Read this whole guide offline with no ads, for a low price!
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Test yourself better with 300 extra Security+ questions!
Get It Here!

Custom Search

Table Of Contents  CertiGuide to Security+
 9  Chapter 2:  Communication Security (Domain 2.0; 20%)
      9  2.3  The Web
           9  2.3.3  Instant Messaging
                9  Vulnerabilities

Previous Topic/Section  Vulnerabilities
Previous Page
Pages in Current Topic/Section
Next Page
Malicious Code
Next Topic/Section

IM Message Privacy

Most IM systems do not natively support encryption, possibly leading to confidential information being transmitted via IM and then sniffed by an attacker. A recent Gartner Group survey200 states that 58% of corporate security managers feel that their #1 threat is employees’ careless use of personal communications, such as Instant Messaging.

  • To protect yourself before encrypted IM becomes a reality:

  • Use an antivirus scanner

  • Deploy a current IM client

  • Do not automagically accept default directories when you install your client

  • Hide your personal identifying information

IM Security

A major security issue with Instant Messaging in a corporate environment is that it can be used to disclose confidential information, either through the in-house user directly sending to another IM user across the Internet, or through someone “sniffing” the in-house network to mine unencrypted instant message communication between employees.

[spacer]Secure IM

Until recently and much to the disappointment of fellow geeks, Tcat didn’t Do IM. The reason is the preceding Success Tip. And in 2004 that changed. AOL has broken its previous promise to support SIMPLE (Session Initiation Protocol for Instant and Presence Leveraging Extensions.) However Yahoo in the 1st quarter of 2003 is set to release an IM that will offer encryption based on SSL, authentication and name/space control through corporate directories, and integration with auditing and protection tools. Similarly, Microsoft plans to offer a secure IM offering for business next year, as part of Windows .Net Server. Available today are multiple secure IM packages for internal corporate use (which lack interoperability with standards like AIM/ICQ), the Magi Secure IM proxy system which proxies AIM and MSN Messenger between corporate Internet gateways using PKI for authentication and SSL for confidentiality
201, and the Trillian IM client which can send encrypted messages via AIM and ICQ. The issue Tcat has had with all this is “forcing” another person to purchase a IM security program.

Given this, along with the current state of speech to text and enough wireless hot spots, 2004 became the year I feel the technology will be advanced enough to use IM without losing sleep over security. I found a low cost program for myself that has a free version for someone using a single IM service





Previous Topic/Section  Vulnerabilities
Previous Page
Pages in Current Topic/Section
Next Page
Malicious Code
Next Topic/Section

If you find useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $

Home - Table Of Contents - Contact Us

CertiGuide for Security+ ( on
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al. Version Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.