posted on Saturday, January 08, 2005 2:05 PM by bradley

So all those IM messages you have on a daily basis

So you are IMing away, typing up some pretty sensitive info, and because it's on IM and not on email, the fact that you are giving away secrets to Fort Knox is fine because this is IM and not email, right?

You do know that IM traffic can be sniffed... that it's going over in plain text. 

We were talking yesterday in a meeting how we need to take a concerted effort to “do the right thing” when it comes to computer security. 

Encryption is a HUGE right thing and it's still WAY too hard to do.  Like MSN IM.  Why doesn't it just include encryption that you can turn on natively?  You can add it on to your IM sessions but it's not built into the box.

Greg talks about what a pain it is to get people to understand let alone swap public keys to set up encrypted email.  WHY IS THAT?

Why shouldn't we try to ensure that communication is safe and secure, ESPECIALLY when it comes to sensitive info? Yet on a regular basis I about fall out of my chair at the number of documents that are merely emailed with no regard to sensitive information.

I mean why do I have to google to find the Verisign public key page?

It should be easier than this.  Right now I'm recommending that we at least use Adobe Acrobat and password protect/encrypt the file for the minimum of protection.

And pssst... Microsoft.... read this from the Verisign instructions...if AIM does it...why don't you?

The latest release of AIM (5.2 and up) allows you to send and receive encrypted instant messages using your Digital ID.

To use your new Digital ID with AIM, follow these directions.

 

Comments

# re: So all those IM messages you have on a daily basis

Saturday, January 08, 2005 6:15 PM by Haacked
You can also look into Jabber clients. It's an open source protocol. I wrote about how unsafe IM is here:

http://haacked.com/archive/2004/09/30/1288.aspx

# re: So all those IM messages you have on a daily basis

Monday, January 10, 2005 12:52 PM by Carlos
The problem is that jabber is not running in SSL by default and that jabber is a real pain in the tail end to set up.

I opted to add encryption to my IM client (GAIM gaim.sf.net) with a plug-in available at gaim-encryption.sourceforge.net. On top of that I run my own SILC server (http://www.silcnet.org/) inside my network. SILC is SSL enabled by default so even if I don’t have the gaim-encryption plug-in installed my IM traffic is secure. The firewalls are set to not allow any kind of IM to get through because IM is just as big a security risk as P2P applications because you can send sensitive files and data out through it without any kind of check. Email is a necessary thing and true enough that a user can send out files that are sensitive over it but then I at least have a way to track the offence and take action to have the user dismissed for not following company policy.

# re: So all those IM messages you have on a daily basis

Monday, January 10, 2005 6:24 PM by James B
I am a big fan of encryption, being on the security and risk awareness side of things. As such email should be encrypted because even the most "safe" person will put stuff in email they shouldn't such as account names or passwords. Since you can get a free digital signature from Thawte it makes no sense not to encrypt email but how many people do it? IM is just another example but to me it's not the worst one. Did you know you cannot do encrypted email with either OWA or Pocket Outlook? All those little computers running around out there and not one email being sent from them is secure, how much of it is travelling over wifi in airports? The fact MS doesn't support, scratch that, insist on, encryption is just another example of how they are a joke when it comes to security. They make lots of noise but do bother fixing the smallest holes.

BTW who is that guy over there that is always just sitting at the airport all day with his laptop and what is that tin can for....