E-CommerceALERT.com is part of the Bennett Gold LLP web site network.

Research and retrieval of news articles by:
Bennett Gold LLP, Chartered Professional Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering notable e-commerce news articles from the period 1999 to 2012.


INSTANT MESSAGING AND CHAT USERS ARE SUCKERS FOR HACKERS

Source: Security Wire Digest

Posted on March 25, 2002

      Just when corporate security officers finally started getting users to leave e-mail attachments unopened, those same users have found a new way for others to compromise systems.

      Carnegie Mellon's Computer Emergency Response Team (CERT) Coordination Center is reporting that hackers are using Instant Messaging (IM) and Internet Relay Chat (IRC) messages to dupe users into visiting dangerous Web sites and downloading malware that can enable distributed denial-of-service attacks. This social engineering scheme bypasses e-mail defenses and introduces vulnerabilities into corporate systems.

      In a typical scenario, an unsuspecting user receives a message that either entices them (with promised software, pornography or other items) or frightens them (with virus horror stories or threats) into downloading dangerous software. Alternatively, the Web site itself may commandeer the user's machine or data. The same message may be sent to thousands of users by automated software that takes advantage of IM or IRC.

      "People don't have e-smarts," observes Ira Winkler, a CISSP and chief security strategist for Hewlett-Packard Consulting. "They wouldn't follow a stranger down a dark alley, but they do believe what anonymous hackers say."

      Winkler relates a case where a message informed a user that the hacker had obtained files from the user's machine. The frightened user visited a Web site as directed, where another attack actually did read the hard drive of the machine, exposing sensitive information.

      The problem is complicated because many corporations use Instant Messaging extensively for legitimate internal communications.

      Winkler suggests several steps for corporate security officers to take. "They should have policies for IM and IRC, just as they do for e-mail," he advises. "Users should be made aware of this kind of deception, and urged to take common sense precautions."

      In addition, it may be necessary to restrict or forbid IM or IRC use in an organization. Technology solutions, such as personal firewalls, may also save users from unwittingly creating security vulnerabilities.





E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Professional Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.

