Mostly about Fantasy genre: Special emphasis on Lord of the Rings, Harry Potter and Deed of Paksennarion. Music, poetry and random ramblings. Actually, anything is up for grabs. Probably not politics, but everything else is fair game. Please ignore al
Yesterday, my boss looked over my shoulder and saw that I was chatting with a coworker in another building about a situation that had just happened and that I would soon deal with. I was also had an IM screen open with another coworker in another room, and had asked her some questions about a travel claim I was doing.

My boss freaked out on me -- not because she thought I was wasting time chatting with friends and not working (which I wasn't) but because my computer could get hacked through the instant messenger.

I used to have Google Talk downloaded on my computer, but was told to get rid of it because the download could be dangerous. Now, I use web-based Google Talk or, more recently, www.meebo.com.

My question is -- are my boss and IT guy correct? Can I get hacked because I use instant messaging? If so, would I have to be in contact with the hacker? Would I have to accept a file transfer?

Any help you all can give me would be great.

Comments (Page 1)
2 Pages1 2 
on Oct 03, 2007
are my boss and IT guy correct?
Yes you can get hacked
Can I get hacked because I use instant messaging?
Yes, IM can be a vector of infection
If so, would I have to be in contact with the hacker?
Not the hacker, but you'd have to be chatting with someone
Would I have to accept a file transfer?
Yes.  And you'd have to execute (open or run) it

I'd say your boss is oversensitive.  Don't open links unless you trust who you are talking to (and even then they may not be able to control what they are sending if they are infected with something crazy).  Don't run strange apps until you scan them.  Use a firewall to make sure no strange apps are sending out data without your permission.
on Oct 03, 2007
I don't know anything about getting hacked...I just wanted to say hello sister! Haven't seen ya in awhile!
on Oct 03, 2007

I'd say your boss is oversensitive.

Ditto on what Zubaz said, but on this I disagree (mildly).  yes it takes user interaction to get zapped through IM, but most users are so conditioned to clicking "OK", they get got.  So instead of saying "if you are PC Savy you can.....", most IT and security people just issue a blanket "NO" to IM.

As for IMing coworkers, the company can set up their own internal IM (it wont go outside of the trusted network) and that should be safe.  Unless a coworker is infected.

And good to see you again! How is school going?

on Oct 03, 2007

As long as you're connected to the internet (no matter how), there's always the danger of being hacked in one way or another.

Having said that... in most cases you have to "accept/allow" the intruders before they can do anything - either via an Email-attachment or some sort of file/link sent to you through instant messaging.

No matter how protected your PC may be - Common sence is always the best protection

on Oct 03, 2007
Any time you have an open port it's possible for someone to enter your system through that port. I think your people are being a little too touchy about it in that the IT department should have protection and detection in place.

That said, if it's your company's IT policy to not use such applications you are expected to comply with their policies.
on Oct 03, 2007
I agree with Tova.
on Oct 03, 2007
Anything can be hacked...the easiest and most common way being accepting and excecuting a file via IM or clicking on a link sent to you by someone unknown \ untrusted. Both of which can compromise your system immediately and give full access to an intruder.

Best advice, do as your told if it's not your system.
on Oct 03, 2007
if the local I.T. dept was worth their salt, they would have locked that machine down before any of this non-sense took place. Users running in a corporate environment should be running as restricted user accounts - this pretty much negates the user's ability to install any software and only use what's installed on that machine. The only people installing software on company desktop/laptop workstations should be the I.T. dept. Having most users run as restricted user accounts on the machines they use will prevent most problems such as spyware/malware/viruses that occur when users run with admin level privileges.

I would say (and I could be wrong) that you probably have installed other software on your machine that is not required for you to perform your work. This also puts your machine at risk for all sorts of malware. Think of the implications, if your machine is infected and you regularly communicate with your co-workers via email, using files in shared network folders, etc - this also puts other machines on the same local network at risk so you not only have 1 machine with problems, you have an entire office full of malware infected machines that could be targeted by hackers to perform all sorts of trouble.

Instant messenging in a corporate environment can be used as an effective means of quick communication as an alternative to phone & email and can be configured for local use only (no access to external IM users) but it can also viewed as a productivity killer. If you feel this can assist you & your co-workers, why not approach your boss & the I.T. dept and find out if getting this setup is a possibility.

Installing & using an IM client without previous approval from your manager at your workplace would be viewed as a serious deviation from company policy - in some corporate environments, that would be sufficient to get your terminated.

Your boss freaking out at you is nothing, I'd say you got off easy.
At least you didn't get fired.

on Oct 03, 2007
Hmm, must be tough love Wednesday.

Wouldn't dare step into using the IM at work argument and I never have a pop at Elfs & Faeries.

If you are asking more generally, then bearing in mind the danger is not the open port, but the vulnerable service, then I'd add:-

Keep updated and minimize inbuilt vulnerabilities.

Look around the program options, get to understand them and make use of any invite/block system.

If you are running in admin mode, consider taking a few steps to drop the rights of your IM program of choice.

on Oct 03, 2007
to give an idea of the possibility of security problems associated with the use of instant messenging clients, vnunet.com has a recent report on a serious new AIM vulnerability that could allow remote code execution via instant messaging alone. No user interaction is necessary for the exploit to be successful. In a nutshell, if you use this aim client for instant messenging, the software only needs to be running for the attack to be possible, no links to click on or attachments to open.

Other versions of im clients have experienced similar security issues and for the most part, the environment is as secure as it can get until a hacker comes along and exploits another security vulnerability. Make sure you're running the most current version of your im client, make sure windows has all of the security & critical updates installed, make use of a firewall and decent anti-malware software.

It's a rough world out there, make sure you protect yourself.
on Oct 03, 2007
Good post rob.
I'm abig fan of third party IM clients.  I use trillian and meebo.com primarily but also Gaim and Adium.  There may be other security concerns but I "feel" safer using these.

I have to agree with the other responders that say that you shouldn't be chatting using unauthorized systems.  Depending on the size of your organization, implementing some sort of authorized system is probably the best bet.
on Oct 03, 2007
You would have to be visible to non-trusted sources in order to accept this code. It shouldn't happen simply by dint of launching the application, not if you've bothered to take basic precautions. It is partly a result of bad design and partly a result of bad practice. There may be magic bytes, but there is no magic code - it can't take advantage of a vector it doesn't have access to.

All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML to customize text messages with specific font formats or colours.

The vulnerable AIM clients use an embedded Internet Explorer server control to render this HTML content.

However, as this input is not checked before it is rendered, an attacker could deliver malicious HTML code as part of an instant message to directly exploit Internet Explorer bugs without user interaction.
on Oct 03, 2007
I read the computer policy at my school (I work for a university) and there are no rules against using instant messenger. There is a program provided by the school, but it must be downloaded. My IT guy doesn't want things downloaded (because he's afraid -- even if the program is from the university website or required for my job, for that matter), so my coworkers and I were using web-based chatting. I was not breaking any rules -- I thought I was complying with them. And, no unclerob, I have not installed any software that is not required for my job. Again, this is why I was using meebo.com so I would not install any unnecessary programs on my computer. The instant messaging was there to help me do my job in a more efficient and effective manner.

Our IT guy, while very nice, doesn't seem to know what he's doing sometimes. He's overly paranoid about being hacked -- but doesn't think to add any extra protection to the computers. Other offices on campus, including financial aid and the registrar all use IM to contact other departments. My department alone seems to be too afraid to use it. *sigh*

It helps to know that I would almost certainly have to accept and run files to be hacked. My computer is likely in danger from one of the many networking programs I have installed to do my job and it is unlikely that IM would cause any further danger.

Thanks for your help!

(For all personal comments, I'll write another blog in a more appropriate forum in a minute. So, I promise, I'm not ignoring you. )
on Oct 04, 2007

He's overly paranoid about being hacked --

If it is a University, you CANNOT be overly paranoid!

on Oct 04, 2007
If it is a University, you CANNOT be overly paranoid!


Yes, but she has a point, Dr. Guy. A good network administrator acts proactively rather than browbeating someone for using software that is not expressly forbidden. He could lock down the site on the network and force them to use computers outside the network (which pose no risk to the network) to connect to the messaging service they need. He could (and should) set privileges to further minimize the risk.

As you well know, security is the opposite of convenience. Sounds to me like a lazy IT guy wants to have his cake and eat it to, choosing to ignore security for convenience and then complain of a poassible security breach.

And yes, sugar, anytime you convrse with someone via IM, it is an open door. Can they hack you directly through IM without a file download? Not necessarily. But they can trace your IP address and use it for targetted attacks later, if they so choose.
2 Pages1 2