People sometimes ask me for my business IM address. Well, I do not have one, because I do not use IM for business transactions. However, if you do, please make sure that you are aware of the risks involved. Here are the main reasons why, in my opinion, IM does not mix well with business that involves confidential information.
IM connections usually take place in plain text. This means that anyone and anything with access to the medium over which your unencrypted IM session travels (the Ethernet cable, the wireless link, the routers along the path) can read, and also alter, what you and the other party write. The eavesdropper could be a nosy user or administrator on your network, on the recipient's network or anywhere in between; espionage organizations are known to wiretap Internet traffic en masse. A VPN, a WPA-protected wireless network or another kind of encrypted network protects your traffic on that network only: once it leaves the VPN endpoint or the access point it is plain text again for everyone further along the path, the IM provider included.
Admittedly, the same issue applies to plain-text email, but for email, encryption tools are at least widely available and in use. Another difference is that there is no central email server for the entire world, whereas IM conversations are typically routed through the IM provider, such as MSN, even if you and the person you are writing to sit in the same building. To read your entire email traffic, an eavesdropper would need access to a network close to you or to your mail provider. In the case of IM, access to a network close to a central server (or to such a server itself) gives access to all your IM sessions, and to those of everyone else using that provider.
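To make the eavesdropping concrete, here is an added example (mine, not part of the original post) of what a user or administrator on any network segment the session crosses can do with one captured frame: parse the Ethernet, IPv4 and TCP headers, read the chat line, and rewrite it while recomputing the TCP checksum so the recipient's stack accepts the forged segment without complaint. The frame, MAC and IP addresses, client port and message are all constructed here; 1863 is the port MSN Messenger's protocol used. Sequence numbers are left untouched, which is why only same-length replacement is shown.

```python
import struct

# Added example: an on-path observer reading and rewriting an unencrypted IM
# message. Everything below (addresses, ports, message) is constructed sample data.


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit big-endian words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum covers a pseudo-header (addresses, protocol 6, length) plus the segment."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame carrying `payload` (a PSH/ACK data segment)."""
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    # TCP header: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(src, dst, tcp)) + tcp[18:]
    # IPv4 header: version 4 / IHL 5, TOS, total length, id, flags+frag, TTL 64, proto TCP, checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ones_complement_sum(ip)) + ip[12:]
    # Ethernet header: constructed MAC addresses, EtherType 0x0800 (IPv4)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def extract_tcp_payload(frame: bytes):
    """Walk Ethernet -> IPv4 -> TCP and return (src, dst, sport, dport, payload), or None."""
    if frame[12:14] != b"\x08\x00":
        return None  # not IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != 6:
        return None  # not TCP
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, sport, dport, tcp[data_offset:]


def tcp_checksum_ok(frame: bytes) -> bool:
    """A correct TCP checksum makes the whole segment (with pseudo-header) sum to zero."""
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    return tcp_checksum(ip[12:16], ip[16:20], ip[ihl:total_len]) == 0


def tamper(frame: bytes, old: bytes, new: bytes) -> bytes:
    """Replace `old` with `new` (same length) in the TCP payload and fix the TCP checksum."""
    if len(old) != len(new):
        raise ValueError("same-length replacement only; sequence numbers are not renumbered")
    ihl = (frame[14] & 0x0F) * 4
    tcp_off = 14 + ihl
    src, dst = frame[26:30], frame[30:34]  # IPv4 source/destination sit at fixed offsets
    tcp = bytearray(frame[tcp_off:])
    data_offset = (tcp[12] >> 4) * 4
    tcp[data_offset:] = bytes(tcp[data_offset:]).replace(old, new, 1)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(tcp)))
    return frame[:tcp_off] + bytes(tcp)


# Constructed sample: one chat line on the wire, as a user on the same LAN would capture it.
SAMPLE_MESSAGE = b"alice: the merger closes Friday, keep it quiet\r\n"
SAMPLE_FRAME = build_frame("192.0.2.10", "198.51.100.5", 40123, 1863, SAMPLE_MESSAGE)

if __name__ == "__main__":
    src, dst, sport, dport, data = extract_tcp_payload(SAMPLE_FRAME)
    print(f"{src}:{sport} -> {dst}:{dport}: {data!r}")
    forged = tamper(SAMPLE_FRAME, b"Friday", b"Monday")
    print("after tampering:", extract_tcp_payload(forged)[4], "checksum ok:", tcp_checksum_ok(forged))
```

The same parse works on frames pulled out of a pcap with any capture library. Note that TCP's checksum is an error-detection code, not an integrity check: whoever can rewrite the bytes can recompute it, which is exactly what an authenticated, encrypted transport (TLS to the server, or end-to-end encryption such as OTR on top of the IM protocol) is there to prevent.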
Another issue is that IM software often needs to open UDP ports for listening, typically for file transfer or voice features, whereas your mail client only makes outgoing connections, and only to your provider's servers. It may be easy for you to adjust your firewall, but before you do, ask yourself why you installed it in the first place. Configuring a firewall to give the world at large free rein over a range of your UDP ports can be compared to locking almost all office entrances for the weekend: one opening may be all an intruder needs.
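The difference between "allow replies to what I sent" and "open a range to the world" is easy to see in code. The following is an added example (mine, not from the original post): a minimal stateful packet filter with the logic behind the default-deny, allow-established policy of most host firewalls, run over constructed packets, plus the equivalent iptables commands. The port range 40000-40009 is an assumption standing in for whatever range an IM client asks you to open, not a real product's port list.

```python
from dataclasses import dataclass

# Added example: a toy stateful packet filter. Packets, addresses and the
# "IM" port range are constructed sample data, not taken from any real client.


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (arriving at this host) or "out" (sent by this host)
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP only: a bare SYN, i.e. a new connection attempt


class StatefulFilter:
    """Default-deny inbound. Outbound traffic is always allowed and recorded so that
    replies to it are let back in; anything else inbound needs an explicit hole."""

    def __init__(self, open_udp_ports=(), open_tcp_ports=()):
        self.open_udp = set(open_udp_ports)
        self.open_tcp = set(open_tcp_ports)
        self.flows = set()  # (proto, peer, peer port, me, my port) of conversations we started

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            # remember what a reply from the peer will look like
            self.flows.add((p.proto, p.dst, p.dport, p.src, p.sport))
            return "ACCEPT"
        if (p.proto, p.src, p.sport, p.dst, p.dport) in self.flows:
            return "ACCEPT"  # reply to something we started (ESTABLISHED)
        if p.proto == "udp" and p.dport in self.open_udp:
            return "ACCEPT"  # the hole punched for the IM client
        if p.proto == "tcp" and p.syn and p.dport in self.open_tcp:
            return "ACCEPT"
        return "DROP"        # unsolicited SYN or datagram


def run(policy: StatefulFilter, packets) -> list:
    return [policy.decide(p) for p in packets]


def iptables_rules(open_udp_ports=None) -> list:
    """The same policy as iptables commands; the last line is the hole and is
    only emitted when a range is given."""
    rules = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    if open_udp_ports:
        lo, hi = min(open_udp_ports), max(open_udp_ports)
        rules.append(f"iptables -A INPUT -p udp --dport {lo}:{hi} -j ACCEPT")
    return rules


# Constructed traffic: a datagram we send to the IM provider, its reply, a stranger's
# unsolicited datagram into the opened range, and a stranger's SYN to a file-sharing port.
ME, PROVIDER, STRANGER = "192.0.2.10", "198.51.100.5", "203.0.113.7"
TRAFFIC = [
    Packet("out", "udp", ME, 40003, PROVIDER, 5000),
    Packet("in", "udp", PROVIDER, 5000, ME, 40003),
    Packet("in", "udp", STRANGER, 53000, ME, 40005),
    Packet("in", "tcp", STRANGER, 53001, ME, 445, syn=True),
]


def compare() -> dict:
    """Decisions of the 'the IM client told me to open the range' policy vs. a strict one."""
    return {
        "holed": run(StatefulFilter(open_udp_ports=range(40000, 40010)), TRAFFIC),
        "strict": run(StatefulFilter(), TRAFFIC),
    }


if __name__ == "__main__":
    for name, decisions in compare().items():
        print(name, decisions)
    print("\n".join(iptables_rules()))
```

Both policies let the provider's reply in because the host started that exchange; only the holed one also accepts the stranger's datagram, and it accepts it from any source address, which is the "one opening" the paragraph above warns about. The iptables lines are the usual shape of this policy on Linux; the conntrack rule is what makes replies to outbound traffic work without any inbound port being opened.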
Of course, if you have configured your software in a reasonable manner, an attacker would have to exploit a vulnerability on your system rather than just waltz in. Finding and abusing one may not be very hard, though. After all, every vulnerability for which a software house has released a security patch existed before that patch was available, and security updates are regularly released for software that has been in use, vulnerability and all, for several years. For those whose applications are being exploited now, a patch in a year or two will be cold comfort.
Malicious software can run very quietly; so-called rootkits go further and try to conceal their presence from the operating system's own tools. Because of this, you cannot rely on noticing a break-in should one happen.
In short, my advice to PC users at work is to avoid plain-text protocols for non-public information and to keep unsolicited inbound traffic, incoming TCP SYNs and UDP datagrams alike, firewalled. In a corporate environment, the ICT department is likely to handle this, but if you run a small business, the onus is probably yours personally.
What do you think? Please post your comments!