Secure Public Instant Messaging (IM): A Survey - PowerPoint PPT Presentation

Slides: 17
Provided by: scsCar
Transcript and Presenter's Notes

1
Secure Public Instant Messaging (IM): A Survey
  • Mohammad Mannan
  • Paul C. Van Oorschot
  • Digital Security Group
  • School of Computer Science
  • Carleton University, Ottawa, Canada

2
What's This Talk About?
  • Do we need secure IM?
  • Do the current methods provide enough security for IM?

3
Organization
  • Scope and background
  • What's at stake?
  • Reasons why IM is insecure
  • Existing IM security mechanisms
  • Shortcomings
  • Concluding remarks

4
Scope
  • PC-to-PC (one-to-one) text messaging
  • Popular public and business IM
      • AOL, Yahoo!, and MSN Messenger, ICQ
      • Yahoo! Business Messenger, Reuters Messaging
      • third party clients (Trillian, IMSecure)
  • Out of scope
      • Short Messaging System (SMS)
      • Internet Relay Chat (IRC)
      • chat room/group chat

5
Background
  • IM is mainly used for
      • exchanging text messages
      • tracking availability of a list of users
  • Recent statistics
      • Pew report 2004
          • 42% of Internet users use IM in the U.S.
          • growth rate of IM population: 29% (since 2000)
          • 70% of Internet users report using email more than IM
      • Ferris Report (business IM users)
          • 10 million in 2002
          • 182 million in 2007

6
IM Communications Model
  • Client-server: presence, contact list and availability management, message relay between users
  • Client-client: audio/video chat, file transfer
  • Authentication: password-based, sometimes use SSL (Secure Socket Layer)

[Diagram labels: IM Server, Client 1, Client 2]

7
What's at Stake?
  • Conversations (privacy and information leakage)
  • Propagation vector for Internet worms, viruses and Trojans
  • SPIM (IM spam): unsolicited commercial IMs
      • Radicati Group projections
          • 1.2 billion SPIMs in 2004 (5% of total IMs)
          • 400 million in 2003
          • 34.8 billion spam email messages in 2004
  • Compromised systems

8
Reasons why IM is insecure
  • Insecure connection
      • impersonation
      • replay
  • Sharing IM features with other applications
  • Exploitable URI (Uniform Resource Identifiers) handlers: aim, ymsgr
      • example: aim://addbuddy?mybuddy
      • attacks
          • buffer overflow
          • scripting attacks
  • Deceitful hyperlinks
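
A receiving client can screen links before acting on them, covering both the URI-handler and deceitful-hyperlink items on this slide. The sketch below is an added example, not code from the presentation or from any IM client; the function names, warning strings, length cap and rejected-character set are assumptions, and the sample links in the usage note are constructed.

```python
from urllib.parse import urlsplit

# Assumed policy values for this sketch: the handler schemes are the two named
# on the slide; the length cap and rejected characters are illustrative.
IM_HANDLER_SCHEMES = {"aim", "ymsgr"}
WEB_SCHEMES = {"http", "https"}
MAX_URI_LENGTH = 256
REJECTED_CHARS = set("<>\"'`")


def _split(uri):
    """Parse a URI, returning None instead of raising on malformed input."""
    try:
        return urlsplit(uri.strip())
    except ValueError:
        return None


def _host(text):
    """Return the lowercase host if text looks like a web address, else None."""
    candidate = text.strip()
    parts = _split(candidate if "://" in candidate else "http://" + candidate)
    host = parts.hostname if parts else None
    if host and "." in host and not any(c.isspace() for c in host):
        return host
    return None


def review_link(display_text, target):
    """Return warnings for a link received in an IM message (empty list = none)."""
    warnings = []
    if len(target) > MAX_URI_LENGTH:
        warnings.append("oversized-uri")
    if any(ord(c) < 0x20 or c in REJECTED_CHARS for c in target):
        warnings.append("script-or-control-characters")
    parts = _split(target)
    if parts is None:
        return warnings + ["unparseable-uri"]
    scheme = parts.scheme.lower()
    if scheme in IM_HANDLER_SCHEMES:
        # Handler URIs change client state, so never act on them silently.
        warnings.append("im-handler-needs-user-consent")
    elif scheme not in WEB_SCHEMES:
        warnings.append("unexpected-scheme")
    else:
        if "@" in parts.netloc:
            warnings.append("userinfo-in-url")
        shown, actual = _host(display_text), _host(target)
        if shown and actual and shown != actual:
            warnings.append("display-text-host-mismatch")
    return warnings
```

For instance, `review_link("Add me", "aim://addbuddy?mybuddy")` flags the handler for explicit consent, and a link displayed as `www.mybank.example` that actually targets `http://www.mybank.example@203.0.113.5/login` is flagged for both embedded userinfo and a host mismatch.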

9
Existing IM Security Mechanisms (1)
  • Built-in methods
      • launch anti-virus
      • explicit consent for add contact, file transfer, presence info (not cryptographically protected)
      • new version and critical updates notification
      • prevents automated account creation
      • word filtering
      • password-protected settings etc.

10
Existing IM Security Mechanisms (2)
  • Third-party security solutions
      • AIM can make use of Class 2 digital certificates
      • IMSecure
      • Trillian
  • Why don't we use email security solutions for IM?
      • Proprietary protocols
      • P2P connections

11
Shortcomings of Current Solutions
  • Anti-virus can check only limited file types
  • URL exploitations
  • Cost and maintenance burden of digital certificates
  • SSL-based (corporate IM) solutions
      • resource hungry
      • visible messages to server
      • limited threat model (end-points are trusted)

12
Weaknesses of IMSecure Model
[Diagram labels: User System; IM Server/Others; Encrypted Messages; IM Client; IMSecure; Unprotected Messages; Read/Modify Messages; Malicious Program]

13
Concluding Remarks
  • IM security is important
  • Current methods are insufficient
  • Can we use existing protocols to secure IM?
  • User interface issues
  • Ongoing work in IETF (see also paper)

14
Thanks.
  • Paper: http://www.scs.carleton.ca/mmannan/publications/pst04.pdf
  • Presentation: http://www.scs.carleton.ca/mmannan/publications/pst04.ppt

15
Web References
  • Symantec IM Worms Could Spread In Seconds, June 2004, http://www.techweb.com/wire/story/TWB20040618S0007
  • Look out spam, here comes spim, Mar. 2004, http://www.theregister.co.uk/2004/03/31/look_out_spam_here_comes
  • Microsoft warns of JPEG threat, Sep. 2004, http://www.macworld.co.uk/news/index.cfm?NewsID9635Page1pagePos2
  • National Cyber Security Alliance Perception Poll Release, http://www.staysafeonline.info/news/NCSAPerceptionPollRelease.pdf

16
Related Work
  • Much work on feature enhancement, analysis
  • Secure Instant Messaging Protocol Preserving
    Confidentiality against Administrator, Kikuchi
    et al., March, 2004.
  • Threats to Instant Messaging, Symantec Security
    Response, 2003.