM? • Proprietary protocols • P2P connections

  11. Shortcomings of Current Solutions • Anti-virus can check only limited file types • URL exploitations • Cost and maintenance burden of digital certificates • SSL-based (corporate IM) solutions: • resource hungry • visible messages to server • limited threat model (end-points are trusted)

  12. Weaknesses of IMSecure Model User System IM Server/ Others Encrypted Messages IM Client Unprotected Messages IMSecure Read/Modify Messages Malicious Program

  13. Concluding Remarks • IM security is important • Current methods are insufficient • Can we use existing protocols to secure IM? • User interface issues • Ongoing work in IETF (see also paper)

  14. Thanks. Paper: http://www.scs.carleton.ca/~mmannan/publications/pst04.pdf Presentation: http://www.scs.carleton.ca/~mmannan/publications/pst04.ppt

  15. Web References • Symantec: IM Worms Could Spread In Seconds, June 2004, http://www.techweb.com/wire/story/TWB20040618S0007 • Look out spam, here comes spim, Mar. 2004, http://www.theregister.co.uk/2004/03/31/look_out_spam_here_comes • Microsoft warns of JPEG threat, Sep. 2004 http://www.macworld.co.uk/news/index.cfm?NewsID=9635&Page=1&pagePos=2 • National Cyber Security Alliance Perception Poll Release http://www.staysafeonline.info/news/NCSAPerceptionPollRelease.pdf

  16. Related Work • Much work on feature enhancement, analysis • Secure Instant Messaging Protocol Preserving Confidentiality against Administrator, Kikuchi et al., March, 2004. • Threats to Instant Messaging, Symantec Security Response, 2003.

More Related