Can you get hacked through instant messaging?

Yesterday, my boss looked over my shoulder and saw that I was chatting with a coworker in another building about a situation that had just happened and that I would soon deal with. I also had an IM screen open with another coworker in another room, and had asked her some questions about a travel claim I was doing.

My boss freaked out on me -- not because she thought I was wasting time chatting with friends and not working (which I wasn't) but because my computer could get hacked through the instant messenger.

I used to have Google Talk downloaded on my computer, but was told to get rid of it because the download could be dangerous. Now, I use web-based Google Talk or, more recently, www.meebo.com.

My question is -- are my boss and IT guy correct? Can I get hacked because I use instant messaging? If so, would I have to be in contact with the hacker? Would I have to accept a file transfer?

Any help you all can give me would be great.
153,461 views 20 replies
Reply #1 Top
are my boss and IT guy correct?
Yes you can get hacked
Can I get hacked because I use instant messaging?
Yes, IM can be a vector of infection
If so, would I have to be in contact with the hacker?
Not the hacker, but you'd have to be chatting with someone
Would I have to accept a file transfer?
Yes.  And you'd have to execute (open or run) it

I'd say your boss is oversensitive.  Don't open links unless you trust who you are talking to (and even then they may not be able to control what they are sending if they are infected with something crazy).  Don't run strange apps until you scan them.  Use a firewall to make sure no strange apps are sending out data without your permission.
Reply #2 Top
I don't know anything about getting hacked...I just wanted to say hello sister! Haven't seen ya in awhile!
Reply #3 Top

I'd say your boss is oversensitive.

Ditto on what Zubaz said, but on this I disagree (mildly). Yes, it takes user interaction to get zapped through IM, but most users are so conditioned to clicking "OK", they get got. So instead of saying "if you are PC savvy you can.....", most IT and security people just issue a blanket "NO" to IM.

As for IMing coworkers, the company can set up their own internal IM (it won't go outside of the trusted network) and that should be safe. Unless a coworker is infected.

And good to see you again! How is school going?

Reply #4 Top

As long as you're connected to the internet (no matter how), there's always the danger of being hacked in one way or another.

Having said that... in most cases you have to "accept/allow" the intruders before they can do anything - either via an Email-attachment or some sort of file/link sent to you through instant messaging.

No matter how protected your PC may be - common sense is always the best protection.

Reply #5 Top
Any time you have an open port it's possible for someone to enter your system through that port. I think your people are being a little too touchy about it in that the IT department should have protection and detection in place.

That said, if it's your company's IT policy to not use such applications you are expected to comply with their policies.
Reply #6 Top
I agree with Tova.
Reply #7 Top
Anything can be hacked...the easiest and most common way being accepting and executing a file via IM or clicking on a link sent to you by someone unknown / untrusted. Both of which can compromise your system immediately and give full access to an intruder.

Best advice, do as you're told if it's not your system.
Reply #8 Top
If the local I.T. dept was worth their salt, they would have locked that machine down before any of this nonsense took place. Users running in a corporate environment should be running as restricted user accounts - this pretty much negates the user's ability to install any software and only use what's installed on that machine. The only people installing software on company desktop/laptop workstations should be the I.T. dept. Having most users run as restricted user accounts on the machines they use will prevent most problems such as spyware/malware/viruses that occur when users run with admin level privileges.

I would say (and I could be wrong) that you probably have installed other software on your machine that is not required for you to perform your work. This also puts your machine at risk for all sorts of malware. Think of the implications, if your machine is infected and you regularly communicate with your co-workers via email, using files in shared network folders, etc - this also puts other machines on the same local network at risk so you not only have 1 machine with problems, you have an entire office full of malware infected machines that could be targeted by hackers to perform all sorts of trouble.

Instant messaging in a corporate environment can be used as an effective means of quick communication as an alternative to phone & email and can be configured for local use only (no access to external IM users) but it can also be viewed as a productivity killer. If you feel this can assist you & your co-workers, why not approach your boss & the I.T. dept and find out if getting this set up is a possibility.

Installing & using an IM client without previous approval from your manager at your workplace would be viewed as a serious deviation from company policy - in some corporate environments, that would be sufficient to get you terminated.

Your boss freaking out at you is nothing, I'd say you got off easy.
At least you didn't get fired.

Reply #9 Top
Hmm, must be tough love Wednesday.

Wouldn't dare step into using the IM at work argument and I never have a pop at Elfs & Faeries.

If you are asking more generally, then bearing in mind the danger is not the open port, but the vulnerable service, then I'd add:-

Keep updated and minimize inbuilt vulnerabilities.

Look around the program options, get to understand them and make use of any invite/block system.

If you are running in admin mode, consider taking a few steps to drop the rights of your IM program of choice.

Reply #10 Top
To give an idea of the possibility of security problems associated with the use of instant messaging clients, vnunet.com has a recent report on a serious new AIM vulnerability that could allow remote code execution via instant messaging alone. No user interaction is necessary for the exploit to be successful. In a nutshell, if you use this AIM client for instant messaging, the software only needs to be running for the attack to be possible, no links to click on or attachments to open.

Other versions of IM clients have experienced similar security issues and for the most part, the environment is as secure as it can get until a hacker comes along and exploits another security vulnerability. Make sure you're running the most current version of your IM client, make sure Windows has all of the security & critical updates installed, make use of a firewall and decent anti-malware software.

It's a rough world out there, make sure you protect yourself.
Reply #11 Top
Good post rob.
I'm a big fan of third party IM clients. I use trillian and meebo.com primarily but also Gaim and Adium. There may be other security concerns but I "feel" safer using these.

I have to agree with the other responders that say that you shouldn't be chatting using unauthorized systems.  Depending on the size of your organization, implementing some sort of authorized system is probably the best bet.
Reply #12 Top
You would have to be visible to non-trusted sources in order to accept this code. It shouldn't happen simply by dint of launching the application, not if you've bothered to take basic precautions. It is partly a result of bad design and partly a result of bad practice. There may be magic bytes, but there is no magic code - it can't take advantage of a vector it doesn't have access to.

All of the vulnerable AIM clients include support for enhanced message types that enable AIM users to use HTML to customize text messages with specific font formats or colours.

The vulnerable AIM clients use an embedded Internet Explorer server control to render this HTML content.

However, as this input is not checked before it is rendered, an attacker could deliver malicious HTML code as part of an instant message to directly exploit Internet Explorer bugs without user interaction.
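
The missing check described in the report quoted in Reply #12, sketched as an added example (not part of the original thread and not AIM's code): an allowlist filter applied to message HTML before it reaches any renderer. The permitted tags, attributes and value pattern are assumptions chosen to cover font and colour formatting only.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example: text-formatting tags only.
ALLOWED_TAGS = {"b", "i", "u", "br", "font"}
ALLOWED_ATTRS = {"font": {"color", "face", "size"}}
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_VALUE = re.compile(r"[#\w ,.-]{1,40}")  # colour names, hex codes, font names

class IMSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            # Suppress everything until the element closes; an element that
            # never closes drops the rest of the message (fails closed).
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:
            ok = ALLOWED_ATTRS.get(tag, ())
            kept = "".join(
                f' {k}="{escape(v)}"' for k, v in attrs
                if k in ok and v and SAFE_VALUE.fullmatch(v))
            self.out.append(f"<{tag}{kept}>")
            if tag != "br":
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and self.open_tags and self.open_tags[-1] == tag:
            self.out.append(f"</{self.open_tags.pop()}>")

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))  # text is re-escaped, never markup

def sanitize_message(raw: str) -> str:
    """Return message HTML reduced to the allowlisted formatting subset."""
    parser = IMSanitizer()
    parser.feed(raw)
    parser.close()
    closers = [f"</{t}>" for t in reversed(parser.open_tags)]
    return "".join(parser.out + closers)

# Constructed sample message, not captured traffic.
SAMPLE = '<font color="red" onmouseover="x()">hi</font><script>alert(1)</script>'
```

Filtering like this narrows what reaches the rendering engine; it does not replace keeping the client and the embedded browser component patched, as Reply #10 advises.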
Reply #13 Top
I read the computer policy at my school (I work for a university) and there are no rules against using instant messenger. There is a program provided by the school, but it must be downloaded. My IT guy doesn't want things downloaded (because he's afraid -- even if the program is from the university website or required for my job, for that matter), so my coworkers and I were using web-based chatting. I was not breaking any rules -- I thought I was complying with them. And, no unclerob, I have not installed any software that is not required for my job. Again, this is why I was using meebo.com so I would not install any unnecessary programs on my computer. The instant messaging was there to help me do my job in a more efficient and effective manner.

Our IT guy, while very nice, doesn't seem to know what he's doing sometimes. He's overly paranoid about being hacked -- but doesn't think to add any extra protection to the computers. Other offices on campus, including financial aid and the registrar all use IM to contact other departments. My department alone seems to be too afraid to use it. *sigh*

It helps to know that I would almost certainly have to accept and run files to be hacked. My computer is likely in danger from one of the many networking programs I have installed to do my job and it is unlikely that IM would cause any further danger.

Thanks for your help!

(For all personal comments, I'll write another blog in a more appropriate forum in a minute. So, I promise, I'm not ignoring you. )
Reply #14 Top

He's overly paranoid about being hacked --

If it is a University, you CANNOT be overly paranoid!

Reply #15 Top
If it is a University, you CANNOT be overly paranoid!


Yes, but she has a point, Dr. Guy. A good network administrator acts proactively rather than browbeating someone for using software that is not expressly forbidden. He could lock down the site on the network and force them to use computers outside the network (which pose no risk to the network) to connect to the messaging service they need. He could (and should) set privileges to further minimize the risk.

As you well know, security is the opposite of convenience. Sounds to me like a lazy IT guy wants to have his cake and eat it too, choosing to ignore security for convenience and then complain of a possible security breach.

And yes, sugar, anytime you converse with someone via IM, it is an open door. Can they hack you directly through IM without a file download? Not necessarily. But they can trace your IP address and use it for targeted attacks later, if they so choose.
Reply #16 Top
Yes, but she has a point, Dr. Guy. A good network administrator acts proactively rather than browbeating someone for using software that is not expressly forbidden. He could lock down the site on the network and force them to use computers outside the network (which pose no risk to the network) to connect to the messaging service they need. He could (and should) set privileges to further minimize the risk.


Actually, if he was halfway competent, that is the first line of defense. I do not deny that. But we were getting hacked by 5th graders when I worked for the schools! No, they could not hack our administrator accounts, but you should see what they did to the teacher ones!

The High school kids hacked the administrator ones.
Reply #17 Top
anytime you converse with someone via IM, it is an open door.


Does this mean I would have to be in contact with the hacker? Sorry to be so obtuse, I'm just curious.

Our IT guy tried to deny me access to programs I needed for my job that my supervisor wanted on my computer. He just doesn't like change...
Reply #18 Top
Assuming malicious code doesn't already exist on your network, then yes - the code/script must be delivered from an external source and this requires a connection between your machine and that of the machine serving the code/script.

Operate on a default deny basis, inviting only trusted sources to see and contact you.

Reply #19 Top
this requires a connection between your machine and that of the machine serving the code/script.


And since the Bank of India was just hacked for that purpose, you can never be completely safe and comfortable with it.
Reply #20 Top
If the computer does not belong to you then you are to do exactly what the owner says to do with it! No matter what you think or may find out - it is the fact that security is in place and rules are made to be followed.
We just this last month fired 3 more employees for failing to use their company computers correctly. All 3 had gotten a virus and it was due to personal use of IM and personal emails. My company has a zero tolerance for improper use of computers. Proper and improper use is set out in a guideline which you have to read and sign that you completely understand you are agreeing to it. Otherwise you will be terminated immediately upon any type of failure to do so by any means.

It is sad companies have to do such things to ensure their security on the net. But I've looked at what has happened to people in the past who did not follow those rules, and they caused all kinds of very bad problems for security. Thus I must agree with what those guidelines say and follow them to the letter.

If your company needs you to use such a messaging application then they will install a network type of messaging program. But would it not be easier to use a phone? Or for that matter an intercom?

Company emails are sent via share point server where I work and it is the best way to get any good message to anyone anywhere, due to the fact that a lot of the people I email via this system have a BlackBerry phone and will get the email asap!!!

Good luck and be careful there - you could get a virus or pick up something on your computer and lose your job because of it.

It is not worth it~!!!

SGT