Secure Public Instant Messaging (IM): A Survey Mohammad Mannan Paul C. Van Oorschot Digital Security Group School of Computer Science Carleton University,


1 Secure Public Instant Messaging (IM): A Survey Mohammad Mannan Paul C. Van Oorschot Digital Security Group School of Computer Science Carleton University, Ottawa, Canada

2 What’s This Talk About? Do we need secure IM? Do the current methods provide enough security for IM?

3 Organization: Scope and background; What’s at stake?; Reasons why IM is insecure; Existing IM security mechanisms; Shortcomings; Concluding remarks.

4 Scope: PC-to-PC (one-to-one) text messaging. Popular public and business IM: AOL, Yahoo!, and MSN Messenger, ICQ; Yahoo! Business Messenger, Reuters Messaging; third-party clients (Trillian, IMSecure). Out of scope: Short Messaging System (SMS); Internet Relay Chat (IRC); chat room/group chat.

5 Background: IM is mainly used for exchanging text messages and tracking availability of a list of users. Recent statistics: Pew report 2004: 42% Internet users use IM in the U.S.; growth rate of IM population: 29% (since 2000); 70% Internet users report using email more than IM. Ferris Report (business IM users): 10 million in 2002; 182 million in 2007.

6 IM Communications Model: Client-server: presence, contact list and availability management, message relay between users. Client-client: audio/video chat, file transfer. Authentication: password-based, sometimes use SSL (Secure Socket Layer). [Diagram labels: IM Server; Client 1; Client 2]

7 What’s at Stake? Conversations (privacy and information leakage). Propagation vector for Internet worms, viruses and Trojans. SPIM (IM spam): unsolicited commercial IMs. Radicati Group projections: 1.2 billion SPIMs in 2004 (5% of total IMs); 400 million in 2003; 34.8 billion spam email messages in 2004. Compromised systems.

8 Reasons why IM is insecure: “Insecure” connection: impersonation, replay. Sharing IM features with other applications. Exploitable URI (Uniform Resource Identifier) handlers: aim, ymsgr; example: aim://addbuddy?mybuddy; attacks: buffer overflow, scripting attacks. Deceitful hyperlinks.
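The URI-handler risk on slide 8, seen from the receiving side: an added example (not from the presentation or any IM client) of a gate that a handler registration could run before passing an `aim:` or `ymsgr:` URI to the client. The function name `vet_im_uri`, the length limits, the permitted character set and the single allowed action are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit, unquote
import string

ALLOWED_SCHEMES = {"aim", "ymsgr"}   # the two handlers named on the slide
ALLOWED_ACTIONS = {"addbuddy"}       # only action shown on the slide; anything else is refused
MAX_URI_LEN = 256                    # assumed bound, keeps oversized input away from native code
MAX_ARG_LEN = 32                     # assumed bound for a screen name
SAFE_ARG_CHARS = set(string.ascii_letters + string.digits + "_.-@")  # assumed character set


def vet_im_uri(uri):
    """Return (allowed, reason) for a URI handed over by a browser or mail client."""
    # Length is checked on the raw string, before any parsing or decoding.
    if len(uri) > MAX_URI_LEN:
        return False, "uri too long"
    try:
        parts = urlsplit(uri)
    except ValueError:
        return False, "unparseable uri"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # "aim://addbuddy?x" puts the action in netloc, "aim:addbuddy?x" in path.
    action = (parts.netloc or parts.path).strip("/").lower()
    if action not in ALLOWED_ACTIONS:
        return False, "action not allowed"
    # Decode exactly once; '%' is not a safe character, so double encoding fails below.
    arg = unquote(parts.query)
    if not arg or len(arg) > MAX_ARG_LEN:
        return False, "argument length out of range"
    if not set(arg) <= SAFE_ARG_CHARS:
        return False, "argument has unexpected characters"
    # Passing the gate does not perform the action: the user still confirms it.
    return True, "confirm with user: %s %s" % (action, arg)


if __name__ == "__main__":
    # Constructed sample inputs; only the first one appears on the slide.
    samples = [
        "aim://addbuddy?mybuddy",
        "aim://addbuddy?" + "A" * 5000,
        "aim://addbuddy?%3Cscript%3Ealert(1)%3C/script%3E",
        "ymsgr://sendfile?report.exe",
    ]
    for s in samples:
        print(s[:48], "->", vet_im_uri(s))
```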

9 Existing IM Security Mechanisms (1): Built-in methods: launch anti-virus; explicit consent for add contact, file transfer, presence info (not cryptographically protected); new version and critical updates notification; prevents automated account creation; word filtering; password-protected settings; etc.

10 Existing IM Security Mechanisms (2): Third-party security solutions: AIM can make use of Class 2 digital certificates; IMSecure; Trillian. Why don't we use email security solutions for IM? Proprietary protocols; P2P connections.

11 Shortcomings of Current Solutions: Anti-virus can check only limited file types. URL exploitations. Cost and maintenance burden of digital certificates. SSL-based (corporate IM) solutions: resource hungry; visible messages to server; limited threat model (end-points are trusted).

12 Weaknesses of IMSecure Model [Diagram labels: IM Client; IMSecure; Unprotected Messages; Malicious Program; Read/Modify Messages; Encrypted Messages; User System; IM Server/Others]

13 Concluding Remarks: IM security is important. Current methods are insufficient. Can we use existing protocols to secure IM? User interface issues. Ongoing work in IETF (see also paper).

14 Thanks. Paper: http://www.scs.carleton.ca/~mmannan/publications/pst04.pdf Presentation: http://www.scs.carleton.ca/~mmannan/publications/pst04.ppt

15 Web References: Symantec: IM Worms Could Spread In Seconds, June 2004, http://www.techweb.com/wire/story/TWB20040618S0007. Look out spam, here comes spim, Mar. 2004, http://www.theregister.co.uk/2004/03/31/look_out_spam_here_comes. Microsoft warns of JPEG threat, Sep. 2004, http://www.macworld.co.uk/news/index.cfm?NewsID=9635&Page=1&pagePos=2. National Cyber Security Alliance Perception Poll Release, http://www.staysafeonline.info/news/NCSAPerceptionPollRelease.pdf

16 Related Work: Much work on feature enhancement, analysis. Secure Instant Messaging Protocol Preserving Confidentiality against Administrator, Kikuchi et al., March, 2004. Threats to Instant Messaging, Symantec Security Response, 2003.

