Public IM Perils, Part 1: Social Engineering
Monday, October 29th, 2007

I’d like to introduce you to our ongoing series of blog posts about using public instant messaging applications in your business. First, let me make clear what I mean when I talk about public IM applications. These are free applications designed for consumers to use on their home computers for quick communication with friends and family. When your kids aren’t texting each other on their phones, they’re using these to communicate. We’re talking about AOL Instant Messenger (AIM), Yahoo! Messenger, Google Chat and the like. Now, given that we sell a secure business instant messenger and we’re calling this “Public IM Perils”, we obviously already have an opinion on this issue. However, we’re not here to throw out a lot of FUD; instead we’d like to give you some things to think about when choosing what’s right for your business (and sometimes that is public IM).
What is social engineering?
Sarah Granger’s article on the subject, Social Engineering Fundamentals, Part 1: Hacker Tactics at Security Focus defines it like so:
…social engineering is generally a hacker’s clever manipulation of the natural human tendency to trust. The hacker’s goal is to obtain information that will allow him/her to gain unauthorized access to a valued system and the information that resides on that system.
So social engineering is not about engineering at all; it’s a good old-fashioned con. Hackers convince people to do something that’s a bad idea for plausible-sounding reasons. It’s no different from con artists who get Grandma to pay for a driveway repaving that never happens. It just so happens that social engineering usually involves some kind of technology.
So what does this have to do with Public IM?
One of the first things a social engineer needs to work his magic is access to someone on the inside. Public IM is all about access. With public IM your users can be talking to anyone at any time about anything. As a business owner or IT department you don’t control who’s allowed on the system and you don’t control your users’ contact lists. Even if your users aren’t actively engaging in talking to nefarious outsiders (of course they aren’t!), it’s relatively easy for these outsiders to look up your users in public directories and contact them. In fact, this is how many of the so-called IM viruses actually work. PC World discusses these types of viruses here. A man even lost his job due to one.
What are the risks?
There are two major risks with these types of social engineering attacks: loss of information and actual damage to your internal IT systems. When a social engineering hacker, or a virus written by one, targets a user, that user may inadvertently give up all sorts of proprietary information that your company doesn’t want released. Not only do most public IM apps permit the transfer of information in the form of messages, they permit file transfers as well. So you’re not just at risk of an employee saying something you’d rather not be said; that employee could send documents to outsiders as well. As for your IT systems, public IM provides yet another “attack vector”, just like email. A message with the appropriate wording could convince a user to click on a link which executes a malicious file or takes the user to a dangerous website.
Mitigating the risks
One of the draws of public IM is its openness. It makes it very easy to communicate with people outside your organization. The big caveat is it leaves your users and your company open to social engineering attacks from people who exploit this openness. To combat this, we’d suggest using a secure, internal IM system like Effusia Business Messenger (but you knew we’d say that). If you don’t choose to do that, make sure you’ve educated your users about the risks. Make sure they know the following:
- Don’t click on links sent by unknown people
- Don’t open or download files sent from unknown people
- Don’t send files or privileged information to other users via public IM systems
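Those three rules can also be checked mechanically. The script below is an added example, not code from the original post and not part of Effusia Business Messenger: it applies the rules to a constructed log of IM events (the log format, the contact names, the allowlist of vetted contacts and the list of sensitive keywords are all assumptions made up for the illustration) and reports which user broke which rule with which outside contact.

```python
"""Added example (not from the original post or from Effusia): apply the
three public-IM rules above to a constructed log of IM events."""
import re
from dataclasses import dataclass

# Assumed (hypothetical) log format, one event per line:
#   <direction> <local_user> <remote_contact> <kind> <payload>
# direction is "in" or "out"; kind is "msg" (chat text) or "file"
# (file transfer); payload is the message text or the file name.
# Every line below is constructed sample data.
SAMPLE_LOG = """\
in alice bob@corp.example msg See you at the 3pm meeting
in alice promo_winner msg Congratulations! Claim your prize at http://prize.example/claim.exe
in bob unknown_user file quarterly_bonus.xls.exe
out carol bob@corp.example file roadmap.docx
out carol helpful_stranger file customer_list.xlsx
out dave helpful_stranger msg our vpn password is swordfish
"""

# Constructed allowlist: contacts the business has vetted (colleagues).
KNOWN_CONTACTS = {"bob@corp.example", "alice@corp.example"}

# Constructed list of words that mark a message as privileged information.
SENSITIVE_WORDS = ("password", "confidential", "payroll")

URL_RE = re.compile(r"(https?://|www\.)\S+", re.IGNORECASE)


@dataclass
class Event:
    direction: str
    user: str
    contact: str
    kind: str
    payload: str


def parse_log(text):
    """Turn the assumed log format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, user, contact, kind, payload = line.split(" ", 4)
        events.append(Event(direction, user, contact, kind, payload))
    return events


def check_event(ev, known=KNOWN_CONTACTS):
    """Return the name of the rule an event breaks, or None if it is fine."""
    stranger = ev.contact not in known
    if not stranger:
        return None  # traffic with vetted contacts is out of scope
    if ev.direction == "in" and ev.kind == "msg" and URL_RE.search(ev.payload):
        return "link-from-unknown"          # rule 1
    if ev.direction == "in" and ev.kind == "file":
        return "file-from-unknown"          # rule 2
    if ev.direction == "out" and ev.kind == "file":
        return "file-to-unknown"            # rule 3 (files)
    if ev.direction == "out" and ev.kind == "msg":
        lowered = ev.payload.lower()
        if any(word in lowered for word in SENSITIVE_WORDS):
            return "sensitive-text-to-unknown"  # rule 3 (privileged info)
    return None


def audit(text, known=KNOWN_CONTACTS):
    """Map each violated rule to the (user, contact) pairs that triggered it."""
    findings = {}
    for ev in parse_log(text):
        rule = check_event(ev, known)
        if rule:
            findings.setdefault(rule, []).append((ev.user, ev.contact))
    return findings


if __name__ == "__main__":
    for rule, hits in audit(SAMPLE_LOG).items():
        print(rule, hits)
```

The check is deliberately allowlist-based: anything from or to a contact the business has not vetted is treated as coming from a stranger, which is the same posture as the “Don’t talk to strangers” advice below. Keyword matching on outbound text is a coarse stand-in for real data-loss detection and will miss anything not in the word list.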
Bottom line, if you’re using public IM in your business, your users should follow that timeworn motherly advice: “Don’t talk to strangers”.