Upload
colorado-hooper
View
34
Download
1
Embed Size (px)
DESCRIPTION
Secure Public Instant Messaging (IM): A Survey. Mohammad Mannan Paul C. Van Oorschot Digital Security Group School of Computer Science Carleton University, Ottawa, Canada. What’s This Talk About?. Do we need secure IM? Do the current methods provide enough security for IM?. Organization. - PowerPoint PPT Presentation
Citation preview
Secure Public Instant Messaging (IM): A Survey
Mohammad Mannan Paul C. Van OorschotDigital Security GroupSchool of Computer ScienceCarleton University, Ottawa, Canada
What’s This Talk About? Do we need secure IM? Do the current methods provide
enough security for IM?
Organization Scope and background What’s at stake? Reasons why IM is insecure Existing IM security mechanisms Shortcomings Concluding remarks
Scope PC-to-PC (one-to-one) text messaging Popular public and business IM
AOL, Yahoo!, and MSN Messenger, ICQ Yahoo! Business Messenger, Reuters
Messaging third party clients (Trillian, IMSecure)
Out of scope Short Messaging System(SMS) Internet Relay Chat (IRC) chat room/group chat
Background IM is mainly used for –
exchanging text messages tracking availability of a list of users
Recent statistics Pew report 2004 –
42% Internet users use IM in the U.S. growth rate of IM population: 29% (since 2000) 70% Internet users report using email more than
IM Ferris Report (business IM users)
10 million in 2002 182 million in 2007
IM Communications Model
Client-server: presence, contact list and availability management, message relay between users
Client-client: audio/video chat, file transfer Authentication: password-based, sometimes use
SSL (Secure Socket Layer)
IM Server
Client 1 Client 2
What’s at Stake? Conversations (privacy and information
leakage) Propagation vector for Internet worms,
viruses and Trojans SPIM (IM spam) – Unsolicited commercial
IMs Radicati Group projections –
1.2 billion SPIMs in 2004 (5% of total IMs) 400 million in 2003 34.8 billion spam email messages in 2004
Compromised systems
Reasons why IM is insecure “Insecure” connection
impersonation replay
Sharing IM features with other applications Exploitable URI (Uniform Resource Identifiers)
handlers aim, ymsgr example: aim://addbuddy?mybuddy attacks
buffer overflow scripting attacks
Deceitful hyperlinks
Existing IM Security Mechanisms(1)
Built-in methods launch anti-virus explicit consent for add contact, file
transfer, presence info (not cryptographically protected)
new version and critical updates notification prevents automated account creation word filtering password-protected settings etc.
Existing IM Security Mechanisms(2) Third-party security solutions
AIM can make use of Class 2 digital certificates
IMSecure Trillian
Why don't we use email security solutions for IM? Proprietary protocols P2P connections
Shortcomings of Current Solutions
Anti-virus can check only limited file types URL exploitations Cost and maintenance burden of digital
certificates SSL-based (corporate IM) solutions:
resource hungry visible messages to server limited threat model (end-points are trusted)
Weaknesses of IMSecure Model
IM Client IMSecureUnprotected Messages
Malicious Program
Read/M
odify
Messa
ges
Encrypted Messages
User System
IM Server/Others
Concluding Remarks IM security is important Current methods are insufficient Can we use existing protocols to
secure IM? User interface issues Ongoing work in IETF (see also
paper)
Thanks.
Paper: http://www.scs.carleton.ca/~mmannan/publications/pst04.pdf
Presentation: http://www.scs.carleton.ca/~mmannan/publications/pst04.ppt
Web References Symantec: IM Worms Could Spread In Seconds, June
2004, http://www.techweb.com/wire/story/TWB20040618S0007 Look out spam, here comes spim, Mar. 2004,
http://www.theregister.co.uk/2004/03/31/look_out_spam_here_comes
Microsoft warns of JPEG threat, Sep. 2004 http://www.macworld.co.uk/news/index.cfm?NewsID=9635&Page=1&pagePos=2
National Cyber Security Alliance Perception Poll Release
http://www.staysafeonline.info/news/NCSAPerceptionPollRelease.pdf
Related Work Much work on feature
enhancement, analysis Secure Instant Messaging Protocol
Preserving Confidentiality against Administrator, Kikuchi et al., March, 2004.
Threats to Instant Messaging, Symantec Security Response, 2003.