For the PC user: Security & Encryption

For the PC user: Security and Encryption
by RedSensiStar

Today you need to protect yourself against a plethora of malicious hackers, spy ware, viruses, and even the government. It is my hope that you will be able to walk away after reading this and be able to protect yourself in a variety of new ways. Right now I'll be talking about instant-messaging but my goal is to update this with additional security measures you may take. Please add any additional information that may help others.

Instant-Messaging security issues

Using regular AIM/MSN/ Instant-messaging clients does not protect you against hackers who would love to know what you're talking about. All of these clients (as of 11 March 2007) have several known exploits for IP harvesting, viruses over a direct connection, and no encryption protection (not exactly true but will be explained later). I will explain some basic flaws about these clients and then give an alternative.

AIM direct-connection happens at port 5190 and has many security issues. AIM is especially vulnerable to attack because of social engineering: a method where someone might befriend you for a long time and then have you click a link inside the message. This may do a number of things: determine IP address or launch attacks through the internet browser. Whatever you type into AIM/AOL and hit that enter key -- all the data goes into the AOL server(s) before going to the recepiant. Whatever you say can be held against you as stated in their Terms of Service:

"In addition, by posting Content on an AIM Product, you grant AOL, its parent, affiliates, subsidiaries, assigns, agents and licensees the irrevocable, perpetual, worldwide right to reproduce, display, perform, distribute, adapt and promote this Content in any medium. You waive any right to privacy."

http://www.aim.com/tos/tos.adp

In short AIM/AOL does nothing to protect your privacy. AIM security certificates (and AIM Pro/Encrypt) are fundamentally flawed. Read more about this from a technical perspective here:

http://www.nabber.org/projects/aimsecurity/main.dvi.pdf

Some of MSN's protocols are not exactly public but it doesn't take too long to figure out with a packet sniffer. Live data can be read over FDDI, PPP, IEEE 802.11, etc. MSN tried hash functions to keep the protocols secret but the algorithms have been reverse-engineered. MSN's major issue is that the user-ID is the email account itself. Anyone who wants to can sign your account for junk mail. Of course you could make a fake email account and use it only for the MSN user-ID login. MSN requires IE -- which poses a problem for those who have removed IE for their own personal reasons. A large number of worms can infect MSN, the user can have their IP exposed with the right software, and MSN does nothing to protect your privacy against investigation.

http://messenger.msn.com/Help/Terms.aspx?mkt=en-us

What can you do to protect your instant messaging?

The most secure instant-messaging client I have tried is GAIM. It is a multi-protocol instant messaging client for many OS's: Linux, Windows, and MacOSX. One of the most important aspects to remember about this software is that it is open source. Nobody is left to guess what is actually contained in the source code. You can download GAIM (free) from:

http://gaim.sourceforge.net

Once you download and install GAIM you will need to download 2 additional things for encryption/authentication:

For RSA-encryption: http://gaim-encryption.sourceforge.net/
For "Off-The-Record" encryption and authentication: http://www.cypherpunks.ca/otr/

These two plugins provide the following for you and person B:

Encryption - No one else can read your instant messages.
Authentication - You are assured the correspondent is who you think it is.
Secrecy - If you lose control of your private keys, no previous conversation is compromised.

IMPORTANT NOTE: The encryption and authentication process only can happen if you and everyone you talk to has the same setup. This obviously means your friend will need to have installed these security plugins as well in addition to GAIM.

For anonymity I recommend also routing your Gaim traffic through Tor.

Preferences -> Network -> Proxy Type -> Socks5

Host: localhost: 127.0.0.1
Port: 9050

 

Is anyone interested in me updating this with other stuff? Anyone try GAIM yet?

 

I'm surprised you don't have something like TrueCrypt for local security. I'll test the Gaim plugins one of these days, only problem is that all my contacts either don't use Gaim, or would think I'm paranoid for using it. Did you ever get your email sending through Tor?

 

well i used YM and sometimes AIM... IMO, as long as i have a good updated antivir like kaspersky and a solid firewall, i'll be safe...

nice read though...

 

You don't seem to understand. This isn't about protecting against viruses. It's for protection against snooping. You should always treat all email and instant messages like you would a postcard, doubly so at work. Remember, unless you encrypt it, anyone can read it.

 

i understand him completely... if its not about viruses, spyware etc , then why did he write this: "Today you need to protect yourself against a plethora of malicious hackers, spy ware, viruses, and even the government. It is my hope that you will be able to walk away after reading this and be able to protect yourself in a variety of new ways. Right now I'll be talking about instant-messaging but my goal is to update this with additional security measures you may take. Please add any additional information that may help others."

 

IMHO, the biggest security issue, which most people seem to want to ignore, is wireless networking, especially at public hotspots. Check out this San Francisco Chronicle Article on how secure wireless was at the RSA Conference.

Security is such a big issue (privacy, safe surfing, common sense, viruses, trojans, shadow networks) that it can seem overwhelming. The easiest one to keep in mind is common sense: don't chat with someone you don't know, don't accept files from someone you don't know (and scan them for viruses), don't open email from someone you don't know, don't do banking or other activities that involve private data over a wireless network, don't email or IM your personal data to anyone, etc.

 

ok if somebody really interested about encryption here's how to do it in YM.

http://www.codeproject.com/csharp/imencryptor.asp

 

i completely agree!!!

 

Helpful guide RedSensiStar!

 

Interesting guide RedSensiStar. I've been using GAIM for at least five years now, although I have never used the plugins you stated.

 

Yeah my next updates will be about data encryption techniques.