Instant messaging applications make it easy to chat in real time with friends and coworkers, or even to meet new people online. Without proper protection, however, IM users make tempting targets for hackers intent on stealing personal information or corrupting PCs for evil purposes.
Security experts say the potential threat is real and growing every day with the skyrocketing use of IM programs from America Online, Microsoft, and Yahoo. As of April, those vendors served a combined total of more than 111 million unique home users in the United States, says Jupiter Media Metrix. That's up from a combined total of 98.6 million unique U.S. users last October.
Gartner Group estimated global users at 200 million last summer, and IDC projects that corporate users--who are increasingly finding IM programs useful at work--will jump to 300 million by 2005.
New Features, New Threats
As these programs sprout complicated new features, such as voice and video chat, the potential threat intensifies.
"IM software, like all software, has bugs and has potential vulnerabilities," says Carey Nachenberg, chief architect for the security response team at Symantec. The antivirus software vendor has expanded its software and services to monitor viruses that target messaging.
"These IM clients are active communicators on the Internet, connected constantly to servers. A properly crafted worm could literally hit millions or tens of millions of IM clients very quickly," Nachenberg says. Recently, an IM-borne worm surfaced that referred recipients to a particular Web site, although it was apparently not malicious.
A coordinated attack utilizing Internet-enabled devices with IM could be devastating, Nachenberg says.
"If you believe the estimates, we are going to have hundreds of millions of IM-enabled machines--cell phones, computers, whatever--within two to three years," he says. "Think about the implications of a Code Red or Nimda-style worm; not just ravaging a couple hundred thousand servers, but tens or hundreds of millions of machines." In fact, IM services are already appearing on cell phones.
In the early days of instant messaging, when only ASCII text moved back and forth between PC-based chatterers, the threat was minimal. Of course, there was a chance even then that confidential information or business secrets might slip out in casual online conversations.
But the current versions of these programs allow file sharing, and that's where attackers have taken aim.
"Now, you get users exchanging executable programs, and what if there is a virus in there?" asks Ted Doty, director of product management at OKENA, an online security development company. "If I'm a corporation and somebody e-mails me a virus, I have an e-mail virus scan on my system, but by the time it comes down to a laptop or desktop, well, you have to depend on individual users to keep the antivirus software up to date."
That's not a bullet-proof assumption to make, according to the experts. As more complicated features come to IM programs, hackers will look for new vulnerabilities to exploit.
No specialized IM security software exists now. However, accepted security measures--such as a personal firewall, antivirus software, and content filtering software--work pretty well for messaging, too. Security experts further recommend keeping a healthy skepticism about accepting anything online from strangers.
But many of the same people who would never download a file from an unknown e-mail address may let their guard down when chatting via IM. The casual online exchange is often regarded as more of a social interaction than as any kind of threat.
"It may be a lot like kicking back in your living room and relaxing, but you have to realize it is not your living room. You are being exposed to the entire Internet," warns Sam Curry, security architect for McAfee.com. "Be aware that anyone can walk into your living room and take advantage of you."
Common Sense Advised
"I think the number one thing to tell users is to be practical. Make sure you are safe from obvious threats by using a personal firewall and antivirus protection," Curry says. "Remember, your exposure to hacking and virus threats online is connected to what you do online. If you do more than just e-mail and browse, then your risk intensifies."
Curry adds that the best antivirus software in the world won't help PC users unless they keep it updated to detect ever-evolving threats.
"It is a cold war of sorts. We are providing the right tools, but it is an escalation," Curry says. "The bad guys come out with a new trick and we come out with a new defense."