Instant Messaging, chat rooms make users, computers vulnerable to attack

CAMP FOSTER, Okinawa (April 10, 2009) -- Although instant messaging, chat rooms, and other real-time communication offer a convenient way to communicate, there are dangers users should be aware of.

It is often difficult to identify whether the "person" on the other end of a real-time communication is human or an automated computer program designed to collect personal information for identity theft or exploit a user for money. However, humans themselves also present a risk.

When in a chat room or instant messaging, people may lie about their identity, accounts may be compromised, users may forget to log out, or account information may be shared by multiple parties.

These factors make it difficult for real-time communication users to know when it is safe to communicate over the internet.

Users are especially susceptible to certain types of attacks such as being convinced to run a program or click on unknown links. In a setting where a user feels comfortable with the "person" he or she is talking to, an attacker has a better chance of convincing them to fall into the trap.

In addition, online conversations are easily archived on most free commercial sites, which the user has no control over.

Real-time communication users also don't know if there's someone looking over the shoulder of the person they're talking to, or if an attacker might be "sniffing" their conversation. This method is used by anonymous third parties who observe conversations while in public chat rooms.

Another often overlooked vulnerability of a user's computer is the default security settings. Computer users often leave unchanged the stock settings, which tend to be relatively permissive. This makes their computer more open and "usable," and leaves it more susceptible to malicious attack.

Despite the vulnerabilities of operating real-time communication programs, users can still protect themselves by following a few guidelines:
Evaluate security settings - Check the default security settings and adjust them if they are too permissive. Make sure to disable automatic downloads. Some chat software offers the ability to limit interactions to only certain users.
Be conscious of what information is being revealed - A user should be wary of revealing personal information unless the intended recipient can be authenticated. Users should also be careful about discussing sensitive business information over public instant message or chat services.
Verify the identity of intended recipients - In some forums and situations, the identity of the "person" a user might be talking to may not matter. However, if a degree of trust is needed in that person, a user should make sure the "person" they are talking to is authentic.
Don't believe everything you read - The information or advice a user might receive while using real-time communications may be false, or worse, malicious. Verify the information or instructions from outside sources before taking action.
Keep software up to date - This includes the chat software, browser software, operating system, and especially anti-virus software.

The information for this article is provided by the U.S. Computer Emergency Readiness Team, a branch of the U.S. Department of Homeland Security. For more information on computer safety, log onto http://www.us-cert.gov.

Ellie